Vmpwn |work| -

OP_LOAD reg, value // load immediate OP_STORE reg, offset // store to memory OP_ADD reg1, reg2 OP_JMP offset OP_CALL func_id

With this, you can set regs[reg_idx] to any address (e.g., &vm->code or a GOT entry) and write controlled data there. OP_LOAD reg, value // load immediate OP_STORE reg,