In the preceding section, we overwrote the EIP register with 72413372. Let's figure out the exact number of bytes required to overwrite the EIP with the pattern_offset tool. This tool takes two arguments: the first one is the value found in EIP, and the second one is the length of the pattern, which was 1000, as generated using pattern_create. Let's find out the offset, as follows:
The exact match is found at 520. Therefore, the 4 bytes that follow the first 520 characters of the input become the contents of the EIP register.
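To make the arithmetic behind pattern_create and pattern_offset visible, here is an added example that reproduces the tools' logic in Python. It is not the book's code and not Metasploit's implementation; it only assumes the pattern format those tools use (an uppercase letter, a lowercase letter and a digit, with the digit cycling fastest: Aa0Aa1Aa2...). The value a debugger shows for EIP, 72413372, is a big-endian rendering of a little-endian 32-bit register, so the bytes that actually landed in the saved return address are 72 33 41 72, the string "r3Ar"; that is the substring the offset search looks for. The numbers in the walk-through (a 1000-byte pattern and the 72413372 value) are the ones from the text.

```python
import string
from itertools import product

# pattern_create cycles an uppercase letter, a lowercase letter and a digit,
# with the digit changing fastest: "Aa0Aa1Aa2...Aa9Ab0Ab1...". Each 4-byte
# window occurs only once within the pattern's 20280-byte period, which is
# what lets the value that landed in EIP be traced back to a single offset.
SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern."""
    out = bytearray()
    for upper, lower, digit in product(*SETS):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def query_to_bytes(query: str) -> bytes:
    """Turn what the debugger shows for EIP into the bytes that sit in memory.

    The debugger prints the 32-bit register as a big-endian hex number
    (e.g. 72413372), but x86 is little-endian, so the bytes that were copied
    over the saved return address are 72 33 41 72 = b"r3Ar".
    A query that is not 8 hex digits is treated as a literal 4-character string.
    """
    hexdigits = set(string.hexdigits)
    stripped = query[2:] if query.lower().startswith("0x") else query
    if len(stripped) == 8 and all(c in hexdigits for c in stripped):
        return int(stripped, 16).to_bytes(4, "little")
    return query.encode()


def pattern_offset(query: str, length: int = 8192):
    """Offset at which the bytes behind `query` appear in the pattern, or None."""
    needle = query_to_bytes(query)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    # Constructed walk-through of the numbers used in the text: a 1000-byte
    # pattern, a crash with EIP = 72413372, and the resulting offset.
    print(pattern_create(1000)[:30].decode())  # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
    print(query_to_bytes("72413372"))           # b'r3Ar'
    print(pattern_offset("72413372", 1000))     # 520
```

Running the walk-through confirms the figure in the text: "r3Ar" sits at offset 520 of the 1000-byte pattern, so bytes 520 through 523 of the input are what the overflow wrote into the saved return address. Passing a length shorter than the offset makes the search fail (it returns None), which is the same situation as running pattern_offset with a smaller length than the one given to pattern_create.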