Special note: the contents of this article are for research and exchange only. If they are put to illegal use, or if you make a mistake while modifying the program, the consequences are entirely your own!
Our goal is to remove the advertisement display and, in the ad's place, show the IP address and port number of the person we are talking to. Where do we start? Follow along.
Analysing Oicq's directory structure shows that the AD directory is the one related to advertisements: AD is the abbreviation for advertisement, and the image files in it are the ones we see in the ad area. Delete the directory and, sure enough, the ads vanish. But the next time Oicq starts it recreates the directory and downloads the ad files again. Since the ad disappears whenever the program cannot read the ad file, we simply make sure it never can. Set a breakpoint on CreateFileA in Soft-ICE (this API is the usual way to open a file or device); each time Soft-ICE breaks, look at which file is about to be opened to decide whether this is the place to change. The patch itself ends up not at the CreateFileA call but in the check that follows it, where a conditional jump is made unconditional; the exact change is given in "Code that opens the ad file".
The ad is gone, but clicking in the ad area still opens the ad link in the browser, so the program needs a more thorough modification. Since clicking the ad brings up a browser, some program must be getting launched. There are generally two ways to start a browser: through a COM interface, or through one of the ordinary APIs for running a program. The first is technically harder and rarely used by ordinary programs, so we set Soft-ICE breakpoints directly on the APIs that launch programs, such as ShellExecuteA and WinExec. The program breaks in ShellExecuteA, so all we need to do is avoid that call. Working upwards from there to find a good place to patch, we come across a call to USER32.PtInRect; analysis shows it decides whether the mouse click lies inside a particular rectangle. Done: make it look as if the click is always outside the area, and execution never reaches ShellExecuteA. The code that handles ad clicks exists in two places, the send-message window and the reply-message window, and both have to be changed on the same principle; see "Send-message window: code for clicking the ad" and "Reply-message window: code for clicking the ad".
(To make the IP address and port number appear after a mouse click, we add an entry into our display routine in the send-message window's click handler; I explain this later.)
Now the ad is really gone: it can neither be seen nor clicked. On to the next goal, showing the IP address and port number!
In the past, to learn a friend's IP address on Oicq you had to rely on small third-party tools or on a packet sniffer; the latter demands more expertise, gives poor results and is inconvenient. Some of the little tools do work, but nothing beats building the feature straight into Oicq for convenience and reliability, and Oicq's internal data structures hold a lot of information that is otherwise hard to get at. The catch is that all we have is binary machine code, no source, so you can imagine the difficulty and the amount of work. After an unbelievable number of crashes and reboots, and an extremely laborious round of breakpoints and trace-debugging... (5201314 characters omitted), I finally got a rough fix on the pointer to the data structure we care about and the places where it is used. This was my most depressing stretch; thinking back on that inhuman work feels like an old comrade, now living a happy life, recalling the miserable days before 1949 with a shudder... (520 characters omitted). Luckily I survived, and at 0042513D I found the pointer address I needed. With this pointer we can obtain the target's IP address and port number; what remains is to display that information where the ad used to be.
Another daunting task lay before me, but fortunately I had firm conviction, plenty of clinical experience, the anticipation of success, and the desire to know where the girls I chat with live; I would treasure the chance and not, like Stephen Chow, wish for it to come round again... (more omitted, to avoid getting egged). Back to the point: with the key data pointer in hand we are 90% there; what remains is to display it. Even that took repeated trial and error. Let's go over the process:
First, adding new functionality unavoidably means adding code and data and calling some API functions, so we need a suitable way to get code into the original program. The proper way is to write a shell-adding tool: append the needed sections (data and code) to the original file, add Import table entries so the new API functions get resolved, and update all the relevant fields of the PE header. This is what viruses do. It is undeniably complex and tedious; readers who are interested can look at my earlier article "Research on encrypting executables under Windows 95". In fact the amount of code we need to add is small, at most a few hundred scattered bytes, and it uses only a handful of API functions. So we take the manual route of patching the code in by hand, which still needs the right preconditions and method. Here is my analysis:
A PE executable is logically organised in sections, for instance the code section ".text", the data section ".data", the resource section ".rsrc" and so on. Section sizes in the file are rounded up to the file alignment given in the PE header (fixed at link time); the alignment is commonly 200h or, as here, 1000h (4096 bytes). Neither code nor data will ever be exactly a multiple of that, so a section's size on disk is larger than the code or data it actually holds. The difference is unused space, usually called the "gap" (slack, or a code cave); some simple PE "slimming" tools shrink files precisely by cutting these gaps out. For us the gap is somewhere to put code, data and a stack. The tool I use to inspect PE headers is "Tdump.exe", which shipped with Borland's C++ products. Here is what it shows:
Object table:
# Name VirtSize RVA PhysSize Phys off Flags
-- -------- -------- -------- -------- -------- --------
01 .text 000D0637 00001000 000D1000 00001000 60000020 [CER]
02 .rdata 000320E8 000D2000 00033000 000D2000 40000040 [IR]
03 .data 00039848 00105000 00012000 00105000 C0000040 [IRW]
04 .rsrc 0003E4C0 0013F000 0003F000 00117000 40000040 [IR]
Above is Tdump's section information for Oicq.exe (what it calls an Object is what we call a section). The obvious first candidate is .text (the code section; its flags are CER, meaning Contains code, Execute, Readable). The actual length of the code in .text is D0637h, its size on disk is D1000h, and it starts at file offset 1000h. So this section has D1000h - D0637h = 9C9h bytes of gap (the original text says C9Ch, a transposition; 9C9h is right). That is more than enough for our needs, and code, data and stack can all live in this area. As everyone knows, to use a region as data the section's Flags must include writable. We only need to rewrite the .text flags: the writable bit is 80000000h, and OR-ing it into the original 60000020h gives E0000020h (CERW). Be aware that the value used in this article, C0000020h, is not 60000020h plus 80000000h: it sets the write bit but clears the execute bit, which is why Tdump shows it as CRW below. The patch still worked on the x86 systems of the day, where any readable page could also be executed, but on a system that enforces DEP/NX the code in the gap would fault, so use E0000020h (see "Changing the code section's attributes"). Here is Tdump's output after the change:
Object table:
# Name VirtSize RVA PhysSize Phys off Flags
-- -------- -------- -------- -------- -------- --------
01 .text 000D0637 00001000 000D1000 00001000 C0000020 [CRW]
02 .rdata 000320E8 000D2000 00033000 000D2000 40000040 [IR]
03 .data 00039848 00105000 00012000 00105000 C0000040 [IRW]
04 .rsrc 0003E4C0 0013F000 0003F000 00117000 40000040 [IR]
Now we have a place for code, data and a stack: it begins at file offset 1000h + D0637h = D1637h. For a tidy boundary we use D1640h (a file offset). Tdump reports a Code Base of 1000h and an Image Base of 400000h, and since the file offset of .text equals its RVA here, the loaded address of our code is 400000h + 1000h + D0640h = 4D1640h. In other words, once the system has loaded the program our code sits at memory address 4D1640h, which is the address the jumps we add later need.
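As an added example (not code from the original article), the following Python script does the Tdump work programmatically: it parses the section table, computes the slack at the end of .text, maps the chosen file offset to its loaded address, and sets the write flag without clearing execute. It runs on a constructed header-only image that reproduces the Oicq.exe section table above; the e_lfanew value of 100h is an assumption, chosen because it places the .text Characteristics field at file offset 21Ch, the offset the write-up patches.

```python
"""Find the code cave in .text and make the section writable (added example tooling,
not from the article). Runs against a constructed header-only PE image."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"       # the 40-byte IMAGE_SECTION_HEADER
CHARACTERISTICS_OFF = 36           # offset of Characteristics inside that header

# Section table copied from the article's Tdump output:
# (name, VirtSize, RVA, PhysSize, Phys off, Flags)
OICQ_SECTIONS = [
    (".text",  0x000D0637, 0x00001000, 0x000D1000, 0x00001000, 0x60000020),
    (".rdata", 0x000320E8, 0x000D2000, 0x00033000, 0x000D2000, 0x40000040),
    (".data",  0x00039848, 0x00105000, 0x00012000, 0x00105000, 0xC0000040),
    (".rsrc",  0x0003E4C0, 0x0013F000, 0x0003F000, 0x00117000, 0x40000040),
]

def build_header_image(image_base=0x400000, sections=OICQ_SECTIONS, e_lfanew=0x100):
    """Constructed DOS header + PE headers + section table, with no section data.
    e_lfanew=100h is an assumption: it puts .text's Characteristics at offset 21Ch."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x1000)     # FileAlignment (PhysSize is 1000h-aligned)
    img = dos + b"PE\0\0" + coff + opt
    for name, vsize, rva, rsize, roff, flags in sections:
        img += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                           vsize, rva, rsize, roff, 0, 0, 0, 0, flags)
    return img

def parse_sections(img):
    """Return (ImageBase, [section dicts]) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    image_base = struct.unpack_from("<I", img, e_lfanew + 24 + 28)[0]
    first = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        off = first + 40 * i
        f = struct.unpack_from(SECTION_HDR, img, off)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2],
                     "rsize": f[3], "roff": f[4], "flags": f[9], "hdr_off": off})
    return image_base, secs

def tdump_flags(flags):
    """Render Characteristics the way Tdump does: CER, IRW, ..."""
    bits = [(IMAGE_SCN_CNT_CODE, "C"), (IMAGE_SCN_CNT_INITIALIZED_DATA, "I"),
            (IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W")]
    return "".join(ch for bit, ch in bits if flags & bit)

def code_cave(sec, align=0x10):
    """(file offset, length) of the unused tail of a section, rounded up to `align`.
    Slack only exists when the raw size exceeds the data actually present."""
    if sec["vsize"] >= sec["rsize"]:
        return None
    start = (sec["roff"] + sec["vsize"] + align - 1) & ~(align - 1)
    return start, sec["roff"] + sec["rsize"] - start

def file_off_to_va(image_base, secs, off):
    """Map a raw file offset to the address it has once the image is loaded."""
    for s in secs:
        if s["roff"] <= off < s["roff"] + s["rsize"]:
            return image_base + s["rva"] + (off - s["roff"])
    raise ValueError("offset %#x is not inside any section" % off)

def make_writable(img, sec):
    """Set IMAGE_SCN_MEM_WRITE and keep every other bit. For .text this gives E0000020h;
    the article's C0000020h is 60000020h with EXECUTE cleared, not with WRITE added."""
    new = sec["flags"] | IMAGE_SCN_MEM_WRITE
    struct.pack_into("<I", img, sec["hdr_off"] + CHARACTERISTICS_OFF, new)
    sec["flags"] = new
    return new

def plan_patch(img):
    """Everything the hand edit needs: where the cave is, its VA, and the fixed flags."""
    image_base, secs = parse_sections(img)
    text = secs[0]
    cave_off, cave_len = code_cave(text)
    return {
        "slack": text["rsize"] - text["vsize"],
        "cave_off": cave_off, "cave_len": cave_len,
        "cave_va": file_off_to_va(image_base, secs, cave_off),
        "flags_off": text["hdr_off"] + CHARACTERISTICS_OFF,
        "old_flags": tdump_flags(text["flags"]),
        "new_flags": tdump_flags(make_writable(img, text)),
    }

if __name__ == "__main__":
    for key, value in plan_patch(build_header_image()).items():
        print("%-10s %s" % (key, hex(value) if isinstance(value, int) else value))
```

On the constructed image the script reports a slack of 9C9h bytes, a cave starting at file offset D1640h (length 9C0h) that loads at 4D1640h, and flags going from CER to CERW by writing E0 rather than C0 at offset 21Fh.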
The groundwork for adding code is done. The key remaining task is writing the actual code that saves and displays the IP address and port number.
First, saving the IP address and port from the object data. Once the program has obtained the data pointer (at 00425157) we change it to jump straight into our save routine (at 4D1640). The pointer to the start of the data is in EAX. Several registers hold values the original code still needs at this point, and we cannot freely push onto its stack either, so the routine first switches the stack pointer so that all of its own stack activity happens in our gap (stack top 4D1900), then saves a few registers by pushing them. The IP address and port live at +214h and +218h in the data structure (EAX+214h and EAX+218h): the IP address is a pointer to a string, the port a 32-bit integer. All we have to do is turn them into one string and keep it in our own area. A single wsprintfA call does this, writing the string and the port number to an address of our choosing (any free spot in the gap; I use 4D1700h for the output, and 4D1720h holds the format string "%s:%d"). In C this is simply wsprintfA(buf, "%s:%d", ip, port), and afterwards the formatted text sits in our data area. Two things worth checking: the output buffer at 4D1700h has 20h bytes before the format string at 4D1720h, and an IPv4 address plus a 16-bit port ("255.255.255.255:65535" plus the terminator) needs at most 22, so it fits, but wsprintfA imposes no length limit of its own, so the string at +214h had better be what we expect. The switched stack grows downwards from 4D1900h towards the format string, which leaves a little under 200h bytes for our pushes and for whatever wsprintfA itself needs.
Note that the original instruction at 00425157 (cmp dword ptr [eax+000001DC], ecx) is overwritten by our jump, so our routine has to execute it itself. Before leaving, it restores the stack pointer and the registers and returns to the original program with an unconditional jump to 0042515D, where the original jne follows; since pop and mov esp, ebx do not touch the flags, that jne still sees the result of the cmp. One more caveat: the routine parks the original ESP in EBX and never restores EBX, so it relies on EBX not being live at that point.
Attentive readers will have noticed that we never call wsprintfA explicitly, yet we do call it, and the SetWindowTextA call in the display routine works the same way. How? Every API call has to be resolved before it can be made, and this happens when the system loads the PE file: it fills in the address of each API function according to the Import table. We have not modified the Import table, so if we just wrote a call to wsprintfA in our added code the system would not resolve it for us. The Import table is fairly complex and editing it is a chore. So we take a shortcut: the system has already resolved the address of every API function the program imports, so those addresses are already sitting in memory (in the import address table), and our code can call through them.
Here is how. Find a place in the original program that calls wsprintfA:
:0049CE30 FF1560274D00 Call USER32.wsprintfA
:0049CE36 83C410 add esp, 00000010
:0049CE39 EB1A jmp 0049CE55
The instruction is really Call dword ptr [004D2760], which tells us that the address of wsprintfA is stored at 004D2760 (its import address table slot). So we only need to obtain that slot address indirectly: the operand of this call (the four bytes at 0049CE32) is a pointer to the pointer to the real wsprintfA, and we can call through it. Reading it out of the call's operand, as the routine below does with mov esi, [0049CE32], is equivalent to writing call dword ptr [004D2760] directly; the slot is filled by the loader either way. The SetWindowTextA call in "Routine that displays the IP address and port" is made the same way. (See "Code that fetches the object data before the send-message window opens" and "Routine that saves the IP address and port".)
With the IP address and port saved as a string at 4D1700h, we only need to display it when required.
As mentioned earlier, the IP address should appear when the ad is clicked, so in the middle of the click-handling code we add a jump to the entry of our display routine (4D1680h). The display routine is simple: it uses SetWindowTextA to show the string stored at 4D1700h in the window that used to hold the ad. Before displaying it checks for the case where there is no IP address: if the string begins with a colon there was no IP, and it simply writes "0" instead. SetWindowTextA is called as described above. Two more important points:
Where do we get the parameter SetWindowTextA needs, the handle of the ad window? In "Send-message window: code for clicking the ad" I deliberately left in the Call USER32.GetWindowRect that is made when the ad is clicked; that function needs the same window handle. [ESI+160h] is the ad window handle passed to GetWindowRect, so we can use it for SetWindowTextA and have the string appear in the ad window.
Also, the original ad window was meant for displaying an image, so it cannot show text: its window style includes SS_ETCHEDFRAME. We remove that and add SS_CENTER and SS_CENTERIMAGE, which centre the text horizontally and vertically. The controls of a static dialog are stored in the dialog template in the resource section rather than created dynamically by the program, so no code change is needed; editing the value in the resource section is enough. See "Changing the ad window's style in the send-message dialog".
The program is basically done and we can finally enjoy the fruits of our hard work... except that Oicq version 820 checks whether its file has been modified. As with any other obstacle on the road to success, this one has to be mercilessly removed, so the "file has been modified" dialog must go too. Fortunately it is easy: set a breakpoint on MessageBoxA, and once it fires look back through the preceding code for the check that decides whether to show the dialog, then kill it; see "Code for the file-modified warning dialog". Done! You have learned a lot, I hope. Take your time finding and changing all of these bytes with UltraEdit, and remember what a single wrong byte means: a crash or a reboot. For the benefit of beginner DIYers I have turned the modified EXE into an 18 KB patch executable with the professional patching tool "CodeFusion"; anyone who needs it can download it from my home page.
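The manual "search for these bytes, change them to those" procedure in the appendix, and the IAT-slot trick explained above, are easy to get wrong with a hex editor: a search pattern may match in more than one place, a replacement may be longer than the bytes it overwrites, or a relative jump may be miscalculated. The following Python script is an added example (not the article's or a CodeFusion patch) that encodes every jump in the write-up from its addresses, checks the result against the hex the article gives, recovers the wsprintfA IAT slot from the operand of the existing call at 0049CE30, and applies each patch only when the search bytes occur exactly once at the expected file offset. It runs against a constructed stand-in for Oicq.exe: a zero-filled buffer that carries only the "before" bytes the article quotes, so it proves the arithmetic rather than patching a real binary.

```python
"""Encode the write-up's jumps and apply its hex patches with checks a hex editor
skips (added example tooling, not from the article). It runs against a constructed
stand-in for OICQ.exe: a zero-filled buffer carrying only the bytes the article quotes."""
import struct

IMAGE_BASE = 0x400000              # inside .text the file offset equals the RVA
TEXT_RAW_END = 0x1000 + 0xD1000    # end of .text in the file; added code must stay below it

def rel32_jmp(src_va, dst_va):
    """E9 disp32: the displacement counts from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))

def rel8_jmp(src_va, dst_va):
    """EB disp8, the short jump used in the ad-file patch."""
    disp = dst_va - (src_va + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target is out of short-jump range")
    return b"\xEB" + struct.pack("<b", disp)

def iat_slot_from_call(img, call_off):
    """The loader fills the IAT slot of every import the program already uses. The imm32
    of an existing `FF 15 imm32` (call dword ptr [imm32]) is that slot, so added code can
    call through it without editing the import table."""
    if img[call_off:call_off + 2] != b"\xFF\x15":
        raise ValueError("no indirect call at %#x" % call_off)
    return struct.unpack_from("<I", img, call_off + 2)[0]

def patch_unique(img, find, replace, expect_off):
    """Overwrite `find` with `replace` only if `find` occurs exactly once, at the offset
    the write-up names, and the replacement is no longer than the bytes it covers."""
    if len(replace) > len(find):
        raise ValueError("replacement is longer than the bytes it overwrites")
    first = img.find(find)
    if first < 0 or img.find(find, first + 1) >= 0:
        raise ValueError("pattern missing or not unique: " + find.hex())
    if first != expect_off:
        raise ValueError("pattern at %#x, expected %#x" % (first, expect_off))
    img[first:first + len(replace)] = replace
    return first

def write_cave(img, file_off, code):
    """Place added code in the .text slack, refusing to spill past the section."""
    if file_off + len(code) > TEXT_RAW_END:
        raise ValueError("code does not fit in the .text gap")
    img[file_off:file_off + len(code)] = code

# The four in-place patches from the appendix: (search bytes, replacement, file offset).
PATCHES = [
    # ad file:      jne 00443BB9 -> jmp 00443BB9 (only the 75 at 43B5Bh changes)
    (bytes.fromhex("397DDC755C"), b"\x39\x7D\xDC" + rel8_jmp(0x443B5B, 0x443BB9), 0x43B58),
    # send window:  xor ebx,ebx / cmp ax,bx -> jmp 004D1680
    (bytes.fromhex("33DB663BC37D0FC7"), rel32_jmp(0x432B86, 0x4D1680), 0x32B86),
    # reply window: je 00462302 -> jmp 00462302 / nop
    (bytes.fromhex("0F84D80000008B4656"), rel32_jmp(0x462224, 0x462302) + b"\x90", 0x62224),
    # object data:  cmp [eax+1DC],ecx -> jmp 004D1640 / nop (the jne at 0042515D stays)
    (bytes.fromhex("3988DC0100007508"), rel32_jmp(0x425157, 0x4D1640) + b"\x90", 0x25157),
]
# The two stubs and the format string exactly as listed in the appendix.
STUB_SAVE = bytes.fromhex("8BDCBC00194D0050515256FFB018020000FFB0140200006820174D00"
                          "6800174D008B3532CE4900FF1683C4105E5A59583988DC0100008BE3"
                          "E9E03AF5FF909090")
STUB_SHOW = bytes.fromhex("803D00174D003A750966C70500174D0030006800174D00FFB660010000"
                          "A1E8714A00FF10E9D415F6FF90909090909090")
FORMAT_STRING = b"%s:%d\0"

def build_test_image():
    """Constructed stand-in for OICQ.exe (not the real binary): zeros, plus the 'before'
    bytes at their file offsets and the wsprintfA call site at 0049CE30."""
    img = bytearray(0x142000)
    for find, _, off in PATCHES:
        img[off:off + len(find)] = find
    img[0x9CE30:0x9CE36] = b"\xFF\x15" + struct.pack("<I", 0x4D2760)  # call dword ptr [004D2760]
    return img

def apply_all(img):
    """Apply the patches, drop in the stubs, and check what the stubs reference."""
    for find, replacement, off in PATCHES:
        patch_unique(img, find, replacement, off)
    write_cave(img, 0xD1640, STUB_SAVE)
    write_cave(img, 0xD1680, STUB_SHOW)
    write_cave(img, 0xD1720, FORMAT_STRING)
    slot = iat_slot_from_call(img, 0x9CE30)
    # the stub's `mov esi,[0049CE32]` reads that call's operand: a pointer to the slot
    operand_va = struct.unpack_from("<I", img, 0xD1663)[0]
    via_stub = struct.unpack_from("<I", img, operand_va - IMAGE_BASE)[0]
    return {
        "iat_slot": slot,
        "stub_reaches_slot": via_stub == slot,
        "save_stub_returns_to_jne": img[0xD1678:0xD167D] == rel32_jmp(0x4D1678, 0x42515D),
        "show_stub_returns_to_handler": img[0xD16A4:0xD16A9] == rel32_jmp(0x4D16A4, 0x432C7D),
        "original_jne_kept": img[0x2515D:0x2515F] == b"\x75\x08",
    }

if __name__ == "__main__":
    for name, value in apply_all(build_test_image()).items():
        print("%-30s %s" % (name, value if isinstance(value, bool) else hex(value)))
```

Every displacement the script computes matches the hex in the appendix (E9 F5 EA 09 00, E9 D9 00 00 00, E9 E4 C4 0A 00, EB 5C, and the two return jumps inside the stubs), and the double indirection through 0049CE32 resolves to the same slot address, 004D2760, that the original call uses. To apply it to a real file you would load the file into the bytearray instead of calling build_test_image(), and the uniqueness check is what protects you when a pattern of common bytes happens to occur twice.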
That's the end of the lesson. Given time there is a lot more you could do to Oicq. It is undoubtedly a hard and complicated job, but with confidence, energy, the nerve to take on such inhuman tasks, the noble vision to regard pretty girls as dirt, and the courage to endure your own merciless self-abuse, you will succeed! (¥……#%%……※#!¥#% aaaargh~~~ ugh~~, beaten up by the students in the front row).
Adding IP and port display to OICQ
Code that opens the ad file
Context (the CreateFileA call the breakpoint lands on):
:0042AF5B FF152C244D00 Call KERNEL32.CreateFileA ; open the ad file
:0042AF61 8BF8 mov edi, eax
:0042AF63 83FFFF cmp edi, FFFFFFFF ; handle equals INVALID_HANDLE_VALUE (open failed)?
:0042AF66 897D08 mov dword ptr [ebp+08], edi
:0042AF69 0F84EB000000 je 0042B05A
:0042AF6F 8D45F4 lea eax, dword ptr [ebp-0C]
:0042AF72 50 push eax
:0042AF73 57 push edi
Before the change (the check that is actually patched, in the function at 00443B56; these instructions are decoded from the search bytes below):
:00443B56 33FF xor edi, edi
:00443B58 397DDC cmp dword ptr [ebp-24], edi
:00443B5B 755C jne 00443BB9
After the change:
:00443B56 33FF xor edi, edi
:00443B58 397DDC cmp dword ptr [ebp-24], edi
:00443B5B EB5C jmp 00443BB9 ; always taken, so the ad file is never used
Manual change:
Search for the hex bytes: 39 7D DC 75 5C
Change the 75 to: EB
File offset: 43B5Bh
Send-message window: code for clicking the ad
Before the change:
:00432B4E 50 push eax
:00432B4F FFB660010000 push dword ptr [esi+00000160] ; esi+160h is the ad window's handle
:00432B55 FF1578274D00 Call USER32.GetWindowRect
:00432B5B 8D45DC lea eax, dword ptr [ebp-24]
:00432B5E 8BCE mov ecx, esi
:00432B60 50 push eax
:00432B61 E8A6110700 call 004A3D0C
:00432B66 FF7510 push [ebp+10]
:00432B69 8D45DC lea eax, dword ptr [ebp-24]
:00432B6C FF750C push [ebp+0C]
:00432B6F 50 push eax
:00432B70 FF15B8274D00 Call USER32.PtInRect
:00432B76 85C0 test eax, eax ; nonzero: the click was inside the ad area
:00432B78 0F84FF000000 je 00432C7D
:00432B7E 6A10 push 00000010
:00432B80 FF157C274D00 Call USER32.GetKeyState
:00432B86 33DB xor ebx, ebx
:00432B88 663BC3 cmp ax, bx
:00432B8B 7D0F jge 00432B9C
:00432B8D C705D874510001000000 mov dword ptr [005174D8], 00000001
:00432B97 E9E8000000 jmp 00432C84
After the change:
:00432B70 FF15B8274D00 Call USER32.PtInRect
:00432B76 85C0 test eax, eax
:00432B78 0F84FF000000 je 00432C7D
:00432B7E 6A10 push 00000010 ; the click was inside the ad area
:00432B80 FF157C274D00 Call USER32.GetKeyState
:00432B86 E9F5EA0900 jmp 004D1680 ; into our display routine, which returns to 00432C7D
:00432B8B 7D0F jge 00432B9C
:00432B8D C705D874510001000000 mov dword ptr [005174D8], 00000001
:00432B97 E9E8000000 jmp 00432C84
Manual change:
Search for the hex bytes: 33 DB 66 3B C3 7D 0F C7
Change the first five bytes to: E9 F5 EA 09 00
File offset: 32B86h
Reply-message window: code for clicking the ad
Before the change:
:0046221C FF15B8274D00 Call USER32.PtInRect ; was the click inside the ad area?
:00462222 85C0 test eax, eax
:00462224 0F84D8000000 je 00462302
After the change:
:0046221C FF15B8274D00 Call USER32.PtInRect
:00462222 85C0 test eax, eax
:00462224 E9D9000000 jmp 00462302 ; always take the "outside the ad area" path
:00462229 90 nop
Manual change:
Search for the hex bytes: 0F 84 D8 00 00 00 8B 46 56
Change the first six bytes to: E9 D9 00 00 00 90
File offset: 62224h
Code that fetches the object data before the send-message window opens
Before the change (the last two instructions are decoded from the search bytes below):
:0042513D 56 push esi
:0042513E 8BF1 mov esi, ecx
:00425140 FFB6F4000000 push dword ptr [esi+000000F4]
:00425146 FFB6B0000000 push dword ptr [esi+000000B0]
:0042514C E879810300 call 0045D2CA ; returns the base address of the object structure in EAX
:00425151 33C9 xor ecx, ecx
:00425153 3BC1 cmp eax, ecx ; EAX = 0 means failure, nonzero means success
:00425155 7431 je 00425188
:00425157 3988DC010000 cmp dword ptr [eax+000001DC], ecx
:0042515D 7508 jne 00425167
After the change:
:00425151 33C9 xor ecx, ecx
:00425153 3BC1 cmp eax, ecx
:00425155 7431 je 00425188
:00425157 E9E4C40A00 jmp 004D1640 ; into the routine that saves the IP address and port
:0042515C 90 nop
:0042515D 7508 jne 00425167 ; unchanged; the save routine re-executes the cmp and jumps back here
Manual change:
Search for the hex bytes: 39 88 DC 01 00 00 75 08
Change the first six bytes to: E9 E4 C4 0A 00 90
File offset: 25157h
Routine that displays the IP address and port
:004D1680 803D00174D003A cmp byte ptr [004D1700], 3A ; is the first character of the string buffer a colon? if so there is no IP address
:004D1687 7509 jne 004D1692
:004D1689 66C70500174D003000 mov word ptr [004D1700], 0030 ; write "0" into the buffer
:004D1692 6800174D00 push 004D1700 ; the string to display
:004D1697 FFB660010000 push dword ptr [esi+00000160] ; the ad window's handle
:004D169D A1E8714A00 mov eax, dword ptr [004A71E8] ; operand of an existing call to SetWindowTextA, i.e. the address of its IAT slot
:004D16A2 FF10 call dword ptr [eax] ; the resolved SetWindowTextA
:004D16A4 E9D415F6FF jmp 00432C7D ; back to the code after the click handler
:004D16A9 90 nop ; padding, for neatness
:004D16AA 90 nop
:004D16AB 90 nop
:004D16AC 90 nop
:004D16AD 90 nop
:004D16AE 90 nop
:004D16AF 90 nop
Format string used by wsprintfA:
:004D1720 25733A2564 "%s:%d"
Manual change:
At file offset D1680h add the hex bytes:
80 3D 00 17 4D 00 3A 75-09 66 C7 05 00 17 4D 00
30 00 68 00 17 4D 00 FF-B6 60 01 00 00 A1 E8 71
4A 00 FF 10 E9 D4 15 F6-FF 90 90 90 90 90 90 90
At file offset D1720h add the hex bytes:
25 73 3A 25 64
Routine that saves the IP address and port
:004D1640 8BDC mov ebx, esp ; save the stack pointer
:004D1642 BC00194D00 mov esp, 004D1900 ; move the stack into the unused area
:004D1647 50 push eax ; save the registers
:004D1648 51 push ecx
:004D1649 52 push edx
:004D164A 56 push esi
:004D164B FFB018020000 push dword ptr [eax+00000218] ; the target object's port
:004D1651 FFB014020000 push dword ptr [eax+00000214] ; pointer to the IP address string
:004D1657 6820174D00 push 004D1720 ; the wsprintfA format string
:004D165C 6800174D00 push 004D1700 ; the output buffer
:004D1661 8B3532CE4900 mov esi, dword ptr [0049CE32] ; operand of the existing wsprintfA call, i.e. the address of its IAT slot
:004D1667 FF16 call dword ptr [esi] ; the resolved wsprintfA
:004D1669 83C410 add esp, 00000010 ; wsprintfA is cdecl: remove the four arguments
:004D166C 5E pop esi ; restore the registers
:004D166D 5A pop edx
:004D166E 59 pop ecx
:004D166F 58 pop eax
:004D1670 3988DC010000 cmp dword ptr [eax+000001DC], ecx ; the original instruction we overwrote at 00425157
:004D1676 8BE3 mov esp, ebx ; restore the stack pointer (EBX itself is not restored)
:004D1678 E9E03AF5FF jmp 0042515D ; back to the original program
:004D167D 90 nop
:004D167E 90 nop
:004D167F 90 nop
Manual change:
At file offset D1640h add the hex bytes:
8B DC BC 00 19 4D 00 50-51 52 56 FF B0 18 02 00
00 FF B0 14 02 00 00 68-20 17 4D 00 68 00 17 4D
00 8B 35 32 CE 49 00 FF-16 83 C4 10 5E 5A 59 58
39 88 DC 01 00 00 8B E3-E9 E0 3A F5 FF 90 90 90
(the last two lines were missing from the original page and are transcribed from the bytes listed above)
Changing the ad window's style in the send-message dialog
The window style before the change is 50000012h:
WS_CHILDWINDOW|WS_VISIBLE|SS_ETCHEDFRAME (SS_LEFT is 0 and adds nothing)
The window style after the change is 50000201h:
WS_CHILDWINDOW|WS_VISIBLE|SS_CENTER|SS_CENTERIMAGE
(the low five bits select the static control's type, so SS_ETCHEDFRAME (12h) is replaced by SS_CENTER (01h); SS_CENTERIMAGE is 200h)
Manual change:
At file offset 141EFCh change
12 00 00 50
to 02 01 00 50
Changing the code section's attributes
The code section's attributes before the change are 60000020h, CER (contains code, executable, readable).
The value set in this article is C0000020h, which Tdump reads as CRW (contains code, readable, writable): the write bit is set but the execute bit is cleared. The value that really adds write to 60000020h is E0000020h, CERW; use it on any system that enforces DEP/NX (it works on older systems as well).
Manual change:
At file offset 21Ch change
20 00 00 60
to 20 00 00 E0 (CERW; the article used 20 00 00 C0)