@28:52 I guess instead of storing A in the memory we need to store A-4 , then when pop happens first esp = A-4 and then A since pop consists of two steps then on ret call since esp = A, eip = A and esp will increment , again because ret also comprises of two steps.

Just a small correction....the gadgetaddr2 doesn't get overwritten....push decrements esp first , so esp = esp-4 , then it gets written by push edi ...anyways we don't have gadget2 now to subvert execution to .

amazing video sir

Extremely high Quality lecture, such nice and simple presentation. kudos Sir

@18:08, I think he is wrong ? The contents of eax register is copied into a location edx + 64.