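//
// Script that patches BFG games in memory (OllyScript / ODbgScript).
//
// Manual path this script automates:
//
//  a) bp on OpenMutexA
//  b) on first break, Alt+F9, sub 4E1 from EIP and set bp there
//  c) run and break on 2nd OpenMutexA call
//  d) remove bp, Alt+F9, patch JNZ to JZ or JMP
//  e) run, break on PUSH ECX (where our section address is)
//  f) trace a bit (2xF7) to get EDX
//  g) patch [EDX+1BD7C] from JE to JMP to skip TerminateProcess
//
// NOTE: the offsets 4E1 and 1BD7C, and the byte patterns expected at the patch
// sites, are specific to the build this was written against; for another build
// re-derive them with the steps above. The script verifies what it can before
// writing so that a mismatching build aborts with a message instead of
// corrupting code at a wrong address.
//

var tmp             // scratch: EIP / current patch address
var tmp2            // keeps the PUSH ECX breakpoint address (tmp is reused later)
var OMA             // address of kernel32!OpenMutexA
var orig            // bytes found at a patch site, checked before writing

gpa "OpenMutexA","kernel32.dll"     // resolve OpenMutexA; $RESULT is 0 if not found
mov OMA,$RESULT
cmp OMA,0
je  no_api                          // never set a breakpoint at address 0

bp  OMA                             // break on OpenMutexA
esto                                // Shift+F9: run, passing exceptions to the debuggee
rtu                                 // Alt+F9: return to user code after the 1st call
mov tmp,eip
sub tmp,4E1                         // build-specific: the PUSH ECX we want to stop at
mov tmp2,tmp                        // tmp is overwritten below, keep the bp address here
bp  tmp2

esto                                // run until the 2nd OpenMutexA call
bc  OMA                             // OpenMutexA bp no longer needed
rtu                                 // back in user code; EIP should sit on TEST EAX,EAX / JNZ
mov tmp,eip

// Debug-Blocker: expect TEST EAX,EAX / JNZ rel32 (bytes 85 C0 0F 85) at EIP.
// Refuse to patch anything else - on a different build the bytes live elsewhere.
mov orig,[tmp]
cmp orig,850FC085
jne bad_site1
mov [tmp],840FC085                  // -> TEST EAX,EAX / JZ rel32 (85 C0 0F 84)

esto                                // run until the PUSH ECX breakpoint
sti                                 // F7
sti                                 // F7: EDX now holds the base we need
mov tmp,edx
add tmp,1BD7C                       // build-specific: the JE guarding TerminateProcess
// NOTE(review): only the first two bytes are rewritten (E9 99); the remaining
// bytes of the original JE are reused as the JMP's rel32. The original opcode
// bytes at this site are not recorded here, so there is no pre-check - confirm
// on the target build that the resulting JMP lands on the intended address.
mov [tmp],99E9                      // JE -> JMP, skips TerminateProcess
bc  tmp2                            // clear the PUSH ECX breakpoint
msg "Now Shift+F9 and you can detach afterwards;)"
ret

no_api:
msg "OpenMutexA not found in kernel32.dll - aborting, nothing patched"
ret

bad_site1:
msg "Unexpected bytes at the Debug-Blocker site (expected 85 C0 0F 85) - aborting, nothing patched"
ret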