ropshell> help list
At the main page, input part of binary name or md5 hash to search for existing
gadget databases.

ropshell> help generate
Use Upload to upload a binary file to generate ROP gadgets.
Make sure your check for the queue status and recent binaries before uploading.
It may take a few seconds to generate gadgets, be patient. Both direct gadgets
(RET ending) and indirect gadgets (CALL/JMP ending) will be generated.

ropshell> help download
Generated ROP gadgets can be downloaded as text file for offline use. Text file is
named by its md5 hash and compressed as a gzip.

ropshell> help search
ROP gadgets can be searched by raw ASM instruction or high level ROP IL code.
General search terms

    Match one item: ?
        e.g: "add esp ?": search for register adjustment gadgets with destination is esp
    Match one or many items: %
        e.g: "mov eax [ %": search for dereference gadgets with destination is eax
    Match part of ASM mnemonic: $
        e.g: "mov$ eax ?": will match mov, movxz
        e.g: "popa$": will match popa, popal, popaw
    Filter result: -keyword
        e.g: "pop % ;; -leave": search for all pop gadgets without "leave"
    Register replacement: r64/r32/r16/r08 (64/32/16/08 bit register)
        e.g: "mov r32 r32 %": search for all data movement gadgets with 32 bits registers
    Search for all possible gadgets: append % to the end of search
        e.g: "add esp ? %"

ropshell> help raw ASM search
Gadgets can be searched by raw ASM instruction. Use specific ASM syntax on the
target arch to search. Below are some examples on x86:

    Stack pivoting search:
        "xchg esp %", or "xchg r32 esp %", or "? esp %"
    pop-pop-ret search:
        "pop ? pop ?"
    Load a register from stack:
        "pop ?", or "pop % ;; -leave"
    Load a register from memory:
        "mov r32 [r32 %]", or "add r32, [r32 %]"
    Store value in a register to memory:
        "mov [r32 %] r32", or "add [r32 %] r32"