corelan / mona

Corelan Repository for mona.py
BSD 3-Clause "New" or "Revised" License

Incorrect last conditional jump into egghunter with checksum verification #32

Closed damif512 closed 5 years ago

damif512 commented 5 years ago

Hi,

I tried to use an egghunter with checksum verification generated by mona but it crashed. Through step-by-step execution I identified that the last conditional jump was wrong. You'll find the corresponding mona output attached to this message. You can easily see what I'm talking about by copying / pasting the egghunter into a debugger. You'll see that the last conditional jump points to an address between two instructions. I thought at first that it was a sort of code length optimization but this is not the case. To fix it I modified the jump to point to the "INC EDX".

egghunter.txt

damif512 commented 5 years ago

I think that there's a first bug at line 13331. This:

egg_size = hex2bin("%x" % len(data))

Should be replaced by:

egg_size = hex2bin("%02x" % len(data))

damif512 commented 5 years ago

I also think that the root issue is that at lines 13333 and 13343 we can see:

offset2 = "\xd3"

And:

offset2 = "\xd1"

These are the offsets for the JNZ "inc edx" in case of shellcode < 256 or < 65536. But these offsets were calculated for the not usewow64 case; they're wrong for the usewow64 and win_ver == "7" case and the usewow64 and win_ver == "10" case.

For the usewow64 and win_ver == "7" case :

For the usewow64 and win_ver == "10" case :

Hope this helps!
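A toy model of the offset problem described in this comment, added here as example code (it is not mona.py's code or the reporter's): a JNZ displacement computed for one egghunter layout is reused in a variant whose loop body is longer, so the jump lands inside an instruction. The egghunter skeleton uses well-known encodings, but the wow64 syscall stub and the checksum loop are constructed stand-ins of plausible length only, not mona.py's actual bytes.

```python
# Toy model of mona.py issue #32 (constructed for illustration, not mona's code).
# Each listing entry is (label, encoded bytes); only the lengths matter here.
def egghunter_listing(syscall_stub: bytes) -> list:
    return [
        ("or_dx",    b"\x66\x81\xca\xff\x0f"),  # or dx, 0x0fff
        ("inc_edx",  b"\x42"),                  # inc edx  <- target of the last JNZ
        ("push_edx", b"\x52"),
        ("syscall",  syscall_stub),             # length differs between variants
        ("cmp_al",   b"\x3c\x05"),              # cmp al, 5
        ("pop_edx",  b"\x5a"),
        ("je_loop",  b"\x74\x00"),              # displacement bytes left as 0 here
        ("mov_egg",  b"\xb8\x77\x30\x30\x74"),  # mov eax, "w00t"
        ("mov_edi",  b"\x8b\xfa"),
        ("scasd1",   b"\xaf"), ("jnz1", b"\x75\x00"),
        ("scasd2",   b"\xaf"), ("jnz2", b"\x75\x00"),
        ("checksum", bytes(10)),                # constructed stand-in for the sum loop
        ("cmp_sum",  b"\x3d\x00\x00\x00\x00"),  # cmp eax, imm32 (checksum placeholder)
        ("jnz_back", b"\x75\x00"),              # the conditional jump from the issue
        ("jmp_edi",  b"\xff\xe7"),              # jmp edi
    ]

def starts(listing) -> dict:
    """Map each label to the byte offset at which that instruction begins."""
    out, pos = {}, 0
    for label, code in listing:
        out[label] = pos
        pos += len(code)
    return out

def rel8(listing, jump, target) -> int:
    """rel8 byte for a 2-byte short jump at `jump` that must land on `target`."""
    s = starts(listing)
    disp = s[target] - (s[jump] + 2)  # displacement is relative to the next instruction
    assert -128 <= disp <= 127, "target out of short-jump range"
    return disp & 0xff

def lands_on_boundary(listing, jump, rel8_byte) -> bool:
    """True if the short jump reaches an instruction start, not a byte inside one."""
    disp = rel8_byte - 0x100 if rel8_byte > 0x7f else rel8_byte
    return starts(listing)[jump] + 2 + disp in starts(listing).values()

BASE = egghunter_listing(b"\x6a\x02\x58\xcd\x2e")  # push 2; pop eax; int 0x2e
WOW64 = egghunter_listing(bytes(9))                # constructed: longer syscall stub
HARDCODED = rel8(BASE, "jnz_back", "inc_edx")      # what a fixed offset table holds

if __name__ == "__main__":
    for name, lst in (("base", BASE), ("wow64", WOW64)):
        print(name, hex(HARDCODED), lands_on_boundary(lst, "jnz_back", HARDCODED),
              "correct rel8:", hex(rel8(lst, "jnz_back", "inc_edx")))
```

Recomputing the displacement from the actual listing, as rel8 does, rather than storing a per-variant constant is what keeps the jump on an instruction boundary.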

damif512 commented 5 years ago

The issue is fixed, thx for the merge!

corelanc0d3r commented 5 years ago

awesome, thanks for your help in resolving the issue and improving mona.py :)