Hey David, DL> Assuming the server did stay up, though. You've got to go through 0x7FFFFFFF DL> addresses looking for your code or something that will get you back to your DL> code. There'll be maybe 50 addresses with "jmp esp" - or whatever DL> instruction you're looking for - giving you a 1 in 42949672 chance or so. DL> Brute forcing is not reliable therefore. With all those attempts - someone's DL> going to notice something going on - or so one would hope, anyway. Your math is broken :-) DLL's are (as you stated) based mod 64k, so there's only 0x80000000 / 64k - 1 different addresses on which a DLL can start. That's less than 32k, and your chance is 1 in 32768. On average, you get a hit after 16384 tries. Oh, btw, this method could be optimized as you can be pretty sure that large DLL's aren't mapped closely underneath 0x80000000. How do you deal with EXE's that have been stripped of relocation information ? (simple answer, not at all) Cheers, Halvar
