
Log data

Address Message
Immunity Debugger 1.85.0.0 : R'lyeh
Need support? visit http://forum.immunityinc.com/
Error accesing memory
File 'C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe'
[21:33:41] New process with ID 00000B3C created
Main thread with ID 00000A24 created
775BF27A New thread with ID 00000BA4 created
00400000 Modules C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe
62500000 Modules C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll
74C70000 Modules C:\Windows\system32\mswsock.dll
74FA0000 Modules C:\Windows\System32\wshtcpip.dll
75010000 Modules C:\Windows\syswow64\CRYPTBASE.dll
75020000 Modules C:\Windows\syswow64\SspiCli.dll
75430000 Modules C:\Windows\syswow64\ADVAPI32.dll
75690000 Modules C:\Windows\syswow64\msvcrt.dll
75930000 Modules C:\Windows\syswow64\USP10.dll
759D0000 Modules C:\Windows\syswow64\NSI.dll
75B30000 Modules C:\Windows\syswow64\LPK.dll
75B40000 Modules C:\Windows\syswow64\MSCTF.dll
75D80000 Modules C:\Windows\syswow64\kernel32.dll
75F20000 Modules C:\Windows\syswow64\RPCRT4.dll
76DC0000 Modules C:\Windows\SysWOW64\sechost.dll
76DE0000 Modules C:\Windows\syswow64\user32.dll
76F90000 Modules C:\Windows\syswow64\GDI32.dll
77020000 Modules C:\Windows\syswow64\KERNELBASE.dll
77070000 Modules C:\Windows\syswow64\WS2_32.DLL
770D0000 Modules C:\Windows\system32\IMM32.DLL
77520000 Modules C:\Windows\SysWOW64\ntdll.dll
7753000C [21:33:41] Attached process paused at ntdll.DbgBreakPoint
[21:33:51] Thread 00000BA4 terminated, exit code 0
00401848 New thread with ID 00000BA4 created
756A8DD2 [21:36:08] Access violation when writing to [02240000]
0BADF00D [+] Command used:
0BADF00D !mona findmsp
0BADF00D [+] Looking for cyclic pattern in memory
0BADF00D Cyclic pattern (normal) found at 0x00363602 (length 4086 bytes)
0BADF00D Cyclic pattern (normal) found at 0x0223f20a (length 3572 bytes)
0BADF00D - Stack pivot between 34 & 3606 bytes needed to land in this pattern
0BADF00D [+] Examining registers
0BADF00D EBP (0x0223f9d8) points at offset 1998 in normal pattern (length 1576)
0BADF00D EDX contains normal pattern : 0x70453170 (offset 3574)
0BADF00D ECX (0x003643fc) points at offset 3578 in normal pattern (length 508)
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0223ffc4 overwritten with normal pattern : 0x6e45316e (offset 3514), followed by 52 bytes of cyclic data after the handler
0BADF00D [+] Examining stack (entire stack) - looking for cyclic pattern
0BADF00D Walking stack from 0x0223f000 to 0x0223fffc (0x00000ffc bytes)
0BADF00D 0x0223f20c : Contains normal cyclic pattern at ESP+0x24 (+36) : offset 2, length 3572 (-> 0x0223ffff : ESP+0xe18)
0BADF00D [+] Examining stack (entire stack) - looking for pointers to cyclic pattern
0BADF00D Walking stack from 0x0223f000 to 0x0223fffc (0x00000ffc bytes)
0BADF00D 0x0223f164 : Pointer into normal cyclic pattern at ESP-0x84 (-132) : 0x0223fc60 : offset 2646, length 928
0BADF00D 0x0223f168 : Pointer into normal cyclic pattern at ESP-0x80 (-128) : 0x0223f7a0 : offset 1430, length 2144
0BADF00D [+] Preparing output file 'findmsp.txt'
0BADF00D - Creating working folder c:\monalogs\vulnserver_2876
0BADF00D - Folder created
0BADF00D - (Re)setting logfile c:\monalogs\vulnserver_2876\findmsp.txt
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D
0BADF00D [+] This mona.py action took 0:00:01.891000
00400000 Unload C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe
62500000 Unload C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll
74C70000 Unload C:\Windows\system32\mswsock.dll
74FA0000 Unload C:\Windows\System32\wshtcpip.dll
75010000 Unload C:\Windows\syswow64\CRYPTBASE.dll
75020000 Unload C:\Windows\syswow64\SspiCli.dll
75430000 Unload C:\Windows\syswow64\ADVAPI32.dll
75690000 Unload C:\Windows\syswow64\msvcrt.dll
75930000 Unload C:\Windows\syswow64\USP10.dll
759D0000 Unload C:\Windows\syswow64\NSI.dll
75B30000 Unload C:\Windows\syswow64\LPK.dll
75B40000 Unload C:\Windows\syswow64\MSCTF.dll
75D80000 Unload C:\Windows\syswow64\kernel32.dll
75F20000 Unload C:\Windows\syswow64\RPCRT4.dll
76DC0000 Unload C:\Windows\SysWOW64\sechost.dll
76DE0000 Unload C:\Windows\syswow64\user32.dll
76F90000 Unload C:\Windows\syswow64\GDI32.dll
77020000 Unload C:\Windows\syswow64\KERNELBASE.dll
77070000 Unload C:\Windows\syswow64\WS2_32.DLL
770D0000 Unload C:\Windows\system32\IMM32.DLL
77520000 Unload C:\Windows\SysWOW64\ntdll.dll
Process terminated
"C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe"

Console file 'C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe'


[21:36:49] New process with ID 000008E0 created
00401130 Main thread with ID 00000BFC created
00400000 Modules C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe
62500000 Modules C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll
75010000 Modules C:\Windows\syswow64\CRYPTBASE.dll
75020000 Modules C:\Windows\syswow64\SspiCli.dll
75690000 Modules C:\Windows\syswow64\msvcrt.dll
759D0000 Modules C:\Windows\syswow64\NSI.dll
75D80000 Modules C:\Windows\syswow64\kernel32.dll
75F20000 Modules C:\Windows\syswow64\RPCRT4.dll
76DC0000 Modules C:\Windows\SysWOW64\sechost.dll
77020000 Modules C:\Windows\syswow64\KERNELBASE.dll
77070000 Modules C:\Windows\syswow64\WS2_32.DLL
77520000 Modules C:\Windows\SysWOW64\ntdll.dll
775301E8 [21:36:50] Single step event at ntdll.775301E8
00401130 [21:36:51] Program entry point
74C70000 Modules C:\Windows\system32\mswsock.dll
76DE0000 Modules C:\Windows\syswow64\user32.dll
76F90000 Modules C:\Windows\syswow64\GDI32.dll
75B30000 Modules C:\Windows\syswow64\LPK.dll
75930000 Modules C:\Windows\syswow64\USP10.dll
75430000 Modules C:\Windows\syswow64\ADVAPI32.dll
770D0000 Modules C:\Windows\system32\IMM32.DLL
75B40000 Modules C:\Windows\syswow64\MSCTF.dll
00401848 New thread with ID 000004FC created
756A8DD2 [21:37:20] Access violation when writing to [02440000]
0BADF00D [+] Command used:
0BADF00D !mona seh

---------- Mona command started on 2024-04-01 21:37:36 (v2.0, rev 636) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Querying 2 modules
0BADF00D - Querying module essfunc.dll
74660000 Modules C:\Windows\System32\wshtcpip.dll
0BADF00D - Querying module vulnserver.exe
0BADF00D [+] Setting pointer access level criteria to 'R', to increase search results
0BADF00D New pointer access level : R
0BADF00D [+] Preparing output file 'seh.txt'
0BADF00D - Creating working folder c:\monalogs\vulnserver_2272
0BADF00D - Folder created
0BADF00D - (Re)setting logfile c:\monalogs\vulnserver_2272\seh.txt
0BADF00D [+] Writing results to c:\monalogs\vulnserver_2272\seh.txt
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret ' : 2
0BADF00D - Number of pointers of type 'pop edi # pop ebp # ret ' : 4
0BADF00D - Number of pointers of type 'pop ecx # pop ecx # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ebx # ret ' : 2
0BADF00D - Number of pointers of type 'pop eax # pop edx # ret ' : 1
0BADF00D - Number of pointers of type 'pop ecx # pop edx # ret ' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebp # ret ' : 2
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret 0x04' : 1
0BADF00D - Number of pointers of type 'pop ecx # pop eax # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebp # pop ebp # ret ' : 1
0BADF00D - Number of pointers of type 'pop edi # pop ebp # ret 0x04' : 1
0BADF00D - Number of pointers of type 'pop eax # pop eax # ret ' : 1
0BADF00D [+] Results :
625010B4 0x625010b4 : pop ebx # pop ebp # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
00402673 0x00402673 : pop ebx # pop ebp # ret | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
6250172B 0x6250172b : pop edi # pop ebp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
6250195E 0x6250195e : pop edi # pop ebp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
00402AFB 0x00402afb : pop edi # pop ebp # ret | startnull {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
00402D2E 0x00402d2e : pop edi # pop ebp # ret | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
6250120B 0x6250120b : pop ecx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011BF 0x625011bf : pop ebx # pop ebx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011D7 0x625011d7 : pop ebx # pop ebx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011FB 0x625011fb : pop eax # pop edx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011E3 0x625011e3 : pop ecx # pop edx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
6250160A 0x6250160a : pop esi # pop ebp # ret | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
004029DA 0x004029da : pop esi # pop ebp # ret | startnull {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
0040119B 0x0040119b : pop ebx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
625011EF 0x625011ef : pop ecx # pop eax # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011CB 0x625011cb : pop ebp # pop ebp # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
00402524 0x00402524 : pop edi # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
625011B3 0x625011b3 : pop eax # pop eax # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
0BADF00D Found a total of 18 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00.406000
0BADF00D [+] Command used:
0BADF00D !mona seh

---------- Mona command started on 2024-04-01 21:37:47 (v2.0, rev 636) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Querying 2 modules
0BADF00D - Querying module essfunc.dll
0BADF00D - Querying module vulnserver.exe
0BADF00D [+] Setting pointer access level criteria to 'R', to increase search results
0BADF00D New pointer access level : R
0BADF00D [+] Preparing output file 'seh.txt'
0BADF00D - (Re)setting logfile c:\monalogs\vulnserver_2272\seh.txt
0BADF00D [+] Writing results to c:\monalogs\vulnserver_2272\seh.txt
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret ' : 2
0BADF00D - Number of pointers of type 'pop edi # pop ebp # ret ' : 4
0BADF00D - Number of pointers of type 'pop ecx # pop ecx # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ebx # ret ' : 2
0BADF00D - Number of pointers of type 'pop eax # pop edx # ret ' : 1
0BADF00D - Number of pointers of type 'pop ecx # pop edx # ret ' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebp # ret ' : 2
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret 0x04' : 1
0BADF00D - Number of pointers of type 'pop ecx # pop eax # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebp # pop ebp # ret ' : 1
0BADF00D - Number of pointers of type 'pop edi # pop ebp # ret 0x04' : 1
0BADF00D - Number of pointers of type 'pop eax # pop eax # ret ' : 1
0BADF00D [+] Results :
625010B4 0x625010b4 : pop ebx # pop ebp # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
00402673 0x00402673 : pop ebx # pop ebp # ret | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
6250172B 0x6250172b : pop edi # pop ebp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
6250195E 0x6250195e : pop edi # pop ebp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
00402AFB 0x00402afb : pop edi # pop ebp # ret | startnull {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
00402D2E 0x00402d2e : pop edi # pop ebp # ret | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
6250120B 0x6250120b : pop ecx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011BF 0x625011bf : pop ebx # pop ebx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011D7 0x625011d7 : pop ebx # pop ebx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011FB 0x625011fb : pop eax # pop edx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011E3 0x625011e3 : pop ecx # pop edx # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
6250160A 0x6250160a : pop esi # pop ebp # ret | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
004029DA 0x004029da : pop esi # pop ebp # ret | startnull {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
0040119B 0x0040119b : pop ebx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
625011EF 0x625011ef : pop ecx # pop eax # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
625011CB 0x625011cb : pop ebp # pop ebp # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
00402524 0x00402524 : pop edi # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [vulnserver.exe] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\vulnserver.exe), 0x0
625011B3 0x625011b3 : pop eax # pop eax # ret | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:\Users\IEUser\Desktop\vulnserver-master\essfunc.dll), 0x0
0BADF00D Found a total of 18 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00.390000