Free Online ROP Gadgets Search

ropshell> use 1ab5406f33d8be8febd070750080329a (download)
name         : win32k.sys (i386/PE)
base address : 0xbf800380
total gadgets: 16986

ropshell> suggest "load mem"
> 0xbf868636 : mov eax, [ecx]; ret
> 0xbf8c4ec4 : mov eax, [edx]; ret 4
> 0xbf833af4 : mov eax, [esi]; pop esi; ret 4
> 0xbf8e9c46 : mov eax, [ecx + 4]; ret
> 0xbf934460 : mov eax, [edx + 0x38]; pop ebp; ret 8
> 0xbf807699 : mov eax, [ebp + 0x10]; pop ebp; ret 0xc
> 0xbf91fcea : mov eax, [edi]; pop esi; pop edi; pop ebp; ret 0x18
> 0xbf81f80d : mov ebx, [eax]; call edi
> 0xbf819611 : mov eax, [esi + 0xc]; pop esi; pop ebp; ret 4
> 0xbf8c563c : mov eax, [ebx]; pop edi; pop esi; pop ebx; pop ebp; ret 0x10
> 0xbf956009 : mov ecx, [edx]; mov [eax], cx; pop ebp; ret 0x14
> 0xbf933886 : mov eax, [edi + 4]; pop edi; pop esi; pop ebp; ret 8
> 0xbf8b7b7c : mov ebx, [edi + 8]; call ebx
> 0xbf8176e9 : mov ecx, [eax + 4]; call ebx
> 0xbf80cd0e : mov ecx, [ebp + 0xc]; and eax, ecx; pop ebp; ret 0xc
> 0xbf840fe8 : mov esi, [eax + 0x2c]; call edi
> 0xbf8232a0 : mov ecx, [esi]; add ecx, 8; call ebx
> 0xbf823299 : mov ecx, [edi]; add ecx, 8; call ebx
> 0xbf8fe0b1 : mov eax, [ebx + 0x680]; push ecx; call eax
> 0xbf81681d : mov edx, [ebp + 8]; call [ecx + 0x3c]; pop ebp; ret 8
> 0xbf838fc0 : mov esi, [ebp + 0x20]; push esi; call ebx
> 0xbf9480de : mov edi, [ebp + 0x10]; push edi; call esi
> 0xbf8fdf87 : mov ebx, [ebp + 0x10]; push ebx; push ecx; call eax
> 0xbf85bb5c : mov edx, [eax + 8]; mov eax, [edx + ecx*4]; ret
> 0xbf966cd2 : movzx edx, [ebx + 4]; call [ebp - 4]
> 0xbf91fad9 : mov edx, [esi + 0xc]; mov [ecx], edx; pop esi; pop ebp; ret 8
> 0xbf96da8f : mov ecx, [eax]; shl edx, 3; call [ecx + 0x40]
> 0xbf8b81ac : mov edx, [esi]; add dx, bx; call [ebp - 8]
> 0xbf868e41 : mov ecx, [esi + 4]; push edi; push edx; push eax; call ecx
> 0xbf868ff5 : mov ecx, [ebx]; push edi; push eax; push ecx; call [ebx + 4]
> 0xbf8dc349 : mov edx, [edi]; push ebx; push ecx; push edx; call [edi + 4]
> 0xbf94c532 : mov edi, [eax + 0x4c]; rep movsd es:[edi], [esi]; pop edi; pop esi; pop ebp; ret 4
> 0xbf988870 : mov edx, [eax]; add ecx, esi; push ecx; push edx; call [eax + 4]
> 0xbf966c84 : movzx edx, [ebx]; mov ecx, [ebp + 8]; call [ebp - 4]
> 0xbf988af0 : mov edx, [ecx]; add eax, ebx; push eax; push edx; call [ecx + 4]
> 0xbf8b7a7c : mov ecx, [edi + 0x1c]; push eax; push ecx; push esi; call [edi + 4]
> 0xbf8ca314 : mov edx, [ecx + 0x10]; xor eax, eax; test edx, edx; setg al; dec eax; and eax, 4; ret
> 0xbf84dd29 : mov ecx, [edx + 0x14]; mov [edx + 0x38], ecx; or [eax + 0x18], 1; pop ebp; ret 4
> 0xbf84ab7a : movsx edi, [ebx + 4]; push edi; push [ebp - 0x30]; push edx; push eax; push [ebp - 4]; call ecx
> 0xbf8b651b : mov edx, [edi + 0x14]; mov [esi + 0x14], edx; pop edi; mov [esi + 0x18], ecx; pop esi; pop ebp; ret 0x10
> 0xbf8b7a57 : mov esi, [edi]; mov ecx, [edi + 4]; push eax; mov eax, [edi + 0x14]; push eax; push esi; call ecx
> 0xbf8dc00a : mov esi, [eax]; lea eax, [esi + 1]; push eax; lea eax, [ebx + 8]; push eax; call [ebx + 0x10]
> 0xbf8e30ca : mov ebx, [ecx + 0x17c]; mov edx, eax; and eax, [ebp + 0xc]; not edx; and ebx, edx; or ebx, eax; call esi
> 0xbf8dbf80 : mov edi, [eax]; lea eax, [edi + 3]; push eax; lea eax, [ebx + 8]; push eax; mov [ebp - 8], edi; call [ebx + 0x10]