n is simply a sequence where no string of n characters is repeated. This makes finding the offset until EIP much simpler - we can just pass in a De Bruijn sequence, get the value within EIP and find the one possible match within the sequence to calculate the offset. Let's do this on the ret2win binary.radare2 comes with a nice command-line tool (called ragg2) that can generate it for us. Let's create a sequence of length 100.-P specifies the length while -r tells it to show ascii bytes rather than hex pairs.radare2 when prompted for input, make it crash and then calculate how far along the sequence the EIP is. Simples.0x41534141; we can use radare2's in-built wopO command to work out the offset.dr eip is calculated first, before the wopO is run on the result of it.