Hi! I’m a newbie, I just bought 010 Editor a few days ago, and I’m trying to understand reverse engineering of EXE files.
I wrote 2 small scripts for learning, idk, maybe someone will find them useful.
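// Scans the current file for ASCII hex text that looks like a TCP header
// followed by an 8-character hex-encoded IPv4 address, and prints each hit.
//
// Layout assumed at each candidate offset:
//   [pos,      pos + 20)  header text, checked by IsTCPHeader()
//   [pos + 20, pos + 28)  eight hex digits, decoded by ConvertHexToIP()
//
// NOTE(review): this is a loose heuristic. A TCP header carries ports, not IP
// addresses (those live in the IP header), and the bytes are interpreted as
// hex *text*, not as raw binary. Treat every hit as a lead to verify by hand,
// not as a confirmed network indicator.
// NOTE(review): pos and fileSize are declared long; confirm that type is wide
// enough for the largest file you intend to scan.
void FindHexIPAddressesInExe() {
    const int HEADER_LENGTH = 20;
    const int IP_LENGTH = 8;
    string headerString;
    string hexIpString;
    string ipAddress;
    long fileSize = FileSize();
    long pos;

    // Each iteration reads HEADER_LENGTH + IP_LENGTH bytes starting at pos, so
    // the last valid start is fileSize - 28. Bounding the loop by IP_LENGTH
    // alone would let the final reads run past the end of the file.
    for (pos = 0; pos <= fileSize - (HEADER_LENGTH + IP_LENGTH); pos += 1) {
        headerString = ReadString(pos, HEADER_LENGTH);

        // ReadString stops at the first NUL byte. A short result means the
        // candidate header is not 20 text characters long, so the offsets
        // used further down would not line up - skip it.
        if (Strlen(headerString) == HEADER_LENGTH) {
            if (IsTCPHeader(headerString)) {
                hexIpString = ReadString(pos + HEADER_LENGTH, IP_LENGTH);
                // Only strings made of exactly eight hex digits reach Printf.
                if (IsValidHexIPAddress(hexIpString)) {
                    ipAddress = ConvertHexToIP(hexIpString);
                    Printf("IP ADDRESS FOUND: %s - %s\n", hexIpString,ipAddress);
                }
            }
        }
    }
}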
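// Returns 1 when tcpHeader (hex text) passes a minimal TCP-header
// plausibility check, otherwise 0.
//
// tcpHeader: candidate header as ASCII hex characters; at least the first
//            14 characters are inspected.
//
// NOTE(review): offset 12 is where the data-offset field sits in a *binary*
// TCP header. In a hex-text rendering that byte would be characters 24-25.
// The offset is left unchanged here because the caller supplies only 20
// characters; confirm which layout is actually intended.
int IsTCPHeader(string tcpHeader) {
    // Characters 0..13 are read below. Reject input that is too short for
    // that, so SubStr is never asked for a range outside the string.
    if (Strlen(tcpHeader) < 14) {
        return 0;
    }

    // HexToInt silently skips non-hex characters, so without this check
    // arbitrary bytes would be decoded as if they were a header.
    if (RegExMatch(SubStr(tcpHeader, 0, 14), "^[0-9A-Fa-f]{14}$") <= 0) {
        return 0;
    }

    // Source port (chars 0-3) and destination port (chars 4-7) need no range
    // check: any four hex digits decode to a value in 0..65535.

    // High nibble of the byte at chars 12-13 is taken as the data offset
    // (header length in 32-bit words); a TCP header is 5..15 words long.
    int dataOffset = HexToInt(SubStr(tcpHeader, 12, 2)) >> 4;
    return (dataOffset >= 5 && dataOffset <= 15);
}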
// Returns 1 when hexIp is exactly eight hexadecimal digits (one IPv4 address
// written as hex text), otherwise 0.
int IsValidHexIPAddress(string hexIp) {
    // Cheap length test first; the regex below is only reached for
    // strings of the right size.
    if (Strlen(hexIp) != 8) {
        return 0;
    }
    if (RegExMatch(hexIp, "^[0-9A-Fa-f]{8}$")) {
        return 1;
    }
    return 0;
}
// Converts eight hex digits into dotted-decimal notation, taking the digit
// pairs in the order they appear (first pair becomes the first octet).
//
// hexIp: eight hex characters; callers are expected to have validated it
//        with IsValidHexIPAddress() first.
// Returns the address formatted as "a.b.c.d".
string ConvertHexToIP(string hexIp) {
    int octets[4];
    int idx;
    string dotted;

    // Each octet is two hex characters wide.
    for (idx = 0; idx < 4; idx++) {
        octets[idx] = HexToInt(SubStr(hexIp, idx * 2, 2));
    }

    SPrintf( dotted, "%d.%d.%d.%d", octets[0], octets[1], octets[2], octets[3] );
    return dotted;
}
// Decodes a string of hexadecimal digits into an int, most significant
// digit first. Upper- and lower-case digits are both accepted.
//
// Characters that are not hex digits are skipped rather than rejected, so
// callers that need strict input must validate the string themselves.
int HexToInt(string hex) {
    int result = 0;
    int idx = 0;
    int nibble;
    string ch;

    while (idx < Strlen(hex)) {
        ch = SubStr(hex, idx, 1);
        nibble = -1;   // -1 marks "not a hex digit"

        if (ch[0] >= '0' && ch[0] <= '9') {
            nibble = ch[0] - '0';
        } else if (ch[0] >= 'A' && ch[0] <= 'F') {
            nibble = ch[0] - 'A' + 10;
        } else if (ch[0] >= 'a' && ch[0] <= 'f') {
            nibble = ch[0] - 'a' + 10;
        }

        // Shift the accumulated value up one hex digit and append this one.
        if (nibble >= 0) {
            result = (result << 4) | nibble;
        }
        idx++;
    }
    return result;
}
// Script entry point: run the hex-text scan.
FindHexIPAddressesInExe();
and the second script:
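// Returns 1 when ip is a dotted-decimal IPv4 address with every octet in
// 0..255, otherwise 0.
//
// The pattern is anchored at both ends, matching the style used by
// IsValidHexIPAddress(). Without the leading '^' a string with junk in front
// of the address could be accepted if RegExMatch does not itself require a
// whole-string match (confirm against the 010 Editor documentation).
//
// Octets with leading zeros such as "01" or "001" are accepted by this
// pattern.
int IsValidIPAddress(string ip) {
    // Only a positive result counts as a match; anything else is "no".
    return RegExMatch(ip, "^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") > 0;
}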
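// Scans the current file for dotted-decimal IPv4 addresses stored as text
// and prints each one together with the file offset where it starts.
//
// At every offset up to IP_LENGTH (15) characters are read and handed to
// IsValidIPAddress(). ReadString stops at the first NUL byte, so an address
// shorter than 15 characters is found when it is NUL-terminated.
// NOTE(review): an address followed directly by other text (for example
// "1.2.3.4:80") is probably not reported, because the 15-character window
// then holds more than the address - verify against your samples.
// NOTE(review): pos is declared long and printed with %08X; confirm that is
// wide enough for the largest file you intend to scan.
void FindIPAddressesInExe() {
    const int IP_LENGTH = 15;      // "255.255.255.255"
    const int MIN_IP_LENGTH = 7;   // "0.0.0.0"
    string ipString;
    long fileSize = FileSize();    // read once; the scan does not modify the file
    long pos = 0;
    long remaining;
    int window;

    // Keep scanning while a shortest-possible address still fits. Stopping
    // at fileSize - IP_LENGTH would skip short addresses that sit in the
    // last 14 bytes of the file.
    while (pos + MIN_IP_LENGTH <= fileSize) {
        // Never ask ReadString for more bytes than the file has left.
        remaining = fileSize - pos;
        window = IP_LENGTH;
        if (remaining < IP_LENGTH) {
            window = remaining;
        }

        ipString = ReadString(pos, window);
        if (IsValidIPAddress(ipString)) {
            Printf("Found IP-Address: %s bei Position: 0x%08X\n", ipString, pos);
            // Jump past the address so its tail is not reported again.
            pos += Strlen(ipString);
        }
        pos++;
    }
}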
// Script entry point: run the dotted-decimal scan.
FindIPAddressesInExe();