Tuts 4 You
crystalboy

Finspy Vm: Statically unpacking


Zasz

This is so interesting, thanks for posting.

 

Quote:

> Next we see the directive "db 5 dup(0CCh)" followed by "mov edi, edi". Reverse engineers will recognize these sequences as the Microsoft Visual C compiler's implementation of hot-patching support.

So that's what that thing was.

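The two-part sequence quoted above (five int3 filler bytes, then the two-byte no-op `mov edi, edi`) is what makes a function hot-patchable: the filler can later be overwritten with a 5-byte `jmp rel32` and the `mov edi, edi` with a 2-byte `jmp short` back onto it. The scanner below is an added example, not code from the thread or from the linked blog post; it walks a byte buffer, reports each prologue that is still in its pristine compiler-emitted form, and flags prologues whose entry has been rewritten into the hook form, which is the check a user-mode hook detector runs over a memory dump. The sample buffer, the function bodies and the jump displacement in it are constructed for the example.

```python
import struct

# Layout emitted by the MSVC hot-patching support described in the quote:
#   db 5 dup(0CCh)   -> five int3 bytes immediately in front of the entry point
#   mov edi, edi     -> 8B FF, a two-byte no-op at the entry point
PADDING = b"\xCC" * 5
MOV_EDI_EDI = b"\x8B\xFF"

# Hooked form: the padding becomes E9 <rel32> and the entry becomes EB F9,
# a short jump of -7 that lands on the E9 five bytes earlier.
HOOK_SHORT_JMP = b"\xEB\xF9"


def scan_hotpatch_prologues(data):
    """Return a list of (entry_offset, state, target) tuples.

    state is "pristine" for an untouched prologue (target is None) and
    "hooked" when the padding holds a jmp rel32 and the entry holds the
    short jump back onto it; target is then the absolute offset the
    jmp rel32 transfers to, relative to the start of `data`.
    """
    results = []
    i = 0
    while i + 7 <= len(data):
        window = data[i:i + 7]
        if window == PADDING + MOV_EDI_EDI:
            results.append((i + 5, "pristine", None))
            i += 7
            continue
        if window[0] == 0xE9 and window[5:7] == HOOK_SHORT_JMP:
            rel32 = struct.unpack("<i", window[1:5])[0]
            # jmp rel32 at offset i is 5 bytes long, so the displacement is
            # taken from i + 5, which is also the function's entry offset.
            entry = i + 5
            results.append((entry, "hooked", entry + rel32))
            i += 7
            continue
        i += 1
    return results


def build_sample():
    """Constructed buffer holding two fake hot-patchable functions."""
    # Function A, pristine: padding, mov edi,edi, then a trivial body
    # (push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret).
    func_a = PADDING + MOV_EDI_EDI + b"\x55\x8B\xEC\x33\xC0\x5D\xC3"
    # Function B, hooked: padding rewritten to jmp rel32 (+0x1000, an
    # arbitrary constructed displacement), entry rewritten to jmp short -7.
    func_b = b"\xE9" + struct.pack("<i", 0x1000) + HOOK_SHORT_JMP \
        + b"\x55\x8B\xEC\x5D\xC3"
    return func_a + func_b


if __name__ == "__main__":
    for entry, state, target in scan_hotpatch_prologues(build_sample()):
        print(f"entry at 0x{entry:04x}: {state}"
              + (f", jmp to 0x{target:04x}" if target is not None else ""))
```

Run against a real image section or process memory dump, every `pristine` hit is a function the compiler left hot-patchable, and every `hooked` hit is a prologue somebody has already redirected; the reported target tells you where control now goes so it can be compared against the module's own address range.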
yano65bis

Good info :)

 

thanks

whoknows

Devirtualizing Finspy Phase #1

http://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye

 

plutos

Greetings!

Could somebody share FinSpy sample? I registered at Hybrid-Analysis, but when it came to downloading the sample, they turned me down because I did not have any publications, research papers, etc. I am mostly interested in VM analysis and do not really do much malware research.

Thanks in advance!

 

