What is the core principle behind bypassing DEP using the VirtualProtect function?
The bypass uses Return-Oriented Programming (ROP) to call VirtualProtect on the page(s) that hold the shellcode and change their protection to an executable one (typically PAGE_EXECUTE_READWRITE, 0x40). Because DEP refuses to execute code on a stack or heap page, the exploit does not jump to the shellcode directly. Instead, the ROP chain arranges the stack so that VirtualProtect is called with lpAddress and dwSize covering the shellcode, flNewProtect set to the executable constant, and lpflOldProtect pointing at any writable address, and with the return address of that call set to the shellcode itself: when VirtualProtect returns, execution lands in the buffer that is now marked executable. This technique is detailed in Windows Shellcode Study Notes - Bypassing DEP via VirtualProtect, while an alternative that allocates a fresh executable region with VirtualAlloc is covered in Windows Shellcode Study Notes - Bypassing DEP with VirtualAlloc.
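The following C program is an added example, not code from the study notes linked above. It builds the exact stack layout a 32-bit (x86, stdcall) VirtualProtect-based ROP chain must leave behind at the moment a `ret` pops the VirtualProtect address into EIP, and checks that the frame hands control back into the region it just made executable. The addresses of VirtualProtect, the shellcode and the writable scratch slot are hypothetical constants chosen for illustration; in a real exploit they come from the target (for example a non-ASLR module's import table and the address where the payload lands).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Windows memory-protection constant passed as flNewProtect. */
#define PAGE_EXECUTE_READWRITE 0x40u

/* Hypothetical addresses for this example only (not real gadget or API
   addresses): a real chain takes them from the target process. */
#define HYPO_VIRTUALPROTECT 0x7c801ad4u   /* resolved address of VirtualProtect */
#define HYPO_SHELLCODE      0x0012ff40u   /* where the shellcode lands on the stack */
#define HYPO_SHELLCODE_LEN  0x200u
#define HYPO_WRITABLE       0x10002000u   /* any writable slot for lpflOldProtect */

#define VP_FRAME_LEN 24   /* six 32-bit stack slots */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v);       p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lay out the stack as VirtualProtect expects it the instant a `ret`
   transfers control to it (x86 stdcall):
   [0]  VirtualProtect address   <- consumed by the ret that starts the call
   [4]  return address           <- where VirtualProtect returns: the shellcode
   [8]  lpAddress                <- start of the region to reprotect
   [12] dwSize                   <- VirtualProtect rounds this to whole pages itself
   [16] flNewProtect             <- PAGE_EXECUTE_READWRITE
   [20] lpflOldProtect           <- writable address; the old protection is stored there
   Returns the number of bytes written, or 0 if the buffer is too small or
   the shellcode length is zero. */
size_t build_virtualprotect_frame(uint8_t *out, size_t out_len,
                                  uint32_t virtualprotect_addr,
                                  uint32_t shellcode_addr, uint32_t shellcode_len,
                                  uint32_t writable_addr) {
    if (out_len < VP_FRAME_LEN || shellcode_len == 0) return 0;
    put_le32(out + 0,  virtualprotect_addr);
    put_le32(out + 4,  shellcode_addr);          /* return straight into the payload */
    put_le32(out + 8,  shellcode_addr);          /* lpAddress */
    put_le32(out + 12, shellcode_len);           /* dwSize */
    put_le32(out + 16, PAGE_EXECUTE_READWRITE);  /* flNewProtect */
    put_le32(out + 20, writable_addr);           /* lpflOldProtect */
    return VP_FRAME_LEN;
}

/* The check a practitioner wants before firing the exploit: the return slot
   must fall inside [lpAddress, lpAddress + dwSize) and the new protection
   must be executable, otherwise VirtualProtect returns into memory that DEP
   still refuses to run. Returns 1 if the frame is consistent, 0 otherwise. */
int frame_returns_into_region(const uint8_t *frame) {
    uint32_t ret = get_le32(frame + 4);
    uint32_t lp  = get_le32(frame + 8);
    uint32_t sz  = get_le32(frame + 12);
    return ret >= lp && ret < lp + sz &&
           get_le32(frame + 16) == PAGE_EXECUTE_READWRITE;
}

/* Build the frame from the hypothetical constants above and return slot i
   (0..5) as a 32-bit value; 0xffffffff for an out-of-range slot. */
uint32_t example_frame_slot(unsigned i) {
    uint8_t frame[VP_FRAME_LEN];
    if (i >= VP_FRAME_LEN / 4) return 0xffffffffu;
    build_virtualprotect_frame(frame, sizeof frame, HYPO_VIRTUALPROTECT,
                               HYPO_SHELLCODE, HYPO_SHELLCODE_LEN, HYPO_WRITABLE);
    return get_le32(frame + 4 * i);
}

int main(void) {
    uint8_t frame[VP_FRAME_LEN];
    size_t n = build_virtualprotect_frame(frame, sizeof frame, HYPO_VIRTUALPROTECT,
                                          HYPO_SHELLCODE, HYPO_SHELLCODE_LEN, HYPO_WRITABLE);
    printf("frame (%zu bytes, little-endian):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", frame[i]);
    printf("\nreturns into executable region: %d\n", frame_returns_into_region(frame));
    return 0;
}
```

This shows only the final shape of the stack. Because the stack address where the payload lands is rarely known exactly in advance, real chains usually fill the lpAddress and return slots at runtime with pop/pushad-style gadgets rather than hard-coding them as done here; the slot order and the PAGE_EXECUTE_READWRITE value are the same either way.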
Tags: ROP, Return-Oriented Programming, VirtualProtect, DEP bypass, PAGE_EXECUTE_READWRITE