Identify BadChars

Set the offset to the correct value and use 'BBBB' as the RETN value; the application's EIP should then read 0x42424242 (BBBB). Use mona to generate the byte array that is used to find the bad chars:

!mona bytearray -b "\x00"

0x00 = null byte

*0x0D = HTTP close – remove if hitting http*

*0x0A = HTTP new line – remove if hitting http*

0x20 = space

This produces a .bin file that can be compared against memory to filter out the bad chars. Send a new payload containing every byte from 0x00 to 0xFF, minus the ones already excluded (the script below starts at 0x01 because 0x00 is excluded):

# Print every byte from 0x01 to 0xFF as a single "\x.." string for the payload.
for byte in range(1, 256):
    print("\\x" + "{:02x}".format(byte), end='')
print()

Compare the byte array against what actually landed in memory at ESP using mona:

!mona compare -f bytearray.bin -a esp

This will print the possible bad chars for the EXE. For example:

00 01 11 12 40 41 5f b8 ee

Bytes can be listed that aren't actually bad, because a bad byte can corrupt the byte following it, e.g. 40 = bad, 41 = maybe not bad.

Remove the bad bytes one at a time from the payload, regenerating the byte array each time:

!mona bytearray -b "\x00"

Ensure that the previously found bytes stay in the exclusion list, e.g. -b "\x00\x40", then compare again:

!mona compare -f LOCATION\bytearray.bin -a esp

Repeat until the correct bad chars have been identified. All bad chars have been found when mona reports the payload as 'unmodified'.
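The generate-and-compare loop above, as an added Python example that is not part of the original notes: build_bytearray mirrors what !mona bytearray -b produces, compare mirrors the unmodified/corrupted verdict of !mona compare, and the "observed" buffers are constructed inline rather than read from a target.

```python
# Added example, not from the original notes. build_bytearray() mirrors
# `!mona bytearray -b ...`, compare() mirrors the verdict of
# `!mona compare -f bytearray.bin -a esp`. The "observed" buffers below are
# constructed to imitate a target that mangles 0x40 and truncates at 0x0d.

def build_bytearray(exclude=(0x00,)):
    """Bytes 0x00-0xFF in order, minus the ones already marked as bad."""
    return bytes(b for b in range(256) if b not in exclude)

def as_escaped(data):
    """Render bytes in the \\x.. form pasted into the payload script."""
    return "".join("\\x{:02x}".format(b) for b in data)

def compare(expected, observed):
    """Diff the sent array against what was read back from memory.

    Returns (status, candidates): 'unmodified' when every expected byte is
    present in order, 'truncated' when the copy stops early, 'corrupted'
    when a byte differs. candidates holds the first failing byte plus the
    byte after it, since a bad byte often disturbs its neighbour too
    (the "40 = bad, 41 = maybe not bad" case). Only the first break is
    reported: later bytes may be shifted and would give false positives,
    so the byte is removed and the check is repeated, as the notes say.
    """
    for i, exp in enumerate(expected):
        if i >= len(observed):
            return "truncated", [exp]
        if observed[i] != exp:
            nxt = [expected[i + 1]] if i + 1 < len(expected) else []
            return "corrupted", [exp] + nxt
    return "unmodified", []

if __name__ == "__main__":
    sent = build_bytearray()                      # 0x01..0xff, 0x00 excluded
    # Constructed: target overwrote 0x40 and its neighbour with nulls.
    seen = sent[:0x3f] + b"\x00\x00" + sent[0x41:]
    print(compare(sent, seen))                    # ('corrupted', [64, 65])
    # Second round: exclude 0x40 as well and the copy comes back intact.
    sent2 = build_bytearray(exclude=(0x00, 0x40))
    print(compare(sent2, sent2))                  # ('unmodified', [])
    # Constructed: an HTTP-style target cut the buffer at 0x0d.
    print(compare(sent, sent[:0x0c]))             # ('truncated', [13])
    print(as_escaped(bytes([0x00, 0x40])))        # \x00\x40
```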
