Posted January 24, 2018. There you can find awesome articles on how to face FinSpy VM: http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf Credits to Rolf Rolles and Filip Kafka
January 25, 2018. This is so interesting, thanks for posting. Quote: "Next we see the directive "db 5 dup(0CCh)" followed by "mov edi, edi". Reverse engineers will recognize these sequences as the Microsoft Visual C compiler's implementation of hot-patching support." So that's what that thing was.
January 30, 2018. https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf Enjoy :)
February 1, 2018 (Author). Rolf Rolles part 2 available here: http://www.msreverseengineering.com/blog/2018/1/31/finspy-vm-part-2-vm-analysis-and-bytecode-disassembly
February 21, 2018. I was waiting for the 3rd part for a long time. Rolf Rolles part 3: http://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization
February 22, 2018. Devirtualizing Finspy Phase #1: http://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye
March 8, 2018. Greetings! Could somebody share a FinSpy sample? I registered at Hybrid-Analysis, but when it came to downloading the sample, they turned me down because I did not have any publications, research papers, etc. I am mostly interested in VM analysis and do not really do much malware research. Thanks in advance! Edited March 8, 2018 by plutos
March 23, 2018. This is another pretty interesting one on FinSpy: FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines