# ESET’S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER


-----

## CONTENTS

**Introduction** **3**

**Anti-disassembly** **4**

**FinFisher’s virtual machine** **7**

Terms and definitions 8

Vm_start 8

**FinFisher’s interpreter** **10**

1. Creating an IDA graph 10

2. Vm_dispatcher 11

3. Vm_context 12

4. Virtual instruction implementations – vm_handlers 14

5. Writing your own disassembler 17

6. Understanding the implementation of this virtual machine 19

7. Automating the disassembly process for more FinFisher samples 20

8. Compiling disassembled code without the VM 20

**Conclusion** **22**

**Appendix A: IDA Python script for naming FinFisher vm_handlers** **23**


-----

## INTRODUCTION


Thanks to its strong anti-analysis measures, the

FinFisher spyware has gone largely unexplored.

Despite being a prominent surveillance tool,

only partial analyses have been published on its

more recent samples.

Things were put in motion in the summer

of 2017 with ESET’s analysis of FinFisher

surveillance campaigns that ESET had

discovered in several countries. In the course of

[our research, we have identified campaigns where](https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/)

_[internet service providers most probably played](https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/)_

the key role in compromising the victims with

FinFisher.

When we started thoroughly analyzing this

malware, the main part of our effort was

overcoming FinFisher’s anti-analysis measures

in its Windows versions. The combination

of advanced obfuscation techniques and

proprietary virtualization makes FinFisher very

hard to de-cloak.

To share what we learnt in de-cloaking this

malware, we have created this guide to help

others take a peek inside FinFisher and analyze

it. Apart from offering practical insight into

analyzing FinFisher’s virtual machine, the

guide can also help readers to understand

virtual machine protection in general – that

is, proprietary virtual machines found inside a

binary and used for software protection. We

will not be discussing virtual machines used in

interpreted programming languages to provide

compatibility across various platforms, such as

the Java VM.


We have also analyzed Android versions of

FinFisher, whose protection mechanism is based

on an open source LLVM obfuscator. It is not as

sophisticated or interesting as the protection

mechanism used in the Windows versions, thus

we will not be discussing it in this guide.

Hopefully, experts from security researchers to

malware analysts will make use of this guide to

better understand FinFisher’s tools and tactics,

and to protect their customers against this

omnipotent security and privacy threat.


-----

## ANTI- DISASSEMBLY

When we open a FinFisher sample in IDA Pro,

the first protection we notice in the main

function is a simple, yet very effective, anti
disassembly trick.

FinFisher uses a common anti-disassembly

technique – hiding the execution flow by

replacing one unconditional jump with two

complementary, conditional jumps. These

conditional jumps both target the same

location, so regardless of which jump is made,

the same effective code execution flow results.

The conditional jumps are then followed by

garbage bytes. These are meant to misdirect the

disassembler, which normally will not recognize

that they are dead code, and will steam on,

disassembling garbage code.

What makes this malware special is the way

in which it uses this technique. In most other

malware we’ve analyzed, it is only used a few

times. FinFisher, however, uses this trick after

every single instruction.


This protection is very effective at fooling the

disassembler – many parts of the code aren’t

disassembled properly. And of course, it is

impossible to use the graph mode in IDA Pro.

Our first task will be to get rid of this anti
disassembly protection.

The code was clearly not obfuscated manually

but with an automated tool and we can observe

a pattern in all the jump pairs.

There are two different types of jump pairs –

near jump with a 32-bit offset and short jump

with an 8-bit offset.

The opcodes of both conditional near jumps

(with a dword as a jump offset) start with a

0x0F byte; while the second bytes are equal

to 0x8?, where ? in both jump instructions

differs only by 1 bit. This is because x86 opcodes

for complementary jumps are numerically

consecutive. For example, this obfuscation

scheme always pairs JE with JNE (0x0F 0x84 vs

0x0F 0x85 opcodes), JP with JNP (0x0F 0x8A vs

0x0F 0x8B opcodes), and so on.

These opcodes are then followed by a 32
bit argument specifying the offset to the

destination of the jump. Since the size of

both instructions is 6 bytes, the offsets in two

consequent jumps differ exactly by 6. (Figure 1)


Figure 1 // Screenshot showing instructions followed by two conditional near jumps every time


-----

For example, the code below can be used to detect two of these consecutive conditional jumps:


Deobfuscation of short jumps is based on the

same idea, only the constants are different.

The opcode of a short conditional jump equals

0x7?, and is followed by one byte – the jump

offset. So again, when we want to detect two

consecutive, conditional near jumps, we have to

look for opcodes: 0x7?; offset; 0x7? ± 1; offset -2.

The first opcode is followed by one byte, which

differs by 2 in two consequent jumps (which is,

again, the size of both instructions). (Figure 2)

For example, this code can be used to detect

two conditional short jumps:


After detecting one of these conditional jump

pairs, we deobfuscate this code by patching the

first conditional jump to unconditional (using

the 0xE9 opcode for the near jump pairs and

0xEB for the short jump pairs) and patch the

rest of the bytes with NOP instructions (0x90)
```
 def patch_jcc32(addr):
   PatchByte(addr, 0x90)
   PatchByte(addr+1, 0xE9)
   PatchWord(addr+6, 0x9090)
   PatchDword(addr+8,
      0x90909090)
 def patch_jcc8(addr):
   PatchByte(addr, 0xEB)
   PatchWord(addr+2, 0x9090)

```
In addition to these two cases, there might be

some places where a jump pair consists of a

short and a near jump, rather than two jumps of

the same category. However, this only occurs in

a few cases in the FinFisher samples and can be

fixed manually.

With these patches made, IDA Pro starts to

“understand” the new code and is ready (or at

least almost ready) to create a graph. It may be

the case that we still need to make one more

improvement: append tails, i.e. assign the node

with the destination of the jump to the same


-----

Figure 2 // Examples of instructions followed by two conditional short jumps every time

graph where the node with the jump instruction

is located. For this, we can use the IDA Python

function append_‌func_‌tail.

The last step of overcoming the anti-disassembly

tricks consists of fixing function definitions. It may

still occur that the instruction after the jumps is
```
push ebp, in which case IDA Pro (incorrectly)

```
treats this as the beginning of a function and

creates a new function definition. In that case, we

have to remove the function definition, create the

correct one and append tails again.

This is how we can get rid of FinFisher’s first

layer of protection – anti-disassembly.


-----

## FINFISHER’S  VIRTUAL MACHINE

After a successful deobfuscation of the first

layer, we can see a clearer main function whose

sole purpose is to launch a custom virtual

machine and let it interpret the bytecode with

the actual payload.

As opposed to a regular executable, an

executable with a virtual machine inside uses

a set of virtualized instructions, rather than

directly using the instructions of the processor.

Virtualized instructions are executed by a

virtual processor, which has its own structure

and does not translate the bytecode into a

native machine code. This virtual processor as

well as the bytecode (and virtual instructions)

are defined by the programmer of the virtual

machine. (Figure 3)

As mentioned in the introduction, a well-known

example of a virtual machine is the Java Virtual

Machine. But in this case, the virtual machine

is inside the binary, so we are dealing with a

virtual machine used for a protection against

reverse engineering. There are well-known

commercial virtual machine protectors, for

example VMProtect or Code Virtualizer.

The FinFisher spyware was compiled from

source code and the compiled binary was

then protected with a virtual machine at the

Figure 3 // Bytecode interpreted by the virtual CPU


assembly level. The protection process includes

translating instructions of the original binary

into virtual instructions and then creating a

new binary that contains the bytecode and the

virtual CPU. Native instructions from the original

binary are lost. The protected, virtualized

sample must have the same behavior as a non
protected sample.

To analyze a binary protected with a virtual

machine, one needs to:

1. Analyze the virtual CPU.

2. Write one’s own disassembler for this custom

virtual CPU

and parse the bytecode.

3. Optional step: compile the disassembled code

into a binary file to

get rid of the virtual machine.

The first two tasks are very time-consuming,

and the first one can also get quite difficult.

It includes analyzing every vm_‌handler and

understanding how registers, memory access,

calls, etc. are translated.


-----

### Terms and definitions

There is no standard for naming particular parts

of a virtual machine. Hence, we will define some

terms which will be referenced throughout the

whole paper.

- Virtual machine (vm) – custom, virtual CPU;

contains parts like the

_vm_‌dispatcher, vm_‌start, vm_‌handlers_

- _vm_‌start – the initialization part; memory_

allocation and decryption routines are

executed here

- Bytecode (also known as pcode) – virtual

opcodes of vm_‌instructions with their

arguments are stored here

- _vm_‌dispatcher – fetches and decodes virtual_

opcode; is basically a preparation for the

execution of one of the vm_‌handlers

- _vm_‌handler – an implementation of a_

_vm_‌instruction; executing one vm_‌handler_

means executing one vm_‌instruction

- Interpreter (also known as vm_‌loop) –

_vm_‌dispatcher + vm_‌handlers – the virtual_

CPU

- Virtual opcode – an analog of the native

opcode

- _vm_‌context (vm_‌structure) – an internal_

structure used by the interpreter

- _vi_‌params – a structure in the vm_‌context_

structure; the virtual instruction parameters,

used by the vm_‌handler; it includes the

_vm_‌opcode and arguments_

When interpreting the bytecode, the virtual

machine uses a virtual stack and a single virtual

register.

- _vm_‌stack – an analog of a native stack, which_

is used by the virtual machine

- _vm_‌register – an analog of a native register,_

used by this virtual machine; further

referenced as tmp_‌REG

- _vm_‌instruction – an instruction defined_

by developers of vm; the body (the

implementation) of the instruction is called its

_vm_‌handler_


In the following sections, we will describe the

parts of the virtual machine in more technical

detail and explain how to analyze them.

A deobfuscated graph of the main malware

function consists of three parts – an

initialization part and two other parts which

we have named vm_‌start and interpreter

_(vm_‌dispatcher + vm_‌handlers)._

The initialization part specifies a unique

identifier of what could be interpreted as a

bytecode entry point, and pushes it on the stack.

Then, it jumps to the vm_‌start part that is an

initialization routine for the virtual machine

itself. It decrypts the bytecode and passes

control to the vm_‌dispatcher that loops over

the virtual instructions of the bytecode and

interprets them using the vm_‌handlers.

The vm_‌dispatcher starts with a pusha

instruction and ends with a jmp dword ptr
```
[eax+ecx*4] instruction (or similar), which is a

```
jump to the relevant vm_‌handler.

### Vm_‌start

The graph created after the deobfuscation of

the first layer is seen in Figure 4. The vm_‌start

part is not so important for the analysis of the

interpreter. However, it can help us understand

the whole implementation of the vm; how it

uses and handles virtual flags, virtual stack, etc.

The second part – the vm_‌dispatcher with

_vm_‌handlers – is the crucial one._

The vm_‌start is called from almost every

function, including the main function. The calling

function always pushes a virtual instruction

identifier and then it jumps to vm_‌start. Every

virtual instruction has its own virtual identifier.

In this example, the identifier of the virtual

entry point, where the execution from the main

function starts, is 0x21CD0554. (Figure 5)

In this part, there is a lot of code for preparing

the vm_‌dispatcher – mainly for preparing

the bytecode and allocating memory for the


-----

Figure 5 // vm_start is called from each of the 119 virtualized functions.
The ID of the first virtual instruction of the respective function
is given as an argument.

whole interpreter. The most important parts of the code do the


following:

1. Allocate 1MB with RWX permission for bytecode and a few


more variables.


2. Allocate 0x10000 bytes RWX for local variables in the virtual

machine for the current thread – the vm_‌stack.


3. Decrypt a piece of code using an XOR decryption routine. The

decrypted code is an aPLib unpacking routine.


The XOR decryption routine used in the sample is a slightly

modified version of XOR dword, key routine. Actually, it skips

the first of the six dwords and then XORs only the remaining


5 dwords with the key. Following is the algorithm for the

routine (further referred to as XOR decryption_‌code):


4. Call aPLib unpacking routine to unpack bytecode. After

unpacking, virtual opcodes are still encrypted. (Figure 6)


Preparing virtual opcodes (step 1, 3 and 4) is done only once –

at the beginning – and is skipped in subsequent executions of

_vm_‌start, when only instructions for proper handling of flags_

and registers are executed.


-----

Figure 6 // All the code from the vm_start to the vm_dispatcher in grouped nodes named based on their purpose.


## FINFISHER’S INTERPRETER

This part includes the vm_‌dispatcher with all

the vm_‌handlers (34 in FinFisher samples) and

is crucial for analyzing and/or devirtualizing the

virtual machine. The interpreter executes the

bytecode.

The instruction jmp dword ptr [eax+ecx*4]

jumps to one of the 34 vm_‌handlers. Each

_vm_‌handler implements one virtual machine_


instruction. In order to know what every

_vm_‌handler does, we first need to understand_

the vm_‌context and vm_‌dispatcher.

### 1. Creating an IDA graph

Before diving into it, creating a well-structured

graph can really help understanding the

interpreter. We recommend splitting the

graph into two parts – the vm_‌start and the

_vm_‌dispatcher, i.e. to define a beginning of a_

function at the vm_‌dispatcher’s first instruction.

What is still missing is the actual vm_‌handlers

referenced by the vm_‌dispatcher. In order to

connect these handlers with the graph of the


-----

_vm_‌dispatcher, the following functions can be_

used:
```
AddCodeXref(addr_‌of_‌jmp_‌instr, 

```
vm_‌handler, XREF_‌USER|fl_‌JN)

adding references from the last vm_‌dispatcher

instruction to the beginnings of the

_vm_‌handlers_
```
AppendFchunk

```
appending tails again

After appending every vm_‌handler to the

dispatcher function, the resulting graph should

look like (Figure 7)


### 2. Vm_‌dispatcher

This part is responsible for fetching and

decoding the bytecode. It performs the

following steps:

- Executes pusha and pusf instructions to

prepare virtual registers and virtual flags for

further execution of a virtual instruction.

- Retrieves the base address of the image and

address of vm_‌stack

- Reads 24 bytes of bytecode specifying the

next vm_‌instruction

and its arguments


Figure 7 // Graph of the vm_dispatcher with all 34 vm_handlers.


-----

- Decrypts the bytecode with the previously

described XOR decryption routine

- Adds the image base to the bytecode

argument in case the argument is a global

variable

- Retrieves the virtual opcode (number 0-33)

from the decrypted bytecode

- Jumps to the corresponding vm_‌handler

which interprets the virtual opcode

After the vm_‌handler for an instruction has

executed, the same sequence of steps is

repeated for the next one, starting from the

_vm_‌dispatcher’s first instruction._

In the case of the vm_‌call handler, the control

is passed to the vm_‌start part instead (except

Figure 8 // Screenshot of one of the vm handlers


for instances when a non-virtualized function

follows).

### 3. Vm_‌context

In this part, we will describe the vm_‌context

– a structure used by the virtual machine,

containing all the information necessary

for executing the vm_‌dispatcher and each

_vm_‌handler._

When looking at the code of both the

_vm_‌dispatcher and the vm_‌handlers in greater_

detail, we can notice there are a lot of data

operation instructions, referring to ebx+offset,

where offset is a number from 0x00 to 0x50.

In Figure 8, we can see what the main part of

_vm_‌handler 0x05 in one FinFisher sample looks_

like. (Figure 8)


-----

The ebx register points to a structure we named

_vm_‌context. We must understand how this_

structure is used – what the members are, what

they mean, and how they are used. When solving

this puzzle for the first time, a bit of guessing

is needed as to how the vm_‌context and its

members are used.

For example, let’s have a look at the sequence of

instructions at the end of the vm_‌dispatcher:
```
 movzx ecx, byte ptr [ebx+0x3C]
 // opcode for vm_handler
 jmp dword ptr [eax+ecx*4] 
 // jumping to one of the 34 vm_
 handlers

```
Since we know that the last instruction is a

jump to a vm_‌handler, we can conclude that

ecx contains a virtual opcode and thus the

0x3C member of a vm_‌struct refers to a virtual

opcode number.

Let’s make one more educated guess. At the end

of almost every vm_‌handler,


there is the following instruction:
```
add dword ptr [ebx], 0x18.

```
This same member of the vm_‌context was

also used earlier in the vm_‌dispatcher’s

code – just before jumping to a vm_‌handler.

The vm_‌dispatcher copies 24 bytes from

the structure member to a different location

([ebx+38h]) and decrypts it with the XOR

decryption routine to obtain a part of the actual

bytecode.

Hence, we can start thinking of the first

member of the vm_‌context ([ebx+0h]) as a

_vm_‌instruction_‌pointer, and of the decrypted_

location (from [ebx+38h] to [ebx+50h]) as an

ID of a virtual instruction, its virtual opcode and

arguments. Together, we will call the structure

_vi_‌params._

Following the steps described above, and using

a debugger to see what values are stored in the

respective structure members, we can figure

out all the members of the vm_‌context.

After the analysis, we can rebuild both

FinFisher’s vm_‌context and vi_‌params

structure:

```
struct vm_context {
DWORD vm_instruct_ptr; // instruction pointer to the bytecode
DWORD vm_stack; // address of the vm_stack
DWORD tmp_REG; // used as a “register” in the virtual machine
DWORD vm_dispatcher_loop; // address of the vm_dispatcher
DWORD cleanAndVMDispatchFn; // address of the function which pops values and jumps

```
to the vm_dispatcher skipping the first few instructions from it
```
DWORD cleanUpDynamicCodeFn; // address of the function which cleans vm_instr_ptr and
calls cleanAndVMDispatchFn
DWORD jmpLoc1; // address of jump location
DWORD jmpLoc2; // address of next vm_opcode – just executing next vm_instruction
DWORD Bytecode_start; // address of the start of the bytecode in data section
DWORD DispatchEBP;
DWORD ImageBase; // Image base address

```
DWORD ESP0_flags; // top of the native stack (there are saved flags of the vm_code)

DWORD ESP1_flags; // same as previous
```
DWORD LoadVOpcodesSectionFn;
vi_params bytecode; // everything necessary for executing vm_handler, see below
DWORD limitForTopOfStack; // top limit for the stack
};

```

-----

### 4. Virtual instruction implementations – vm_‌handlers

Each vm_‌handler handles one virtual opcode

– since we have 34 vm_‌handlers, there

are at most 34 virtual opcodes. Executing

one vm_‌handler means executing one

_vm_‌instruction, so in order to reveal what a_

_vm_‌instruction does, we need to analyze the_

corresponding vm_‌handler.

After reconstructing the vm_‌context and

naming all the offsets from ebx, the previously

shown vm_‌handler changes to a much more

readable form, as seen in Figure 9.


At the end of this function, we notice a

sequence of instructions, starting with the

vm_‌instruction_‌pointer, being incremented

by 24 – the size of each vm_‌instruction’s

vi_‌params structure. Since this sequence

is repeated at the end of almost every

vm_‌handler, we conclude it is a standard

function epilogue and the actual body of the

vm_‌handler can be written as simply as:
```
mov [tmp_‌REG], Arg0

```
So, there we go – we have just analyzed the

first instruction of the virtual machine. :-)

Figure 9 // The previous
_vm_handler after_
inserting the
_vm_context structure_


-----

To illustrate how the analyzed instruction works

when executed, let’s consider the vi_‌params

structure filled as follows:
```
 struct vi_params {
 DWORD ID_of_virt_instr = doesn’t
 matter;
 DWORD OpCode = 0x0C;
 DWORD Arg0 = 0x42;
 DWORD Arg4 = 0;
 DWORD Arg8 = 0;
 DWORD ArgC = 0;
 };

```
From what was stated above, we can see that

the following instruction will be executed:
```
mov [tmp_‌REG], 0x42

```
Figure 10 // Screenshot of a JNP_handler


At this point, we should understand what

one of the vm_‌instructions does. The

steps we followed should serve as a decent

demonstration of how the entire interpreter

works.

However, there are some vm_‌handlers that are

harder to analyze. This vm’s conditional jumps

are tricky to understand because of the way

they translate flags.

As mentioned before, the vm_‌dispatcher starts

with pushing native EFLAGS (of vm_‌code) to

the top of the native stack. Therefore, when the

handler for a respective jump is deciding whether

to jump or not, it looks at EFLAGS at the native

stack and implements its own jump method.

Figure 10 illustrates how the virtual JNP handler is

implemented by checking the parity flag.

(Figure 10)


-----

For other virtual conditional jumps, it may be necessary to check several flags – for example, the jump

result of the virtualized JBE depends on the values of both CF and ZF – but the principle stays the

same.

After analyzing all 34 vm_‌handlers in FinFisher’s virtual machine, we can describe its virtual

instructions as follows:

Figure 11 // vm_table with all 34 vm_handlers accessed


Please note that the keyword “tmp_‌REG”

refers to a virtual register used by the virtual

machine –temporary register in the vm_‌context

structure, while “reg” refers to a native register,

e.g. eax.

Let’s have a look at the analyzed instructions

of the virtual machine. For example,

_case_‌3_‌vm_‌jcc is a general jump handler that_

can execute any native jump, either conditional

or unconditional.

Apparently, this virtual machine does not

virtualize every native instruction – that’s where

instructions in cases 4 and 6 come in handy.


These two vm_‌handlers are implemented to

execute native code directly – all they do is to

read the opcode of a native instruction given as

an argument and execute the instruction.

One more thing to note is that the vm_‌registers

are always at the top of the native stack, while

the identifier of the register to be used is stored

in the last byte of arg0 of the virtual instruction.

The following code can be used to access the

respective virtual register:


-----

### 5. Writing your own disassembler

After we have correctly analyzed all the

_vm_‌instructions, there is still one step to_

be done before we can start the analysis

of the sample – we need to write our own

disassembler for the bytecode (parsing it

manually would be problematic due to its size).

By putting in the effort and writing a more

robust disassembler we can save ourselves

some trouble when FinFisher’s virtual machine

is changed and updated.

Let’s start with the vm_‌handler 0x0C, which

executes the following instruction:
```
mov [tmp_‌REG], reg

```
This instruction takes exactly one argument

– the identifier of a native register to be used

as reg. This identifier must be mapped into

a native register name, for instance using a
```
resolve_‌reg function as described above.

```
The following code can be used to dissasemble

this vm_‌handler:
```
 def vm_0C(state, vi_params):
   global instr
   reg_pos = 7 – (vi_arams[arg0]
   & 0x000000FF)
   tmpinstr = “mov [tmp_REG],
   %s” % resolve_reg(reg_pos)
   instr.append(tmpinstr)
   return

```
Again, vm_‌handlers for jumps are harder

to understand. In case of jumps, members

_vm_‌context.vi_‌params.Arg0 and vm_‌context._

_vi_‌params.Arg1 store the offset by which to_


jump. This “jump offset” is actually an offset in

the bytecode. When parsing jumps, we need to

put a marker to the location to which it jumps.

For example, this code can be used:
```
 def computeLoc1(pos, vi_params):
   global instr
   jmp_offset = (vi_params[arg0]
 & 0x00FFFFFF) + (vi_params[arg1]
 & 0xFF000000)
   if jmp_offset < 0x7FFFFFFF:
      jmp_offset /= 0x18 # their
      increment by 0x18 is my
      increment by 1
   else:
      jmp_offset = int((      0x100000000 + jmp_offset)
      / 0x18)
   return pos+jmp_offset

```
Finally, there is a vm_‌handler responsible for

executing native instructions from arguments,

which needs special treatment. For this, we

have to use a disassembler for native x86

instructions – for example, the open source tool

Distorm.

The length of an instruction is stored in

vm_‌context.vi_‌params.OpCode & 0x0000FF00.

The opcode of the native instruction that

will be executed is stored in the arguments.

The following code can be used to parse the

vm_‌handler that executes native code:


-----

Up to this point, we have created Python

functions to disassemble each vm_‌handler. All

of these, combined with the code responsible

for marking jump locations, finding the ID of

a virtual instruction after the call and a few

others, are necessary for writing your own

disassembler.

Afterwards, we can run the finished

disassembler on the bytecode.

Figure 12 // Part of the unpacked and decrypted FinFisher bytecode

For example, from the part of the bytecode

shown in Figure 12, we may get the following

output:


-----

### 6. Understanding the implementation of this virtual machine

After we have analyzed all the virtual handlers

and constructed a custom disassembler, we can

have one more look at the virtual instructions to

get an overall idea of how they were created.

First, we must understand that the virtualization

protection was implemented at the assembly

level. The authors translated native instructions

into their own, somewhat complicated

instructions, which are to be executed by a

custom virtual CPU. To achieve this, a temporary

“register” (tmp_‌REG) is used.

We can look at some examples to see how

this translation works. For example, the virtual

instruction from the previous example –
```
mov tmp_‌REG, EAX
push tmp_‌REG

```
– was translated from the original native

instruction push eax. When virtualized, a

temporary register was used in an intermediate

step to change the instruction into something

more complicated.

Let’s consider another example:

```
mov tmp_REG, 0
add tmp_REG, EBP
add tmp_REG, 0x10
mov tmp_REG, [tmp_REG]
push tmp_REG

```

The native instructions that were translated into

these virtualized instructions were the following

(with reg being one of the native registers):
```
mov reg, [ebp+0x10]
push reg

```
This is, however, not the only way to virtualize

a set of instructions. There are other virtual

machine protectors with other approaches. For

instance, one of the commercial vm protectors

translates each math operation instruction


into NOR logic, with a number of temporary

registers being used instead of one.

Conversely, FinFisher’s virtual machine did not

go as far as to cover all the native instructions.

While many of them can be virtualized, some

can’t – math instructions, such as add, imul and
```
div, being some examples. If these instructions

```
appear in the original binary, the vm_‌handler

responsible for executing native instructions is

called to handle them in the protected binary.

The only change is that EFLAGS and native

registers are popped from the native stack just

before the native instruction is executed, and

pushed back after it is executed. This is how the

virtualization of every native instruction was

avoided.

A significant drawback of protecting binaries

with a virtual machine is the performance

impact. In the caseof FinFisher’s virtual

machine, we estimate it to be more than one

hundred times slower than native code, based

on the number of instructions that have to be

executed to handle every single vm_‌instruction

(vm_‌dispatcher + vm_‌handler).

Therefore, it makes sense to protect only

selected parts of the binary– and this is also the

case in the FinFisher samples we analyzed.

Moreover, as mentioned before, some of

the virtual machine handlers can call native

functions directly. As a result, the users of the

virtual machine protection (i.e. the authors

of FinFisher) can look at the functions at the

assembly level and mark which of them are

to be protected by the virtual machine. For

those that are marked, their instructions will be

virtualized, for those that are not, the original

functions will be called by the respective virtual

handler. Thus, the execution might be less time
consuming while the most interesting parts of

the binary stay protected. (Figure 13)


-----

Figure 13 // Scheme representing FinFisher’s entire vm protection and how the execution can jump out of the vm


### 7. Automating the disassembly process for more FinFisher samples

In addition to the length of the bytecode our

parser has to process, we have to keep in mind

that there is some randomization across various

FinFisher samples. Although the same virtual

machine has been used for the protection, the

mapping between the virtual opcodes and the

_vm_‌handlers is not always constant. They can_

be (and are) paired randomly and differently

for each of the FinFisher samples we analyzed.

It means that if the vm_‌handler for the 0x5

virtual opcode in this sample handles the mov
```
[tmp_‌REG], arg0 instruction, it may be

```
assigned a different virtual opcode in another

protected sample.

To address this issue, we can use a signature

for each of the analyzed vm_‌handlers. The

IDA Python script in Appendix A can be applied

after we have generated a graph as shown in

Figure 7 (it is particularly important to have

the jz/jnz jump obfuscation eliminated – as

described in the first section of this guide) to

name the handlers based on their signatures.

(With a small modification, the script can also


be used to recreate the signatures in case the

_vm_‌handlers are changed in a future FinFisher_

update.)

As mentioned above, the first vm_‌handler

in the FinFisher sample you analyze may be

different than JL, as in the example FinFisher

sample, but the script will identify all of the

_vm_‌handlers correctly._

### 8. Compiling disassembled code without the VM

After disassembly and after a few

modifications, it is possible to compile the

code. We will treat virtual instructions as native

instructions. As a result, we will get a pure

binary without the protection.

Most of the vm_‌instructions can be compiled

immediately using copy-paste, since the output

of our disassembler mostly consists of native
looking instructions. But some cases need

special treatment:

- tmp_‌REG – since we defined tmp_‌REG as

a global variable, we need to make code

adjustments for cases when an address

stored in it is being dereferenced. (Since


-----

dereferencing an address which is in a global

variable is not possible in the x86 instruction

set.) For example, the vm contains the virtual

instruction mov tmp_‌REG, [tmp_‌REG] which

needs to be rewritten as follows:
```
 push eax
 mov eax, tmp_REG
 mov eax, [eax]
 mov tmp_REG, eax
 pop eax

```
- Flags – Virtual instructions do not change

the flags, but native math instructions do.

Therefore, we need to make sure that virtual

math instruction won’t change flags in the

devirtualized binary either, which means

we have to save flags before executing

this instruction and restore them after the

execution.

- Jumps and calls – we have to put a marker to

the destination virtual instruction (jumps) or

function (calls).



- API function calls – in most cases, API

functions are loaded dynamically, whereas

in others they are referenced from the IAT of

the binary, so these cases need to be handled

accordingly.

- Global variables, native code – Some global

variables need to be kept in the devirtualized

binary. Also in the FinFisher dropper, there is a

function for switching to x64 from x86 that is

executed natively (actually it is done only with

the retf instruction). All these must be kept

in the code when compiling.

Depending on the output of your disassembler,

you may still need to do a few more

modifications to get pure native instructions

that can be compiled. Then, you can compile the

code with your favorite assembly-compiler into

a binary without the VM.


-----

## CONCLUSION

In this guide, we have described how FinFisher

uses two elaborate techniques to protect

its main payload. The primary intention of

this protection is not to avoid AV detection,

but to cover the configuration files and new

techniques implemented in the spyware by

hindering analysis by reverse engineers. As

no other detailed analysis of the obfuscated

FinFisher spyware has been published to date,

it seems the developers of these protection

mechanisms have been successful.

We have shown how we can overcome the

anti-disassembly layer automatically, and how

the virtual machine can be efficiently analyzed.

We hope this guide can help reverse engineers

analyze vm-protected FinFisher samples, as

well to better understand other virtual machine

protectors in general.


-----

### Appendix A

 IDA Python script for naming  FinFisher vm_‌handlers

The script is also available on ESET’s GitHub repository:

_[https://github.com/eset/malware-research/blob/master/finfisher/ida_finfisher_vm.py](https://github.com/eset/malware-research/blob/master/finfisher/ida_finfisher_vm.py)_


-----

-----