Unpacking and Inline Patching FSG v1.0

Hi, does anyone have any information, or know where I can get information on unpacking (manually) and inline patching FSG v1.0? I've searched on the internet, but only managed to find (in French) an unpacking tutorial for FSG v1.33, I've also tried searching here but to no avail, so if I have inadvardently looked over the topic, my apologies.

Hi
i have done that once... the problem is that FSG is optimized a max...
the only solution a come out is adding my own code in the third section...
but i'm sure there is another way...

Regards

[JMI]

Using "FSG + tut*" I found a short comment on unpacking FSG 1.33 in English at:

http://www.geocities.com/r_etarded/ollydump.html

Essentially, it says:

You can analyst the decompression routine to find the OEP or simply just using OllyDump Tracing feature.
Just load keygenme.fsg.exe (4,288 bytes). small enough eh ;-).
Dont press anything yet, choose 'Find OEP by Section Hop (Trace Over)' or (Trace Into).
I think Trace Over is faster but Trace Into is safer. Am i right?
Just wait and see. Module entrypoint
After the tracer found the OEP, Olly will break and this time you may dump it succesfully, using OLLYDUMP.

FSG 1.33 was written back in 2002 and I doubt you will find much discussing earlier versions of the software, but who knows what through searching might find. I only spend a few minutes.

Regards,

Thanks a lot guys, I just believe in been able to unpack (manually) a protection before I use automation.

[bgrimm]

Greetings,

I seem to recall a tutorial by Hacnho, his first unpackme,
was manually unpacking FSG 1.0.

I was unable to find the past post thru searching although
I'm sure it was on exetools.

I've got it around here somewhere, ah yes.
I'll attach it to this post (i hope, first attempt at uploading).
If it is not present I will follow up this post with the file.

-bg

EDIT: I did find the post (duh, simple search of Hacnho's posts)
Here is the link to the original post:
http://www.exetools.com/forum/showthread.php?t=3764&highlight=hacnho


To Admin, sorry for the file upload wasting space as the
file is available thru original post. please delete as needed.

[JMI]

Well there's another good lesson for merliN spelled backwards. "Try the search button here".

Actually in my own search, I did see hac Nho's original tut in what I assumed was Vietnamese on his website. Assuming that Nilrem's Vietnamese was not as good as my own (which is pretty rusty), I had not included it in my previous reply.

Regards,

[TQN]

This method of hacnho can only applied with a small and simple packed exe. OllyDbg will fail when tracing with a large, complex exe. For example, I download FSG 1.0 from this site (ExeTools), pack the Stud_PE and trace with OllyDbg. Failed to find OEP.
We can use PEiD to find OEP. PEiD will find the correct OEP with packed Stud_PE. The plugin "PEiD Generic Unpacker" of PEiD can automatic unpack the FSG 1.0 packed EXE. However, PEiD sometime will fail on a console, packed Exe.
Another way is same as JMI way, use OllyDump to find OEP by "Find OEP by Section Hop (xxx)", but it take a long time.
QUnpack of FEUERRADER can find the correct OEP of Stud_PE packed, but it failed when unpack.
With the OEP found, you can he or bp on it, dump with OllyDump and rebuild IAT with ImpRec.
I am finding the manual way to find the OEP of FSG 1.0 packed exe. If I success, I will post information here.
Regards

[bgrimm]

Quote:

Originally Posted by TQN

This method of hacnho can only applied with a small and simple packed exe. OllyDbg will fail when tracing with a large, complex exe. For example, I download FSG 1.0 from this site (ExeTools), pack the Stud_PE and trace with OllyDbg. Failed to find OEP.

Your post intrigued me as I had not experimented much beyond "simple" apps with FSG.
I downloaded Stud_PE 1.8.0 (file size 663,552 bytes), I assume that was your target?

Then compressed it with FSG 1.0 resulting in a packed exe 288,864 bytes in size.

I loaded it into Olly (1.10s2) and let it trace bytewise to entry, stopping at OEP.
After a long time, in the order of 10 minutes or so, it arrived on the OEP.

---> OEP 0039F14 <55 PUSH EBP>
(Note: Same as reported by PEiD)

Dumped with OllyDump 2.21.108, no rebuild.
Fixed Imps with ImpRec, all valid.

Ended with an ugly, but fully functional Unpacked Stud_PE.exe (983,040 bytes)

Just for kicks I FSG'd several misc apps (MASM & VC4-6)
Ran them all thru Olly in the way described above. And resolved all OEP's correctly.
I did hit a few snags after OEP on a few of the test apps,
(Note: due to 1-year old daughter clearing off desk rapidly at this moment I must be brief)

One app, PEid did not report the correct OEP with generic OEP finder.
One app, dumped ok, but could not rebuild imports with ImpRec even though all valid.
(haven't had time to look into why)

I to am interested in finding the manual way to OEP and will continue testing
when time allows.

-bg

Thankyou bgrimm, and yes JMI it is a good lesson, and suprisingly one which I have already learnt, unfortunately and obviously I cannot have searched very well as my search result turned up nothing. Oh woe is me... heh. TQN thanks for the information, I'm currently using OllyDump for this; I eagerly await your findings on a way to manually find the oep.