Question

I'm trying to reverse engineer an old game that I used to fiddle around with that is no longer being maintained. Currently, I'm just trying to edit the connection IP to fake that the server is online, but I've had some problems tracking down the IP within the application. After doing a Wireshark test, the IP address that the program tries to connect to is 24.56.108.156, but doing a scan for that with a hex editing program (XVI32 specifically) in hex or text returns no result.

So, I continued to fiddle and loaded up OllyDbg, which I haven't used forever, and my knowledge of assembly has plummeted no doubt. Anyway, I first looked into the referenced strings and found some text left in there (code comments, it seems) that shows that the "RemoteHostIP" function returns the IP of the remote host. So, I found the assembly for the call and set a breakpoint on it to make sure it was the correct function, and it is called right when the client tries to connect. The assembly for it is:

MOV EAX, DWORD PTR DS:[C98FA8]
OR EAX, EAX
JE SHORT Eternal.0043629F //Jumps back to the MOV call.

I looked at the value of EAX and it shows as 75843918 and the DS is 002B, but the EAX value (when converted back to decimal or ASCII) is not equal to the IP address that the client tries to connect to. So, I have no clue what exactly DS means other than "data segment register" or how it affects the dereferenced pointer, so I went to the expression 00C98FA8 and got the same value of 75843918, which is not what I'm looking for.

I'm running out of ideas over here. Is there anything specific I could have missed? Does that DS have some effect that I don't know about? Any help would be greatly appreciated, and if I left out some information that could be helpful, just tell me.

--Newly Added Information--
In response to typ1232 and just for more information:

The address has some padding between the individual numbers; it went like: 32, random number of 00s and other junk, etc., so I cannot track it down directly.


Solution

I ended up finding it with some guessing. It seems that the application splits things with a 00 before every piece of the IP, so it turned out to be: 00 32 00 34 00 2E etc. and so on.
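The pattern the answer describes (a 00 byte interleaved with each ASCII digit) is how a Windows program stores a wide (UTF-16) string, which is why a plain ASCII search in the hex editor found nothing. Two background facts worth knowing for the question's debugger session: in 32-bit Windows user mode the DS segment has base 0, so DS:[C98FA8] is simply linear address 0x00C98FA8; and MOV EAX, DWORD PTR [addr] followed by OR EAX,EAX / JE is the usual null-pointer check, so the value read there is typically a pointer to the string rather than the string bytes themselves. The following is an added example, not code from the original post, showing how to search a binary image for a string in several encodings at once and how to patch a wide string in place without changing its byte length. The sample blob and the IP in it are constructed for the example; the game binary is not included.

```python
import re

# Constructed sample of a binary image: filler bytes, the IP as a UTF-16LE
# wide string (digit, 00, digit, 00 ... as the answer describes) with its
# two-byte terminator, more filler, then a second copy as plain ASCII.
IP = "24.56.108.156"
SAMPLE_BLOB = (
    b"\x90" * 16
    + IP.encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
    + IP.encode("ascii") + b"\x00"
    + b"\x90" * 16
)

# Encodings a Windows binary commonly stores text in: narrow (ASCII/ANSI),
# wide little-endian (what the Win32 W-APIs use), and wide big-endian
# (rare, but cheap to check).
ENCODINGS = ("ascii", "utf-16-le", "utf-16-be")


def find_string(blob: bytes, needle: str, encodings=ENCODINGS) -> dict:
    """Return {encoding: [offsets]} for every encoding in which `needle`
    occurs in `blob`. Encodings with no hit are left out."""
    hits = {}
    for enc in encodings:
        pattern = re.escape(needle.encode(enc))
        offsets = [m.start() for m in re.finditer(pattern, blob)]
        if offsets:
            hits[enc] = offsets
    return hits


def patch_string(blob: bytes, old: str, new: str, enc: str) -> bytes:
    """Replace every occurrence of `old` with `new` in encoding `enc`,
    NUL-padding `new` so the byte length of the file does not change
    (a longer replacement would shift every offset after it)."""
    old_b = old.encode(enc)
    new_b = new.encode(enc)
    if len(new_b) > len(old_b):
        raise ValueError("replacement must not be longer than the original")
    # For UTF-16 both lengths are even, so the NUL padding stays aligned to
    # 16-bit code units and also acts as the string terminator.
    new_b += b"\x00" * (len(old_b) - len(new_b))
    return blob.replace(old_b, new_b)


def hexdump(blob: bytes, offset: int, length: int = 32) -> str:
    """Hex-editor style view of a slice, to eyeball the 00-interleaving."""
    chunk = blob[offset:offset + length]
    return " ".join(f"{b:02X}" for b in chunk)


if __name__ == "__main__":
    for enc, offs in find_string(SAMPLE_BLOB, IP).items():
        print(f"{enc:9s} at {[hex(o) for o in offs]}")
        print("   ", hexdump(SAMPLE_BLOB, offs[0]))
    # Redirect the wide-string copy to a local test server address.
    patched = patch_string(SAMPLE_BLOB, IP, "127.0.0.1", "utf-16-le")
    print("patched :", hexdump(patched, 16))
```

Run against a real file with `find_string(open(path, "rb").read(), "24.56.108.156")`; a hit under `utf-16-le` is the string the hex editor missed. `patch_string` only handles the simple case where the address is a literal in the binary; if the program builds the string at run time (the pointer loaded from 0xC98FA8 is a heap or stack buffer), the value is not in the file at all and has to be changed in the debugger or at the network layer instead.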

Licensed under: CC-BY-SA with attribution