ropshell> use 1a40c3f362d7f068d2a744b541e6c887
name         : winbox.exe (i386/PE)
base address : 0x401000
total gadgets: 35665
ropshell> suggest "load mem"
> 0x0049f2fa : mov eax, [ecx]; ret
> 0x00507cbe : mov eax, [edx]; ret
> 0x00475b62 : mov eax, [ecx + 0x10]; ret
> 0x0047b07b : mov eax, [edx + eax]; ret 4
> 0x004c72ba : movzx edx, [eax]; mov eax, edx; ret
> 0x0043ac53 : mov eax, [ebp + 8]; pop ebp; ret
> 0x004759ba : mov edx, [ecx + 0x14]; pop ebp; ret 8
> 0x00454d31 : mov eax, [ebx + edx]; pop ebx; pop ebp; ret 4
> 0x00496b8b : mov ecx, [ebp + 0xc]; call eax
> 0x004db02b : mov edx, [eax + 4]; mov eax, [eax]; ret 4
> 0x0040c2ae : mov eax, [ebx]; call [eax + 0x14]
> 0x00486163 : mov eax, [esi]; call [eax + 0x18]
> 0x0047d9d5 : mov eax, [edi]; call [eax + 0x38]
> 0x004700da : mov edx, [ecx]; call [edx + 0x1c]
> 0x004e3f1a : mov eax, [esi + 0x10]; pop esi; pop ebp; jmp eax
> 0x004abc7a : mov edx, [ebp + 0x10]; mov [edx], 4; pop ebp; ret 0xc
> 0x0040cea1 : mov edx, [ebx]; mov [eax], edx; pop edx; pop ebx; pop ebp; ret
> 0x004f7cb5 : mov edx, [esi]; mov [esp], edx; call eax
> 0x0047cf5e : mov ebx, [eax + 0x10]; call [eax + 0x28]
> 0x0041b8fd : mov ebx, [ebp + 8]; call [eax + 0x38]
> 0x0047cfa5 : mov esi, [eax + 0x54]; call [eax + 0x48]
> 0x0046ee83 : mov esi, [ebx + 0x44]; call [eax + 0x28]
> 0x0041e7b3 : mov esi, [ebp + 8]; call [eax + 0x38]
> 0x004508ce : mov edi, [eax + 0x14]; call [eax + 8]
> 0x0041c6cb : mov edi, [ebp + 8]; call [eax + 0x38]
> 0x00464c03 : mov eax, [edi + 4]; mov [esp], eax; call ebx
> 0x00503c05 : mov ecx, [ebx + 4]; mov [edx + 4], ecx; pop ebx; pop ebp; ret 0x10
> 0x00443e4f : mov edx, [ebx + 0x14]; lea esp, [ebp - 8]; pop ebx; pop esi; pop ebp; ret 8
> 0x0048836c : mov edx, [esi + 4]; mov [esp], edx; call eax
> 0x004c4a45 : mov ebx, [eax]; mov [ecx], ebx; mov [eax], edx; pop ebx; pop ebp; ret 4
> 0x004e6c60 : mov ebx, [edx]; mov [esp], edx; call [ebx + 0x14]
> 0x00451f34 : mov ecx, [eax]; mov eax, [ecx]; call [eax + 0x2c]
> 0x0046bf4f : mov ecx, [ebx]; mov eax, [ecx]; call [eax + 0x2c]
> 0x00454020 : mov ecx, [edx]; mov eax, [ecx]; call [eax + 0x1c]
> 0x00415847 : mov ecx, [edi]; mov eax, [ecx]; call [eax + 0x38]
> 0x004effb5 : mov edx, [edi]; mov [esp], eax; call [edx + 0x2c]
> 0x0041f08f : mov esi, [eax]; mov [esp], eax; call [esi + 0x34]
> 0x00407388 : mov esi, [ecx]; mov [esp], eax; call [esi + 0x20]
> 0x0047a431 : mov ebx, [ecx + 0x9c]; mov ecx, eax; call [edx + 0x3c]
> 0x00517007 : mov ecx, [eax + 0x18]; mov eax, [ecx]; jmp [eax + 0x14]
> 0x0047b2f1 : mov ebx, [esi + 0x10]; lea esp, [ebp - 8]; mov eax, ebx; pop ebx; pop esi; pop ebp; ret
> 0x004c526f : mov ecx, [edx + 4]; mov [ecx], eax; mov [edx + 4], eax; pop ebp; ret 8
> 0x00496590 : mov ecx, [esi + 0x10]; mov eax, [ecx]; call [eax + 0x3c]
> 0x004b28b6 : mov ecx, [edi + 0x1c]; mov eax, [ecx]; call [eax + 0x3c]
> 0x00412a11 : mov edx, [edi + 0x12c]; mov [esp], edx; call [eax + 0x5c]
> 0x0041b7c7 : mov esi, [edx + 0x108]; mov edx, [eax]; call [edx + 8]
> 0x004c5d7f : mov edi, [ebx + 4]; mov [esp], ebx; mov ebx, edi; call esi
> 0x004a041b : mov edi, [edx + eax]; add [ebp - 0x11b73], cl; call [edx - 0x39]
> 0x004177d0 : mov ecx, [esi]; add esi, 4; mov eax, [ecx]; call [eax + 0x3c]
> 0x0048be4c : mov edi, [esi + 0x18]; mov ecx, esi; sub esp, 0x10; call [eax + 0x68]
> 0x0040377b : mov edi, [eax]; mov eax, [ecx]; mov [esp], ebx; call [eax + 8]
> 0x00461a61 : mov edi, [esi]; lea ecx, [ebp - 0x20]; mov [esp], esi; call [edi + 0x14]
> 0x00481483 : mov esi, [ecx + 0x4c]; mov [esp], ecx; mov ecx, ebx; call [eax + 0x1c]
> 0x004f581a : mov esi, [edx]; mov [esp + 4], eax; mov [esp], edx; call [esi + 0xc]
> 0x0046f2ed : mov ebx, [edx + 5]; add [ebx + 0x18b104b], cl; mov [esp], esi; call [eax + 8]
> 0x00419165 : mov ebx, [edi + 0xc]; push esi; mov eax, [ecx]; mov [esp], ebx; call [eax + 0x68]
> 0x004415b1 : mov ebx, [ecx]; cmovs eax, edx; mov [ebp + 8], eax; mov eax, [ebx + 4]; pop ebx; pop ebp; jmp eax
> 0x00463b37 : mov edi, [edx]; mov [esp + 4], ecx; mov ecx, ebx; mov [esp], edx; call [edi + 0xc]
> 0x00406882 : mov esi, [edi]; lea eax, [eax + ebx*4]; mov ecx, edi; inc ebx; mov [esp], eax; call [esi]
> 0x0048bd0b : movzx edi, [ecx + 0x3d]; mov eax, [eax]; mov ebx, [eax + 0xc]; mov eax, [ecx]; call [eax + 0xc]
> 0x004bf717 : mov ebp, [eax + 0x1c]; mov [esp + 0x1c], edx; mov [esp + 4], ecx; mov ecx, ebx; mov [esp], edi; call [eax + 0x20]
> 0x00462d5c : mov edi, [ecx]; mov [ebp - 0x1c], edi; mov edi, [ebp + 8]; add edi, [edx + eax - 8]; mov eax, [ebp - 0x1c]; mov [esp], edi; call [eax + 0x24]
> 0x0050005f : mov edi, [ebx]; mov [esp + 4], eax; mov edx, [esi + 8]; mov eax, [ebp + 8]; add eax, [edx + 0x14]; mov [esp], eax; call [edi + 0x10]