Reverse Engineering with OllySocketTrace

Today I would like to share with you a really great plugin for OllyDbg (a 32-bit assembler-level analysing debugger for Windows).

The plugin is OllySocketTrace from Harmony Security. Its job is to trace the socket operations performed by a process: it records every buffer sent and received, together with the parameters and return value of each socket call, and the trace is highlighted with a unique color for each socket being traced.

Here is a screen shot of the plugin in action:

I find this tool, together with Wireshark, very handy when I’m analyzing and reverse engineering unknown protocols. Allow me to show you how I use it. In our work here at Websense Security Labs, we frequently use IDA Pro. When IDA Pro runs, it sends packets over the LAN. We can use OllySocketTrace to see what IDA Pro sends over the network and why.

Here is a screen capture of the socket events that IDA Pro generates.

We can see that IDA Pro uses the UDP protocol to send packets. We can also see, in a very clear presentation, how many packets are sent and where they go.
But this wonderful plugin doesn't stop there: it also includes a Hint section that helps us understand even more about what is going on.

For example, we can see that IDA Pro broadcasts a UDP packet over the LAN to port 23945 and then waits for an answer.

The reason it waits is that it is checking whether another IDA Pro session is already running on the LAN and whether that session holds a valid licence.
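The broadcast-then-wait pattern described above, reproduced as an added example (not code from the post, and not IDA Pro's real protocol): one side plays the "other session" and answers probes, the other sends a single UDP datagram and either receives a reply or times out. The probe and reply bytes are assumptions chosen for the demo; the post only reveals the transport (UDP) and the port (23945). The demo runs on loopback so it works offline; pointing `dest` at a broadcast address (for example `255.255.255.255`) enables `SO_BROADCAST` and sends the probe the way the trace shows IDA Pro doing it.

```python
import socket
import threading

# Port observed in the OllySocketTrace capture of IDA Pro.
IDA_LICENSE_PORT = 23945

# Assumed payloads for this demo only; the post does not show what IDA Pro actually sends.
PROBE = b"IS-ANOTHER-SESSION-RUNNING?"
REPLY = b"YES-SESSION-RUNNING"


def start_responder(host="127.0.0.1", port=0):
    """Simulate a second session that answers probes.

    Binds a UDP socket (port 0 = let the OS pick a free port) and answers
    every PROBE with REPLY. Returns (socket, bound_port, stop_event).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.settimeout(0.2)  # short timeout so the loop can notice the stop event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(2048)
            except socket.timeout:
                continue
            except OSError:
                break  # socket closed by stop_responder()
            if data == PROBE:
                sock.sendto(REPLY, addr)

    threading.Thread(target=loop, daemon=True).start()
    return sock, sock.getsockname()[1], stop


def stop_responder(sock, stop):
    """Stop the responder thread and release its socket."""
    stop.set()
    sock.close()


def probe_for_peer(dest="127.0.0.1", port=IDA_LICENSE_PORT, timeout=0.5):
    """Send one probe and wait for an answer, like the sendto/recvfrom pair in the trace.

    Returns the responder's (ip, port) if a valid reply arrives, or None on
    timeout, i.e. no other session answered.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if dest == "255.255.255.255" or dest.endswith(".255"):
            # Broadcast destinations require SO_BROADCAST or sendto() fails with EACCES.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(PROBE, (dest, port))
        try:
            data, addr = sock.recvfrom(2048)
        except socket.timeout:
            return None
        return addr if data == REPLY else None
    finally:
        sock.close()


if __name__ == "__main__":
    # No responder: the probe times out, just as a lone IDA Pro session would see.
    print("lonely:", probe_for_peer(port=IDA_LICENSE_PORT, timeout=0.3))
    # With a responder on loopback the same probe gets an answer.
    rsock, rport, rstop = start_responder()
    try:
        print("peer found:", probe_for_peer(port=rport))
    finally:
        stop_responder(rsock, rstop)
```

Watching this script under OllySocketTrace gives the same picture the post shows for IDA Pro: one `sendto` to port 23945 followed by a `recvfrom` that either returns data or fails with a timeout, which is the hint that the program is waiting for a peer rather than simply announcing itself.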

Game over!

Security Researcher: Moti Joseph