
Reverse Engineering the Embedded OpenType Decompression

06.25.2008 - 10:45 AM

As security researchers, we regularly analyze many different types of files. It's important that we take the time to teach ourselves about unusual file formats, so that we can be prepared when a malicious attack occurs with an uncommon file type.

One unusual file type that we recently studied is the EOT file format. A quick definition from Wikipedia explains:

"Embedded OpenType (EOT) fonts are a compact form of OpenType fonts designed by Microsoft for use as embedded fonts on Web pages. These files usually use the extension '.eot'."

Basically, EOT files are custom font files meant for Web pages. The tools used to create these fonts can build mechanisms such as subsetting and tethering into the EOT files, so that copying and reversing are difficult (more on this later). With these basic facts in hand, let's investigate some of the internal details.

We attempted to search the Web for tools that parse EOT files and output the pure OpenType fonts, but we found nothing. (If you find a tool like this, please let us know!) In this blog, we focus on how to parse OpenType fonts from EOT files. To begin, let's see how a Web site that hosts EOT files would look.
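As an added example (not code from the original post or from its author), here is a small parser for the EOT container header. The field layout and the flag values are taken from the publicly documented W3C EOT submission as I recall them, so treat the offsets, the 0x504C magic, the TTEMBED_TTCOMPRESSED (0x4) and TTEMBED_XORENCRYPTDATA (0x10000000) flags, and the 0x50 XOR key as assumptions to verify against the spec. The `build_eot` helper and the `FAKE_SFNT` bytes are constructed purely so the parser can be exercised offline. For an EOT whose font data is only XOR-obfuscated, the parser returns the OpenType bytes directly; for an MTX-compressed EOT it only reports that fact, which is exactly the case where the runtime hook described below is needed.

```python
"""Parser for the EOT (Embedded OpenType) container prefix.

Field sizes follow the W3C EOT member submission (EOTPrefix) as I recall
them; the offsets are an assumption to check against the spec.  Only the
fixed prefix and the FamilyName are decoded; FontData is located from the
EOTSize / FontDataSize fields, so the remaining string fields are skipped.
"""
import struct

EOT_MAGIC = 0x504C
FLAG_TTCOMPRESSED = 0x00000004     # FontData is MTX-compressed (needs t2embed's decompressor)
FLAG_XORENCRYPTDATA = 0x10000000   # FontData has been XOR-ed with 0x50
XOR_KEY = 0x50
SFNT_TAGS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # sfnt version tags of a real font

# Fixed part of EOTPrefix, little-endian, 82 bytes:
#  EOTSize, FontDataSize, Version, Flags, PANOSE[10], Charset, Italic, Weight,
#  fsType, MagicNumber, UnicodeRange1-4, CodePageRange1-2, CheckSumAdjustment,
#  Reserved1-4, Padding1
_PREFIX = struct.Struct("<4I10s2BI2H4I2II4IH")

# Constructed stand-in for an OpenType font: sfnt tag plus filler bytes.
FAKE_SFNT = b"\x00\x01\x00\x00" + b"\x00\x01" + b"\x00" * 10 + b"glyf-filler-data"


def parse_eot(blob: bytes) -> dict:
    """Return header facts and, when no decompression is needed, the font bytes."""
    if len(blob) < _PREFIX.size:
        raise ValueError("too short for an EOT prefix")
    f = _PREFIX.unpack_from(blob, 0)
    eot_size, font_size, version, flags = f[0], f[1], f[2], f[3]
    fs_type, magic = f[8], f[9]
    if magic != EOT_MAGIC:
        raise ValueError("bad EOT magic 0x%04X" % magic)
    if eot_size != len(blob) or font_size > eot_size:
        raise ValueError("size fields disagree with the buffer length")
    # First variable-length field: FamilyNameSize followed by a UTF-16LE name.
    name_len = struct.unpack_from("<H", blob, _PREFIX.size)[0]
    name_off = _PREFIX.size + 2
    family = blob[name_off:name_off + name_len].decode("utf-16-le", "replace")
    # FontData is the last FontDataSize bytes of the container.
    font = blob[eot_size - font_size:eot_size]
    compressed = bool(flags & FLAG_TTCOMPRESSED)
    if flags & FLAG_XORENCRYPTDATA:
        font = bytes(b ^ XOR_KEY for b in font)
    result = {"version": version, "flags": flags, "family": family,
              "fs_type": fs_type, "compressed": compressed, "font": None}
    if compressed:
        return result   # raw MTX stream: only the decompressor can produce the sfnt
    if font[:4] not in SFNT_TAGS:
        raise ValueError("FontData does not start with an sfnt tag")
    result["font"] = font
    return result


def build_eot(font: bytes, family: str = "Constructed", flags: int = 0) -> bytes:
    """Wrap `font` in a minimal, constructed version-0x20001 EOT container."""
    name = family.encode("utf-16-le")
    tail = struct.pack("<H", len(name)) + name + b"\x00\x00"      # FamilyName + Padding2
    for _ in range(3):                                           # Style/Version/FullName, empty
        tail += struct.pack("<H", 0) + b"\x00\x00"
    tail += struct.pack("<H", 0)                                 # RootStringSize = 0
    body = bytes(b ^ XOR_KEY for b in font) if flags & FLAG_XORENCRYPTDATA else font
    eot_size = _PREFIX.size + len(tail) + len(body)
    prefix = _PREFIX.pack(eot_size, len(body), 0x00020001, flags, b"\x00" * 10,
                          1, 0, 400, 0x0008, EOT_MAGIC,
                          0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return prefix + tail + body


if __name__ == "__main__":
    for fl in (0, FLAG_XORENCRYPTDATA, FLAG_TTCOMPRESSED):
        r = parse_eot(build_eot(FAKE_SFNT, flags=fl))
        print("flags=0x%08X family=%r compressed=%s font=%s"
              % (r["flags"], r["family"], r["compressed"],
                 None if r["font"] is None else r["font"][:4]))
```

Run against a real `.eot` with `parse_eot(open(path, "rb").read())`: if `compressed` is False you already have the sfnt bytes and can write them out as a `.ttf`/`.otf`; if it is True, the payload is the MTX stream that T2EMBED.DLL unpacks, and the hooking approach below is the practical way to recover it.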

Here is an example:

In order for Internet Explorer (IE) to render the font for the Web page, IE needs to decompress the EOT files and extract the OpenType fonts. Perhaps you've already guessed what we're going to do: hook into the IE decompression engine and grab the OpenType fonts at runtime.

First, we have to figure out which module IE uses to decompress the EOT files. By monitoring module load events while IE parses a Web page with EOT files, we can see that IE loads and unloads the file T2EMBED.DLL (using Windows XP SP3, with IE 7).

Knowing that the T2EMBED.DLL module handles decompression of the EOT files, our next step is figuring out which function we need to hook to obtain the clean OpenType fonts. To do this, we fire up IDA PRO. After a few hours of dynamic analysis, we found an interesting function called T2OSSvcDecompressFontBuffer.

Dynamic and static analysis of this function shows us that T2OSSvcDecompressFontBuffer is the function that decompresses the OpenType fonts from EOT files. All we have to do now is hook this call, so that once the call to T2OSSvcDecompressFontBuffer returns, the return value will hold a pointer to the OpenType font. Then we can dump the font to a file.

Here we see DebugView output of our DLL hooking T2OSSvcDecompressFontBuffer and dumping the OpenType buffer:

And here is the resulting OpenType font that was dumped:

Game Over. Hopefully this blog was useful for anyone doing research in EOT files. Please leave a comment if it was helpful.

Security Researcher: Moti Joseph
