ropshell> use 27bb6e8e11ba28265ea870b280cd9ed6
name         : VBoxC.dll (x86_64/PE)
base address : 0x180001000
total gadgets: 19001
ropshell> suggest "load mem"
> 0x18000c440 : mov rax, [rcx + 0x10]; ret
> 0x180150e3a : mov rax, [rdx + 0x160]; ret
> 0x18000c441 : mov eax, [rcx + 0x10]; ret
> 0x180150e3b : mov eax, [rdx + 0x160]; ret
> 0x18001e875 : movzx eax, [rcx]; add eax, 4; ret
> 0x18001a8cb : mov rcx, [rsi]; call r13
> 0x18001a2c6 : mov rcx, [rbp]; call r12
> 0x18001a356 : mov rdx, [rbp]; call r12
> 0x18001a8cc : mov ecx, [rsi]; call r13
> 0x18001a2c7 : mov ecx, [rbp]; call r12
> 0x18001a357 : mov edx, [rbp]; call r12
> 0x1800c1f40 : mov rax, [rcx]; jmp [rax + 0x10]
> 0x1800fa77c : mov rcx, [rbx + 0x100]; call rax
> 0x1800fa27d : mov rcx, [rdi + 0x100]; call rax
> 0x180010fdd : mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x18004658d : mov rdi, [r11 + 0x20]; mov rsp, r11; pop r12; ret
> 0x1800bf4c5 : mov r12, [r11 + 0x28]; mov rsp, r11; pop rbp; ret
> 0x1800fa77d : mov ecx, [rbx + 0x100]; call rax
> 0x1800fa27e : mov ecx, [rdi + 0x100]; call rax
> 0x180010fde : mov esi, [rbx + 0x18]; mov rsp, r11; pop rdi; ret
> 0x18004658e : mov edi, [rbx + 0x20]; mov rsp, r11; pop r12; ret
> 0x180001d25 : mov rax, [rbx]; call [rax + 8]
> 0x180073fdf : mov rax, [rdi]; call [rax + 0x68]
> 0x1800959d5 : mov rax, [ecx]; call [rax + 0x10]
> 0x18001e791 : mov rcx, [rax]; call [rip + 0x169b9e]; add rsp, 0x28; ret
> 0x18002b8c4 : mov rdx, [rax]; call [r8 + 0x70]
> 0x1800023fb : mov rdx, [rbx]; call [rax + 0x30]
> 0x1800052cb : mov rdx, [rcx]; call [rdx + 0x10]
> 0x1800d8751 : mov r8, [rcx]; call [r8 + 0x58]
> 0x180032d6d : mov r10, [rcx]; call [r10]
> 0x180001d26 : mov eax, [rbx]; call [rax + 8]
> 0x180073fe0 : mov eax, [rdi]; call [rax + 0x68]
> 0x18001e792 : mov ecx, [rax]; call [rip + 0x169b9e]; add rsp, 0x28; ret
> 0x18002b8c5 : mov edx, [rax]; call [r8 + 0x70]
> 0x1800023fc : mov edx, [rbx]; call [rax + 0x30]
> 0x180032d6e : mov edx, [rcx]; call [r10]
> 0x18014d3c0 : mov rax, [rdx]; mov rcx, rdx; jmp [rax + 0x20]
> 0x18001a8c8 : mov rdx, [rdi]; mov rcx, [rsi]; call r13
> 0x18014d3c1 : mov eax, [rdx]; mov rcx, rdx; jmp [rax + 0x20]
> 0x18001a8c9 : mov edx, [rdi]; mov rcx, [rsi]; call r13
> 0x180095b5e : mov rbx, [r11 + 0x20]; mov rsp, r11; pop r14; pop r13; pop r12; ret
> 0x1800fe0d2 : mov rcx, [rsi + 8]; call [rsi]
> 0x1800d81f9 : mov rdx, [rbx + 0x18]; call [rax + 0x50]
> 0x18007a23c : mov rdx, [rsi + 0x228]; call [rax + 0x48]
> 0x180077ab9 : mov rdx, [rdi + 0x228]; call [rax + 0x50]
> 0x18001775d : mov rdi, [rcx + 0x28]; call [r9 + 8]
> 0x180008f0a : mov rbp, [r11 + 0x28]; mov rsp, r11; pop r12; pop rdi; pop rsi; ret
> 0x180001937 : mov ecx, [rax + 0x10]; xor eax, eax; mov [rdx], ecx; ret
> 0x1800fe0d3 : mov ecx, [rsi + 8]; call [rsi]
> 0x1800d81fa : mov edx, [rbx + 0x18]; call [rax + 0x50]
> 0x18007a23d : mov edx, [rsi + 0x228]; call [rax + 0x48]
> 0x180077aba : mov edx, [rdi + 0x228]; call [rax + 0x50]
> 0x18001775e : mov edi, [rcx + 0x28]; call [r9 + 8]
> 0x180008f0b : mov ebp, [rbx + 0x28]; mov rsp, r11; pop r12; pop rdi; pop rsi; ret
> 0x180038c84 : mov rax, [rsi]; mov edx, 1; call [rax]
> 0x180086fa9 : mov rax, [rbp]; mov rcx, rbp; call [rax]
> 0x180004924 : mov rax, [r8]; mov rcx, r8; call [rax + 8]
> 0x180007cfe : mov rax, [r11]; mov rcx, r11; call [rax + 0x10]
> 0x18000f06e : mov rax, [r12]; mov rcx, r12; call [rax + 0x10]
> 0x1800cc2a4 : mov rax, [r13]; mov rcx, r13; call [rax + 8]
> 0x18004a288 : mov rax, [r14]; mov rcx, r14; call [rax]
> 0x18001451d : mov rax, [r15]; mov rcx, r15; call [rax]
> 0x18003e22d : mov rdx, [rsi]; mov rcx, rsi; call [rdx + 0x10]
> 0x18000f019 : mov rdx, [r12]; mov rcx, r12; call [rdx + 8]
> 0x18003720f : mov rdx, [r13]; mov rcx, r13; call [rdx]
> 0x18001a7f3 : mov rdx, [r14]; mov rbp, rdi; mov rcx, rsi; call r12
> 0x180007dd1 : mov rdx, [r15]; mov rcx, r15; call [rdx]
> 0x180031a62 : mov r8, [rax]; mov rcx, rax; call [r8 + 8]
> 0x1800dc61a : mov r8, [rsi]; mov rcx, rsi; call [r8 + 8]
> 0x1800d551b : mov r8, [r12]; mov rcx, r12; call [r8 + 8]
> 0x1800334f0 : mov r9, [rax]; mov rcx, rax; call [r9 + 8]
> 0x180003a46 : mov r11, [rbx]; mov rcx, rbx; call [r11 + 0x10]
> 0x180013528 : mov r11, [rdi]; mov rcx, rdi; call [r11 + 0x10]
> 0x1800e637a : mov r11, [r12]; mov rcx, r12; call [r11 + 0x10]
> 0x180038c85 : mov eax, [rsi]; mov edx, 1; call [rax]
> 0x1800cc2a5 : mov eax, [rbp]; mov rcx, r13; call [rax + 8]
> 0x180013529 : mov ebx, [rdi]; mov rcx, rdi; call [r11 + 0x10]
> 0x18001a7f4 : mov edx, [rsi]; mov rbp, rdi; mov rcx, rsi; call r12
> 0x180018e4b : mov r8, [rax + 0x70]; mov rcx, r8; call [r8]; add rsp, 0x28; ret
> 0x1800bebc5 : movzx ecx, [rdx + 2]; mov eax, 1; shl eax, cl; imul eax, r8d; ret
> 0x18000e390 : mov rcx, [rdi]; mov rax, [rcx]; call [rax + 0x10]
> 0x180007e72 : mov rcx, [r12]; mov rax, [rcx]; call [rax + 0x50]
> 0x18000e391 : mov ecx, [rdi]; mov rax, [rcx]; call [rax + 0x10]
> 0x180019a5e : mov rax, [rbx + 0x40]; mov rcx, rax; call [rax]
> 0x180082fa3 : mov rax, [rdi + 0x10]; mov rcx, rax; call [rax + 0x40]
> 0x18002ad79 : mov rax, [rbp + 0x20]; mov rcx, rax; call [rax]
> 0x180008aba : mov rdx, [rcx + 8]; add rcx, 8; call [rdx + 0x10]
> 0x18002d8d0 : mov rdx, [r12 + 0x938]; mov rcx, rax; call [rax + 0x30]
> 0x180041ef1 : mov r8, [rbp + 0x17]; mov rcx, r8; call [r8]
> 0x18007ac83 : mov r9, [rax + 0x10]; mov rcx, r9; call [r9 + 0x60]
> 0x180019a5f : mov eax, [rbx + 0x40]; mov rcx, rax; call [rax]
> 0x180082fa4 : mov eax, [rdi + 0x10]; mov rcx, rax; call [rax + 0x40]
> 0x180041ef2 : mov eax, [rbp + 0x17]; mov rcx, r8; call [r8]
> 0x18008e8c8 : movzx edx, [rax + rbp]; mov rcx, rdi; call [rdi]
> 0x180008abb : mov edx, [rcx + 8]; add rcx, 8; call [rdx + 0x10]
> 0x18008e8c7 : movzx edx, [r8 + r13]; mov rcx, rdi; call [rdi]
> 0x1800fef22 : mov r8, [rbx]; mov edx, 1; mov rcx, rbx; call [r8 + 0x28]
> 0x18008db37 : mov r8, [rdi]; mov rdx, rax; mov rcx, rdi; call [r8 + 0x18]
> 0x18015cfd4 : mov rcx, [rbp + 0x40]; mov rdx, [rcx]; call [rdx + 8]
> 0x1800436bc : mov rcx, [r15 + 0xe8]; mov rax, [rcx]; call [rax + 0x40]
> 0x1800f9d35 : mov r8, [rdx + 0x40]; mov edx, ecx; mov rcx, rax; jmp [rax]
> 0x1800ad243 : mov ebx, [rax + rax]; mov rax, [rcx]; call [rax + 8]
> 0x18015cfd5 : mov ecx, [rbp + 0x40]; mov rdx, [rcx]; call [rdx + 8]
> 0x18001a7f0 : mov rsi, [rdi]; mov rdx, [r14]; mov rbp, rdi; mov rcx, rsi; call r12
> 0x18003c7fd : mov r11, [r13]; lea rdx, [rbp - 0x50]; mov rcx, r13; call [r11 + 0x48]
> 0x18003ddfd : mov r11, [r14]; lea rdx, [rbp - 0x48]; mov rcx, r14; call [r11 + 0x48]
> 0x18003ddfe : mov ebx, [rsi]; lea rdx, [rbp - 0x48]; mov rcx, r14; call [r11 + 0x48]
> 0x18003c7fe : mov ebx, [rbp]; lea rdx, [rbp - 0x50]; mov rcx, r13; call [r11 + 0x48]
> 0x18001a7f1 : mov esi, [rdi]; mov rdx, [r14]; mov rbp, rdi; mov rcx, rsi; call r12
> 0x180012e5d : mov rax, [rsi + 8]; lea rcx, [rsi + 8]; call [rax + 0x10]
> 0x180070b85 : mov rax, [r8 + 8]; lea rcx, [r8 + 8]; call [rax + 8]
> 0x180014115 : mov rax, [r11 + 0x450]; mov rdx, rbp; mov rcx, rax; call [rax + 8]
> 0x1800e4ecb : mov rax, [r12 + 8]; lea rcx, [r12 + 8]; call [rax + 0x10]
> 0x18007ba75 : mov rax, [r13 + 0x10]; mov rdx, rdi; mov rcx, rax; call [rax + 0x28]
> 0x1800fc8e1 : mov rdx, [rbp + 0x40]; mov rcx, rax; mov rbx, rax; call [rax + 8]
> 0x18002c8be : mov r8, [rdi + 0x940]; xor edx, edx; mov rcx, rax; call [rax + 0x30]
> 0x18002cfd2 : mov r8, [r12 + 0x940]; xor edx, edx; mov rcx, rax; call [rax + 0x30]
> 0x1800e4e8e : mov r11, [r12 + 8]; lea rcx, [r12 + 8]; call [r11 + 0x10]
> 0x180012e5e : mov eax, [rsi + 8]; lea rcx, [rsi + 8]; call [rax + 0x10]
> 0x1800fc8e2 : mov edx, [rbp + 0x40]; mov rcx, rax; mov rbx, rax; call [rax + 8]
> 0x1800badf3 : mov rcx, [rdx]; mov rax, [rcx]; lea rdx, [rbp - 0x48]; call [rax + 0x60]
> 0x180073947 : mov r9, [rcx]; mov r8, rax; lea rdx, [rip + 0x119ebc]; call [r9]
> 0x1800badf4 : mov ecx, [rdx]; mov rax, [rcx]; lea rdx, [rbp - 0x48]; call [rax + 0x60]
> 0x18015c436 : mov rbx, [rbp + 0xb0]; mov rax, [rbx]; mov rcx, rbx; call [rax + 0x20]
> 0x18015c437 : mov ebx, [rbp + 0xb0]; mov rax, [rbx]; mov rcx, rbx; call [rax + 0x20]
> 0x180004213 : mov rcx, [r8]; mov rax, [rcx]; lea rdx, [rsp + 0x70]; call [rax + 0x48]
> 0x180027264 : mov rcx, [r14]; mov rax, [rcx]; lea rdx, [rsp + 0x70]; call [rax + 0x38]
> 0x18015607b : mov eax, [r11]; shr rcx, 3; imul rcx, rax; mov [r11 + 8], rcx; mov rbx, [rsp + 8]; ret
> 0x18007f665 : mov r9, [rdi + 0x170]; mov r8d, r12d; mov edx, esi; mov rcx, r11; call [r11 + 0x48]
> 0x180018318 : mov r10, [rax + 0x70]; mov r9d, 1; mov rdx, rsi; mov rcx, r10; call [r10 + 0x10]
> 0x1800947f4 : mov rcx, [r13 + 0xc8]; mov [rsp + 0x88], rsi; mov rax, [rcx]; call [rax + 8]
> 0x1800396a4 : mov r11, [rdi + 0xc0]; lea rdx, [rbp - 0x21]; lea rcx, [rdi + 0xc0]; call [r11 + 0x38]
> 0x1800396a5 : mov ebx, [rdi + 0xc0]; lea rdx, [rbp - 0x21]; lea rcx, [rdi + 0xc0]; call [r11 + 0x38]
> 0x1800d8a78 : mov r10, [r9]; lea r8, [rbp - 0x51]; lea rdx, [rip + 0xd0ee2]; mov rcx, r9; call [r10]
> 0x1800031f3 : mov r8, [rcx + 0x18]; mov [rdx + 8], 0; mov [rdx], rax; mov [rdx + 0x10], r8; mov rax, rdx; ret
> 0x1800c516b : mov r11, [rbx + 0xc0]; lea rdx, [rsp + 0x40]; lea rcx, [rbx + 0xc0]; call [r11 + 0x38]
> 0x18001410e : mov r11, [rsi + 0xc8]; mov rax, [r11 + 0x450]; mov rdx, rbp; mov rcx, rax; call [rax + 8]
> 0x18001410f : mov ebx, [rsi + 0xc8]; mov rax, [r11 + 0x450]; mov rdx, rbp; mov rcx, rax; call [rax + 8]
> 0x1800132f1 : mov rax, [r9]; lea r8, [rsp + 0x20]; lea rdx, [rip + 0x17a720]; mov rcx, r9; call [rax]
> 0x180013218 : mov rax, [r10]; lea r8, [rsp + 0x48]; lea rdx, [rip + 0x17a7f9]; mov rcx, r10; call [rax]
> 0x180100730 : mov r9, [rsi]; lea r8, [rsp + 0x30]; lea rdx, [rip + 0xe32e9]; mov rcx, rsi; call [r9]
> 0x180072ab6 : mov rbx, [rdi + 0xe8]; mov [rbp - 0x40], rdi; lea rcx, [rdi + 8]; mov rax, [rcx]; call [rax + 8]
> 0x1800ef1bf : mov rdi, [rsi + 0x50]; call [rip + 0x99a6f]; mov rdx, [rdi]; mov rcx, rdi; mov rbx, rax; call [rdx + 0x20]
> 0x18009c6d1 : mov r9, [rsi + 8]; lea rcx, [rsi + 8]; lea rdx, [rip + 0xeccd0]; mov r8, rdi; call [r9]
> 0x180015d8f : mov r11, [rbp + 0xc8]; mov rax, [r11 + 0x450]; mov r8, r12; mov rdx, r13; mov rcx, rax; call [rax + 0x28]
> 0x1800ef1c0 : mov edi, [rsi + 0x50]; call [rip + 0x99a6f]; mov rdx, [rdi]; mov rcx, rdi; mov rbx, rax; call [rdx + 0x20]
> 0x180094d9c : mov r11, [rcx]; movzx r10d, bl; movzx r9d, r12b; movzx r8d, bpl; mov edx, edi; mov [rsp + 0x20], r10d; call [r11 + 0x10]
> 0x180094d9d : mov ebx, [rcx]; movzx r10d, bl; movzx r9d, r12b; movzx r8d, bpl; mov edx, edi; mov [rsp + 0x20], r10d; call [r11 + 0x10]
> 0x180052798 : mov rdi, [rax]; mov [rsp + 0x60], 0; mov rax, [rdi]; lea rdx, [rsp + 0x60]; mov rcx, rdi; call [rax + 0x50]
> 0x180052799 : mov edi, [rax]; mov [rsp + 0x60], 0; mov rax, [rdi]; lea rdx, [rsp + 0x60]; mov rcx, rdi; call [rax + 0x50]
> 0x180017d18 : mov rax, [r15 + 8]; mov rdx, [rsi + 0x10]; mov r8d, ebp; mov rax, [rax + 0x70]; mov rcx, rax; call [rax + 0x18]
> 0x180017c8a : mov rdi, [rax + 0x70]; mov eax, [rsi + 0x20]; mov r8d, ebp; mov rcx, rdi; mov [rsp + 0x20], eax; call [rdi + 0x20]
> 0x180017c8b : mov edi, [rax + 0x70]; mov eax, [rsi + 0x20]; mov r8d, ebp; mov rcx, rdi; mov [rsp + 0x20], eax; call [rdi + 0x20]
> 0x18003aada : mov rcx, [rax + 0xe8]; mov [rsp + 0x50], 0; mov rax, [rcx]; mov r8, [rip + 0x1a1544]; xor edx, edx; call [rax + 0x58]
> 0x180074ab1 : mov r9, [r8 + 8]; mov r8d, [r8]; mov edx, 2; mov [rsp + 0x28], rbx; mov [rsp + 0x20], eax; call [r10 + 0x60]
> 0x180060367 : mov r13, [rax]; xor eax, eax; mov [rsp + 0x3d0], eax; mov rax, [r13]; lea rdx, [rsp + 0x3d0]; mov rcx, r13; call [rax + 0x50]
> 0x180060368 : mov ebp, [rax]; xor eax, eax; mov [rsp + 0x3d0], eax; mov rax, [r13]; lea rdx, [rsp + 0x3d0]; mov rcx, r13; call [rax + 0x50]
> 0x180017d16 : mov ebp, [rbx]; mov rax, [r15 + 8]; mov rdx, [rsi + 0x10]; mov r8d, ebp; mov rax, [rax + 0x70]; mov rcx, rax; call [rax + 0x18]
> 0x180074aad : mov eax, [r8 + 0x10]; mov r9, [r8 + 8]; mov r8d, [r8]; mov edx, 2; mov [rsp + 0x28], rbx; mov [rsp + 0x20], eax; call [r10 + 0x60]