-2

My friend and I have been creating an advanced C++ TCPClient. He created the client, and I created the server. The client has a static IP inside the code and we lost the code for the client. I am currently wondering whether it is possible to decompile it in IDA and change the IP. I have been scanning through IDA and I have not found the IP anywhere. Does anyone know if this is possible?

It's not as simple as just recreating the client; it is a bit more complex than just placing a listener and client.

Callum
  • Assuming you have permission to write to the executable, it is POSSIBLE to change the executable in limited ways (and changing the IP address sounds entirely doable). Decompiling is technically not required. Whether it is worth it compared to the effort of recompiling/redesigning the code [classic case of "store your code in a version control system, off your main computer"], and whether you know how to identify the right set of bytes (vs. instructions and other "random data") is of course another question. – Mats Petersson Jan 18 '15 at 18:12
  • @EdHeal A disassembler (etc.) tool – deviantfan Jan 18 '15 at 18:12
  • @EdHeal: If you hover the mouse over the tag, it gives you a brief description (in this case, as deviantfan, a disassembler that supposedly creates assembler code that you can modify and compile again, but this depends on many factors) – Mats Petersson Jan 18 '15 at 18:14

2 Answers

2

Yes, it is certainly possible, and probably not too hard.

Suppose the IP address is 10.11.12.13. Search through the binary for 0D 0C 0B 0A and 0A 0B 0C 0D... the IP address might be stored in network byte order (big endian), or in host byte order (little endian), depending on how it was written and how it was optimized. Note that this may be more difficult if you are on another architecture. On some architectures (not x86), if you want to load a 32-bit constant like an IP address, you'll do it by loading two 16-bit constants.

Decompilation might not even be necessary. You just have to make sure that the new IP address is added using the same byte order.

I am assuming here that your IP address isn't stored as a string, which is also possible, in which case the new address would have to be shorter.

(Of course, the lesson here is that you should always use host names instead of hard-coding IP addresses into your code, but you'll do better next time, right? If you use a host name, you can always just change DNS records when your server moves, or modify /etc/hosts (C:\Windows\System32\Drivers\etc\hosts on Windows).)

Dietrich Epp
  • FYI, there is no guarantee that the data belongs to an IP address. It could belong to one or more instructions or other data. This is what makes decompiling difficult. – Thomas Matthews Jan 18 '15 at 18:22
  • Of course, even if you use a hostname, if you decide to change the hostname, it only really makes for a slightly easier search, nothing other than that. And there is of course no guarantee that the compiler hasn't inlined the address in multiple places – Mats Petersson Jan 18 '15 at 18:22
  • @MatsPetersson: That's incorrect... if you use a hostname, you can always change the DNS records or modify `/etc/hosts` / `C:\Windows\System32\Drivers\etc\hosts` – Dietrich Epp Jan 18 '15 at 18:24
  • Well, assuming you a) have write access there (or can get), and b) you always use the same machine. – Mats Petersson Jan 18 '15 at 18:26
  • You still have far more options when using host names, even if they are hard coded, compared to hard coded IP addresses. – Dietrich Epp Jan 18 '15 at 18:27
  • Thanks for your reply. I tried this method but I could not find it. I'll just rewrite the programming code; it seems more than it's worth to change the IP. The IP seems to be unfindable. Thanks for your help. – Callum Jan 20 '15 at 20:48
1

If the address is in fact stored in an array of 4 bytes (regardless of how it's declared), then it's quite possible to change it in the executable image.

Finding it, with confidence, is another story. Depending on how the code was written, the bytes may be in ascending or descending order of precedence. Let's say the address is 12.34.56.78 - if you perform a binary search on the executable for those four bytes in either order and find exactly one instance, it's pretty likely that's them, and depending on how brave you are, you can just change them and see if it works.

If you find more than one instance (in either order), things get significantly trickier.

If you have a recollection of what the code looked like where the address was stored and used it'll make it much easier to find. In particular, if the address was actually stored in a data segment, especially if referenced from another module, that narrows down where you need to search.

Because IPv4 addresses fit comfortably in 32-bit integers, it's entirely possible to use them in a manner where they'll only appear in actual machine instructions, which takes you into the code segment, a much more dangerous place to be playing around.

I'd only do this for a one-off check - without the source code, the software is un-maintainable, so for anything beyond the most minimal usage, I'd say you really need to rewrite it ... and keep the source!

TedB
  • I tried this for a few days and could not find it. I'm going to rewrite the code because maintenance would be needed. So I'll be rewriting the source code. – Callum Jan 20 '15 at 20:49
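
The search both answers describe, as an added example that is not part of the original posts: it looks for the address as four raw bytes in either byte order and as an ASCII or UTF-16 string, and patches only when there is exactly one candidate, keeping the original encoding and length. The function names and the `SAMPLE` image are constructed for illustration, and NUL-padding a shorter string assumes the program reads it as a NUL-terminated string.

```python
import ipaddress

# Constructed sample image (not a real executable): filler bytes around
# 10.11.12.13 stored as a little-endian 32-bit constant.
SAMPLE = b"\xcc" * 16 + bytes([13, 12, 11, 10]) + b"\xcc" * 8

def encodings(ip):
    """Byte patterns a hard-coded IPv4 address can take inside a binary."""
    packed = ipaddress.IPv4Address(ip).packed   # network byte order
    return {
        "network-order": packed,
        "host-order-le": packed[::-1],          # little-endian constant
        "ascii": ip.encode("ascii"),
        "utf16le": ip.encode("utf-16-le"),      # wide string
    }

def find_all(image, needle):
    """Every offset at which needle occurs in image."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits

def locate(image, ip):
    """Map encoding name -> offsets; encodings without a hit are omitted."""
    found, seen = {}, set()
    for name, pat in encodings(ip).items():
        offs = [] if pat in seen else find_all(image, pat)
        seen.add(pat)                           # e.g. 10.0.0.10 is a palindrome
        if offs:
            found[name] = offs
    return found

def patch(image, old_ip, new_ip):
    """Rewrite old_ip only if it occurs exactly once, in the same encoding."""
    found = locate(image, old_ip)
    total = sum(len(offs) for offs in found.values())
    if total != 1:
        raise ValueError(f"{total} candidate locations, refusing to guess")
    [(name, [off])] = found.items()
    old, new = encodings(old_ip)[name], encodings(new_ip)[name]
    if len(new) > len(old):
        raise ValueError("new string form is longer than the original")
    # Assumption: a shorter string is read as NUL-terminated, so pad with NULs
    # to keep the file size and every later offset unchanged.
    out = bytearray(image)
    out[off:off + len(old)] = new.ljust(len(old), b"\x00")
    return bytes(out)
```

Run `locate` first and inspect each offset in a disassembler before calling `patch`: a four-byte match can still be part of an instruction or unrelated data.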