- bad characters | OSCP prep


So hopefully I could get an answer on something that is a bit confusing.
I’ve working on various buffer overflow challenges (among them vulnserver,
Freefloat FTP, minishare etc.) using Windows XP machine + Immunity Debugger + mona.

Steps i’m usually taking -

  1. !mona bytearray -b ‘\x00’ //creating bytearray bin+txt files.
  2. sending my buffer/junk + bad characters that mona just created.
  3. !mona comapre location of the bin file -a ESP address

Before using mona, I’ve used to go over each char to see that is it
in the right order, which could take sometime.
When I’m using mona, it gave me the bad chars it found -
For example ‘\x00\x15\x16\x30\x31’.

Now, I’ve started to noticed that in fact this output (mona’s finding)
are not exactly accurate, and by accurate I mean - there are “extra” chars
which are not bad char. when grabbing these bad chars, I’m using a “pattern” that is ‘\x00\x15\x30’ (comparing the example above) - meaning that I’m eliminate each 2nd char after ‘\x00’.

What is the reason for it to happened ?
Is there any method verifying it instead instead creating another
byte array


I’m asking myself the same question.