a0rtega / metame

metame is a metamorphic code engine for arbitrary executables


Quick question

scmanjarrez opened this issue · comments

Hi, I'm trying to understand the substitutions, but I don't understand what the meaning in assembly of "jmp 3" is (get_nops, size=3, bits=32), or why it's considered a nop. Also, why do you pop from the stack? Wouldn't it destroy the stack? (For example, if the executable tries to access some already pop'd variable.)

```python
return "jmp %s; pop %s" % (3 + prev_ins_size, random.choice(regs))
```

Thanks in advance.

Hello there!

That return is returning a 3-byte NOP sequence (as requested in the function parameter size). To do this, it creates a jmp+3 and inserts a random 1-byte instruction that will never be executed (because of the jmp).

For example, let's consider that the random 1-byte instruction is 'pop eax'. The sequence would be as follows:

[image: the jmp, pop and nop instruction sequence]

As we can see, when the code reaches the jmp, it goes directly to the nops without executing the pop, giving us a 3-byte NOP sequence (jmp + pop) because it doesn't affect any value in our execution context (registers, flags, ...).
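As an added example (not metame's own code), the following Python builds the jmp+pop sequence as raw x86 bytes and steps through it with a minimal interpreter, showing that the pop byte is skipped and the stack stays intact. The short-jump displacement of +1 replaces the assembler-relative "jmp 3" used in the repository; the interpreter, its three supported opcodes and the list-based stack model are assumptions of this example.

```python
# Added example, not code from the metame project: build the 3-byte "jmp + pop"
# NOP and step through it with a tiny x86 interpreter (jmp rel8, pop r32, nop only).
import random

# Register numbers as used in the single-byte "pop r32" encoding (0x58 + reg).
REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def jmp_pop_nop(reg=None):
    """Return jmp short +1 (EB 01) followed by a 1-byte pop of `reg`.

    The displacement counts from the end of the jmp itself, so +1 skips
    exactly the pop byte and lands on whatever follows the 3-byte sequence.
    """
    reg = reg or random.choice(list(REGS))
    return b"\xEB\x01" + bytes([0x58 + REGS[reg]])


def trace(code, stack):
    """Execute `code` from offset 0 and return the list of executed mnemonics.

    `stack` is a list whose last element is the top of stack; a pop removes it.
    """
    eip, executed = 0, []
    while eip < len(code):
        op = code[eip]
        if op == 0xEB:                          # jmp rel8 (signed displacement)
            disp = code[eip + 1] - 256 if code[eip + 1] > 127 else code[eip + 1]
            executed.append("jmp short %+d" % disp)
            eip += 2 + disp                      # relative to the next instruction
        elif 0x58 <= op <= 0x5F:                # pop r32
            executed.append("pop " + list(REGS)[op - 0x58])
            stack.pop()                          # the side effect the question worried about
            eip += 1
        elif op == 0x90:                        # nop
            executed.append("nop")
            eip += 1
        else:
            raise ValueError("unsupported opcode 0x%02X at offset %d" % (op, eip))
    return executed


if __name__ == "__main__":
    stack = [0xDEADBEEF, 0x1234]                 # constructed sample stack
    seq = jmp_pop_nop("eax") + b"\x90\x90"       # EB 01 58 90 90
    print(trace(seq, stack), stack)              # pop eax never runs, stack unchanged
```

Feeding the interpreter a sequence with a zero displacement (EB 00 58) instead shows the pop executing and shrinking the stack, which is the breakage the jmp is there to avoid.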

I got it, thank you so much!