To make sure your attack code runs even when a computer tries to stop it from running from memory, what advanced trick do you use to jump between safe parts of the program?

To ensure attack code runs even when a computer tries to stop it from executing from memory, the advanced trick used to jump between safe parts of the program is called Return-Oriented Programming (ROP). This technique bypasses memory protection mechanisms like Data Execution Prevention (DEP), also known as Write XOR Execute (W^X), which prevents code from being executed from memory regions that are designated as writable. Normally, malicious code injection would place new instructions into a writable memory area, and DEP would block their execution. ROP overcomes this by not injecting new executable code. Instead, it reuses small sequences of instructions, known as "gadgets," that already exist within the legitimate program code or loaded libraries. Each gadget typically performs a very specific, small operation, such as moving data between registers or performing arithmetic, and crucially, each gadget ends with a `ret` (return) instruction. The attacker constructs a "gadget chain" by carefully arranging the memory addresses of these pre-existing gadgets on the program's "call stack." The call stack is a dedicated region of memory that manages function calls by storing, among other things, "return addresses"—the memory location to which the program should return after a function completes its execution. When a function attempts to return, instead of popping a legitimate return address from the stack, it pops the address of the first gadget from the attacker-controlled stack. The program then jumps to and executes this gadget. Upon completion of that gadget's operation, its own `ret` instruction causes the program to pop the address of the *nextgadget in the chain from the stack, and so forth. By chaining these existing, legitimate gadgets together in a specific sequence, the attacker can piece together arbitrary malicious logic, such as calling system functions to execute arbitrary commands. This works against DEP/W^X because the executed code (the gadgets) is already part of the legitimate, non-writable, and executable sections of the program's memory, thus not violating the memory protection principles. While Address Space Layout Randomization (ASLR) can make finding the exact memory addresses of these gadgets more difficult by randomizing memory locations, once an attacker has overcome ASLR through an information leak, ROP remains an effective technique.