ropshell> use a27f2d7915fd455a2c4147e4b70bbd98 (download)
name : EQNEDT32.EXE (i386/PE)
base address : 0x401000
total gadgets: 4450
ropshell> suggest

call
> 0x0044c3ef : call eax
> 0x00450a1a : call ebx
> 0x0044dfef : call ecx
> 0x0044e866 : call edx
> 0x0044d195 : call esi

jmp
> 0x00423297 : jmp eax
> 0x004150df : jmp [eax]
> 0x0044c57c : jmp [ebx]
> 0x0040fc06 : jmp [ecx]
> 0x0044c425 : jmp [edx + 0x14]

load mem
> 0x0044c8b8 : mov ecx, [eax]; mov eax, [eax + 4]; push eax; ret
> 0x0041ce67 : mov eax, [ebp + 8]; push eax; call [ebp + 0x10]
> 0x0044e8c3 : mov eax, [edx]; sub eax, ecx; cmp eax, 1; sbb eax, eax; and eax, edx; ret
> 0x0044dd6d : mov eax, [esi + 0x810]; pop esi; pop ebx; lea eax, [eax + edx + 0x100]; ret
> 0x0044fe6b : mov eax, [edi]; pop edi; mov [eax + esi], ebx; xor eax, eax; pop esi; pop ebx; ret

load reg
> 0x0044c163 : pop ebx; ret
> 0x0044bf00 : pop esi; ret
> 0x0044c0b8 : pop edi; ret
> 0x0040f794 : pop ebp; ret
> 0x0044d0dd : pop ecx; pop ebx; ret 4

pop pop ret
> 0x0040f794 : pop ebp; ret
> 0x0044c4a7 : pop ebx; pop edi; ret
> 0x0044c0b6 : pop ebx; pop esi; pop edi; ret
> 0x0044c71a : pop ebp; pop edi; pop esi; pop ebx; ret

sp lifting
> 0x004510f6 : add esp, 0x1004; ret
> 0x004510f6 : add esp, 0x1004; ret
> 0x0044c581 : add esp, 0x20; ret
> 0x00450052 : add esp, 0x418; ret

stack pivoting
> 0x0044ced0 : mov esp, ebp; pop ebp; ret
> 0x0044c8b6 : mov esp, ecx; mov ecx, [eax]; mov eax, [eax + 4]; push eax; ret
> 0x0041b568 : xchg eax, esp; xor ecx, ecx; mov cl, [eax + 0x41b58c]; jmp [0]
> 0x0040127c : leave ; ret

write mem
> 0x0044e15d : add [eax], edi; pop esi; adc eax, -1; ret
> 0x0044fc23 : add [edx], ebp; call esi
> 0x0044fa5c : add [eax + 0x30], ebp; xor eax, [ebp]; push 1; call esi
> 0x0044ea75 : add [edi], ecx; test esp, [edx - 0x7b000000]; push [ebp + 0x12]; call esi
> 0x0044c651 : add [ebp + 0xb], esi; xor eax, eax; mov al, [esp + 4]; pop ebx; add esp, 8; ret