[BITS 32]
[ORG 0]

   cld
   call over
db "aaaaaaaa", 0xFF,0xFF,0xFF,0xFF, "user32.dll", 0
over:
   pop esi
   mov edi, esi
   mov eax, 0x61616161
   mov ecx, 20
   rep scasd          ;scan aa.. string until 0xFF byte, 
   inc byte [edi-1]   ;[edi-1] = 0xFF offset, inc it so 0x00 to null terminate urlmon.dll

   push edi           ;should be offset of user32.dll
  
   push 0x7c801d7b  ;new scdbg k32 LoadLibrary
   pop edx
   call edx

;at end edi should point to user32, ecx = 0x11 and flags = CF






