Free Online ROP Gadgets Search

ropshell> use 0d2e302910fccc2094dcab8e24739dc8 (download)
name         : TEFW.exe (i386/PE)
base address : 0x401000
total gadgets: 19404

ropshell> suggest "load mem"
> 0x00458bf4 : mov eax, [ebp]; ret
> 0x0040772c : mov ecx, [ebx]; ret
> 0x00449668 : mov eax, [esi]; pop esi; ret
> 0x00403436 : mov eax, [ecx + 0x10]; ret
> 0x0040939d : mov eax, [edx + 0x350]; ret 4
> 0x00414604 : mov eax, [ecx]; add eax, ecx; ret
> 0x0044b55f : mov eax, [ebx + 0x94]; pop ebx; ret
> 0x0044e194 : mov eax, [esi + 0x88]; pop esi; ret
> 0x00467b48 : mov eax, [ebp + 0xc]; pop ebp; ret
> 0x004557d7 : mov ecx, [eax]; push eax; call [ecx]; ret 8
> 0x0041ea82 : mov edx, [eax + 0x154]; jmp edx
> 0x004672d7 : mov ebp, [ebx + 0x20]; jmp eax
> 0x0040af74 : mov eax, [edx]; push ebp; call eax
> 0x00407baf : mov edx, [eax]; push 1; call edx
> 0x0040abaf : mov eax, [edi + 8]; call eax
> 0x0041d9cb : mov edx, [ecx + 8]; call edx
> 0x0044d0fd : mov esi, [eax + 8]; mov eax, esi; pop esi; ret
> 0x00452f7b : mov eax, [ebx]; call [eax + 0x58]
> 0x0044d189 : mov eax, [edi]; call [eax + 0x14]
> 0x004218b9 : mov ecx, [eax + 0x20]; push ecx; call ebp
> 0x0041c4ce : mov ecx, [edx + 0x20]; push eax; call ecx
> 0x0040b5cd : mov ecx, [esi + 0x344]; push ecx; call edi
> 0x00413794 : mov edx, [esi + 4]; push edx; call edi
> 0x0041d153 : mov edx, [ebp + 0x90]; push edx; call ebx
> 0x00453e0c : mov edi, [ebx + 1]; add [ecx + 0x868444d], cl; ret
> 0x0045c605 : mov ebx, [eax]; push eax; call [ebx + 0x18]
> 0x0040c68f : mov edx, [ebx]; mov [esi + edx], 0; pop esi; pop ebx; ret 8
> 0x0047e44a : mov edx, [ecx]; add [eax], al; xor eax, eax; pop ebp; ret
> 0x00462755 : mov edx, [esi]; push eax; call [edx + 0x58]
> 0x0044ad02 : mov edx, [edi]; push eax; call [edx + 0x34]
> 0x0045b1e8 : mov edi, [ecx]; push ecx; call [edi + 0x20]
> 0x004434fd : mov ebx, [ebp + 0x10]; call [ebx]
> 0x004092a3 : mov ecx, [ebp + 0x27c]; push ecx; push 0; call esi
> 0x0046b798 : mov edi, [esi + 0xc]; and edi, 0x7fff; call ebx
> 0x00475420 : mov ecx, [edx]; movzx eax, [ecx]; inc ecx; mov [edx], ecx; ret
> 0x0045e4e2 : mov ecx, [edi + 0x4c]; push eax; call [esi]
> 0x004543be : mov ecx, [esi]; mov [eax], ecx; mov [esi], edi; pop edi; pop esi; ret 4
> 0x0046934b : mov esi, [ebp + 8]; mov ecx, esi; call [ebp + 0x14]
> 0x0043ba7e : mov ebx, [ecx]; sub eax, edx; push eax; push edx; call [ebx + 0x38]
> 0x0041448b : mov edx, [ebp]; mov eax, [edx + 0x1c]; mov ecx, ebp; call eax
> 0x0040b424 : mov ecx, [ebx + 0x360]; lea edi, [ebx + 0xc]; push eax; call ecx
> 0x0042efd5 : mov edx, [ebx + 0x134]; add esp, 4; push eax; mov ecx, edi; call edx
> 0x0045fed6 : mov esi, [eax]; mov eax, [esi]; mov ecx, esi; call [eax + 0x54]
> 0x00471639 : mov esi, [edx + esi]; mov ecx, [esi + ecx]; add ecx, edx; add eax, ecx; pop esi; ret
> 0x0045e773 : mov edi, [eax + 0x24]; mov eax, [esp + 0x10]; mov [eax], edi; pop edi; pop esi; ret 8
> 0x00461692 : mov ebp, [eax + 0xc]; movzx eax, [esi + 0x44]; push eax; push ebp; call edi
> 0x00414d06 : mov ecx, [edi]; mov edx, [ecx]; mov eax, [edx + 4]; push edi; call eax
> 0x0043ba91 : mov ebp, [ecx]; push ebx; push ebx; sub eax, edx; push eax; push 2; call [ebp + 0x50]
> 0x00408b44 : mov edx, [edi + 0x10]; push 1; lea ecx, [esp + 0x18]; push ecx; push esi; mov [esp + 0x24], eax; call edx
> 0x0047d18c : mov edi, [ebp + 8]; push ebx; push edi; push [esi + 0x88]; mov [ebp + 0x10], eax; call [esi + 0x10]
> 0x00451a4e : mov ebx, [esi + 0x4c]; and [esi + 0x4c], 0; mov eax, [edi]; push 0; push esi; mov ecx, edi; call [eax + 0x70]