mona command to run after creating that folder (sets it as mona's working folder):
!mona config -set workingfolder c:\mona
bad characters:
!mona bytearray -cpb "\x00"
Writes the byte array to the working folder: every byte value minus whichever ones we specified (\x00 in this case)
Compare the byte array against memory to find bad characters using mona:
!mona compare -f c:\mona\bytearray.bin -a 008FF9D8
008FF9D8 is the ESP address
result:
We can take 00 and 80 as the bad characters
We can also find the address of a jmp esp instruction with mona:
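The generate-and-compare idea behind the two commands above, as an added Python sketch that is not mona's own code and not part of the original notes. It goes one step further than the notes by repeating the cycle until the copy is clean. All function names are hypothetical, and the "target" is a constructed stand-in that truncates at 00 and rewrites 80, to mirror the result above.

```python
# Added illustration of the generate-and-compare idea; not mona's own code.
# All function names and the simulated target are hypothetical/constructed.

def build_bytearray(exclude=b""):
    """Every byte value 0x00-0xff in order, minus the excluded ones."""
    return bytes(b for b in range(256) if b not in exclude)


def first_difference(expected, in_memory):
    """Return (offset, expected_byte, seen_byte) for the first mismatch,
    or None if the in-memory copy is intact. seen_byte is None when the
    copy ends early (truncated)."""
    for offset, want in enumerate(expected):
        if offset >= len(in_memory):
            return (offset, want, None)
        if in_memory[offset] != want:
            return (offset, want, in_memory[offset])
    return None


def find_bad_bytes(copy_into_memory):
    """Regenerate and compare until the copy is clean, excluding the first
    mismatching byte each round. Assumption: the byte at the first mismatch
    is the one the program mishandles."""
    excluded = bytearray()
    while True:
        expected = build_bytearray(bytes(excluded))
        diff = first_difference(expected, copy_into_memory(expected))
        if diff is None:
            return bytes(excluded)
        excluded.append(diff[1])


def constructed_target(data):
    """Constructed stand-in for a program's input handling: stops copying at
    the first NUL (like strcpy) and rewrites 0x80 to '?'."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            break
        out.append(0x3F if b == 0x80 else b)
    return bytes(out)


if __name__ == "__main__":
    print(find_bad_bytes(constructed_target).hex(" "))
```

A truncated copy and a rewritten byte both show up as a first mismatch, which is why the array has to be regenerated without that byte before the next comparison means anything.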
!mona jmp -r ESP -m "essfunc.dll"
result: