FSG stands for Fast Small Good.
Here are the release dates:
| Version | Release date |
|---|---|
| FSG 1.0 | 2002 January |
| FSG 1.1 | 2002 April |
| FSG 1.2 | 2002 May |
| FSG 1.3 | 2002 August |
| FSG 1.31 | 2002 August |
| FSG 1.33 | 2002 November |
| FSG 2.0 | 2004 May |
Unpacking FSG 1.0
Find OEP by Section Hop
Below is an example of a malware sample packed with FSG 1.0. When it is run, it stops at entry point 0x401050:
The plugin has found the OEP at 0x401090, which is encouraging because this location is close to the beginning of the executable (0x401000).
Unpack FSG 2.0
OllyDbg will warn that the entry point is outside of the code's section. Just hit .
The program stops at the beginning of the unpacking routine:
    00400154 > 8725 4C734000   XCHG DWORD PTR DS:[40734C],ESP  ; Save ESP to 0x40734C
    0040015A   61              POPAD                           ; Retrieve registers
    0040015B   94              XCHG EAX,ESP                    ; Loads ESP into EAX
    0040015C   55              PUSH EBP                        ; EBP = 0x4020A8
Later in the code, we can see a series of conditional jumps as follows:
    004001CD  ^78 F3           JS SHORT crackme#.004001C2
    004001CF   75 03           JNZ SHORT crackme#.004001D4
    004001D1   FF63 0C         JMP DWORD PTR DS:[EBX+C]
This is the unpacked code. All you need to do is to dump the code with OllyDump.
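The two FSG 2.0 listings above can also be located by byte pattern instead of by scrolling in the debugger. The following is an added example, not code from the original page: it scans a memory image for the stub start and reports the address of the final JMP DWORD PTR DS:[EBX+C], where a breakpoint can be set before dumping. The function name, the wildcarding of the address operand and the JS displacement, and the NOP-filled sample buffer are assumptions made for illustration.

```python
import re

# Byte patterns copied from the two listings above. The 4-byte operand of the
# first XCHG is a per-sample address and the JS displacement may vary, so both
# are wildcarded (an assumption; the page shows a single sample).
STUB_START = re.compile(rb"\x87\x25(.{4})\x61\x94\x55", re.DOTALL)
TAIL_JUMPS = re.compile(rb"\x78(.)\x75\x03\xFF\x63\x0C", re.DOTALL)


def find_fsg2_markers(image: bytes, base_va: int):
    """Locate the FSG 2.0 stub and its final JMP [EBX+C] in a memory image.

    Returns a dict of virtual addresses, or None if either pattern is absent
    or the JS does not branch backwards into the unpacking loop.
    """
    start = STUB_START.search(image)
    if start is None:
        return None
    tail = TAIL_JUMPS.search(image, start.end())
    if tail is None:
        return None
    js_va = base_va + tail.start()
    rel8 = int.from_bytes(tail.group(1), "little", signed=True)
    if rel8 >= 0:
        return None
    return {
        "stub_va": base_va + start.start(),
        "saved_esp_slot": int.from_bytes(start.group(1), "little"),
        "loop_target_va": js_va + 2 + rel8,  # rel8 counts from the next instruction
        "oep_jump_va": js_va + 4,            # skip JS (2 bytes) and JNZ (2 bytes)
    }


# Constructed sample: the page's bytes placed at their listed addresses,
# with NOP filler (not real FSG code) in between.
BASE_VA = 0x400154
SAMPLE = (bytes.fromhex("87254C734000619455").ljust(0x4001CD - BASE_VA, b"\x90")
          + bytes.fromhex("78F37503FF630C"))

if __name__ == "__main__":
    for name, va in find_fsg2_markers(SAMPLE, BASE_VA).items():
        print(f"{name}: {va:#010x}")
```

On the constructed sample the reported addresses match the listings: the stub at 0x400154, the saved-ESP slot at 0x40734C, the loop target at 0x4001C2 and the final jump at 0x4001D1.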