Attach OllyDbg to your target process, set a breakpoint at the instruction where you effectively get return address control (like the RET after a stack overflow), then run the program. The reason for this is that OllyUni also looks in non-code sections for suitable byte sequences, and those could be loaded after program start or created dynamically.
In general, the global options are accessible via "Plugins->OllyUni". Here you can set the UNICODE page for the character translation, the recursion depth for UNICODE, the verbosity (you shouldn't touch this unless you are FX) and the forbidden characters that you can't use in your exploit.
All messages will be written to the OllyDbg log window (ALT-L). When performing searches, make sure your log window is visible BEFORE you run the action.
Features:
- Finding UNICODE addressable return addresses for CALL/JMP <reg>
- Finding ASCII addressable return addresses for CALL/JMP <reg>, specific to the register you are looking for
- Finding ASCII addressable return addresses for stack adjustments (POP, ADD ESP) followed by RET
- Setting filters on what characters you can use in the overflow, for all functions
- Saving your results
- Comparing results with previously saved ones and saving the diff
Finding Addresses: Right-click in the code window (ALT-C). In the context menu you will find the entry "Overflow Return Address >", under which you have the three different types of tasks. Once you have performed a search, you also get "Load address data from file and compare" as well as "Save address data to file" here. If you have already compared data, you get "Save compare matches to file".
Comparing addresses: The "compare" functionality is for finding so-called universal offsets that work across different languages and service packs. Be careful: the plugin allows you to compare apples and grapes (JMP EDI vs. CALL EAX). The data files are ASCII, with the 4-byte addresses one per line.
Credit: The information has been provided by FX of Phenoelit. The tool can be downloaded from: http://www.phenoelit.de/fr/tools.html
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is shareware, but you can download and use it for free:
http://home.t-online.de/home/Ollydbg/download.htm
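As an added example (this is not OllyUni's code, nor OllyDbg's or FX's), the C program below does on a constructed byte image what the plugin's three search tasks and its compare function do: it walks the bytes one at a time, records every CALL/JMP <reg> and every POP r32 or ADD ESP,imm followed by RET, flags each address as ASCII- or UNICODE-addressable against a forbidden byte set, and intersects two result sets to find universal offsets while refusing to match different kinds or registers (the apples-and-grapes trap the post warns about). The image bytes, the load address 0x00410000, the "SP1"/"SP2" variants and the forbidden set {NUL, LF, CR} are all made up for the demo, and the UNICODE check assumes an identity code page; the plugin's code-page translation and recursion depth are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

enum kind { K_CALL_REG, K_JMP_REG, K_POP_RET, K_ADDESP_RET };
struct hit {
    uint32_t addr;
    enum kind kind;
    int reg;                  /* 0..7 = eax,ecx,edx,ebx,esp,ebp,esi,edi; -1 for ADD ESP,imm */
    int ascii_ok, unicode_ok; /* address writable by an ASCII / by a UNICODE-widened overflow */
};

#define IMAGE_BASE 0x00410000u /* hypothetical base; the 0041 high word gives UNICODE-shaped addresses */
/* Constructed "SP1" image: +2 jmp eax, +5 call edi, +7 pop edi;ret, +9 add esp,10;ret,
 * +13 jmp esp, +15 add esp,100;ret, +22 pop eax with no ret after it, +24 call eax. */
static const uint8_t image_sp1[] = {
    0x90,0x90, 0xFF,0xE0, 0x41, 0xFF,0xD7, 0x5F,0xC3, 0x83,0xC4,0x10,0xC3,
    0xFF,0xE4, 0x81,0xC4,0x00,0x01,0x00,0x00,0xC3, 0x58,0x90, 0xFF,0xD0 };
static const uint8_t image_sp2[] = { /* constructed "SP2": +5 is now call esi, the jmp esp is gone */
    0x90,0x90, 0xFF,0xE0, 0x41, 0xFF,0xD6, 0x5F,0xC3, 0x83,0xC4,0x10,0xC3,
    0x90,0x90, 0x81,0xC4,0x00,0x01,0x00,0x00,0xC3, 0x58,0x90, 0xFF,0xD0 };
static const uint8_t default_forbidden[] = { 0x00, 0x0A, 0x0D }; /* NUL, LF, CR */

static int is_forbidden(uint8_t b, const uint8_t *forb, size_t nforb)
{
    for (size_t i = 0; i < nforb; i++) if (forb[i] == b) return 1;
    return 0;
}

/* ASCII: no address byte is forbidden.  UNICODE: an ANSI->UTF-16LE widened payload turns each
 * byte XX into XX 00, so only addresses of the form 00XX00YY are reachable (identity code page). */
static void classify(struct hit *h, const uint8_t *forb, size_t nforb)
{
    uint8_t b[4];
    for (int i = 0; i < 4; i++) b[i] = (uint8_t)(h->addr >> (8 * i));
    h->ascii_ok = !is_forbidden(b[0], forb, nforb) && !is_forbidden(b[1], forb, nforb) &&
                  !is_forbidden(b[2], forb, nforb) && !is_forbidden(b[3], forb, nforb);
    h->unicode_ok = b[1] == 0 && b[3] == 0 &&
                    !is_forbidden(b[0], forb, nforb) && !is_forbidden(b[2], forb, nforb);
}

/* Sequences the plugin searches for.  want_reg limits CALL/JMP <reg> to one register (-1 = any). */
static int match_at(const uint8_t *p, size_t left, int want_reg, enum kind *k, int *reg)
{
    if (left >= 2 && p[0] == 0xFF && ((p[1] & 0xF8) == 0xD0 || (p[1] & 0xF8) == 0xE0)) {
        *k = (p[1] & 0xF8) == 0xD0 ? K_CALL_REG : K_JMP_REG; /* FF D0+r CALL r32, FF E0+r JMP r32 */
        *reg = p[1] & 7;
        return want_reg < 0 || *reg == want_reg;
    }
    if (left >= 2 && (p[0] & 0xF8) == 0x58 && p[1] == 0xC3) {        /* 58+r POP r32 ; C3 RET */
        *k = K_POP_RET; *reg = p[0] & 7; return 1;
    }
    if (left >= 4 && p[0] == 0x83 && p[1] == 0xC4 && p[3] == 0xC3) { /* ADD ESP,imm8 ; RET */
        *k = K_ADDESP_RET; *reg = -1; return 1;
    }
    if (left >= 7 && p[0] == 0x81 && p[1] == 0xC4 && p[6] == 0xC3) { /* ADD ESP,imm32 ; RET */
        *k = K_ADDESP_RET; *reg = -1; return 1;
    }
    return 0;
}

/* Step one byte at a time: hits need not be instruction-aligned, and data sections have no alignment. */
static size_t scan_image(const uint8_t *img, size_t len, uint32_t base, int want_reg,
                         const uint8_t *forb, size_t nforb, struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        if (!match_at(img + i, len - i, want_reg, &out[n].kind, &out[n].reg)) continue;
        out[n].addr = base + (uint32_t)i;
        classify(&out[n++], forb, nforb);
    }
    return n;
}

/* Universal offsets: same address in both sets, and the same kind and register (no JMP EDI vs CALL EAX). */
static size_t common_hits(const struct hit *a, size_t na, const struct hit *b, size_t nb,
                          struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < na; i++)
        for (size_t j = 0; j < nb && n < max; j++)
            if (a[i].addr == b[j].addr && a[i].kind == b[j].kind && a[i].reg == b[j].reg)
                out[n++] = a[i];
    return n;
}

static void print_hits(const char *title, const struct hit *h, size_t n)
{
    static const char *regs[] = { "eax","ecx","edx","ebx","esp","ebp","esi","edi" };
    static const char *kinds[] = { "CALL", "JMP", "POP;RET", "ADD ESP;RET" };
    printf("%s\n", title);
    for (size_t i = 0; i < n; i++)
        printf("  %08X  %-12s %-3s  ascii=%d unicode=%d\n", (unsigned)h[i].addr, kinds[h[i].kind],
               h[i].reg >= 0 ? regs[h[i].reg] : "-", h[i].ascii_ok, h[i].unicode_ok);
}

int main(void)
{
    struct hit a[16], b[16], u[16];
    size_t na = scan_image(image_sp1, sizeof image_sp1, IMAGE_BASE, -1, default_forbidden, 3, a, 16);
    size_t nb = scan_image(image_sp2, sizeof image_sp2, IMAGE_BASE, -1, default_forbidden, 3, b, 16);
    size_t nu = common_hits(a, na, b, nb, u, 16);
    print_hits("SP1 image", a, na);
    print_hits("Universal offsets (same address, kind and register)", u, nu);
    return 0;
}
```

Build with `cc -std=c99 -Wall ollyuni_demo.c` (file name assumed) and run it. Because every address in the constructed image has a zero byte in it, nothing is ASCII-addressable there, which is exactly why OllyUni has a separate UNICODE mode; the `jmp esp` at 0x0041000D drops out of the UNICODE list because its low byte is CR, a member of the forbidden set, and the `call edi`/`call esi` pair at 0x00410005 is excluded from the universal list even though the address matches.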
Kynroxes
Apr 29 2004, 04:54 AM
great tool, thanks!
COM
May 2 2004, 02:49 PM
thanks for the plug relic
JDog45
May 5 2004, 04:52 AM
Thanks for the nice plug-in
SyN/AcK
May 6 2004, 01:44 AM
This looks really nice, and I love ollydbg, although my cracking days are over. Has anyone played with this yet?