OllyEye plug-in

Posted: November 26, 2008 in OllyEye plug-in, Other Tutorials

OllyEye plug-in

Today, I would like to present a new plug-in that I wrote called OllyEye. I wrote the plug-in to speed up the process of hunting vulnerability in applications. Here is a screenshot of the OllyEye plug-in:

How does OllyEye work?

Sometimes we want to find out where in a module the code parsing is done. In the example below, we want to find the code that parses the QuickTime video codecs that are in Windows media player.  We know that the codecs support the raw, rle, jpeg, mjpb, and rpza tags, so all we need to do is to search for those tags in our module–in this case, the “quartz.dll” module.

The OllyEye hunter knows that it should check for the video codec’s tags such as code.equals (“rpza”) and that in assembly it should be done with the CMP command that represents it. For this reason, it searches for the CMP command that matches the ‘rpza’ keyword.  Here we can see the results of the OllyEye when the hunter searches for such patterns:

At the address 0x748FD28B, we see CMP EAX,617A7072. The ASCII translation of 617A7072h is ‘azpr’, which is one of the QuickTime video codec’s supported tags. Now all the hunter has to do is set a breakpoint there, load the movie file, and wait for the breakpoint to be triggered.

A QuickView in IDA shows us that our address, 0x748FD28B, is inside the QTDec::CheckInputType when the QTDec is QT=QuickTime and Dec= Decoder. Based on this information, we know that we reviewed part of QuickView codec’s decoder.

Attached here is the source code of the OleEye plugin. You are welcome to extend it and to shoot us the update.

Game 0ver.

Security Researcher: Moti Joseph

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.