https://blog.xpdbk.com/en/categories/windows-computer-software/Recent content in Windows computer software on LEl_FENG BlogHugo -- gohugo.ioenLEl_FENG CopyrightSun, 01 Oct 2023 15:08:31 +0700https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/Sun, 01 Oct 2023 15:08:31 +0700https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/<img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/2.webp" alt="Featured image of post X64DBG Modify String" /><blockquote> <p><strong>TL;DR / [Geek Summary]:</strong></p> <ul> <li>Reverse Engineering 101: Use x64dbg to intercept and modify static strings within a binary without source code access.</li> <li>Patching Pipeline: A complete walkthrough from global module string searching and hex editing to exporting permanent binary patches.</li> <li>Practical Customization: Demonstrated on a Minecraft GC sample to show how low-level binary manipulation can rebrand or tweak software UIs.</li> </ul> </blockquote> <h2 id="preface"> <a href="#preface" class="heading-anchor" aria-label="Anchor for Preface">#</a> Preface </h2> <p>I was using x64dbg to study a program and suddenly thought of what would happen if I changed the string. This program is a Minecraft GC that I found on the Internet and put it in the following link for use</p> <blockquote> <p><a class="link" href="https://pvphack.lanzoue.com/imViN1ad7o6h" target="_blank" rel="noopener" >Lanzoue Cloud</a> <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> Access password: <code>gy99</code></p> <p>Compression password: <code>GgGg313df</code></p> </blockquote> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/1.webp" width="798" height="458" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/1_hua6c0fd07871ca857cbabe0d0162125cf_12084_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/1_hua6c0fd07871ca857cbabe0d0162125cf_12084_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Where the string needs to be changed" class="gallery-image" data-flex-grow="174" data-flex-basis="418px" ></p> <h2 id="start"> <a href="#start" class="heading-anchor" aria-label="Anchor for Start">#</a> Start </h2> <p>Open our <code>x64dbg</code> This software is a reverse software that can be downloaded on github. After opening the software and opening our sample program</p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/2.webp" width="1365" height="767" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/2_hu5ccc287b1a7bfaf0d10fdba009885d63_194468_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/2_hu5ccc287b1a7bfaf0d10fdba009885d63_194468_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Software interface" class="gallery-image" data-flex-grow="177" data-flex-basis="427px" ></p> <p>Then right click and there will be a tab</p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/3.webp" width="427" height="674" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/3_hu741313233f38f6328d341c7048a94fa1_31020_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/3_hu741313233f38f6328d341c7048a94fa1_31020_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Tab" class="gallery-image" data-flex-grow="63" data-flex-basis="152px" ></p> <p>Then we scan <code>Search</code> and then scan <code>All modules</code> and then click <code>String</code></p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/4.webp" width="1365" height="767" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/4_hu1392d007dc134cb2c97f5093bfeb20f8_183850_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/4_hu1392d007dc134cb2c97f5093bfeb20f8_183850_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Analyzing" class="gallery-image" data-flex-grow="177" data-flex-basis="427px" ></p> <p>After the analysis, we directly enter the characters and click the unique string</p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/5.webp" width="1365" height="767" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/5_hua2e6840d12aaa01d55ce44651258fa6a_47386_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/5_hua2e6840d12aaa01d55ce44651258fa6a_47386_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Enter the required string" class="gallery-image" data-flex-grow="177" data-flex-basis="427px" ></p> <p>Then modify the string according to hexadecimal</p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/6.webp" width="1366" height="767" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/6_hu6a02421dd26f187604903f65d67cd88a_236866_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/6_hu6a02421dd26f187604903f65d67cd88a_236866_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Modify string" class="gallery-image" data-flex-grow="178" data-flex-basis="427px" ></p> <p>After the modification, right-click the file in the upper left corner and click Patch</p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/7.webp" width="287" height="250" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/7_hu9e0344a243cff79ed534d340ba4b5157_11406_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/7_hu9e0344a243cff79ed534d340ba4b5157_11406_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Find patch in the file" class="gallery-image" data-flex-grow="114" data-flex-basis="275px" ></p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/8.webp" width="509" height="477" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/8_hu2bd05ad13e442ba3bdd179fad07a2bc3_9112_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/8_hu2bd05ad13e442ba3bdd179fad07a2bc3_9112_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Patch" class="gallery-image" data-flex-grow="106" data-flex-basis="256px" ></p> <p>After applying the patch, the file modification is complete</p> <p><img src="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/9.webp" width="232" height="34" srcset="https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/9_hue9a17fd2d3e711825191710f657e3218_1466_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/x64dbg%E6%94%B9%E5%AD%97%E7%AC%A6%E4%B8%B2/9_hue9a17fd2d3e711825191710f657e3218_1466_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Result" class="gallery-image" data-flex-grow="682" data-flex-basis="1637px" ></p>