[HELP] Hex edit

Status
Not open for further replies.

Dekryptor

Junior Member
Jul 10, 2014
Okay, here's the deal! First to say that I'm kinda noob in hex editing. I am trying to edit a string which equals an IP. When I open the .exe file and search for the string, it can't find it. I did a little research and noticed that this exe might be extra encrypted, coz the string still exists in the hex code, but every 2 digits of the string are in different locations and I have to change them like (1. search for "6 - change, then search for 9. and change) and so on, 2 by 2, which is kinda impossible coz there are lots of "6 and 9. strings in the exe file. So what should I do now? Help, please!

Here's an image of how my Hex/ASCII looks like.
Untitled.png


Edit:
The program is written in Visual Basic 6 (don't know if that makes any difference)

sm625

Diamond Member
May 6, 2011
It should be stored in the form of a string. So you want to look for the periods, which are hex code 2E. You'll see 3 of them. If you don't see them, then you're basically screwed. I notice your hex viewer is assigning periods to ASCII codes that are not periods. So I would use a different hex editor.

I have a very small executable that has a hard coded IP address, and I was able to find the string and change the IP address very easily.
 

serpretetsky

Senior member
Jan 7, 2012
I'm not familiar with how IP addresses are stored in an exe, but I wanted to give a couple of extra suggestions to the OP.

1) If you're looking for a string, that means each character will have its own byte-code. So for example: "192." would translate to [31 39 32 2E]; the 2E is the period. Your ASCII representation on the right should show the digits correctly.

2) If the IP address is not stored as a string, then you are probably going to be looking for raw hex that directly matches each quartet of the IP. In that case "192" would translate into [C0]. In this case you would probably ignore looking for periods.

3) Depending on if the data is stored little endian or big endian the data might be reversed every 4 or 8 bytes.

4) If you can't find the IP address in consecutive bytes (whether it's reversed or not), then I would not assume the IP address is scattered throughout the exe in some strange manner. You could be changing hex code that has nothing to do with the IP address. If it's encrypted, like you say, then you basically have no chance of finding or changing it.
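
The encodings listed in the replies above can be checked in one pass. The following is an added example, not code posted by anyone in the thread: it searches a byte buffer for an IPv4 address as an ASCII string, as raw bytes in both byte orders, and also as UTF-16LE (an encoding the thread does not mention, in which every character is followed by a 00 byte, and which Windows programs commonly use for strings). The names `ip_encodings`, `find_ip` and `SAMPLE` are made up for this illustration, and the sample buffer is constructed.

```python
import socket


def ip_encodings(ip):
    """Return {label: bytes} for the ways a dotted IPv4 address may sit in a file."""
    raw = socket.inet_aton(ip)  # 4 raw bytes, most significant octet first
    return {
        "ascii string": ip.encode("ascii"),          # "192." -> 31 39 32 2E
        "utf-16le string": ip.encode("utf-16-le"),   # "1" -> 31 00, "." -> 2E 00
        "raw bytes, big-endian": raw,                # 192 -> C0, no periods
        "raw bytes, little-endian": raw[::-1],       # same 4 bytes, reversed
    }


def find_ip(data, ip):
    """Return a sorted list of (offset, label) for every encoding of ip found in data."""
    hits = []
    for label, pattern in ip_encodings(ip).items():
        start = data.find(pattern)
        while start != -1:
            hits.append((start, label))
            start = data.find(pattern, start + 1)
    return sorted(hits)


# Constructed sample buffer (not a real executable): the same address stored
# four different ways, separated by filler bytes.
SAMPLE = (
    b"MZ\x90\x00"
    + b"host=192.168.1.10\x00"
    + b"\xff\xff"
    + "192.168.1.10".encode("utf-16-le")
    + b"\x00\x00"
    + b"\xc0\xa8\x01\x0a"
    + b"\x90\x90"
    + b"\x0a\x01\xa8\xc0"
)

if __name__ == "__main__":
    # For a file on disk, read it with open(path, "rb").read() instead of SAMPLE.
    for offset, label in find_ip(SAMPLE, "192.168.1.10"):
        print(f"0x{offset:04x}  {label}")
```

A 4-byte raw pattern can match unrelated data by chance in a large file, so a raw-byte hit needs to be confirmed from the surrounding bytes before it is treated as the address.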
 