是oicq.exe的md5校验和。oicq就是通过这个判断是否被修改了的。
- 标 题:oicq目录下面的hash.dat
- 作 者:最弱智
- 时 间:2000-12-1 16:19:15
- 链 接:http://bbs.pediy.com
是oicq.exe的md5校验和。oicq就是通过这个判断是否被修改了的。
VC6 编译:
c:\> cl mdx.c
使用:
c:\> cl oicq.exe
md5 = xx xx ............
[MDX.C]
#include <io.h>
#include <conio.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#pragma intrinsic( _rotl )
#define BLOCK 0x40
#define BUFFER 0x6000
typedef unsigned char BYTE;
typedef unsigned int WORD;
typedef unsigned long DWORD;
void MDInit( DWORD *pMD )
{
pMD[ 0 ] = 0x67452301;
pMD[ 1 ] = 0xefcdab89;
pMD[ 2 ] = 0x98badcfe;
pMD[ 3 ] = 0x10325476;
}
void MD5Calc( DWORD *pData, DWORD *pMD5 )
{
static DWORD MD51[] = {
0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821
};
static DWORD MD52[] = {
0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a
};
static DWORD MD53[] = {
0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665
};
static DWORD MD54[] = {
0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
};
WORD i;
DWORD t1, t2, t3, t4;
t1 = pMD5[ 0 ];
t2 = pMD5[ 1 ];
t3 = pMD5[ 2 ];
t4 = pMD5[ 3 ];
for( i = 0; i < 0x4; i ++ ){
t1 += ( ( ~t2 & t4 ) | ( t2 &
t3 ) ) + MD51[ i * 4 ];
t1 = _rotl( t1 + pData[ i * 4 ], 7 ) +
t2;
t4 += ( ( ~t1 & t3 ) | ( t1 &
t2 ) ) + MD51[ i * 4 + 1];
t4 = _rotl( t4 + pData[ i * 4 + 1 ], 0xc
) + t1;
t3 += ( ( ~t4 & t2 ) | ( t4 &
t1 ) ) + MD51[ i * 4 + 2 ];
t3 = _rotl( t3 + pData[ i * 4 + 2 ], 0x11
) + t4;
t2 += ( ( ~t3 & t1 ) | ( t3 &
t4 ) ) + MD51[ i * 4 + 3 ];
t2 = _rotl( t2 + pData[ i * 4 + 3 ], 0x16
) + t3;
}
for( i = 0; i < 0x4; i ++ ){
t1 += ( ( ~t4 & t3 ) | ( t2 &
t4 ) ) + MD52[ i * 4 ];
t1 = _rotl( t1 + pData[ ( i * 4 + 1 )
& 0xf ], 5 ) + t2;
t4 += ( ( ~t3 & t2 ) | ( t1 &
t3 ) ) + MD52[ i * 4 + 1 ];
t4 = _rotl( t4 + pData[ ( i * 4 + 0x6
) & 0xf ], 9 ) + t1;
t3 += ( ( ~t2 & t1 ) | ( t4 &
t2 ) ) + MD52[ i * 4 + 2 ];
t3 = _rotl( t3 + pData[ ( i * 4 + 0xb
) & 0xf ], 0xe ) + t4;
t2 += ( ( ~t1 & t4 ) | ( t3 &
t1 ) ) + MD52[ i * 4 + 3 ];
t2 = _rotl( t2 + pData[ ( i * 4 ) &
0xf ], 0x14 ) + t3;
}
for( i = 0; i < 0x4; i ++ ){
t1 += ( t2 ^ t3 ^ t4 ) + MD53[ i * 4 ];
t1 = _rotl( t1 + pData[ ( i * 0xc + 5
) & 0xf ], 4 ) + t2;
t4 += ( t1 ^ t2 ^ t3 ) + MD53[ i * 4 +
1 ];
t4 = _rotl( t4 + pData[ ( i * 0xc + 8
) & 0xf ], 0xb ) + t1;
t3 += ( t1 ^ t4 ^ t2 ) + MD53[ i * 4 +
2 ];
t3 = _rotl( t3 + pData[ ( i * 0xc + 0xb
) & 0xf ], 0x10 ) + t4;
t2 += ( t3 ^ t4 ^ t1 ) + MD53[ i * 4 +
3 ];
t2 = _rotl( t2 + pData[ ( i * 0xc + 0xe
) & 0xf ], 0x17 ) + t3;
}
for( i = 0; i < 0x4; i ++ ){
t1 += ( ( ~t4 | t2 ) ^ t3 ) + MD54[ i
* 4 ];
t1 = _rotl( t1 + pData[ ( i * 0xc ) &
0xf ], 6 ) + t2;
t4 += ( ( ~t3 | t1 ) ^ t2 ) + MD54[ i
* 4 + 1 ];
t4 = _rotl( t4 + pData[ ( i * 0xc + 0x7
) & 0xf ], 0xa ) + t1;
t3 += ( ( ~t2 | t4 ) ^ t1 ) + MD54[ i
* 4 + 2 ];
t3 = _rotl( t3 + pData[ ( i * 0xc + 0xe
) & 0xf ], 0xf ) + t4;
t2 += ( ( ~t1 | t3 ) ^ t4 ) + MD54[ i
* 4 + 3 ];
t2 = _rotl( t2 + pData[ ( i * 0xc + 0x5
) & 0xf ], 0x15 ) + t3;
}
pMD5[ 0 ] += t1;
pMD5[ 1 ] += t2;
pMD5[ 2 ] += t3;
pMD5[ 3 ] += t4;
}
main( int argc, char *argv[] )
{
int nHandle, nSize, i, nFlag;
BYTE *pBuffer;
DWORD MD5[ 4 ], *pData;
long lSize;
if( argc == 1 ){
printf( "Usage: MDX <file>\n" );
exit( -1 );
}
pBuffer = ( BYTE * )malloc( ( BUFFER + 0x50 ) * sizeof( BYTE
) );
if( !pBuffer ){
printf( "Mallocate memory error.\n" );
exit( -1 );
}
nHandle = open( argv[ 1 ], O_RDONLY | O_BINARY );
if( nHandle == -1l ){
printf( "Can not opening file \"%s\".\n",
argv[ 1 ] );
exit( -1 );
}
lSize = filelength( nHandle );
if( lSize == 0 | lSize == -1 ){
printf( "File is empty or too large\n"
);
exit( -1 );
}
MDInit( MD5 );
nFlag = 1;
while( nFlag ){
nSize = read( nHandle, pBuffer, BUFFER
);
if( nSize == -1 ){
printf( "Can not read
from file.\n" );
exit( -1 );
}
if( nSize != BUFFER ){
nFlag = 0;
memset( &pBuffer[
nSize ], 0, 0x4f );
pBuffer[ nSize++ ]
= 0x80;
i = 0x40 - ( nSize
& 0x3f );
nSize += ( i > 7 )
? i : i + 0x40 ;
*( (long *)&pBuffer[
nSize - 8 ] ) = ( lSize << 3 );
}
for( i = 0; i < nSize; i += 0x40 ){
pData = ( DWORD * )(
&pBuffer[ i ] );
MD5Calc( pData, MD5
);
}
};
close( nHandle );
free( pBuffer );
pBuffer = ( BYTE * ) MD5;
printf( "\nMD5 = ", argv[ 1 ] );
for( i = 0; i < 0x10; i ++ ) printf( "%02X ", *pBuffer
++ );
printf( "\n" );
}
Disclaimer: This is only for educational purpose. Use it at your
own risk!
Take the following steps to simply prevent oicq2000 build 1115 from displaying
advertisement pics:
1、rename "oicq.exe" to "old_oicq.exe"(It is packed with
ASPack).
2、compile the following prog to "oicq.exe", put it in the same directory
with old_oicq.exe.
Version: oicq 2000 build 1115
#include <windows.h>
#include <stdio.h>
const char FileName[ ] =
"Old_OICQ.exe";
const long PATCH_SIZE =
3;
void *BaseAddr =
(void *)0x0042A9D2L;
const char NewBytes[]
= { 0xE9, 0x22, 0x01 };
const char OldBytes[]
= { 0x53, 0x68, 0x80 };
char TmpBytes[3];
void main(void)
{
STARTUPINFO StartInfo;
PROCESS_INFORMATION ProcessInfo;
unsigned long OldProtect;
unsigned long BytesWritten;
unsigned long BytesRead;
int k,
len;
char Path[512];
printf("AD remover for OICQ 2000 buid 1115.\n");
printf("Coded by Netguy.\n");
printf("Please wait while OICQ is loading...\n");
__try
{
GetModuleFileName(NULL, Path,
512);
len = lstrlen(Path);
Path[len - 8] = '\0';
SetCurrentDirectory(Path);
ZeroMemory(& StartInfo,
sizeof(StartInfo));
StartInfo.cb = sizeof(StartInfo);
if (CreateProcess( FileName,
NULL,
NULL,
NULL,
FALSE,
NULL,
NULL,
NULL,
&StartInfo,
&ProcessInfo
)
== 0)
{
__leave;
}
if (WaitForInputIdle(ProcessInfo.hProcess,
INFINITE) != 0)
{
__leave;
}
if (VirtualProtectEx(ProcessInfo.hProcess,
BaseAddr, PATCH_SIZE,
PAGE_READWRITE,
&OldProtect) == 0)
{
__leave;
}
if (ReadProcessMemory(ProcessInfo.hProcess, BaseAddr, TmpBytes, PATCH_SIZE,
&BytesRead)
== 0)
{
__leave;
}
k = 0;
while(OldBytes[k] == TmpBytes[k])
k++;
if (k < PATCH_SIZE) __leave;
WriteProcessMemory(ProcessInfo.hProcess, BaseAddr, NewBytes, PATCH_SIZE,
&BytesWritten);
}
__finally
{
if (ProcessInfo.hProcess)
{
CloseHandle(ProcessInfo.hProcess);
CloseHandle(ProcessInfo.hThread);
}
}
}