Add IP and port functions for OICQ (reposted from Green Corps)

(1641 words in this post) (read 485 times)

Author: unknown. Special statement: the content of this article is only for research and exchange purposes; if it is used for illegal purposes or for improper modification, everything is at your own risk!

Our goal is to remove the advertisement and display the IP address of the chat partner in the place where the advertisement used to be. Where should we start? OK, follow me slowly!

After analysing the OICQ directory structure, the AD directory and the advertisement files are found. One kind is the English text of the advertisement (AD), the other is the picture file, which is what we see as the advertisement. After deleting the directory, hey, the advertisement is gone. But the next time OICQ is started, the program automatically re-creates the directory and reloads the advertisement files. If the program cannot read the advertisement file, the advertisement disappears, so the aim is to stop it from reading the file. Use Soft-ICE to set a breakpoint on CreateFileA, which is the function usually used to open a file or device. When Soft-ICE breaks, look at the name of the file about to be opened to judge whether this is the place I want to modify. The specific modification method is detailed below under "Ad file block segment".

The advertisement is removed, but when you click the mouse on the advertising area the browser still opens the advertisement link, so it seems we need a more complete modification of the program. OK, since clicking the advertisement launches a browser, a program must be run. There are two ways to launch a browser: one is to call a COM interface, the other is to call an API function that runs a program. The first is technically difficult and is rarely used by ordinary programs. So use Soft-ICE to set breakpoints on the API functions related to running programs, such as ShellExecuteA, WinExec and so on.
OK, the program breaks at ShellExecuteA, so all we have to do is avoid this API call. Hmm, looking for a suitable place to modify in the program, I find the call to user32.PtInRect. Analysis shows that it is used to judge whether the mouse click is inside a specific area. Got it: as long as the result is always "not in the area", ShellExecuteA is never reached. The send-message window and the reply-message window show the advertisement in different places, that is, there are two locations, and both must be modified; the principle is the same. The specific modification method is detailed under "Send message window: block ad click" and "Reply message window: block ad click". (After the mouse click we have also added a jump to the entry of the program that displays the IP address and port number; I will explain this later.) Now the advertisement is really gone: it is neither seen nor clickable.

Hmm, on to our next goal: display the IP address and port number!!! Until now, to learn a friend's IP address on OICQ there were only private tool programs or packet monitor programs; the latter demand a lot of expertise and have a low identification rate, which is inconvenient. Some small programs are indeed useful, but after all they do not do this directly inside OICQ. Doing it inside the OICQ program is convenient and reliable, and the many data structures inside OICQ can yield a lot of information we normally cannot easily obtain. However, there is only binary machine code and no source program; the difficulty of the analysis and the workload can be imagined. After an unimaginable number of crashes and restarts, and extremely laborious breakpoint tracing and debugging ... (5201314 words omitted here), I finally roughly obtained the data structure pointer we are interested in and the location where it is used.
This was my most depressing time. I thought: this is no job for a human being, just like the old comrades who lived through the miserable life of 49 years ago, my heart aches ... (520 words omitted here). Fortunately I made it through: I finally found the needed pointer at 0042513D. With this pointer we can get the IP address and port number of the target object. What we need to do is display this information at the former advertisement position. Another arduous task lay in front of me. Fortunately I have firm belief, rich practical experience, hope for the joy of success, and the desire to know the addresses of the MMs I chat with; I will cherish it, and cannot, like Zhou Xingxing, expect it to come round again ... (omitted again, to avoid eggs).

Having obtained the key data pointer, we can say we have succeeded 90%; what remains is the display. But this also needs repeated trials and modifications. Let me go over the process. First, to implement the new feature there is no doubt that we need to add code and data and call some API functions, so we need an appropriate way to add code to the original program. The perfect method is to write a shell-adding program that appends the required sections (data section, code section), adds import table entries so the new API functions get resolved, and also modifies the related information in the PE file header; this is the approach viruses take. That is undoubtedly complex and cumbersome; interested students can read my previous article "Research on Encrypting Executable Files under Windows 95". In fact the amount of code to add here is not large, the data is small and scattered, and few API functions are used. So we take the approach of manual modification, but this also requires the necessary conditions and a method.
Look at the following analysis and method. The logical structure of a PE executable is sections, such as the code section ".text", the data section ".data", the resource section ".rsrc" and so on. These sections are aligned according to the file alignment: the section size is aligned to at least 10h, usually 1000h (4096 bytes), which is specified in the file header (decided at link time). But however good the code is, it is impossible to make its length come out exactly right. That is, the section size is larger than the actual size of the code or data in the section. The difference between them is redundant space, called the "gap" (void). Some simple PE file slimming software works by removing this "void". This "void" can be used by us to place code, data and a stack. The tool I often use to analyse PE file headers is TDUMP.exe, which Borland used to ship with its C series software.
Let us look at the result of the actual analysis:

    Object Table:
    #   name      virtsize   rva        physize    phys off   flags
    --  --------  --------   --------   --------   --------   --------
    01  .text     000D0637   00001000   000D1000   00001000   60000020  [CER]
    02  .rdata    000320E8   000D2000   00033000   000D2000   40000040  [IR]
    03  .data     00039848   00105000   00012000   00105000   C0000040  [IRW]
    04  .rsrc     0003E4C0   0013F000   0003F000   00117000   40000040  [IR]

The "Object" in this output is what we call a section. Our first choice is of course the .text section (.text is the code section; its flags CER mean it contains code and is executable and readable). We can see that the actual code length in .text is D0637h, the physical length is D1000h and the file offset is 1000h. OK, this section has a "void" of D1000h - D0637h = C9Ch. This length fully meets our needs: the code, data and stack can all be placed in this area. As everyone knows, to use it as a data area the section attributes must be writable. OK, just rewrite the attributes of ".text": the writable attribute value is 80000000h; add it to the original 60000020h and it becomes C0000020h, that is, the section gets the CRW attributes (see "Code section attribute modification" for the specific change). This is the TDUMP result after our change:

    Object Table:
    #   name      virtsize   rva        physize    phys off   flags
    --  --------  --------   --------   --------   --------   --------
    01  .text     000D0637   00001000   000D1000   00001000   C0000020  [CRW]
    02  .rdata    000320E8   000D2000   00033000   000D2000   40000040  [IR]
    03  .data     00039848   00105000   00012000   00105000   C0000040  [IRW]
    04  .rsrc     0003E4C0   0013F000   0003F000   00117000   40000040  [IR]

Well, the place for the code, data and stack is found: it is in the .text section, starting at the actual file offset 1000h + D0637h. To align the boundary we use D1640h (file offset). Use TDUMP to view the image base and the code section RVA, 400000h and 1000h respectively; from them we can calculate the address of our code after the program is loaded: 400000h + 1000h + D0640h = 4D1640h.

That is to say, after loading our code sits at 4D1640h in memory, which is the address used in the later program jumps. The work of adding code is done; now the key issue is to prepare the specific code for saving and displaying the IP address and port number.
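The section-table arithmetic above (flags, the "void" between virtual size and raw size, and the file-offset to virtual-address mapping) is exactly what a defender does when checking whether a binary has been tampered with, so here it is as an added Python example. It is not code from the article or from OICQ; the numbers are the ones TDUMP printed above, the image base 400000h is the one the article reads from TDUMP, and the flag bit values are the standard PE section characteristics. It parses the TDUMP rows, reproduces the [CER]/[IRW] letters, recomputes the gap from the two sizes, converts offsets both ways, and reports any code section that has become writable, which is the trace the article's attribute change leaves behind.

```python
# Added example, not part of the original article: parse the TDUMP "Object Table"
# into section records, decode the section flags the way TDUMP's [CER]/[IRW]
# letters do, compute each section's slack (the "void"), and map file offsets
# to virtual addresses. The numbers are the ones TDUMP printed in the article;
# the image base 400000h is the one the article reads from TDUMP.
from collections import namedtuple

Section = namedtuple("Section", "name vsize rva rawsize rawoff flags")

# Section characteristic bits from the PE specification (winnt.h names).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

IMAGE_BASE = 0x400000

# TDUMP rows from the article, before the attribute change (constructed input).
TDUMP_BEFORE = """\
01 .text  000D0637 00001000 000D1000 00001000 60000020
02 .rdata 000320E8 000D2000 00033000 000D2000 40000040
03 .data  00039848 00105000 00012000 00105000 C0000040
04 .rsrc  0003E4C0 0013F000 0003F000 00117000 40000040
"""
# After the article rewrote the .text flags to C0000020.
TDUMP_AFTER = TDUMP_BEFORE.replace("60000020", "C0000020")


def parse_object_table(text):
    """Turn TDUMP object-table rows into Section records (all fields are hex)."""
    sections = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _, name, vsize, rva, rawsize, rawoff, flags = parts
        sections.append(Section(name, *(int(v, 16) for v in (vsize, rva, rawsize, rawoff, flags))))
    return sections


def decode_flags(flags):
    """TDUMP-style letters: C code, I initialised data, E execute, R read, W write."""
    bits = [(IMAGE_SCN_CNT_CODE, "C"), (IMAGE_SCN_CNT_INITIALIZED_DATA, "I"),
            (IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W")]
    return "".join(letter for bit, letter in bits if flags & bit)


def slack(section):
    """Bytes between the end of the section's real contents and its raw size."""
    return section.rawsize - section.vsize


def file_offset_to_va(sections, off):
    """Map a file offset to a virtual address via the section that contains it."""
    for s in sections:
        if s.rawoff <= off < s.rawoff + s.rawsize:
            return IMAGE_BASE + s.rva + (off - s.rawoff)
    raise ValueError(f"offset {off:#x} is in no section")


def va_to_file_offset(sections, va):
    """Inverse mapping: virtual address to file offset."""
    rva = va - IMAGE_BASE
    for s in sections:
        if s.rva <= rva < s.rva + s.rawsize:
            return s.rawoff + (rva - s.rva)
    raise ValueError(f"VA {va:#x} is in no section")


def writable_code_sections(sections):
    """Defender's check: code sections that are writable (the article makes .text RW)."""
    return [s.name for s in sections
            if s.flags & IMAGE_SCN_CNT_CODE and s.flags & IMAGE_SCN_MEM_WRITE]


if __name__ == "__main__":
    before = parse_object_table(TDUMP_BEFORE)
    for s in before:
        print(f"{s.name:7} flags {s.flags:08X} [{decode_flags(s.flags)}] slack {slack(s):#x}")
    print(f"file offset D1640h -> VA {file_offset_to_va(before, 0xD1640):#x}")
    print("writable code sections after the patch:",
          writable_code_sections(parse_object_table(TDUMP_AFTER)))
```

On a real file the same records come straight from the IMAGE_SECTION_HEADER array; the writable-code check and a large unexplained slack in .text are cheap first-pass indicators that a binary has been modified in the way this article describes.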
The first step is to save the IP address and port information from the object data. We have obtained the data pointer (at program address 00425157); we change the program there so that it jumps directly into our save program (4D1640). At that point the pointer to the data structure is in EAX. Because the program's own stack is in use, we must not disturb it, so we change the stack pointer so that all stack activity happens inside our "gap" (stack top at 4D1900). Then we save the values of several registers (push them). The IP address and port number are located at offsets 214h and 218h in the data structure respectively (that is, EAX+214h and EAX+218h). The IP address is a string pointer and the port is a 32-bit integer. What we have to do is convert them into a string and save it in our own area. We cleverly use the wsprintfA function to output the IP string and the port number to an address (pick any idle address in our "void"; I use 4D1700 for the output, and 4D1720 holds the format string "%s:%d"). Translated into C the actual program is printf("%s:%d", char *ip, int port), so the data is saved in string form in our data area. Note that since we have overwritten a useful instruction of the original program with the jump, we have to add it back (cmp dword ptr [eax+000001DC], ecx), then restore the stack pointer and registers and jump back to the original program, which continues with its conditional jump instruction.

Careful students may notice that we never explicitly call wsprintfA, yet we actually do call it. The same is true of the SetWindowTextA call in the added program that displays the IP. What is going on? We know that all API functions must be relocated before they can be called, and this happens when the system loads the PE program: the system fills the addresses into the import table of the PE file. We did not modify the import table, so if we simply wrote the call in assembly, the system would not resolve it for us. Because the import table is rather complicated, changing it is a very cumbersome thing. So we use a workaround: since the system has already done the relocation, the address information of the API function already exists. Specifically: find a place in the original program that calls wsprintfA:

    :0049CE30 FF1560274D00   call USER32.wsprintfA
    :0049CE36 83C410         add esp, 00000010
    :0049CE39 EB1A           jmp 0049CE55

The actual instruction is call dword ptr [004D2760]; we know that the address of wsprintfA is placed in 004D2760. So as long as we obtain this address indirectly (it is a double pointer to the actual address of wsprintfA), we can call through it directly. The SetWindowTextA used in "Display IP address and port: added program" is called in the same way. (The specific modification method is detailed under "Send message window: data-block call" and "Save IP address and port: added program".) After this, the IP address and port are saved as a string starting at 4D1700h, to be displayed when needed. As we mentioned earlier, the IP address needs to be displayed after the advertisement is clicked.
So, in the middle of the code segment that handles the advertisement click we add a jump to the entry of our display program (4D1680h). The principle of the display program is simple: the SetWindowTextA function is used to show the string at 4D1700h in the window that used to hold the advertisement. Before displaying, it checks whether there is an IP address: if the string is only a colon, there is no IP address, and it simply writes a "0". The way SetWindowTextA is called was explained above. There are two important issues to pay attention to. Where do we get the parameter SetWindowTextA needs, the advertisement window handle? I had noticed that the code run when you click on the advertisement calls user32.GetWindowRect, which needs a window handle. [ESI+160h] is the advertisement window handle passed to user32.GetWindowRect, so we use this handle when calling SetWindowTextA to put the string on the advertisement window. The other issue: the original advertisement window is used for picture display, so it cannot display characters. Its window style contains the value SS_ETCHEDFRAME. We need to drop it and add the two styles SS_CENTER and SS_CENTERIMAGE for horizontal and vertical centering. The window elements (controls) of an ordinary dialog box are defined statically in the resource section rather than generated dynamically by the program, so we do not need to change code, only the value in the resource section. The specific change is detailed under "Changing the advertisement window style in the message send dialog".

The program is basically finished, and finally we can enjoy the fruit of our hard work; however, OICQ 820 checks whether the file has been modified. Likewise, any obstacle on the road to success can only be eliminated by us: this "file has been modified" prompt and its dialog box are something only we can deal with. Fortunately it is very simple: set a breakpoint on MessageBoxA, wait for it to break, look back at the preceding code, find the code that decides whether the box pops up and remove it ruthlessly; see "Popup file-modified warning box segment".

Done! Learned a lot! Finding and modifying so much code by hand with UltraEdit, do you know the consequence of one wrong keystroke? Oh, it's nothing more than a crash. Considering the needs of some beginning DIY users, I used the professional patch software "CodeFusion" to make a patch. Friends who need it can download it from my homepage. OK, the lesson ends here. If there is time, many more modifications can be made to OICQ. There is no doubt that this work is very arduous, but as long as you have confidence in victory and abundant energy, dare to accept this inhuman challenge, have a keen eye and can endure the PPMM, you will succeed! (¥...#%%...※#!¥#% ah ah, ah~~~~~ ~~ ~~, flattened by the students in the front row.)
Adding the function of displaying IP and port to OICQ: code changes

Ad file block segment. Before:

    :0042AF5B FF152C244D00   call KERNEL32.CreateFileA        ; open the advertisement file
    :0042AF61 8BF8           mov edi, eax
    :0042AF63 83FFFF         cmp edi, FFFFFFFF                ; invalid handle (open failed)?
    :0042AF66 897D08         mov dword ptr [ebp+08], edi
    :0042AF69 0F84EB000000   je 0042B05A
    :0042AF6F 8D45F4         lea eax, dword ptr [ebp-0C]
    :0042AF72 50             push eax
    :0042AF73 57             push edi

After:

    :0042AF5B FF152C244D00   call KERNEL32.CreateFileA        ; open the advertisement file
    :0042AF61 8BF8           mov edi, eax
    :0042AF63 83FFFF         cmp edi, FFFFFFFF

Before:

    :00443B56 33FF           xor edi, edi
    :00443B58 397DDC         cmp dword ptr [ebp-24], edi
    :00443B5B 755C           jne 00443BB9

After:

    :00443B56 33FF           xor edi, edi
    :00443B58 397DDC         cmp dword ptr [ebp-24], edi
    :00443B5B EB5C           jmp 00443BB9

Manual change method: find the hex bytes 39 7D DC 75 5C and change the 75 to EB; the file offset is 43B5Bh.

Send message window: block ad click. Before:

    :00432B4E 50             push eax
    :00432B4F FFB660010000   push dword ptr [esi+00000160]    ; esi+160 is the window handle
    :00432B55 FF1578274D00   call USER32.GetWindowRect
    :00432B5B 8D45DC         lea eax, dword ptr [ebp-24]
    :00432B5E 8BCE           mov ecx, esi
    :00432B60 50             push eax
    :00432B61 E8A6110700     call 004A3D0C
    :00432B66 FF7510         push [ebp+10]
    :00432B69 8D45DC         lea eax, dword ptr [ebp-24]
    :00432B6C FF750C         push [ebp+0C]
    :00432B6F 50             push eax
    :00432B70 FF15B8274D00   call USER32.PtInRect
    :00432B76 85C0           test eax, eax                    ; was the click inside the ad area?
    :00432B78 0F84FF000000   je 00432C7D
    :00432B7E 6A10           push 00000010
    :00432B80 FF157C274D00   call USER32.GetKeyState
    :00432B86 33DB           xor ebx, ebx
    :00432B88 663BC3         cmp ax, bx
    :00432B8B 7D0F           jge 00432B9C
    :00432B8D C705D874510001000000  mov dword ptr [005174D8], 00000001
    :00432B97 E9E8000000     jmp 00432C84

After:

    :00432B70 FF15B8274D00   call USER32.PtInRect
    :00432B76 85C0           test eax, eax
    :00432B78 0F84FF000000   je 00432C7D                      ; click outside the ad area
    :00432B7E 6A10           push 00000010
    :00432B80 FF157C274D00   call USER32.GetKeyState
    :00432B86 E9F5EA0900     jmp 004D1680                     ; to our display program
    :00432B8B 7D0F           jge 00432B9C
    :00432B8D C705D874510001000000  mov dword ptr [005174D8], 00000001
    :00432B97 E9E8000000     jmp 00432C84

Manual change method: find the hex bytes 33 DB 66 3B C3 7D 0F C7 and change the first five bytes (33 DB 66 3B C3) to E9 F5 EA 09 00; the file offset is 32B86h.

Reply message window: block ad click. Before:

    :0046221C FF15B8274D00   call USER32.PtInRect             ; was the click inside the ad area?
    :00462222 85C0           test eax, eax
    :00462224 0F84D8000000   je 00462302

After:

    :0046221C FF15B8274D00   call USER32.PtInRect             ; was the click inside the ad area?
    :00462222 85C0           test eax, eax
    :00462224 E9D9000000     jmp 00462302

Manual change method: find the hex bytes 0F 84 D8 00 00 8B 46 56 and change them to E9 D9 00 00 00 00 00 00 00; the file offset is 62224h.

Send message window: data-block call (the object data pointer). Before:

    :0042513D 56             push esi
    :0042513E 8BF1           mov esi, ecx
    :00425140 FFB6F4000000   push dword ptr [esi+000000F4]
    :00425146 FFB6B0000000   push dword ptr [esi+000000B0]
    :0042514C E879810300     call 0045D2CA                    ; returns the base address of the structure
    :00425151 33C9           xor ecx, ecx
    :00425153 3BC1           cmp eax, ecx                     ; success?
    :00425155 7431           je 00425188
    :00425157 3988DC010000   cmp dword ptr [eax+000001DC], ecx

After:

    :00425151 33C9           xor ecx, ecx
    :00425153 3BC1           cmp eax, ecx                     ; success?
    :00425155 7431           je 00425188
    :00425157 E9E4C40A00     jmp 004D1640                     ; to the IP address and port save program
    :0042515C 90             nop

Manual change method: find the hex bytes 39 88 DC 01 00 00 75 08 and change them to E9 E4 C4 0A 00 90; the file offset is 25157h.

Display IP address and port: added program

    :004D1680 803D00174D003A     cmp byte ptr [004D1700], 3A    ; first character of the string area is ':' means there is no IP address
    :004D1687 7509               jne 004D1692
    :004D1689 66C70500174D003000 mov word ptr [004D1700], 0030  ; write a "0" into the string area
    :004D1692 6800174D00         push 004D1700
    :004D1697 FFB660010000       push dword ptr [esi+00000160]  ; advertisement window handle
    :004D169D A1E8714A00         mov eax, dword ptr [004A71E8]  ; where the original program calls SetWindowTextA
    :004D16A2 FF10               call dword ptr [eax]           ; the relocated SetWindowTextA address
    :004D16A4 E9D415F6FF         jmp 00432C7D                   ; back to the original program
    :004D16A9 90                 nop                            ; alignment
    :004D16AA 90                 nop
    :004D16AB 90                 nop
    :004D16AC 90                 nop
    :004D16AD 90                 nop
    :004D16AE 90                 nop
    :004D16AF 90                 nop

wsprintfA format string:

    :004D1720 25733A2564         "%s:%d"

Manual change method: at file offset D1680 add the hex code
80 3D 00 17 4D 00 3A 75 09 66 C7 05 00 17 4D 00 30 00 68 00 17 4D 00 FF B6 60 01 00 00 A1 E8 71 4A 00 FF 10 E9 D4 15 F6 FF 90 90 90 90 90 90 90
and at file offset D1720 add the hex bytes 25 73 3A 25 64.

Save IP address and port: added program

    :004D1640 8BDC           mov ebx, esp                     ; save the stack pointer
    :004D1642 BC00194D00     mov esp, 004D1900                ; point the stack into the unused memory area
    :004D1647 50             push eax                         ; save registers
    :004D1648 51             push ecx
    :004D1649 52             push edx
    :004D164A 56             push esi
    :004D164B FFB018020000   push dword ptr [eax+00000218]    ; port
    :004D1651 FFB014020000   push dword ptr [eax+00000214]    ; IP address string pointer
    :004D1657 6820174D00     push 004D1720                    ; printf-style format string
    :004D165C 6800174D00     push 004D1700                    ; output buffer
    :004D1661 8B3532CE4900   mov esi, dword ptr [0049CE32]    ; where the original program calls wsprintfA
    :004D1667 FF16           call dword ptr [esi]             ; the relocated wsprintfA address
    :004D1669 83C410         add esp, 00000010
    :004D166C 5E             pop esi
    :004D166D 5A             pop edx
    :004D166E 59             pop ecx
    :004D166F 58             pop eax
    :004D1670 3988DC010000   cmp dword ptr [eax+000001DC], ecx ; the original instruction at 00425157 that our jump replaced
    :004D1676 8BE3           mov esp, ebx                     ; restore the stack pointer
    :004D1678 E9E03AF5FF     jmp 0042515D
    :004D167D 90             nop
    :004D167E 90             nop
    :004D167F 90             nop

Manual change method: at file offset D1640 add the hex code:
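Every patch in the listings above is a relative branch (E9 rel32 or EB rel8 replacing a 0F 84 or 75 conditional), and its displacement encodes the target as target = address + instruction length + displacement. The added Python example below, which is not code from the article or from OICQ, decodes those opcodes, checks the targets against the addresses the listings print, and applies the check an analyst would run over a suspect binary: a branch from the program's real code into the slack beyond .text's VirtualSize is the tell-tale trace of code added in a section "void". The .text bounds (RVA 1000h, VirtualSize D0637h, raw size D1000h, image base 400000h) and the patch bytes are the ones given in the article; the opcode table only covers the branch forms that appear on this page.

```python
# Added example, not part of the original article: decode the relative branch
# instructions the patch writes (E9 rel32, EB rel8, 0F 84 rel32, 74/75 rel8),
# compute their targets, and flag any branch whose target lies in the .text
# slack beyond VirtualSize: a control transfer from real code into the section
# "void" is the classic trace of a binary patched this way (a code cave).
# Addresses, bytes and .text sizes are the ones given in the article.

TEXT_VA = 0x401000                  # image base 400000h + .text RVA 1000h
TEXT_USED_END = TEXT_VA + 0xD0637   # end of the real code (VirtualSize)
TEXT_RAW_END = TEXT_VA + 0xD1000    # end of the section's raw bytes

# opcode bytes -> (mnemonic, opcode length, displacement width in bytes)
_OPCODES = {
    b"\xE9": ("jmp", 1, 4),
    b"\xEB": ("jmp", 1, 1),
    b"\x74": ("je", 1, 1),
    b"\x75": ("jne", 1, 1),
    b"\x0F\x84": ("je", 2, 4),
}


def decode_branch(va, code):
    """Decode one relative branch at virtual address va; return (mnemonic, target, length)."""
    for opcode, (mnem, oplen, dlen) in _OPCODES.items():
        if code.startswith(opcode):
            disp = int.from_bytes(code[oplen:oplen + dlen], "little", signed=True)
            length = oplen + dlen
            return mnem, (va + length + disp) & 0xFFFFFFFF, length
    raise ValueError(f"not a branch this decoder handles: {code.hex()}")


def classify_target(target):
    """Where the branch lands: the real code, the section slack, or outside .text."""
    if TEXT_VA <= target < TEXT_USED_END:
        return "code"
    if TEXT_USED_END <= target < TEXT_RAW_END:
        return "slack"
    return "outside"


# Constructed sample: the patch bytes from the listings, keyed by the virtual
# address where the article writes them (listing data, not bytes read from a file).
PATCHED_BRANCHES = {
    0x00443B5B: bytes.fromhex("EB5C"),          # jne -> jmp 00443BB9 (ad file block)
    0x00432B86: bytes.fromhex("E9F5EA0900"),    # jmp 004D1680 (display program)
    0x00462224: bytes.fromhex("E9D9000000"),    # je -> jmp 00462302 (reply window)
    0x00425157: bytes.fromhex("E9E4C40A00"),    # jmp 004D1640 (save program)
    0x004D16A4: bytes.fromhex("E9D415F6FF"),    # back to 00432C7D
    0x004D1678: bytes.fromhex("E9E03AF5FF"),    # back to 0042515D
}


def audit(branches):
    """Return {va: (mnemonic, target, classification)} for every branch, in address order."""
    report = {}
    for va, code in sorted(branches.items()):
        mnem, target, _ = decode_branch(va, code)
        report[va] = (mnem, target, classify_target(target))
    return report


def cave_entries(branches):
    """Addresses of branches whose target is in the slack: entry points of added code."""
    return [va for va, (_, _, where) in audit(branches).items() if where == "slack"]


if __name__ == "__main__":
    for va, (mnem, target, where) in audit(PATCHED_BRANCHES).items():
        print(f"{va:08X}  {mnem:4} {target:08X}  -> {where}")
    print("branches into the .text slack:", [f"{v:08X}" for v in cave_entries(PATCHED_BRANCHES)])
```

For a real file the bytes would be read at the file offset that corresponds to each virtual address (VA minus 400000h for this .text section, since its RVA and raw offset are both 1000h), and the scan would walk the whole code section rather than a hand-picked list; the classification logic stays the same.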