
address in our attack string, we can copy the value of this register into EIP, which now
points to our attack string.
The process involved with the shared library method is somewhat more complex
than returning directly to the stack. Instead of overwriting the return address with an
address on the stack, the return address is overwritten with the address of an instruction
that will copy the value of the register pointing to the payload into the EIP register.To
redirect control of EIP with the shared library technique, you need to follow these steps
(see Figure 12.17):
1. Assume register EAX points to our payload and overwrite the saved return
address ...