Connector externalIP changer

[someone]

This function gets the IP from memory

00407713 E8 08C1FFFF CALL Connecto.00403820

Inside that function is this:

0040383F 59 POP ECX ; 0065FC94
00403840 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00403843 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00403846 8B00 MOV EAX,DWORD PTR DS:[EAX]

 

And change it to :

0040383F 59 POP ECX
00403840 B8 C42B5F00 MOV EAX,Connecto.005F2BC4 ; ASCII ": 1 : Zone : 14 : 0"
00403845 90 NOP
00403846 90 NOP
00403847 90 NOP

 

Where 005F2BC4 is the address of your string:

 

How do you make a tool for this:

1)Open the connector Process with your tool

2)Find a free slot in the memory to write your address(save the offest call it offset 1)

3) go to the offset 00403840 and start writing

B8 XX XX XX XX 90 90 90

(where XX XX XX XX is the offset of your custom IP, offset 1, written in LittleEndian, remember to reverse bytes, B8 means MOV memory to EAX, 90 means NOP )

 

To save most of your time, A free space for the connector in memory is:

Starting from this address 0061C3E0 and ending at this address 0061DFF0.

 

 

Since I was too lazy to write something so I used the STDOUT, so here is what my client got:

Send: Return Code: 0x00000000
00000000 01 81 00 00 00 00 00 00 00 00 00 41 01 00 00 00 ...........A....
00000010 3A 22 00 00 00 01 00 00 00 01 00 00 00 01 00 00 :"..............
00000020 00 01 00 00 00 01 00 00 00 01 00 00 00 00 01 00 ................
00000030 00 07 CF 3A 20 31 20 3A 20 5A 6F 6E 65 20 3A 20 ...: 1 : Zone :
00000040 31 34 20 3A 20 30 00 00 00 10 0E 29 23 14 : 0.....)#

Took me 5 minutes to find this.