ropshell> use 1fab4c106642a4dfe4b8a489cc2b3334
name         : ncat.exe (i386/PE)
base address : 0x401000
total gadgets: 22194
ropshell> suggest "load mem"
> 0x0042e0b6 : mov eax, [ecx]; ret
> 0x00456396 : mov eax, [ecx + 0x10]; ret
> 0x004a0792 : mov eax, [edx + 0x108]; ret
> 0x0045a7b1 : mov eax, [esi + 0x14]; ret
> 0x004649af : mov eax, [esi]; pop edi; pop esi; ret
> 0x004373cd : mov ecx, [eax]; jmp ecx
> 0x00442109 : mov eax, [edi + 0x40]; pop edi; ret
> 0x0040910c : mov eax, [ebp + 0x10]; pop ebp; ret
> 0x004e1fcc : movzx ecx, [edx]; sub eax, ecx; pop ebp; ret
> 0x0043754d : mov ecx, [eax + 0x10]; jmp ecx
> 0x0042b6c8 : mov edx, [eax + 0x14]; jmp edx
> 0x0041a76e : mov edx, [ecx + 0x18]; jmp edx
> 0x0043acbb : mov eax, [edx]; mov eax, [ecx + eax]; ret
> 0x0040940c : mov eax, [edi]; push eax; call ebx
> 0x0046aba8 : mov edx, [eax]; push ecx; call edx
> 0x0042930a : mov edx, [ecx]; push eax; call edx
> 0x004094dd : mov edx, [edi]; push edx; call ebx
> 0x0045eaf1 : mov edi, [eax]; push ecx; call edx
> 0x0045eb87 : mov edi, [esi]; push eax; call ecx
> 0x004a0951 : mov eax, [ebx + 0x60]; call eax
> 0x004a5e32 : mov ecx, [esi + 0x54]; call ecx
> 0x0043b41a : mov edx, [esi + 0x10]; call edx
> 0x00471b4f : mov ebx, [esi]; pop edi; pop esi; mov eax, ebx; pop ebx; ret
> 0x004aab82 : mov edi, [ecx]; mov eax, edi; pop edi; pop esi; pop ebp; ret
> 0x00494601 : mov ebp, [ecx]; add [eax], al; add esp, 0xc; ret
> 0x00465954 : mov ebx, [edi + 0x5e]; mov eax, 1; pop ebx; pop ecx; ret
> 0x0041037b : mov ecx, [edi + 4]; push ecx; call esi
> 0x00422574 : mov ecx, [ebp + 0x10]; push eax; call ecx
> 0x0045e6b8 : mov edx, [ebx + 4]; push esi; call edx
> 0x00458185 : mov edx, [edi + 0x10]; push ebx; call edx
> 0x00429462 : mov esi, [eax + 4]; push ecx; call ebx
> 0x004c7069 : mov edi, [ebp + 8]; push edi; call esi
> 0x004573e9 : mov ecx, [edi]; mov [ecx + 0xc], eax; pop edi; pop esi; ret
> 0x00476f51 : mov edi, [edx]; add [eax], eax; add esp, 4; pop esi; ret
> 0x0044e448 : mov ecx, [edx + 0x18]; push eax; push ebx; call ecx
> 0x004df32f : mov edx, [ebp + 0x10]; mov [edx], ecx; pop esi; pop ebp; ret
> 0x004aab73 : mov edi, [eax + 0x198]; mov eax, edi; pop edi; pop esi; pop ebp; ret
> 0x004aab4b : mov edi, [edx + 0x19c]; mov eax, edi; pop edi; pop esi; pop ebp; ret
> 0x004aab3f : mov edi, [esi + 0x6c]; mov eax, edi; pop edi; pop esi; pop ebp; ret
> 0x004ba59f : mov ecx, [esi]; push edi; push 0; push ecx; push 0; call eax
> 0x0049b5a6 : mov ebx, [esi + 0x18]; pop edi; pop esi; pop ebp; mov eax, ebx; pop ebx; ret
> 0x0048d01a : mov ecx, [ebx + 0x80]; push edx; push eax; push esi; call ecx
> 0x0043275c : mov ebp, [esi + 0x10]; pop edi; pop esi; mov eax, ebp; pop ebp; pop ebx; ret
> 0x00405792 : mov ecx, [ebx]; add [ebx - 0x21137b], cl; call [eax - 0x18]
> 0x004649ab : mov edx, [esi]; add [edi], edx; mov eax, [esi]; pop edi; pop esi; ret
> 0x0044edf7 : mov eax, [ebp]; mov [ebp + 4], eax; mov [ebp + 0xc], 0; pop ebp; pop ebx; ret
> 0x004d3493 : mov ebx, [ebp + 8]; lea eax, [ebp - 4]; push eax; push ebx; push edi; push [ebp + 0xc]; call esi