Finspy Vm: Statically unpacking

[crystalboy]

There you can find awesome articles on how to face FinSpy VM:

http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation

https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf

Credits to Rolf Rolles and Filip Kafka

[Zasz]

This is so interesting, thanks for posting.

 

Quote

Next we see the directive "db 5 dup(0CCh)" followed by "mov edi, edi". Reverse engineers will recognize these sequences as the Microsoft Visual C compiler's implementation of hot-patching support.

So that's what that thing was.

[null_endian]

https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf

Enjoy :)

[yano65bis]

Good info

 

thanks

[crystalboy]

Rolf Rolles part 2 available here:

http://www.msreverseengineering.com/blog/2018/1/31/finspy-vm-part-2-vm-analysis-and-bytecode-disassembly

[Etor Madiv]

I was waiting for the 3rd part for long time, Rolf Rolles part 3:

http://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization

[whoknows]

Devirtualizing Finspy Phase #1

http://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye

 

[plutos]

Greetings!

Could somebody share FinSpy sample? I registered at Hybrid-Analysis, but when it came to downloading the sample, they turned me down because I did not have any publications, research papers, etc. I am mostly interested in VM analysis and do not really do much malware research.

Thanks in advance!

 

Edited March 8, 2018 by plutos

[evilcry]

This is another pretty interesting one on FinSpy:

FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines