This is a proof-of-concept for a stack overflow vulnerability that I found back in 2012 in the multiplayer client of Age of Empires II: The Conquerors (v1.0, v1.0c). To execute the payload successfully, you must be running the game on Windows XP SP3 (English or Spanish language), because the exploit needs a jmp esp instruction at kernel32:0x7c874413. On newer Windows versions this should lead only to a crash, because the shellcode is specific to that environment and additional memory protections (ASLR) randomize the module base address that the hardcoded return address depends on.
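The paragraph above hinges on a fixed gadget address inside kernel32, which only holds when the module does not opt in to ASLR. The following Python script, an added example that is not part of this project, parses the PE optional header of a module and reports whether the DllCharacteristics flags DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and HIGH_ENTROPY_VA are set. It hand-parses the header instead of depending on a third-party library, and it builds a constructed minimal PE32 image so it can run offline; the build_sample_pe helper and the flag values it sets are assumptions for the demonstration, while the flag constants themselves are the documented PE values.

```python
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # module can be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # module is DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header follows
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    optional = coff + 20
    magic = struct.unpack_from("<H", pe, optional)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    return struct.unpack_from("<H", pe, optional + 70)[0]


def mitigations(pe: bytes) -> dict:
    """Summarise which memory protections the image opts in to."""
    flags = dll_characteristics(pe)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def audit_file(path: str) -> dict:
    """Read a DLL/EXE from disk and report its mitigation flags."""
    with open(path, "rb") as fh:
        return mitigations(fh.read())


def build_sample_pe(characteristics: int) -> bytes:
    """Constructed minimal PE32 image (assumption: only the headers matter here)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    # Machine=i386, 0 sections, no timestamp/symbols, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | DLL | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<H", optional, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # A module built like XP-era kernel32 (no opt-in flags) versus a hardened one.
    for label, flags in (("legacy", 0),
                         ("hardened", IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                      | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)):
        print(label, mitigations(build_sample_pe(flags)))
```

Run audit_file on each module loaded by a process to see which ones could still supply a fixed-address gadget; a module without DYNAMIC_BASE is the reason a hardcoded address like the one above works, and enabling the flag at link time is the mitigation.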
The project includes a library (aoclib) that manages game messages by invoking DirectPlay (https://en.wikipedia.org/wiki/DirectPlay), written in flat assembler (https://flatassembler.net/); a sample shellcode that is also hardcoded in this project; and a client written in C++ that mimics the original one from the game (after a huge amount of unnecessary reverse engineering). The GUI was developed using Qt (https://www.qt.io/product/development-tools).
Alongside this project I also kept some .txt files that contain further information about the memory gadgets used by the exploit and the related ROP chain. I used the Immunity Debugger (https://www.immunityinc.com/products/debugger/) plugin mona.py (https://github.com/corelan/mona/blob/master/mona.py) for automated memory gadget searching.
To build, just fix the include path in the flat assembler files (.asm) and compile the client with Qt Creator.