The tedious byte-by-byte comparison can be automated with Mona.py, a plugin for Immunity Debugger.
To install Mona.py, copy it to C:\Program Files\Immunity Inc\Immunity Debugger\Pycommands. To set up logging, enter the following at the command line at the bottom of the Immunity Debugger window:
!mona config -set workingfolder c:\logs\%p
This tells Mona.py where to log all its output.
Now we need to generate a byte array for comparison. While attached to the process, run the command in Immunity Debugger:
The output of the command is saved in the log folder configured above.
Now run the updated exploit and take note of the memory address where the bad-character string should begin on the stack, e.g. 00AFFD44.
Then, in Immunity Debugger, run:
!mona compare -f C:\logs\program\bytearray.bin -a 00AFFD44
This command identifies the first bad characters it encounters. Next, run:
!mona bytearray -cpb "\x00"
The output is a new array with those characters removed. Repeat this process until no further bad chars are found.
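The loop the page describes (generate array, send it, compare against memory, exclude what got mangled, repeat) as an added Python example; this is not Mona's own code. Reading the stack back from the debugger is replaced by a constructed `simulated_target` callback that models a C-string copy (truncates at NUL) feeding a line-oriented reader (drops 0x0a), so it runs offline.

```python
"""Manual equivalent of `!mona bytearray` / `!mona compare` (added example)."""

def make_bytearray(exclude=frozenset()):
    """Build the 0x00..0xFF probe array, minus the bytes already known bad."""
    return bytes(b for b in range(256) if b not in exclude)

def first_divergence(expected, memory):
    """Compare the array we sent with what landed in memory, in lock-step.
    Returns (offset, expected_byte, actual_byte) at the first mismatch, or
    None if the whole array survived. Bytes after a corruption are not
    trusted, which is why the page excludes one bad char per round."""
    for offset, (want, got) in enumerate(zip(expected, memory)):
        if want != got:
            return offset, want, got
    if len(memory) < len(expected):            # copy was truncated
        return len(memory), expected[len(memory)], None
    return None

def find_bad_chars(send_and_read, max_rounds=32):
    """Iterate until the probe array comes back intact; return the bad bytes."""
    bad = set()
    for _ in range(max_rounds):
        probe = make_bytearray(bad)
        hit = first_divergence(probe, send_and_read(probe))
        if hit is None:
            return sorted(bad)
        bad.add(hit[1])
    raise RuntimeError("too many rounds; check the compare address")

def cpb_argument(bad):
    """Format the exclusion list the way `!mona bytearray -cpb` expects it."""
    return '"' + "".join(f"\\x{b:02x}" for b in sorted(bad)) + '"'

def simulated_target(payload):
    """CONSTRUCTED stand-in for 'run the exploit and read the stack':
    strcpy-style truncation at NUL, then a reader that strips newlines."""
    return payload.split(b"\x00", 1)[0].replace(b"\x0a", b"")

if __name__ == "__main__":
    found = find_bad_chars(simulated_target)
    print("bad chars:", [hex(b) for b in found])   # ['0x0', '0xa']
    print("!mona bytearray -cpb", cpb_argument(found))
```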