Chain Target API
Select the Win32 API your ROP chain will invoke
VirtualAlloc Placeholder Parameters
API address (slot 0) and return address (slot 1) are always patched by ROP chain steps. Other parameters: set mode to control patching.
Absolute: patched via POP/encode/MOV if the value contains bad chars. ESP-relative: the value is already in a register, so a single MOV write to the slot suffices. No patching: the value goes directly into the placeholder.
WriteProcessMemory Placeholder Parameters
WPM address (slot 0) is always patched via IAT deref. Return address (slot 1) is handled by Steps 7-9. Set each parameter's patching mode below.
Absolute: patched via POP/encode/MOV if the value contains bad chars. ESP-relative: the value is already in a register, so a single MOV write to the slot suffices. No patching: the value goes directly into the placeholder.
Shellcode
Paste your shellcode bytes here (Python format: \x90\x90...)
Move ESP to another register
Select register that has XCHG/MOV/PUSH-POP ESP gadget. Enable multi-hop if no direct ESP→target exists. Add more hops for longer chains.
Hop blocks appear above this block. This block is the final hop (last intermediate → target).
Pop offset value to register
Pop an offset value into another register; subtracting it from the stored ESP value yields the address of the VirtualAlloc placeholder.
Add/Subtract stored ESP value and Offset to the Placeholder
Pop VA / WPM IAT entry address to register
POP the IAT entry pointer for VirtualAlloc (or WPM) — Step 4b will dereference it
Dereference IAT entry -> real function pointer
MOV reg, [reg] — read the actual VirtualAlloc / WriteProcessMemory address from the IAT entry loaded in Step 4
Write the dereferenced VA address to the placeholder
Direct memory write using base from Step 3 and dereferenced value from Step 4/4b
Increase base register (repeat x4)
Increase base register to align with the return address placeholder
Re-ESP mode active — sub-steps 6-R1, 6-R2, 6-R3 are separate draggable blocks below.
Move ESP to register
POP offset to register
ADD/SUB stored ESP + offset
Copy base address to another register (optional)
Move/copy the base register value to another register before the return address calculation. Enable multi-hop if no direct gadget exists. Skip if not needed.
Pop offset value for return address calculation
Pop a value into a register for return address arithmetic (NOT the same as Step 2)
Arithmetic for return address calculation
Add/Subtract the base register (from Step 6) and the offset (from Step 7) to compute return address
Move result to another register (optional)
Move/copy the return address result (from Step 8) to another register before writing. Enable multi-hop if no direct gadget exists. Skip if not needed.
Write return address
Write the computed return address to the placeholder
INC gadget for slot navigation
Select the INC gadget used to navigate the base register between placeholder slots during patching. 4 INC operations per DWORD slot. All patched slots are visited in ascending order.
Write return address to lpBuffer slot
Write the computed return address (from Step 8) to the lpBuffer slot in the WPM placeholder — lpBuffer must equal the return address (both point to shellcode)
Realign register before patching (optional)
Copy/move a register value to restore or set up the base register for slot patching (e.g. after return address calculation clobbered it). Enable multi-hop if no direct gadget exists. Skip if not needed.
Shellcode Encoder & Decode Stub
Encodes shellcode to eliminate bad characters and generates a ROP-based decode stub that patches them back at runtime.
Bad Character Corrections
Each bad character is encoded by subtracting its correction value; the decode stub ADDs it back at runtime. Auto-computed values use the smallest correction that produces a safe encoded byte. Override per bad char if needed.
| Bad Char | Correction | Encoded As | Status |
|---|---|---|---|
Encoded Shellcode
Byte Patches (0 bad bytes found)
| Index | Original | Encoded | Method | Correction |
|---|---|---|---|---|
Decode Stub — Gadget Configuration
Select the registers and gadgets used by the decode stub. The stub navigates a pointer to each encoded byte and patches it back.
Decode loop — execution order per patch:
POP navReg — load offset into navigation register
Pop the byte-offset delta into the navigation register so we can advance the pointer.
NEG navReg — negate offset to avoid bad chars (auto per-patch)
Negate the offset to avoid bad chars (e.g. \x00). Applied automatically per patch whenever the offset DWORD contains bad bytes. Select a NEG gadget below so it is available when needed.
ADD ptrReg, navReg — advance pointer to next byte
Add the loaded offset to the pointer register so it points at the next encoded byte.
MOV writeReg, ptrReg — copy pointer to write register (auto)
Only needed when the byte-patch gadget uses a different register than the pointer register. Shown automatically when required.
POP corrReg — load correction value
Pop the correction byte (packed in a DWORD) into the correction register's sub-register.
ADD BYTE [reg], subreg — apply correction patch (determines corrReg & writeReg)
The byte-patch gadget. It adds the correction value to the encoded byte, restoring the original. Selecting this gadget determines the write register, the correction sub-register, and the memory offset used by all steps.
Generated Decode ROP Chain
Pop offset value to register (ESP redirect)
Pop an offset value into a register; combined with stored ESP this gives the address to redirect ESP to
Add/Subtract stored ESP value and Offset to the Placeholder
Compute the final stack address (stored ESP ± offset) where parameters are laid out
Write the result to ESP (execute VirtualAlloc)
Set ESP to the computed parameter-block address so the next RET triggers VirtualAlloc/WPM with the prepared parameters