As said in the advisory, the bug has different effects, so I will show only some of them.

The following is a practical example using drag'n'drop and the DirectMusic device (other details: Win98SE and DirectX 9.0b). The MIDI file used is the same as in the example in the advisory (it must be at least about 200 bytes long). The exception happens exactly in DMIME.DLL at 0x77303F9F:

    :77303F99 8B11      mov edx, dword ptr [ecx]
    :77303F9B 85D2      test edx, edx
    :77303F9D 740C      je 77303FAB
    :77303F9F 8B02      mov eax, dword ptr [edx]
    :77303FA1 8D4DEC    lea ecx, dword ptr [ebp-14]
    :77303FA4 51        push ecx
    :77303FA5 52        push edx
    :77303FA6 FF500C    call [eax+0C]
    :...

ECX is a pointer to the bytes in the malicious MIDI file (offset 0xa9 of the file).

    :77303F99  EDX will point to the 4 bytes pointed to by ECX
    :77303F9F  EAX will point to the 4 bytes pointed to by EDX
    :77303FA6  And now the DLL will call the address pointed to by EAX + 0xc

The 4 bytes pointed to by the EDX register at 77303F9F are exactly at offset 0xa9 of the MIDI file used, and this offset is the same also using a longer file. So from this example it is possible to give the custom addresses that will be pointed to by the registers used in these 8 instructions.

The other example I want to show is the manual opening of a MIDI file using the midiOut device (every midiOut device has the same effect). Here I have found some differences: in fact the position of the 4 bytes that will overwrite the return address depends on the length of the MIDI file. In my example I use a MIDI file (the same as in the advisory) with a length of 128 bytes. After opening Winamp there will be one exception, and after it there will be another one reporting EIP equal to 0x61616161. In fact 0x61616161 are the bytes we have at offset 0x54 of the MIDI file.

I have not deeply tested all the effects of the bug because I'm too lazy, but the exploitation is a reality (even if probably a bit limited).

BYEZ