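/*

Detach Father from Child + Patch Crypto Process + CopyMem2

Credits go to Ricardo, Hippu, Tenketsu and VolX for their scripts and ideas.

ODbgScript (OllyDbg script) - the OllyDbg debuggee is the *parent* ("father")
process, which in turn debugs its own child.  Everything below runs in the
parent's address space; the child is only reached through the parent's
WriteProcessMemory calls.

Target / ABI assumptions (32-bit, stdcall):
  - Hardware breakpoints are set on the ENTRY of kernel32 APIs, so when one
    hits, [esp] is the return address and [esp+4], [esp+8], ... are the
    arguments in declaration order.
  - WaitForDebugEvent(lpDebugEvent, dwMilliseconds):
        [esp+4]  = lpDebugEvent (pointer to a DEBUG_EVENT)
  - WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpWritten):
        [esp+8]  = lpBaseAddress (where in the child the block lands)
        [esp+C]  = lpBuffer      (the parent's copy of that block)
        [esp+10] = nSize         (length of the block)
  - The debuggee is a PE32 image with the standard E0-byte optional header,
    i.e. the section table starts at NT headers + F8.  SizeOfOptionalHeader
    is NOT read, so a non-standard header size would break CodeBegin/DataBegin.
  - Parent and child are assumed to share the same image layout (CodeBegin /
    DataBegin of the parent are compared against fields describing the child).

Flow:
  1. Resolve the three kernel32 APIs and the first two section bases.
  2. Run to the parent's WaitForDebugEvent and record the DEBUG_EVENT pointer
     plus three field addresses inside it.
  3. Run to the next WriteProcessMemory, map the child's OEP into the parent's
     write buffer and overwrite it with EB FE (jmp $) so the child spins at OEP.
     The OEP is first checked to lie inside that write buffer.
  4. Locate the "crypto" call sequence in the current memory block and NOP it.
  5. Replace the parent's WaitForDebugEvent call with a small injected loop
     that bumps the recorded event fields by 1000h per pass until the data
     section is reached, then calls DebugActiveProcessStop(ChildProcessID).

Any failure stops the script with a message instead of patching blindly.

*/


//Variable Declarations

var WaitForDebugEvent                   // kernel32!WaitForDebugEvent (parent)
var WriteProcessMemory                  // kernel32!WriteProcessMemory (parent)
var DebugActiveProcessStop              // kernel32!DebugActiveProcessStop (parent)
var PEHeaderBase                        // VA of the parent's IMAGE_NT_HEADERS
var ImageBase                           // parent's module base
var CodeBegin                           // VA of the parent's 1st section
var DataBegin                           // VA of the parent's 2nd section
var ProcessDebugEvent                   // lpDebugEvent passed to WaitForDebugEvent
var ProcessBuffer                       // (unused, kept for compatibility with older versions)
var ChildProcessID                      // DEBUG_EVENT.dwProcessId of the child
var ChildOEP                            // value read from [OEPOffset1]
var OEPBytes                            // dword originally at the child's OEP (read from the parent's buffer)
var OEPOffset1                          // ProcessDebugEvent + 18
var OEPOffset2                          // ProcessDebugEvent + 24
var OEPOffset3                          // ProcessDebugEvent + 28
var CryptoProcess                       // address of the "crypto" call sequence
var Address                             // WriteProcessMemory.lpBaseAddress
var Buffer                              // WriteProcessMemory.lpBuffer
var WriteSize                           // WriteProcessMemory.nSize
var WriteEnd                            // Address + WriteSize (exclusive end of the written block)
var PatchEnd                            // ChildOEP + 2 (exclusive end of the EB FE patch)
var Patch1                              // cursor for the patch around the WaitForDebugEvent call site
var Patch2                              // cursor for the injected loop at CodeBegin
var temp1                               // ChildOEP translated into the parent's write buffer


//Setup

dbh                                     // hide the debugger from the debuggee

msg "Clear all breakpoints, and Set Ollydbg to pass all exceptions,\r\nand add custom exceptions C0000005, C000001D, C000001E and C0000096, press OK to continue."

// gpa leaves 0 in $RESULT when the export cannot be resolved; a 0 here would
// later become a hardware breakpoint at address 0, so bail out instead.
gpa "WaitForDebugEvent", "kernel32.dll"
cmp $RESULT, 0
je Error2
mov WaitForDebugEvent, $RESULT

gpa "WriteProcessMemory", "kernel32.dll"
cmp $RESULT, 0
je Error2
mov WriteProcessMemory, $RESULT

gpa "DebugActiveProcessStop", "kernel32.dll"
cmp $RESULT, 0
je Error2
mov DebugActiveProcessStop, $RESULT


//Get Section Bases

gmi eip, MODULEBASE
mov ImageBase, $RESULT
mov PEHeaderBase, ImageBase
add PEHeaderBase, 3C                                     // IMAGE_DOS_HEADER.e_lfanew
mov PEHeaderBase, [PEHeaderBase]
add PEHeaderBase, ImageBase                              // PEHeaderBase = VA of IMAGE_NT_HEADERS

// Section table = NT headers + 4 (Signature) + 14 (FileHeader) + E0 (PE32 OptionalHeader) = +F8.
// Each IMAGE_SECTION_HEADER is 28 bytes; VirtualAddress is at +C inside it.
mov CodeBegin, PEHeaderBase
add CodeBegin, 104                                       // F8 + C: 1st section VirtualAddress
mov CodeBegin, [CodeBegin]
add CodeBegin, ImageBase

mov DataBegin, PEHeaderBase
add DataBegin, 12C                                       // F8 + 28 + C: 2nd section VirtualAddress
mov DataBegin, [DataBegin]
add DataBegin, ImageBase

log CodeBegin
log DataBegin


// Begin Unpacking

// Let the parent perform its first WriteProcessMemory, then stop on the
// following WaitForDebugEvent so the DEBUG_EVENT pointer can be captured.
bphws WriteProcessMemory, "x"
erun

bphwc WriteProcessMemory
bphws WaitForDebugEvent, "x"
erun


// Get Information at WaitForDebugEvent

bphwc WaitForDebugEvent
mov ProcessDebugEvent, esp
add ProcessDebugEvent, 04
mov ProcessDebugEvent, [ProcessDebugEvent]               // lpDebugEvent (1st argument)
// The three addresses below point into the union part of the DEBUG_EVENT.
// Which fields they are depends on the event code at that moment; the script
// treats [OEPOffset1] as the child's OEP - confirm against the target.
mov OEPOffset1, ProcessDebugEvent
add OEPOffset1, 18
mov OEPOffset2, ProcessDebugEvent
add OEPOffset2, 24
mov OEPOffset3, ProcessDebugEvent
add OEPOffset3, 28
log ProcessDebugEvent
log OEPOffset1
log OEPOffset2
log OEPOffset3


// Get Child Process ID and Child OEP

// Next WriteProcessMemory is expected to carry the block that contains the OEP.
bphws WriteProcessMemory, "x"
erun

bphwc WriteProcessMemory
mov ChildProcessID, ProcessDebugEvent
add ChildProcessID, 04
mov ChildProcessID, [ChildProcessID]                     // DEBUG_EVENT.dwProcessId
mov ChildOEP, [OEPOffset1]


// Get Stack Info (WriteProcessMemory arguments)

mov Address, esp
add Address, 08
mov Address, [Address]                                   // lpBaseAddress
log Address

mov Buffer, esp
add Buffer, 0C
mov Buffer, [Buffer]                                     // lpBuffer
log Buffer

mov WriteSize, esp
add WriteSize, 10
mov WriteSize, [WriteSize]                               // nSize
log WriteSize


// Patch OEP of Child

// The OEP can only be patched through this call if it lies inside
// [Address, Address + WriteSize).  Otherwise temp1 would point outside
// lpBuffer and the 2-byte write below would corrupt unrelated parent memory.
mov WriteEnd, Address
add WriteEnd, WriteSize
cmp ChildOEP, Address
jb Error3
mov PatchEnd, ChildOEP
add PatchEnd, 02                                         // the patch is 2 bytes (EB FE)
cmp PatchEnd, WriteEnd
ja Error3

mov temp1, ChildOEP
sub temp1, Address
add temp1, Buffer                                        // temp1 = lpBuffer + (ChildOEP - lpBaseAddress)
mov OEPBytes, [temp1]                                    // dword read: shown little-endian ("Inverted") in the final message
log "OEP of Child Process was patched to EBFE"
log ChildOEP
log ChildProcessID
mov [temp1], #EBFE#                                      // jmp $ : the child will spin at its OEP once this block is written


// Find and patch Crypto Proc

rtr                                                      // return from WriteProcessMemory to its caller
sti
gmemi eip, MEMORYBASE
mov CryptoProcess, $RESULT
find CryptoProcess, #8B048A50E8????????83C40C#           // "mov eax, dword ptr ds:[edx+ecx*4]" "push eax" "call XXXXXXXX" "add esp,0c"
cmp $RESULT, 0
je Error1
mov CryptoProcess, $RESULT
add CryptoProcess, 04                                    // skip 8B 04 8A (3 bytes) + 50 (1 byte): now at the E8 call
mov [CryptoProcess], #9090909090#                        // 5 NOPs over the 5-byte call rel32
log CryptoProcess
log "Crypto Process was nopped."

eval "Successfully Patched OEP = {ChildOEP} of Child Process (PID= {ChildProcessID}) from {OEPBytes} (Inverted) to EBFE.\r\n\r\nCheck log for more info. Press OK to continue." 
msg $RESULT


// Patch CopyMemII and WaitForDebugEvent

bphws WaitForDebugEvent, "x"
erun

bphwc WaitForDebugEvent

// Patch1 starts 12h bytes before the return address, i.e. over the call and
// the argument pushes that precede it (assumed to be exactly 12h bytes long -
// confirm for this target).
mov Patch1, [esp]                                        // return address of the WaitForDebugEvent call
sub Patch1, 12
log Patch1
mov [Patch1], #909090909090909090909090909090909090#     // 12h NOPs: [ret-12h, ret)
add Patch1, 14                                           // = ret + 2: the first 2 bytes after the call are left intact (presumably a 2-byte instruction - confirm)
eval "jmp {CodeBegin}"
asm Patch1, $RESULT                                      // 5-byte jmp rel32 into the injected loop
add Patch1, 05
eval "nop"
asm Patch1, $RESULT                                      // Patch1 = ret + 7; the injected loop's jnz comes back here

// Injected loop, written over the start of the parent's code section
// (assumes those bytes are no longer needed - confirm).  The stride after
// each asm equals the instruction's encoded length:
//   add/cmp dword [disp32], imm32 = 10 bytes, jnz rel32 = 6, push imm32 = 5, call rel32 = 5.
mov Patch2, CodeBegin
eval "add dword [{OEPOffset1}],1000"
asm Patch2, $RESULT
add Patch2, 0A
eval "add dword [{OEPOffset2}],1000"
asm Patch2, $RESULT
add Patch2, 0A
eval "add dword [{OEPOffset3}],1000"
asm Patch2, $RESULT
add Patch2, 0A
eval "cmp dword [{OEPOffset3}],{DataBegin}"              // stop once the data section is reached
asm Patch2, $RESULT
add Patch2, 0A
eval "jnz {Patch1}"                                      // not done yet: continue in the parent's own loop after the call site
asm Patch2, $RESULT
add Patch2, 06
eval "push {ChildProcessID}"
asm Patch2, $RESULT
add Patch2, 05
eval "call {DebugActiveProcessStop}"                     // detach the parent from the child
asm Patch2, $RESULT
add Patch2, 05
eval "nop"
asm Patch2, $RESULT                                      // Patch2 now = the nop right after the call: breakpoint target below

// Prime the three fields one page below CodeBegin so the loop's first
// "add 1000" lands exactly on CodeBegin.
sub CodeBegin, 1000
mov [OEPOffset1], CodeBegin
mov [OEPOffset2], CodeBegin
mov [OEPOffset3], CodeBegin

//go [esp]

// Skip the real WaitForDebugEvent call by resuming at its return address.
// NOTE(review): esp is not adjusted here (return address and both arguments
// stay pushed) - confirm the patched code path tolerates that.
mov eip, [esp]
bphws Patch2, "x"                                        // break after DebugActiveProcessStop has returned
erun

bphwc Patch2
msg "Script Completed Successfully! More Info in Log. Have fun!"
jmp End


Error1:
msg "Can't find Crypto Process call!"
jmp End

Error2:
msg "Can't resolve a required kernel32 export (WaitForDebugEvent / WriteProcessMemory / DebugActiveProcessStop)!"
jmp End

Error3:
msg "Child OEP is not inside this WriteProcessMemory block - OEP was NOT patched. Check log (Address / Buffer / WriteSize)."

End:
ret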