Free Online ROP Gadgets Search

ropshell> use 13f6e93ae581129e5dbc1d4126de3767 (download)
name         : libspp.dll (i386/PE)
base address : 0x10001000
total gadgets: 37331

ropshell> suggest "load mem"
> 0x10007b50 : mov eax, [ecx + 0x100]; ret
> 0x10045876 : mov edx, [ecx + 0x1044]; ret
> 0x10154116 : mov eax, [esi + 8]; pop esi; ret
> 0x100988b4 : mov eax, [ecx]; push 1; call [eax]; ret
> 0x1012526e : mov eax, [ebx + 0xdc]; pop edi; pop ebx; ret
> 0x10128f1f : mov eax, [edi + 4]; pop edi; pop ebp; ret
> 0x10132e89 : mov eax, [esi]; push eax; call ebx
> 0x100de5d2 : mov eax, [edi]; add [ebx - 0x3974fb3c], al; pop esi; ret 4
> 0x10129ce3 : mov ecx, [eax]; push ecx; call edi
> 0x1009e622 : mov ecx, [ebx]; add [ebx - 0x3974fb3c], al; pop esi; ret 4
> 0x10129d8d : mov ecx, [esi]; push ecx; call ebx
> 0x10129cf2 : mov edx, [eax]; push edx; call edi
> 0x1001e552 : mov edx, [ebx]; add [ebx - 0x3974fb3c], al; pop esi; ret 4
> 0x100799f1 : mov edx, [ecx]; jmp [edx + 0x18]
> 0x10136c8a : mov edx, [esi]; push edx; call ebx
> 0x10136820 : mov esi, [eax]; push eax; call edi
> 0x1004d5ea : mov eax, [ebx]; call [eax + 0xc]
> 0x1004b771 : mov eax, [edx]; call [eax + 8]
> 0x1003eef4 : mov eax, [ebp]; call [eax + 0x24]
> 0x1009872d : mov ebx, [ecx]; call [ebx + 0x20]
> 0x10063530 : mov ebx, [esi]; call [eax + 0x1c]
> 0x10062915 : mov ebx, [edi]; call [eax + 0x1c]
> 0x1010059c : mov edx, [edi]; call [edx + 0x14]
> 0x1010064f : mov edx, [ebp]; call [edx + 0x14]
> 0x1006495a : mov edi, [ecx]; call [edi + 0x1c]
> 0x1004e2f4 : mov edi, [esi]; call [eax + 0x1c]
> 0x1004bac7 : mov ebp, [ebx]; call [edx + 0x18]
> 0x1004e673 : mov ebp, [edi]; call [eax + 0x1c]
> 0x101574aa : mov eax, [ebp + 0xc]; pop edi; pop esi; pop ebx; pop ebp; ret 0xc
> 0x10124080 : mov ecx, [ebx + 8]; push ecx; call edi
> 0x1012d579 : mov ecx, [esi + 0x10]; push ecx; call ebp
> 0x10129d5a : mov ecx, [edi + 0x10]; push ecx; call ebx
> 0x10132512 : mov ecx, [ebp + 0x10]; push ecx; call ebx
> 0x1013a7aa : mov edx, [ebx + 8]; push edx; call edi
> 0x10124163 : mov edx, [esi + 0x10]; push edx; call edi
> 0x10132ecf : mov edx, [edi + 0x14]; push edx; call ebx
> 0x1015815a : mov ecx, [eax + 8]; mov [eax + 0x10], ecx; pop esi; ret
> 0x100d64e1 : mov ecx, [edx + 4]; add ecx, esi; call [edx]; pop esi; ret 4
> 0x100e31fb : mov ebp, [eax + 0x14]; call [edx + 0x14]
> 0x1002ac7e : mov edx, [eax + 0x1a8c]; mov eax, 1; mov [ecx + 0x15d4], edx; ret
> 0x1004f05c : mov edx, [ebp + 0x2474]; pop esi; mov [eax + 0x2474], edx; pop ebp; ret 4
> 0x10053dab : mov esi, [edi]; adc [eax], al; add esp, 8; call eax
> 0x10043aab : mov edi, [edx]; adc [eax], eax; add esp, 8; call eax
> 0x1004dea4 : mov ebp, [ecx + 0x1c]; mov ecx, edi; call [edx + 8]
> 0x1004dff4 : mov ebp, [edx + 0x1c]; mov ecx, edi; call [eax + 8]
> 0x100b521a : mov ebx, [edx]; not ecx; push ecx; mov ecx, edx; call [ebx + 0x14]
> 0x10070d6d : mov esi, [edx]; not ecx; push ecx; mov ecx, edx; call [esi + 0x14]
> 0x100b51de : mov ebp, [edx]; not ecx; push ecx; mov ecx, edx; call [ebp + 0x14]
> 0x1002d771 : mov ebx, [eax + 0x4c8b000e]; and al, 8; pop esi; mov fs:[0], ecx; add esp, 0x10; ret
> 0x100a4d65 : mov esi, [ebp + 0x14]; mov edx, [ecx]; call [edx + 0xc]
> 0x1011ca18 : mov eax, [edx + 0x20]; lea ecx, [edx + 0x20]; call [eax + 8]
> 0x1008b6a5 : mov ebp, [edi + 0x14]; push -1; mov edx, [ecx]; call [edx + 8]
> 0x10089f2c : mov ecx, [ebp]; push ecx; mov ecx, esi; mov eax, [esi]; call [eax + 0x18]
> 0x1009aaa0 : mov ebx, [esi + 0xc]; mov ecx, ebx; mov eax, [ebx]; call [eax + 8]
> 0x1008b997 : mov edi, [esi + 0x14]; mov ecx, edi; mov eax, [edi]; call [eax + 0x1c]
> 0x1006352b : mov esi, [edi + 0xc]; mov eax, [ecx]; mov ebx, [esi]; call [eax + 0x1c]
> 0x1010802d : mov ebp, [ebx + 0xc]; push 0; mov ecx, ebp; mov eax, [ebp]; call [eax + 8]
> 0x10106b1e : mov edi, [edx + 0x30]; mov ecx, [edi + 8]; mov eax, [ecx]; call [eax + 8]
> 0x100fef52 : mov edi, [ebp + 0x40]; inc edi; mov [ebp + 0x40], edi; mov edx, [ecx]; call [edx + 0x14]
> 0x100febc6 : mov ebp, [esi + 0x40]; inc ebp; mov [esi + 0x40], ebp; mov eax, [ecx]; call [eax + 0x14]
> 0x101020b7 : mov edi, [eax + 0x18]; xor eax, eax; repne scasb al, es:[edi]; not ecx; push ecx; mov ecx, ebx; call [edx + 0x14]
> 0x10068bf6 : mov ebx, [edi + 0x30]; mov eax, [ebx + 0x1d4]; lea esi, [ebx + 0x1d4]; mov ecx, esi; call [eax + 8]
> 0x1012ef12 : mov esi, [edx + 0xc]; mov esi, [esi + 4]; mov [esi], eax; mov edx, [edx + 0xc]; pop esi; mov [edx + 4], ecx; ret
> 0x10079903 : mov esi, [ecx + 0x28]; mov [eax + 0x14], esi; mov ecx, [ecx + 0x2c]; mov [eax + 0x18], ecx; mov [eax + 4], edx; pop esi; ret 4
> 0x10068b5f : mov ebx, [ecx + 0x2e0]; mov [esp + 0x20], edx; lea edx, [esp + 0x14]; push edx; push eax; mov eax, [ecx]; call [eax + 0x1c]
> 0x1004dfeb : mov ebx, [edx + 0x18]; mov eax, [esi + 0x2c]; lea edi, [esi + 0x2c]; mov ebp, [edx + 0x1c]; mov ecx, edi; call [eax + 8]