corelan / mona

Corelan Repository for mona.py
BSD 3-Clause "New" or "Revised" License

stackpivot distance to negative valued #12

Closed iz0n closed 6 years ago

iz0n commented 8 years ago

Hi, sometimes we can control values at esp-0x???; it would be great if the -distance option could take a negative value :)

Thank you

corelanc0d3r commented 6 years ago

Have you tried running a findwild search? For example: !mona findwild -s "sub esp,*#*#retn" -distance min=4,max=1000 (the * in the first instruction will act as a numeric wildcard, and you can use the min and max values to define the size of the subtraction)

likewise, you could also search for a negative add:

!mona findwild -s "add esp,-*#*#retn" -distance min=4,max=1000 (but in reality, the byte sequence would be quite long, thus making it hard to find this kind of instruction)

Additionally, if you control bytes at esp-?? and you also control the contents of one register, it might be easier to push that register and then jump to esp (which will give you 4 bytes to jump backwards)

I'll close the issue for now, feel free to reopen if needed
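To make the wildcard-and-distance semantics described in the reply concrete, the following is an added example, not mona's own code and not from the corelan project. It reimplements a small findwild-style matcher over a constructed disassembly listing: `#` separates consecutive instructions, a `*` inside an operand is a numeric wildcard whose value is captured, and a part that is just `*` stands for any single instruction. The `min`/`max` filter is applied to the captured immediate, so the same function covers both the `sub esp,*` form and the `add esp,-*` form from the thread. Assumptions made here (not confirmed by the page): matched instructions must be strictly consecutive, a lone `*` matches exactly one instruction, and immediates are written in hex.

```python
import re

# Constructed disassembly of a made-up module (address, instruction text).
# These addresses and instructions are invented for the example; they are not
# taken from any real binary.
SAMPLE_DISASM = [
    (0x00401000, "sub esp,0x10"),
    (0x00401003, "pop ebx"),
    (0x00401004, "retn"),
    (0x00401005, "sub esp,0x800"),
    (0x0040100b, "pop esi"),
    (0x0040100c, "retn"),
    (0x0040100d, "add esp,-0x40"),
    (0x00401010, "pop edi"),
    (0x00401011, "retn"),
    (0x00401012, "add esp,-0x2000"),
    (0x00401018, "retn"),
    (0x00401019, "sub esp,0x2"),
    (0x0040101c, "mov eax,ecx"),
    (0x0040101e, "retn"),
]

# Regex fragment that replaces a numeric '*' wildcard: an optional 0x prefix
# followed by hex digits, captured so the value can be range-checked.
NUMERIC = r"((?:0x)?[0-9a-f]+)"


def compile_pattern(pattern):
    """Turn a findwild-style pattern into one compiled regex per instruction.

    '#' separates consecutive instructions.  A part that is exactly '*' matches
    any one instruction (assumption).  Inside an operand, '*' becomes a numeric
    capture group.  Everything else is matched literally, case-insensitively.
    """
    compiled = []
    for part in pattern.lower().split("#"):
        part = part.strip()
        if part == "*":
            compiled.append(re.compile(r"^.*$"))
            continue
        # Escape the literal text first, then turn the escaped '\*' into the
        # numeric capture group so the wildcard survives the escaping.
        regex = re.escape(part).replace(r"\*", NUMERIC)
        compiled.append(re.compile("^" + regex + "$"))
    return compiled


def find_wild(disasm, pattern, dist_min=None, dist_max=None):
    """Return (start_address, distance) for every run of consecutive
    instructions matching `pattern` whose captured immediates all lie within
    [dist_min, dist_max].  `distance` is the first captured immediate, i.e. the
    size of the stack adjustment; None if the pattern captured nothing."""
    parts = compile_pattern(pattern)
    hits = []
    for i in range(len(disasm) - len(parts) + 1):
        window = disasm[i:i + len(parts)]
        values = []
        matched = True
        for part, (_, text) in zip(parts, window):
            m = part.match(text.strip().lower())
            if not m:
                matched = False
                break
            # int(..., 16) accepts both "0x40" and "40".
            values.extend(int(v, 16) for v in m.groups())
        if not matched:
            continue
        if any((dist_min is not None and v < dist_min)
               or (dist_max is not None and v > dist_max)
               for v in values):
            continue
        hits.append((window[0][0], values[0] if values else None))
    return hits


if __name__ == "__main__":
    # Equivalent of: findwild -s "sub esp,*#*#retn" -distance min=4,max=1000
    for addr, dist in find_wild(SAMPLE_DISASM, "sub esp,*#*#retn", 4, 1000):
        print(f"0x{addr:08x}  sub esp by {dist}")
    # Equivalent of: findwild -s "add esp,-*#*#retn" -distance min=4,max=1000
    for addr, dist in find_wild(SAMPLE_DISASM, "add esp,-*#*#retn", 4, 1000):
        print(f"0x{addr:08x}  add esp by -{dist}")
```

Run as-is, the first search reports only the sequence at 0x00401000: the 0x800 adjustment exceeds max=1000 and the 0x2 adjustment falls below min=4, which is exactly the filtering the `min`/`max` values in the reply are meant to do. The second search reports 0x0040100d; the `add esp,-0x2000` at 0x00401012 is rejected because the instruction two places after it is not a `retn`.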