POC Heap based buffer overflow

["Aaron C. Newman (Application Security, Inc.)" <anewman () appsecinc com>]

I am developing a POC exploit for an exist buffer overflow.

In the buffer overflow, I can write up to 32000 bytes of memory (it
allows my to write all noops - 0x90 - and I can embed payload anywhere
in those bytes). It is overwritten in several places, however it is
never consistently in the same place. I can get the payload to overwrite
a value that is loaded into ecx and then ecx is executed. So I am able
to change the direction of execution to any hard-coded address I want.
However I can not consistently change it to my attack code because the
payload is loaded to different places in memory each time. 

The payload is not written directly to ESP or EBP so I can not simply
call somewhere in the program where there is a "call esp" or "jmp esp".
One of the areas overwritten does seem to be consistently written to ESP
+ 0x1D00 or EBP + 0x1D10 so I was hoping to find someplace in code where
it executes:
add esp, 0x1D00
jmp esp

and other variations but have not had luck finding a useful match.

I could try brute forcing, but the overflow crashes the program so that
is not very practical, particularly for demos.

Anyone have any ideas of how to use and address that can consistently
find my attack code.

Regards,
Aaron