by sillysaurus2 4661 days ago
If your exploit needs a certain sequence of code, and the little dropbox hook doesn't have it, then the exploit's not going to work.

This is true, but meaningless, because an attacker is going to craft an exploit that targets the Dropbox DLL specifically.

I think you're thinking an exploit is something which is tried against different processes until one of them turns out to be vulnerable. That's true for some kinds of exploits. But in this case, we're trying to point out that an attacker is going to exploit the Dropbox DLL's certain sequence of code.

1 comment

I'm thinking about exploits that only have a limited range of motion. They need code to perform part of the action for them, that they can take advantage of. You can't just use arbitrary code for that, you need code that is vulnerable in very particular ways.
The assumption with ROP exploits is that the targeted library will support any arbitrary sequence needed. So far, this seems to be a generally valid assumption.