[Title] Manual unpacking, part 15: FSG 1.33
[Author] weiyi75 [Dfcg]
[Author mailbox] weiyi75@sohu.com
[Author's homepage] Dfcg official base camp
[Tools] PEiD, OllyDbg, ImportREC, LordPE
[Unpacking platform] Win2K/XP
[Software name] Unpackme
[Software overview] An unpacking exercise program written in VB by Loveboom and compressed with FSG.
Software size: 2.65 KB
FSG 1.33.rar
[Packer identified] FSG 1.33 -> dulek/xt
[Protection method] FSG compression shell
[Unpacking statement] I am just a newbie, sharing a little with you :)
--------------------------------------------------------------------------------
[Unpacking walkthrough]
First, check with PEiD: FSG 1.33 -> dulek/xt. Load in OD and run: no exception is raised, so I judge it to be a plain compression shell.
00404B58> BE A4014000 mov esi, fsg1_33.004001A4 // packer entry point.
00404B5D AD lods dword ptr ds: [esi]
00404B5E 93 xchg eax, ebx
00404B5F AD lods dword ptr ds: [esi]
00404B60 97 xchg eax, edi
00404B61 AD lods dword ptr ds: [esi]
00404B62 56 push esi
00404B63 96 xchg eax, esi
00404B64 B2 80 mov dl, 80
00404B66 A4 movs byte ptr es: [edi], byte ptr ds: [esi]
00404B67 B6 80 mov dh, 80
00404B69 FF13 call dword ptr ds: [ebx]
00404B6B ^ 73 F9 jnb short fsg1_33.00404B66
00404B6D 33C9 xor ecx, ecx
00404B6F FF13 call dword ptr ds: [ebx]
00404B71 73 16 jnb short fsg1_33.00404B89
00404B73 33C0 xor eax, eax
00404B75 FF13 call dword ptr ds: [ebx]
00404B77 73 1F jnb short fsg1_33.00404B98
Open the memory map. The code currently executing lives in the section at 404000, the one holding the SFX stub, imports and resources. A memory breakpoint on the image does not help here. The stub also does not use PUSHAD or anything similar, so the ESP trick cannot be used either. FSG 1.33 is said to have a variant as well. Single-stepping through the data takes far too long, and API breakpoints are slow.
The best way to deal with it is conditional tracing: since the stub has no SEH, tracing is the better choice.
Memory map, item 13
Address = 00404000
Size = 00001000 (4096 .)
Owner = fsg000033 00400000
Section =
Contains = SFX, imports, resources // execution is currently in this section at 404000.
Type = Imag 01001002
Access = R
Initial access = RWE
Memory map, item 12
Address = 00401000
Size = 00003000 (12288 .)
Owner = fsg000033 00400000
Section =
Contains = code // The OEP must be in the code section. However long FSG loops inside the SFX/imports/resources section while decompressing, it must eventually cross over into the code section at 401000.
Type = Imag 01001002
Access = R
Initial access = RWE
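The memory map above shows the tell-tale layout of a compressed executable: the entry point sits in the last section rather than in the code section, both sections are unnamed, and both are mapped read-write-execute. Those three facts can be checked statically from the PE headers, which is how a triage script would flag such a sample before anyone opens a debugger. The following is an added example written for this page, not code from the author; it parses the section table with the standard library only and runs the checks against a constructed header that mirrors the map in the text (entry 00404B58, sections at 401000/3000 and 404000/1000, empty names, RWE). The flag values are the IMAGE_SCN_* constants from the PE specification; the assumption that the first section is the code section is the same one the author makes for the OEP.

```python
import struct

# Section characteristic flags from the PE specification (IMAGE_SCN_*)
SCN_CNT_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (image_base, entry_rva, sections) read from the raw PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                        # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i         # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "vsize": vsize or rawsize,        # some packers leave VirtualSize at 0
            "chars": chars,
        })
    return image_base, entry_rva, sections


def assess_entry_point(data):
    """Flag the packer layout seen in the text: EP outside the first (code) section,
    in the last section, in an unnamed section, or in a writable+executable section."""
    image_base, entry_rva, sections = parse_pe(data)
    ep_index = None
    for i, s in enumerate(sections):
        if s["vaddr"] <= entry_rva < s["vaddr"] + s["vsize"]:
            ep_index = i
            break
    findings = []
    if ep_index is None:
        findings.append("entry point lies outside every section")
    else:
        s = sections[ep_index]
        if ep_index > 0 and ep_index == len(sections) - 1:
            findings.append("entry point is in the last section")
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            findings.append("entry section is writable and executable")
        if not s["name"]:
            findings.append("entry section has an empty name")
    # Assumption (same as the author's): the first section is the real code section,
    # so this is the address range a trace-to-OEP condition should wait for.
    first = sections[0]
    code_range = (image_base + first["vaddr"], image_base + first["vaddr"] + first["vsize"])
    return {"entry_va": image_base + entry_rva, "ep_section": ep_index,
            "code_range": code_range, "findings": findings, "suspicious": bool(findings)}


def build_sample_pe(packed=True):
    """Constructed minimal PE header (not a real executable) mirroring the memory map
    in the text; packed=False builds a conventional .text/.rsrc layout for comparison."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)           # ImageBase
    rwe = SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE
    if packed:
        struct.pack_into("<I", opt, 16, 0x4B58)           # AddressOfEntryPoint -> 00404B58
        secs = [(b"", 0x3000, 0x1000, rwe), (b"", 0x1000, 0x4000, rwe)]
    else:
        struct.pack_into("<I", opt, 16, 0x1000)
        secs = [(b".text", 0x3000, 0x1000, SCN_CNT_CODE | SCN_MEM_READ | SCN_MEM_EXECUTE),
                (b".rsrc", 0x1000, 0x4000, SCN_MEM_READ)]
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, c)
                    for n, vs, va, c in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    for label in ("packed", "clean"):
        print(label, assess_entry_point(build_sample_pe(packed=(label == "packed"))))
```

On the constructed packed header the script reports the entry point at 00404B58 in section 1 (the last one), flags it as writable+executable and unnamed, and gives 00401000..00404000 as the code range the trace has to reach; the clean layout produces no findings. A real sample is read with `open(path, "rb").read()` and passed to `assess_entry_point` unchanged.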
So, on the command line:
Tc eip
00404B79 B6 80 mov dh, 80
00404B7B 41 inc ecx
00404B7C B0 10 mov al, 10
........
Command line
Bp GetModuleHandleA
77E6AB06>