Reverse Engineering: Simple malware deobfuscation (CFG reconstruction and xrays) & analysis

5.3K views
Premiered Feb 16, 2021
30:53

In this video I show how we can create functions when IDA fails because of the usage of opaque predicates, a common anti-disassembling trick. We will also see how we can statically decrypt the malware using a technique called X-Rays (by the AV industry). This malware was called "FlyStudio" by some AV companies. The MD5 hash of the sample analysed in the video is the following one: 09002944F0F0EEC37B022507919C3538.

You can download the malware samples from this URL: https://bazaar.abuse.ch/sample/8b11f853afd0119988fd2fa04e379c6d77eb9806314b198d5c92cd1258fd02f7/

The IDA Python script used in this video to decrypt the body of the malware samples is available here: https://pastebin.com/MCQ48ghy
