OllyUni Plugin for OllyDbg
==========================
[Phenoelit's return address finder for ASCII and UNICODE overflows]

Date:   07.12.2003
Author: FX of Phenoelit <fx@phenoelit.de>


Pheatures
---------
- Finding UNICODE addressable return addresses for CALL/JMP <reg>
- Finding ASCII addressable return addresses for CALL/JMP <reg>, specific to
  the register you are looking for
- Finding ASCII addressable return addresses for stack adjustments (POP, ADD
  ESP) followed by RET
- Setting filters on what characters you can use in the overflow for all
  functions
- Saving your results
- Comparing results with previously saved ones and saving the diff

Works on
--------
- Windows NT(untested)/2000(tested)/XP(untested)
- Windows 98: appears to work, but nukes the system

Installation
------------
Copy OllyUni.dll into OllyDbg's directory. If your ollydbg.ini contains an
entry named "Plugin Path=", make sure it points to the directory you just
dropped OllyUni.dll into.

Usage
-----
The plugin is written for OllyDbg, the debugger I use. Attach Olly to your
target process, set a breakpoint at the instruction where you effectively gain
control of the return address (such as the RET after a stack overflow), then
run the program up to that point. The reason for this is that OllyUni also
scans non-code sections for suitable byte sequences, and those may be loaded
after program start or created dynamically.

The global options are accessible via "Plugins->OllyUni". Here you can set the
UNICODE code page used for character translation, the recursion depth for
UNICODE, the verbosity (you shouldn't touch this, unless you are FX) and the
forbidden characters that you can't use in your exploit.

All messages are written to the Olly log window (ALT-L). When performing
searches, make sure your log window is visible BEFORE you run the action.

General operation
-----------------
The following rules apply to the whole plugin functionality:
- All operations are extremely CPU intensive. Don't use anything <1GHz.
- Keep the log window visible at all times while using the plugin.
- The results of your last operation are always stored in the address data
  list (which you can save to a file). Previous results are DELETED when you
  perform a new search.
- When you compare address data, the intersection of the two groups of data is
  stored in its own list and can be saved as well.
- The filtered character list is applied automagically to all search
  procedures but NOT to the compare, since it is assumed that only valid
  results are written to files.

Finding Addresses
-----------------
Right-click in the code window (ALT-C). The context menu contains the entry
"Overflow Return Address >", under which you find the three different types of
search. Once you have performed a search, this menu also offers "Load address
data from file and compare" and "Save address data to file". Once you have
compared data, you also get "Save compare matches to file".

Comparing addresses
-------------------
The "compare" functionality is for finding so-called universal offsets that
work across different languages and service packs. Be careful: the plugin
happily lets you compare apples and grapes (JMP EDI vs. CALL EAX), since the
data files record nothing about which instruction the addresses were found for.
The data files are ASCII with the 4-byte addresses, one per line.
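The compare step above is a plain intersection of two saved address lists, so
it can be reproduced offline to check what the plugin reports or to compare
more than two saved runs. The following is an added example, not code from
OllyUni; it assumes each address is written as hexadecimal text (e.g.
7C80ABCD, optionally prefixed with 0x), one per line, and treats blank lines
and duplicates as harmless. The sample data is constructed, not taken from a
real process.

```python
"""Parse and intersect OllyUni-style address data files (added example).

Assumption: one 32-bit address per line, as hexadecimal text with an optional
0x prefix. Blank lines are ignored; malformed or oversized values are errors.
"""
from typing import Iterable, List

MAX_ADDR = 0xFFFFFFFF  # the files hold 4-byte addresses


def parse_address_lines(lines: Iterable[str]) -> List[int]:
    """Turn the text lines of one data file into a list of integer addresses."""
    addrs: List[int] = []
    for lineno, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text:
            continue  # tolerate blank lines
        if text.lower().startswith("0x"):
            text = text[2:]
        try:
            value = int(text, 16)
        except ValueError:
            raise ValueError(f"line {lineno}: not a hex address: {raw!r}")
        if not 0 <= value <= MAX_ADDR:
            raise ValueError(f"line {lineno}: does not fit in 4 bytes: {raw!r}")
        addrs.append(value)
    return addrs


def compare_addresses(current: List[int], saved: List[int]) -> List[int]:
    """Intersection of two result sets, kept in the order of `current`,
    with duplicates removed (a real run can list the same address twice)."""
    saved_set = set(saved)
    seen = set()
    matches: List[int] = []
    for addr in current:
        if addr in saved_set and addr not in seen:
            seen.add(addr)
            matches.append(addr)
    return matches


def format_address_lines(addrs: Iterable[int]) -> str:
    """Serialise back to the assumed file format: 8 hex digits per line."""
    return "".join(f"{addr:08X}\n" for addr in addrs)


# Constructed sample data standing in for two saved result files.
RUN_A = """7C801234
7C80ABCD
0x77E41000

77E41000
"""
RUN_B = """77E41000
7C80ABCD
7C80FFFF
"""


def demo() -> List[int]:
    """Addresses present in both constructed runs, in RUN_A order."""
    a = parse_address_lines(RUN_A.splitlines())
    b = parse_address_lines(RUN_B.splitlines())
    return compare_addresses(a, b)


if __name__ == "__main__":
    print(format_address_lines(demo()), end="")
```

Note that nothing in the parsed data tells you which search produced it;
keeping the instruction type in the file name is the only thing standing
between you and the apples-versus-grapes comparison mentioned above.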
