You get the idea right! We are going to enumerate all the ROP-Gadgets and then chain them together to craft our API call which will in turn disable DEP and allow us to execute our second stage payload

参考：http://www.fuzzysecurity.com/tutorials/expDev/7.html

ROP的利用分为两个阶段，首先关闭DEP；然后，进行第二阶段的正常的shellcode执行。