Find the Jump Point

Once the bad chars have been found, find a jump point to use as the return address:

!mona jmp -r esp -cpb "BAD CHARS"

This lists the candidate JMP ESP (or equivalent) instructions; the -cpb option drops any whose address contains one of the bad chars. Any of the remaining entries can be used.

In the mona results window, double-click one and press Enter to follow it into the disassembly. On x86 the address is little-endian, so its bytes are written in reverse order in the exploit:

JMP ESP: 62501203

As the retn bytes in the exploit: \x03\x12\x50\x62
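Why the bytes come out reversed: x86 stores a 32-bit value least-significant byte first. The following is an added example (not from the original page) that performs the conversion shown above and the same bad-char filtering that mona's -cpb option applies; the address and bad-char set are constructed sample values.

```python
import struct

# Constructed sample values matching the walkthrough above; not taken from a real target.
JMP_ESP_ADDR = 0x62501203
BAD_CHARS = b"\x00\x0a\x0d"  # assumed result of the earlier bad-char step


def to_little_endian(addr: int) -> bytes:
    """Pack a 32-bit address in the byte order an x86 CPU reads it (LSB first)."""
    return struct.pack("<I", addr)


def from_little_endian(data: bytes) -> int:
    """Inverse of to_little_endian: recover the address from 4 reversed bytes."""
    return struct.unpack("<I", data)[0]


def contains_bad_chars(data: bytes, bad: bytes) -> bool:
    """True if any byte of data is in the bad-char set."""
    return any(b in bad for b in data)


def pick_usable_address(candidates, bad: bytes):
    """Return the first candidate whose packed bytes avoid the bad chars (what -cpb filters)."""
    for addr in candidates:
        if not contains_bad_chars(to_little_endian(addr), bad):
            return addr
    return None


if __name__ == "__main__":
    packed = to_little_endian(JMP_ESP_ADDR)
    print("JMP ESP:", hex(JMP_ESP_ADDR))
    print("retn bytes:", "".join("\\x%02x" % b for b in packed))
    print("usable:", not contains_bad_chars(packed, BAD_CHARS))
```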
