Writing your own unpacker for FSG (Fast Small and Good) is a classic rite of passage in reverse engineering. This tutorial teaches you how to move away from generic automated tools and write a programmatic, custom script or utility to unpack FSG-compressed Windows Executables (PE files) manually.
The workflow is broken down into identifying how the packer behaves, finding the target jump, and programming the automation.

Core Mechanics of FSG
FSG is widely known for its extremely compact unpacking stubs, heavily utilizing custom assembly optimizations (like xchg instructions to manipulate the stack pointer). It typically uses a variation of the aPLib compression library to store payload data inside its modified sections. When an FSG-packed binary runs, the stub:

1. Allocates memory or uses existing header space.
2. Decompresses the original code back into the memory sections.
3. Resolves the Import Address Table (IAT) dynamically using APIs like LoadLibraryA and GetProcAddress.
4. Executes a Tail Jump to land directly onto the Original Entry Point (OEP).

Phase 1: Finding the Tail Jump & OEP
Before you can program an unpacker, you must understand the exact location where the stub hands execution back to the program.
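The decompression step listed under Core Mechanics is the part a custom unpacker has to reimplement once the packed blob is located. The following is an added example, not code from the original post: a Python port of the reference aPLib depacker (the bit-tag and block layout of aPLib's depack.c), with a hand-constructed input stream rather than data from a real FSG sample. FSG ships a modified variant of aPLib, so treat this as the baseline to adapt, not as FSG's exact format.

```python
def aplib_depack(src: bytes) -> bytes:
    """Reference aPLib depack (added example; FSG uses a modified variant)."""
    stream = iter(src[1:])         # tag bytes and literal/offset bytes interleave
    out = bytearray([src[0]])      # first byte is always stored verbatim
    tag, count = 0, 0
    def bit() -> int:              # next tag bit, MSB first
        nonlocal tag, count
        if count == 0:             # tag byte exhausted: load the next one
            tag, count = next(stream), 8
        count -= 1
        tag <<= 1                  # the bit that crossed into bit 8 is the next bit
        return (tag >> 8) & 1

    def gamma() -> int:            # value bit, then continue bit, until a 0
        r = 1
        while True:
            r = (r << 1) + bit()
            if not bit():
                return r

    def copy(offs: int, n: int) -> None:  # byte-wise so overlapping copies repeat
        for _ in range(n):
            out.append(out[-offs])
    r0, lwm = -1, 0                # last match offset, "last block was a match"
    while True:
        if not bit():              # 0   : literal byte
            out.append(next(stream))
            lwm = 0
        elif not bit():            # 10  : gamma offset (+ low byte), gamma length
            offs = gamma()
            if lwm == 0 and offs == 2:  # repeat the previous offset
                copy(r0, gamma())
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + next(stream)
                n = gamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                copy(offs, n)
                r0 = offs
            lwm = 1
        elif not bit():            # 110 : one-byte offset, length 2 or 3
            offs = next(stream)
            n, offs = 2 + (offs & 1), offs >> 1
            if offs == 0:          # zero offset here is the end-of-stream marker
                return bytes(out)
            copy(offs, n)
            r0, lwm = offs, 1
        else:                      # 111 : 4-bit offset, copy one byte (0 writes 0x00)
            offs = sum(bit() << (3 - i) for i in range(4))
            out.append(out[-offs] if offs else 0)
            lwm = 0
```

A constructed stream such as `bytes.fromhex("415242026E055800")` exercises every block type and decodes to `b"ABABABABABAB"`; feeding the function a slice of a packed section is the next step once the blob's file offset is known.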