The plugin is designed for OllyDbg. Attach OllyDbg to your target process, set a breakpoint at the instruction where you effectively gain control of the return address (such as the RET after a stack overflow), then execute the program. The reason for this is that OllyUni also searches non-code sections for suitable byte sequences, and those may be loaded after program start or created dynamically.
The global options are accessible via "Plugins->OllyUni". Here you can set the UNICODE page for the character translation, the recursion depth for UNICODE, the verbosity (you shouldn't touch this, unless you are FX) and the forbidden characters that you can't use in your exploit.
All messages will be written to the OllyDbg log window (ALT-L). When performing searches, make sure your log window is visible BEFORE you run the action.
Features:
- Finding UNICODE addressable return addresses for CALL/JMP <reg>
- Finding ASCII addressable return addresses for CALL/JMP <reg>, specific to the register you are looking for
- Finding ASCII addressable return addresses for stack adjustments (POP, ADD ESP) followed by RET
- Setting filters on what characters you can use in the overflow for all functions
- Saving your results
- Comparing results with previously saved ones and saving the diff
Finding addresses:
Right-click in the code window (ALT-C). In the context menu, you will find the entry "Overflow Return Address >", under which the three different types of search tasks are listed. Once you have performed a search, this submenu also offers "Load address data from file and compare" as well as "Save address data to file". Once you have compared data, it also offers "Save compare matches to file".
Comparing addresses:
The "compare" functionality is for finding so-called universal offsets that work with different languages and service packs. Be careful: the plugin allows you to compare apples and grapes (for example, JMP EDI results against CALL EAX results). The data files are ASCII, with the 4-byte addresses listed one per line.