- Joined
- Sep 12, 2004
- Messages
- 134
- Reaction score
- 14
Well anyone can use a no-ip with 16 letters or less in the mx main, btw i wanna change this and i will
If u wanna learn something read this part, else read the end
Open the foxanti.dll in the ollydbg
Right click -> Search for -> All referenced text strings
So now u will see something like this:
Well see this two lines ?
Put the focus in the first and press enter
If u pay attention this part will read the ip from registry
More down u can see this:
Here !!! The dll will write in the memory the ip readed in the memory, because this edit the ip in main don't works
So, if we wanna write more of 16 letters we need change this three lines:
Well i don't know what is the max u can put there... btw lets say 26 letters
So the 10 need be 1A
Now lets go make it permanent!?
Open your program of hex, look in up, there is three virtual address so we need find he in the dll in this case is very easy look for the code, 6A10, find he in your hex program and change to 6A1A (why 1A ? 26 letters dude! pay attention)
Now save it and enjoy u can put a big no-ip in the registry
Lazy people:
Here is the three offsets, change to 6AXX, where XX is the number u want of letters
0000131E
0000132A
00001341
FoxAnti..dll - 32,0 KB (32.768 bytes)
Or try find 6A10
[]'s i am waiting suggestions
If u wanna learn something read this part, else read the end
Open the foxanti.dll in the ollydbg
Right click -> Search for -> All referenced text strings
So now u will see something like this:
Code:
Text strings referenced in FoxAnti:.text
Address Disassembly Text string
100012CA PUSH FoxAnti.1000603C ASCII "SOFTWARE\Webzen\Mu\Config"
100012EF PUSH FoxAnti.10006030 ASCII "ConnectIp"
100015BD PUSH FoxAnti.10006AA8 ASCII "TfrmMain"
100015F8 PUSH FoxAnti.10006AA8 ASCII "TfrmMain"
100016B3 MOV EDI,FoxAnti.10006058 ASCII "#32770"
10001714 ASCII "
05h",0
10001852 PUSH EBP (Initial CPU selection)
100023E8 PUSH FoxAnti.100053C8 ASCII "<program name unknown>"
1000242A PUSH FoxAnti.100053C4 ASCII "..."
1000243E PUSH FoxAnti.100053A8 ASCII "Runtime Error!
Program: "
1000245C PUSH FoxAnti.100053A4 ASCII "
"
10002484 PUSH FoxAnti.1000537C ASCII "Microsoft Visual C++ Runtime Library"
10003762 PUSH FoxAnti.10005410 ASCII "user32.dll"
10003779 PUSH FoxAnti.10005404 ASCII "MessageBoxA"
1000378A PUSH FoxAnti.100053F4 ASCII "GetActiveWindow"
10003792 PUSH FoxAnti.100053E0 ASCII "GetLastActivePopup"
Well see this two lines ?
Code:
ASCII "SOFTWARE\Webzen\Mu\Config"
ASCII "ConnectIp"
Put the focus in the first and press enter
If u pay attention this part will read the ip from registry
Code:
100012B8 |. 50 PUSH EAX ; /pDisposition
100012B9 |. 51 PUSH ECX ; |pHandle
100012BA |. 6A 00 PUSH 0 ; |pSecurity = NULL
100012BC |. 68 1F000200 PUSH 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
100012C1 |. 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
100012C3 |. 68 A87D0010 PUSH FoxAnti.10007DA8 ; |Class = ""
100012C8 |. 6A 00 PUSH 0 ; |Reserved = 0
100012CA |. 68 3C600010 PUSH FoxAnti.1000603C ; |Subkey = "SOFTWARE\Webzen\Mu\Config"
100012CF |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
100012D4 |. C745 EC 500000>MOV DWORD PTR SS:[EBP-14],50 ; |
100012DB |. FF15 08500010 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
100012E1 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
100012E4 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
100012E7 |. 52 PUSH EDX ; /pBufSize
100012E8 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; |
100012EB |. 57 PUSH EDI ; |Buffer
100012EC |. 50 PUSH EAX ; |pValueType
100012ED |. 6A 00 PUSH 0 ; |Reserved = NULL
100012EF |. 68 30600010 PUSH FoxAnti.10006030 ; |ValueName = "ConnectIp"
100012F4 |. 51 PUSH ECX ; |hKey
100012F5 |. FF15 00500010 CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
100012FB |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
100012FE |. 52 PUSH EDX ; /hKey
100012FF |. FF15 04500010 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
More down u can see this:
Code:
10001315 |. 8B1D 3C500010 MOV EBX,DWORD PTR DS:[<&KERNEL32.Virtual>; kernel32.VirtualProtectEx
1000131B |. 50 PUSH EAX ; /pOldProtect
1000131C |. 6A 04 PUSH 4 ; |NewProtect = PAGE_READWRITE
1000131E |. 6A 10 PUSH 10 ; |Size = 10 (16.)
10001320 |. 68 D4156900 PUSH 6915D4 ; |Address = 006915D4
10001325 |. 56 PUSH ESI ; |hProcess
10001326 |. FFD3 CALL EBX ; \VirtualProtectEx
10001328 |. 6A 00 PUSH 0 ; /pBytesWritten = NULL
1000132A |. 6A 10 PUSH 10 ; |BytesToWrite = 10 (16.)
1000132C |. 57 PUSH EDI ; |Buffer
1000132D |. 68 D4156900 PUSH 6915D4 ; |Address = 6915D4
10001332 |. 56 PUSH ESI ; |hProcess
10001333 |. FF15 40500010 CALL DWORD PTR DS:[<&KERNEL32.WriteProce>; \WriteProcessMemory
10001339 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
1000133C |. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
1000133F |. 51 PUSH ECX ; /pOldProtect
10001340 |. 52 PUSH EDX ; |NewProtect
10001341 |. 6A 10 PUSH 10 ; |Size = 10 (16.)
10001343 |. 68 D4156900 PUSH 6915D4 ; |Address = 006915D4
10001348 |. 56 PUSH ESI ; |hProcess
10001349 |. FFD3 CALL EBX ; \VirtualProtectEx
Here !!! The dll will write in the memory the ip readed in the memory, because this edit the ip in main don't works
So, if we wanna write more of 16 letters we need change this three lines:
Code:
1000131E |. 6A 10 PUSH 10 ; |Size = 10 (16.)
1000132A |. 6A 10 PUSH 10 ; |BytesToWrite = 10 (16.)
10001341 |. 6A 10 PUSH 10 ; |Size = 10 (16.)
Well i don't know what is the max u can put there... btw lets say 26 letters
So the 10 need be 1A
Now lets go make it permanent!?
Open your program of hex, look in up, there is three virtual address so we need find he in the dll in this case is very easy look for the code, 6A10, find he in your hex program and change to 6A1A (why 1A ? 26 letters dude! pay attention)
Now save it and enjoy u can put a big no-ip in the registry
Lazy people:
Here is the three offsets, change to 6AXX, where XX is the number u want of letters
0000131E
0000132A
00001341
FoxAnti..dll - 32,0 KB (32.768 bytes)
Or try find 6A10
[]'s i am waiting suggestions
Last edited: