FiSH v1.27b/1.28a: mIRC v6.20 patch details by sonic/[LinG]
Greez fly to:
Khaled Mardam-Bey - author of mIRC
????????????????? - author of FiSH
(Speedy modified from the official patch code for mIRC v6.16):
**********************************WORDS TO THE GIRL I LOVE***************************************
Carloathena, I can't stop loving you though you have rejected me for the past 7 years...
Seems impossible to do RE with the program in your mind. No proper way...
It really hurts... What a painful week... :(
*************************************************************************************************
*************************************NOTES FOR THE FILE SIZE*************************************
-Why is the file size bigger than the original one? Virus, trojan or dummy data?
-mIRC 6.20 doesn't use lstrlenA (kernel32), which is a function FiSH requires for processing
incoming msgs. I added a new section for the import table. Thus the lstrlenA RVA is 0064B139h and the
new file size is 2,113,536 bytes (CRC32: 7E906F56).
*************************************************************************************************
*************************NOTES FOR FiSH VERSION(To be or not to be)******************************
-What version of FiSH does this patch work for?
-I made it by referring to the patch details in FiSH 1.27b.
But after I finished making this patch I checked the FiSH homepage.. hoho.. FiSH v1.28a... I'm not sure
if this patch works well with this new version, although I tested most of its functions and the
patch details in 1.28a are the same as in 1.27b. So try this dummy patch yourself and delete it if it sucks.
*************************************************************************************************
Disable integrity check:
------------------------
0045AF5E |. 33C9 xor ecx,ecx
0045AF60 |. 85C0 test eax,eax
0045AF62 |. 90 nop ;Replace "setnz cl" (3 bytes) with three "nop"s.
0045AF63 |. 90 nop
0045AF64 |. 90 nop
0045AF65 |. 5F pop edi
send/outgoing:
--------------
00569E04 |. /0F85 EC010000 jnz mirc.00569FF6
00569E0A |> |B9 01000000 mov ecx,1
00569E0F |. |E8 DC71F8FF call mirc.004F0FF0
00569E14 |. |E8 E79A0300 call mirc.005A3900 ;code cave call
00569E19 |. |8DA424 00000000 lea esp,dword ptr ss:[esp]
00569E20 |> |8A08 /mov cl,byte ptr ds:[eax]
00569E22 |. |40 |inc eax
00569E23 |. |84C9 |test cl,cl
00569E25 |.^|75 F9 \jnz short mirc.00569E20
005A38FF 90 nop
005A3900 /$ A1 493B5A00 mov eax,dword ptr ds:[5A3B49]
005A3905 |. 3D FF000000 cmp eax,0FF
005A390A |. 7F 26 jg short mirc.005A3932
005A390C |. 68 003B5A00 push mirc.005A3B00 ; /FileName = "FiSH.DLL"
005A3911 |. FF15 90425A00 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
005A3917 |. 68 403B5A00 push mirc.005A3B40 ; /ProcNameOrOrdinal = "outgoing"
005A391C |. 50 push eax ; |hModule
005A391D |. FF15 94425A00 call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
005A3923 |. 85C0 test eax,eax
005A3925 |. 74 19 je short mirc.005A3940
005A3927 |. A3 493B5A00 mov dword ptr ds:[5A3B49],eax
005A392C |. 90 nop
005A392D |. 90 nop
005A392E |. 90 nop
005A392F |. 90 nop
005A3930 |. 90 nop
005A3931 |. 90 nop
005A3932 |> 87EE xchg esi,ebp
005A3934 |. FFD0 call eax ;FiSH.dll!outgoing
005A3936 |. 87EE xchg esi,ebp
005A3938 |. 90 nop
005A3939 |. 90 nop
005A393A |. 90 nop
005A393B |. 90 nop
005A393C |. 90 nop
005A393D |. 90 nop
005A393E |. 90 nop
005A393F |. 90 nop
005A3940 |> 8BC5 mov eax,ebp ;old (replaced) code from 00569E14
005A3942 |. 8D50 01 lea edx,dword ptr ds:[eax+1]
005A3945 \. C3 retn
005A3946 90 nop
recv/incoming:
--------------
0056A7F8 |. /74 24 |je short mirc.0056A81E
0056A7FA |. |90 |nop \
0056A7FB |. |E8 00920300 |call mirc.005A3A00 |
0056A800 |. |90 |nop |------------------;code cave call
0056A801 |. |90 |nop |
0056A802 |. |90 |nop /
0056A803 |. |8BCE |mov ecx,esi
0056A805 |. |E8 E662F8FF |call mirc.004F0AF0
0056A80A |. |85C0 |test eax,eax
0056A80C |.^|0F84 72FDFFFF |je mirc.0056A584
0056A812 |. |399E 1C040000 |cmp dword ptr ds:[esi+41C],ebx
0056A818 |.^|0F84 66FDFFFF |je mirc.0056A584
0056A81E |> \33C0 |xor eax,eax
005A39FF 90 nop
005A3A00 /$ 813D 803A5A00 FF000000 cmp dword ptr ds:[5A3A80],0FF ;note: tests [5A3A80], not the cache slot [5A3B29] written at 005A3A27 and called at 005A3A44
005A3A0A |. 7F 26 jg short mirc.005A3A32
005A3A0C |. 68 003B5A00 push mirc.005A3B00 ; /FileName = "FiSH.DLL"
005A3A11 |. FF15 90425A00 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
005A3A17 |. 68 203B5A00 push mirc.005A3B20 ; /ProcNameOrOrdinal = "incoming"
005A3A1C |. 50 push eax ; |hModule
005A3A1D |. FF15 94425A00 call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
005A3A23 |. 85C0 test eax,eax
005A3A25 |. 74 29 je short mirc.005A3A50
005A3A27 |. A3 293B5A00 mov dword ptr ds:[5A3B29],eax
005A3A2C |. 90 nop
005A3A2D |. 90 nop
005A3A2E |. 90 nop
005A3A2F |. 90 nop
005A3A30 |. 90 nop
005A3A31 |. 90 nop
005A3A32 |> BB 2006FEAF mov ebx,AFFE0620 ; mIRC version
005A3A37 |. 56 push esi
005A3A38 |. 57 push edi
005A3A39 |. 57 push edi ; /String
005A3A3A |. FF15 39B16400 call dword ptr ds:[<&kernel32.lstrlenA>] ; \lstrlenA <---#SEE NOTES ON TOP#
005A3A40 |. 8BF0 mov esi,eax
005A3A42 |. 8BCF mov ecx,edi
005A3A44 |. FF15 293B5A00 call dword ptr ds:[5A3B29] ;FiSH.dll!incoming
005A3A4A |. 5F pop edi
005A3A4B |. 5E pop esi
005A3A4C |. 90 nop
005A3A4D |. 90 nop
005A3A4E |. 90 nop
005A3A4F |. 90 nop
005A3A50 |> 8BCF mov ecx,edi ;old (replaced) code from 0056A7FA
005A3A52 |. 8BD6 mov edx,esi
005A3A54 |. E8 B74EF2FF call mirc.004C8910
005A3A59 |. 33DB xor ebx,ebx
005A3A5B \. C3 retn
005A3A5C 90 nop
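As a defender-side check on the notes and listings above, here is an added Python example (not part of the original patch notes) that maps the listed virtual addresses to file offsets through the PE section table and verifies a candidate mirc.exe against the stated size and CRC32, the nop'd integrity check, both cave calls, the cave strings, and whether the lstrlenA IAT slot at 0064B139h is backed by a section on disk. The sample image it builds is a constructed stand-in whose section names and layout are invented; run check_patch() on the real file's bytes instead.

```python
import struct, zlib
# Expectations quoted from the patch notes above; the sample image further down is constructed.
EXPECTED_SIZE, EXPECTED_CRC32, IMAGE_BASE = 2113536, 0x7E906F56, 0x400000
EXPECTED_PATCHES = {                                    # VA -> bytes the listing shows there
    0x45AF62: b"\x90\x90\x90",                          # setnz cl -> 3x nop (integrity check)
    0x569E14: b"\xE8\xE7\x9A\x03\x00",                  # call 005A3900 (outgoing cave)
    0x56A7FA: b"\x90\xE8\x00\x92\x03\x00\x90\x90\x90",  # nop, call 005A3A00, 3x nop (incoming cave)
    0x5A3B00: b"FiSH.DLL\0", 0x5A3B20: b"incoming\0", 0x5A3B40: b"outgoing\0",
}

def parse_sections(data):
    """Return [(va_start, size_on_disk, raw_ptr)] from a PE32 section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    base = struct.unpack_from("<I", data, pe + 24 + 28)[0]              # OptionalHeader.ImageBase
    hdrs = (struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8) for i in range(nsec))
    return [(base + rva, min(vsize, rsize), rptr) for vsize, rva, rsize, rptr in hdrs]

def bytes_at(data, sections, va, n):
    """Read n file bytes at a virtual address, or None if no section backs it on disk."""
    for start, size, rptr in sections:
        if start <= va < start + size:
            off = rptr + (va - start)
            return bytes(data[off:off + n])
    return None

def check_patch(data):
    """Compare a candidate mirc.exe with the size, CRC32 and byte patches the notes state."""
    secs = parse_sections(data)
    return {
        "size_ok": len(data) == EXPECTED_SIZE,
        "crc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == EXPECTED_CRC32,
        "patches_ok": all(bytes_at(data, secs, va, len(b)) == b for va, b in EXPECTED_PATCHES.items()),
        "lstrlen_iat_backed": bytes_at(data, secs, 0x64B139, 4) is not None,  # slot in the added section
    }

def build_sample_image():
    """Constructed PE32 shell standing in for a patched mirc.exe; it is not the real binary."""
    pe, secs = 0x80, [(b".text", 0x1000, 0x1A4000, 0x400), (b".fish", 0x24B000, 0x1000, 0x1A4400)]
    img = bytearray(0x1A5400)
    struct.pack_into("<2s58xI", img, 0, b"MZ", pe)                                     # MZ stub + e_lfanew
    struct.pack_into("<4sHH12xHH", img, pe, b"PE\0\0", 0x14C, len(secs), 0xE0, 0x102)  # signature + COFF header
    struct.pack_into("<I", img, pe + 24 + 28, IMAGE_BASE)
    for i, (name, rva, size, rptr) in enumerate(secs):       # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<8sIIII", img, pe + 24 + 0xE0 + 40 * i, name, size, rva, size, rptr)
    for va, b in EXPECTED_PATCHES.items():                   # every patch lies in .text (RVA 0x1000 at file 0x400)
        off = va - IMAGE_BASE - 0x1000 + 0x400
        img[off:off + len(b)] = b
    return bytes(img)
```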