FiSH v1.27: mIRC v6.17 patch details by sonic (Speedy modded this from the patch code for mIRC v6.16):
*************************************
recv/incoming:
--------------
; Hook site on the receive path (excerpt; the enclosing mirc617 routine is not shown).
; The nop at 0055B5BA, the 5-byte call and the three nops after it span 9 bytes
; (0055B5BA-0055B5C2). The code that used to live there is re-executed at the end
; of the cave at 00593800 before control returns to 0055B5C0.
0055B5B8 74 24 je short mirc617.0055B5DE
0055B5BA 90 nop
0055B5BB E8 40820300 call mirc617.00593800 <--- code cave call/incoming
0055B5C0 90 nop
0055B5C1 90 nop
0055B5C2 90 nop
; Unmodified code resumes here.
0055B5C3 8BCE mov ecx,esi
0055B5C5 E8 36E0F8FF call mirc617.004E9600
; Incoming code cave (entry 00593800): resolve FiSH.dll!incoming, call it on the
; received buffer, then run the code displaced from the hook site and return.
; Registers as used below: edi = buffer (passed to lstrlenA, then handed over in ecx),
; esi = buffer length at the plugin call, ebx = version marker.
005937FF 90 nop
; NOTE(review): this guard reads [593880], but the resolved pointer is stored at [593A29]
; (00593827) and called through [593A29] (00593844). The outgoing cave reads and writes
; one slot, [593A49]. Unless something outside this listing writes [593880], the
; LoadLibraryA/GetProcAddress pair runs on every pass -- confirm whether 593880 is a
; leftover from the v6.16 patch.
00593800 813D 80385900 FF000000 cmp dword ptr ds:[593880],0FF
; jg is a signed comparison: the load is skipped only when the dword is > 0FF as a signed value.
0059380A 7F 26 jg short mirc617.00593832
; "FiSH.dll" is a bare file name, so Windows resolves it through the DLL search order and
; the first match is loaded into the mIRC process. When auditing an installation, confirm
; the full path of the module that was actually loaded.
0059380C 68 003A5900 push mirc617.00593A00 ; ASCII "FiSH.dll"
00593811 FF15 D0415900 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
; LoadLibraryA's result (eax) is pushed to GetProcAddress without a NULL test;
; only the GetProcAddress result is checked below.
00593817 68 203A5900 push mirc617.00593A20 ; ASCII "incoming"
0059381C 50 push eax
0059381D FF15 80425900 call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; kernel32.GetProcAddress
; Export not found: skip the plugin call and go straight to the displaced code.
00593823 85C0 test eax,eax
00593825 74 29 je short mirc617.00593850
; Store the export address in the dword that follows the "incoming" string
; (00593A20 + 8 characters + NUL = 00593A29).
00593827 A3 293A5900 mov dword ptr ds:[593A29],eax
0059382C 90 nop
0059382D 90 nop
0059382E 90 nop
0059382F 90 nop
00593830 90 nop
00593831 90 nop
00593832 BB 1706FEAF mov ebx,AFFE0617 <-- mIRC version
; Save esi/edi; the second push of edi is the argument consumed by lstrlenA.
00593837 56 push esi
00593838 57 push edi
00593839 57 push edi
0059383A FF15 38415900 call dword ptr ds:[<&KERNEL32.lstrlenA>] ; kernel32.lstrlenA
; esi = length returned by lstrlenA, ecx = buffer pointer for the plugin call.
00593840 8BF0 mov esi,eax
00593842 8BCF mov ecx,edi
00593844 FF15 293A5900 call dword ptr ds:[593A29] <--- FiSH.dll!incoming
; Restore the registers saved at 00593837/00593838.
0059384A 5F pop edi
0059384B 5E pop esi
0059384C 90 nop
0059384D 90 nop
0059384E 90 nop
0059384F 90 nop
; Displaced original code. The first three instructions total 9 bytes, matching the span
; overwritten at the hook site. The xor then clears the marker loaded into ebx at 00593832 --
; presumably clean-up added by the patch; confirm against an unpatched binary.
00593850 8BCF mov ecx,edi <--- old (replaced) code from 0055B5BA
00593852 8BD6 mov edx,esi
00593854 E8 D7ECF2FF call mirc617.004C2530
00593859 33DB xor ebx,ebx
0059385B C3 retn
0059385C 90 nop
00193800h: 81 3D 80 38 59 00 FF 00 00 00 7F 26 68 00 3A 59 ; ?Ç8Y. ...&h.:Y
00193810h: 00 FF 15 D0 41 59 00 68 20 3A 59 00 50 FF 15 80 ; . .╨AY.h :Y.P .Ç
00193820h: 42 59 00 85 C0 74 29 A3 29 3A 59 00 90 90 90 90 ; BY.à└t)?:Y.ÉÉÉÉ
00193830h: 90 90 BB 17 06 FE AF 56 57 57 FF 15 38 41 59 00 ; ÉÉ?.■»VWW .8AY.
00193840h: 8B F0 8B CF FF 15 29 3A 59 00 5F 5E 90 90 90 90 ; ï≡ï╧ .):Y._^ÉÉÉÉ
00193850h: 8B CF 8B D6 E8 D7 EC F2 FF 33 DB C3 90 90 90 90 ; ï╧ï╓Φ╫∞≥ 3█├ÉÉÉÉ
send/outgoing:
--------------
; Hook site on the send path (excerpt; the enclosing mirc617 routine is not shown).
0055ABD0 0F85 E5010000 jnz mirc617.0055ADBB
0055ABD6 B9 01000000 mov ecx,1
0055ABDB E8 20EFF8FF call mirc617.004E9B00
; 5-byte call into the cave. The cave ends by executing mov eax,ebp / lea edx,[eax+1]
; (00593940), so it returns with eax = ebp and edx = eax+1.
0055ABE0 E8 1B8D0300 call mirc617.00593900 <--- code cave call
; Unmodified loop: advance eax one byte at a time until a zero byte has been read.
0055ABE5 8A08 /mov cl,byte ptr ds:[eax]
0055ABE7 40 |inc eax
0055ABE8 84C9 |test cl,cl
0055ABEA 75 F9 \jnz short mirc617.0055ABE5
; Outgoing code cave (entry 00593900): resolve FiSH.dll!outgoing once, call it,
; then run the code displaced from the hook site and return.
005938FF 90 nop
; Cached export address; the slot follows the "outgoing" string
; (00593A40 + 8 characters + NUL = 00593A49).
00593900 A1 493A5900 mov eax,dword ptr ds:[593A49]
; Signed comparison: a value > 0FF is treated as an already-resolved pointer.
00593905 3D FF000000 cmp eax,0FF
0059390A 7F 26 jg short mirc617.00593932
; "FiSH.dll" is a bare file name, so Windows resolves it through the DLL search order and
; the first match is loaded into the mIRC process. When auditing an installation, confirm
; the full path of the module that was actually loaded.
0059390C 68 003A5900 push mirc617.00593A00 ; ASCII "FiSH.dll"
00593911 FF15 D0415900 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
; LoadLibraryA's result (eax) is pushed to GetProcAddress without a NULL test;
; only the GetProcAddress result is checked below.
00593917 68 403A5900 push mirc617.00593A40 ; ASCII "outgoing"
0059391C 50 push eax
0059391D FF15 80425900 call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; kernel32.GetProcAddress
; Export not found: skip the plugin call and go straight to the displaced code.
00593923 85C0 test eax,eax
00593925 74 19 je short mirc617.00593940
00593927 A3 493A5900 mov dword ptr ds:[593A49],eax
0059392C 90 nop
0059392D 90 nop
0059392E 90 nop
0059392F 90 nop
00593930 90 nop
00593931 90 nop
; Swap esi and ebp around the call so the plugin sees the former ebp value in esi;
; the second xchg puts both registers back. ebp looks like the outgoing buffer pointer,
; since the displaced code copies it to eax and the hook site then scans from eax for
; a zero byte -- confirm.
00593932 87EE xchg esi,ebp
00593934 FFD0 call eax <--- FiSH.dll!outgoing
00593936 87EE xchg esi,ebp
00593938 90 nop
00593939 90 nop
0059393A 90 nop
0059393B 90 nop
0059393C 90 nop
0059393D 90 nop
0059393E 90 nop
0059393F 90 nop
; Displaced original code. The annotation below leaves out the address; the two
; instructions total 5 bytes, the size of the call placed at 0055ABE0, so that is
; presumably where they came from.
00593940 8BC5 mov eax,ebp <--- old (replaced) code from
00593942 8D50 01 lea edx,dword ptr ds:[eax+1]
00593945 C3 retn
00593946 90 nop
00193900h: A1 49 3A 59 00 3D FF 00 00 00 7F 26 68 00 3A 59 ; íI:Y.= ...&h.:Y
00193910h: 00 FF 15 D0 41 59 00 68 40 3A 59 00 50 FF 15 80 ; . .╨AY.h@:Y.P .Ç
00193920h: 42 59 00 85 C0 74 19 A3 49 3A 59 00 90 90 90 90 ; BY.à└t.úI:Y.ÉÉÉÉ
00193930h: 90 90 87 EE FF D0 87 EE 90 90 90 90 90 90 90 90 ; ÉÉçε ╨çεÉÉÉÉÉÉÉ?
00193940h: 8B C5 8D 50 01 C3 90 90 90 90 90 90 90 90 90 90 ; ï┼ìP.├ÉÉÉÉÉÉÉÉÉ
mIRC.exe integrity check:
-------------------------
; Excerpt from the executable's self-check (the enclosing routine is not shown).
; The bytes listed for 00458DB2 are still the setne encoding, so this appears to be the
; pre-patch view; the annotation says the instruction is replaced with nops. With it gone,
; cl keeps the 0 written by xor ecx,ecx whatever the test result is.
; NOTE(review): a binary patched this way no longer flags later modification of itself,
; so its integrity has to be verified externally (e.g. a file hash of the patched image).
00458DAE |. 33C9 xor ecx,ecx
00458DB0 |. 85C0 test eax,eax
00458DB2 |. 0F95C1 setne cl <--- mIRC.exe CRC check => nooped :P
00458DB5 |. 5F pop edi