Tuts 4 You

Finspy Vm: Statically unpacking



This is so interesting, thanks for posting.



Next we see the directive "db 5 dup(0CCh)" followed by "mov edi, edi". Reverse engineers will recognize these sequences as the Microsoft Visual C compiler's implementation of hot-patching support.

So that's what that thing was.

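The "db 5 dup(0CCh)" / "mov edi, edi" sequence quoted above is the entry layout that MSVC emits for hot-patchable functions: the linker's /FUNCTIONPADMIN option leaves five int 3 (0xCC) bytes of padding before the function, and the compiler's /hotpatch option starts the function with the two-byte no-op 8B FF (mov edi, edi). The Python below is an added example, not code from the original post or from the FinSpy analysis; it locates such entries in a byte blob and then applies a patch the way a hot-patcher does (jmp rel32 into the pad, mov edi, edi overwritten with a short jump back to the pad). The byte buffer it scans is constructed for the example and is not taken from any FinSpy sample.

```python
import struct

# The two byte sequences MSVC emits around a hot-patchable function entry.
HOTPATCH_PAD = b"\xCC" * 5   # db 5 dup(0CCh): linker padding (/FUNCTIONPADMIN)
HOTPATCH_NOP = b"\x8B\xFF"   # mov edi, edi: 2-byte no-op at function start (/hotpatch)

# Constructed sample (assumption: two tiny x86 functions, not from any real binary):
#   offset 0..2   : three nop bytes of unrelated code
#   offset 3..7   : pad, offset 8: mov edi,edi, then push ebp / mov ebp,esp / pop ebp / ret
#   offset 15..19 : pad, offset 20: mov edi,edi, then xor eax,eax / ret
SAMPLE = (
    b"\x90\x90\x90"
    + HOTPATCH_PAD + HOTPATCH_NOP + b"\x55\x8B\xEC\x5D\xC3"
    + HOTPATCH_PAD + HOTPATCH_NOP + b"\x33\xC0\xC3"
)


def find_hotpatch_entries(blob: bytes) -> list:
    """Return offsets of 'mov edi, edi' function entries that sit right after the 5-byte int3 pad."""
    needle = HOTPATCH_PAD + HOTPATCH_NOP
    offsets = []
    start = 0
    while True:
        idx = blob.find(needle, start)
        if idx < 0:
            break
        offsets.append(idx + len(HOTPATCH_PAD))  # first real instruction of the function
        start = idx + 1
    return offsets


def apply_hotpatch(blob: bytes, entry: int, target: int) -> bytes:
    """Redirect the function at `entry` to absolute offset `target`.

    Hot-patching writes a 5-byte 'jmp rel32' into the pad (which nothing executes
    normally) and then atomically turns the 2-byte 'mov edi, edi' into 'jmp -7',
    which lands on the freshly written long jump.
    """
    pad = entry - len(HOTPATCH_PAD)
    buf = bytearray(blob)
    if buf[pad:entry] != HOTPATCH_PAD or buf[entry:entry + 2] != HOTPATCH_NOP:
        raise ValueError("offset %#x is not a hot-patchable entry" % entry)
    rel32 = target - (pad + 5)                       # relative to the end of the jmp
    buf[pad:entry] = b"\xE9" + struct.pack("<i", rel32)
    buf[entry:entry + 2] = b"\xEB\xF9"               # jmp short -7: back to the pad
    return bytes(buf)


def hotpatch_target(blob: bytes, entry: int):
    """If `entry` has been hot-patched, return the absolute target of the detour, else None."""
    pad = entry - len(HOTPATCH_PAD)
    if blob[entry:entry + 2] != b"\xEB\xF9" or blob[pad] != 0xE9:
        return None
    rel32 = struct.unpack("<i", blob[pad + 1:entry])[0]
    return pad + 5 + rel32


if __name__ == "__main__":
    entries = find_hotpatch_entries(SAMPLE)
    print("hot-patchable entries:", [hex(e) for e in entries])
    patched = apply_hotpatch(SAMPLE, entries[0], 0x1000)
    print("first entry now detours to:", hex(hotpatch_target(patched, entries[0])))
```

Scanning for the full seven-byte pattern rather than for 8B FF alone avoids false positives, since mov edi, edi can also appear as ordinary code; the pad is what makes the site patchable, and once a site has been patched the pattern disappears, which is also how you would notice hooks installed by a third party when triaging a dump.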



Could somebody share FinSpy sample? I registered at Hybrid-Analysis, but when it came to downloading the sample, they turned me down because I did not have any publications, research papers, etc. I am mostly interested in VM analysis and do not really do much malware research.

Thanks in advance!


Edited by plutos

