/*

DETACH FARTHER - METHOD TENKETSU - VER 0.1

AUTHOR: BENINA

Modified hipu' Script by BENINA (HTTP://REAONLINE.NET/FORUM)



Armadillo script - detach parent from client and unpack (1000 bytes method tenketsu) 



Debugging Option: Ignore custom exceptions: 0EEDFDE;C0000001..C0009898;80000004



hipu said:



MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!! 



ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.

do whatever is needed if u dont use the plugin...



Thanz to Ricardo,Tenketsu and hipu



*/





//////////////////////////

// To declare vars

/////////////////////////



var WaitForDebugEvent

var WriteProcessMemory

var pDebugEvent

var pBuffer

var child_ProcID

var oep_offset1

var oep_offset2

var oep_offset3

var crypto_proc

var child_OEP

var patched_line1

var imgbase

var rdata_begin

var text_begin

var text_patch

var tb_report1

var tb_report2

var tb_report3

var tb_report4

var tb_report5

var tb_report6

var addr_1000

var buffer_1000

var temp

var temp1

var temp2

var temp3

var temp4



//////////////////////////////////////

// Find rdata_begin or (data_begin)

/////////////////////////////////////



gmi eip,MODULEBASE

mov imgbase, $RESULT 

mov rdata_begin, imgbase

find rdata_begin, #4441544100#  //find "DATA" string

cmp $RESULT,0

jne lbcontinue



find rdata_begin, #2E726461746100#  //find ".rdata" string

cmp $RESULT,0

jne lbcontinue



find rdata_begin, #2E6461746100#  //find ".data" string

cmp $RESULT,0

jne lbcontinue

jmp no_run_script

lbcontinue:

mov rdata_begin, $RESULT 

add rdata_begin, 0c

mov rdata_begin, [rdata_begin]

add rdata_begin, imgbase

log rdata_begin



/////////////////////////////////

// Find text_begin

////////////////////////////////





gmi eip,MODULEBASE

mov imgbase, $RESULT 

mov text_begin, imgbase

find text_begin, #434F444500#  //find "CODE" string

cmp $RESULT,0

jne lbcontinue2



find text_begin, #2E7465787400#  //find ".text" string

cmp $RESULT,0

jne lbcontinue2

jmp no_run_script



lbcontinue2:



mov text_begin, $RESULT 

add text_begin, 0c

mov text_begin, [text_begin]

add text_begin, imgbase

log text_begin





/////////////////////////////////////////////////////

//eob found_WaitForDebugEvent WriteProcessMemory

////////////////////////////////////////////////////



gpa "WaitForDebugEvent", "kernel32.dll" 

mov WaitForDebugEvent, $RESULT

gpa "WriteProcessMemory", "kernel32.dll" 

mov WriteProcessMemory, $RESULT





///////////////////////////////////////

//Armadillo check bp first 5 bytes so:

///////////////////////////////////////





add WriteProcessMemory,5

bp WriteProcessMemory

run

bc WriteProcessMemory

sub WriteProcessMemory,5





//////////////////////////////////////////////

//Get infomation at bp Call WaitForDebugEvent

/////////////////////////////////////////////





bp WaitForDebugEvent

run

bc WaitForDebugEvent





mov pDebugEvent, esp

add pDebugEvent, 04

mov pDebugEvent, [pDebugEvent]

log pDebugEvent



mov oep_offset1, pDebugEvent

add oep_offset1, 18

mov oep_offset2, pDebugEvent

add oep_offset2, 24

mov oep_offset3, pDebugEvent

add oep_offset3, 28







////////////////////////////////////////

// Find Child_ProcID and child_OEP

///////////////////////////////////////



bp WriteProcessMemory

run

bc WriteProcessMemory







mov child_ProcID, pDebugEvent

add child_ProcID, 4

mov child_ProcID, [child_ProcID]

mov child_OEP, [oep_offset1]



///////////////////////////////////

//Save info Table report 

///////////////////////////////////





mov tb_report1,[pDebugEvent]



mov tb_report2,pDebugEvent

add tb_report2,4

mov tb_report2,[tb_report2]



mov tb_report3,pDebugEvent

add tb_report3,8

mov tb_report3,[tb_report3]



mov tb_report4,pDebugEvent

add tb_report4,C

mov tb_report4,[tb_report4]



mov tb_report5,pDebugEvent

add tb_report5,10

mov tb_report5,[tb_report5]



mov tb_report6,pDebugEvent

add tb_report6,14

mov tb_report6,[tb_report6]



////////////////////////////////////////////////////

//Get info in stack at bp Call WriteProcessMemory

///////////////////////////////////////////////////





mov addr_1000,esp

add addr_1000,8

mov addr_1000,[addr_1000]

log addr_1000



mov buffer_1000,esp

add buffer_1000,C

mov buffer_1000,[buffer_1000]

log buffer_1000



/////////////////////////////////

//Patch OEP of Son to EBFE 

/////////////////////////////////



mov temp,child_OEP

sub temp,addr_1000

add temp,buffer_1000

mov temp1,[temp]

and temp1,FFFF



eval "Bytes patched at OEP of Son (to invert the bytes order)  : {temp1}"

msg $RESULT

log $RESULT



fill temp,1,eb

add temp,1

fill temp,1,fe







///////////////////////////

// FIND ENCRYPTOR

///////////////////////////



mov crypto_proc, esp

add crypto_proc, 128

mov crypto_proc, [crypto_proc]

add crypto_proc, 2d0

mov [crypto_proc], #9090909090#

rtr	//ctrl-f9

sto	//f8





///////////////////////

//Log info to win log

//////////////////////



log "crypto_proc was nopped..."

log "patched OEP of child process to EBFE"

log child_ProcID

log child_OEP









log "press script/resume when ready"

eval "Patched successful OEP={child_OEP} of child process (PID= {child_ProcID}) to EBFE !!!!.More Info in Window Log.Press button OK to continues!"

msg $RESULT





////////////////////////////////////////////////////////////////

//Patch jump to section .text and call WaitForDebugEvent

///////////////////////////////////////////////////////////////



bp WaitForDebugEvent

run

bc WaitForDebugEvent



mov patched_line1, [esp]

mov temp,patched_line1

sub temp,11

fill temp,1,01

add temp,1

fill temp,1,00



eval "jmp {text_begin}"

asm patched_line1,$RESULT



add patched_line1,5



fill patched_line1,3,90







//////////////////////////////////////

//Patch in section .text (or CODE)

//////////////////////////////////////



mov text_patch, text_begin

mov temp2,pDebugEvent



eval "mov dword [{temp2}],{tb_report1}"

asm text_patch,$RESULT



add temp2,4

add text_patch,A

eval "mov dword [{temp2}],{tb_report2}"

asm text_patch,$RESULT



add temp2,4

add text_patch,A

eval "mov dword [{temp2}],{tb_report3}"

asm text_patch,$RESULT



add temp2,4

add text_patch,A

eval "mov dword [{temp2}],{tb_report4}"

asm text_patch,$RESULT



add temp2,4

add text_patch,A

eval "mov dword [{temp2}],{tb_report5}"

asm text_patch,$RESULT



add temp2,4

add text_patch,A

eval "mov dword [{temp2}],{tb_report6}"

asm text_patch,$RESULT



add text_patch,A

mov temp3,text_patch

eval "add dword [{oep_offset1}],1000"

asm text_patch,$RESULT



add text_patch,A

eval "add dword [{oep_offset2}],1000"

asm text_patch,$RESULT



add text_patch,A

eval "add dword [{oep_offset3}],1000"

asm text_patch,$RESULT

/////////////////////////////////////////////////

add text_patch,A

eval "cmp dword [{oep_offset3}],{addr_1000}"

asm text_patch,$RESULT



add text_patch,A

eval "je {temp3}"

asm text_patch,$RESULT



add text_patch,2

eval "cmp dword [{oep_offset3}],{rdata_begin}"

asm text_patch,$RESULT



add text_patch,A

eval "jnz {patched_line1}"

asm text_patch,$RESULT



add text_patch,6

eval "push {child_ProcID}"

asm text_patch,$RESULT



add text_patch,5

eval "CALL DebugActiveProcessStop"

asm text_patch,$RESULT



add text_patch,5

eval "NOP"

asm text_patch,$RESULT





//////////////////////////////

//Patch in Table report at :

//////////////////////////////



sub text_begin,1000

mov [oep_offset1], text_begin

mov [oep_offset2], text_begin

mov [oep_offset3], text_begin



//////////////////////////////////

//go [esp](New origin here)

///////////////////////////////////

mov eip, [esp]





//////////////////////////

// Set bp F2 at

/////////////////////////



bp text_patch

run

bc text_patch



msg "Successful!.Close OllyDbg, execute again and attach to your newely created process.More Info in Window Log. Have fun."

jmp theend



//////////////////////////////////

no_run_script:

msg "This srcipt don't run with this file. Plz Close Olly.Sorry!"





///////////////////////////////

theend:

ret

