ropshell> use 2a003eca609be390f13cb47a10f0c966 (download)
name         : offsecsrv.exe (i386/PE)
base address : 0x401000
total gadgets: 3926

ropshell> suggest
call
    > 0x0040104c : call eax
    > 0x00405345 : call ebx
    > 0x0040e733 : call ecx
    > 0x0040503b : call edx
    > 0x0040ef88 : call esi
jmp
    > 0x0040eefb : jmp eax
    > 0x0040126a : jmp ecx
    > 0x004265e3 : jmp [eax]
    > 0x004409db : jmp [esi + 0x23]
    > 0x0043658d : jmp [edi]
load mem
    > 0x00414643 : mov eax, [ebp + 0xc]; pop ebp; ret
    > 0x00438343 : mov ecx, [eax + 0x1c]; jmp ecx
    > 0x0041f1e9 : mov ecx, [edx + 0x10]; jmp ecx
    > 0x00404fdc : mov eax, [edx]; mov [edx], ecx; pop ebp; ret
    > 0x0042a5a3 : mov ecx, [ebp + 0xc]; pop ebp; jmp ecx
load reg
    > 0x0040ffe5 : pop esi; ret
    > 0x00410093 : pop edi; ret
    > 0x00402325 : pop ebp; ret
    > 0x00403f71 : pop ebx; pop ebp; ret
    > 0x00403f70 : pop eax; pop ebx; pop ebp; ret
pop pop ret
    > 0x00402325 : pop ebp; ret
    > 0x00403f71 : pop ebx; pop ebp; ret
    > 0x00403f70 : pop eax; pop ebx; pop ebp; ret
    > 0x00402322 : pop ebx; pop esi; pop edi; pop ebp; ret
    > 0x00402511 : pop edx; pop ebx; pop esi; pop edi; pop ebp; ret
sp lifting
    > 0x0040ff77 : add esp, 0x1c; ret
    > 0x0040ff77 : add esp, 0x1c; ret
    > 0x0040ff3e : add esp, 0x2c; ret
stack pivoting
    > 0x0040e701 : xchg eax, esp; ret
    > 0x004025e9 : mov esp, ebp; pop ebp; ret
    > 0x0040231f : lea esp, [ebp - 0xc]; pop ebx; pop esi; pop edi; pop ebp; ret
    > 0x0040eef4 : mov esp, ecx; mov ecx, [eax]; mov eax, [eax + 4]; jmp eax
    > 0x0043a567 : lea esp, [eax - 0x76000002]; inc ecx; xor [ebx - 0x1676b], cl; dec [ebx + 0x24148902]; call [eax + 0x28]
write mem
    > 0x0040944a : add [eax], edx; pop ebp; ret
    > 0x004224aa : add [ebx + 0x5d5b14c4], eax; ret
    > 0x00433501 : add [ecx + 0x5b], ebx; pop ebp; ret
    > 0x00415c60 : add [ebx + 0x41890c42], ecx; add al, 0x5d; ret
    > 0x0042cc54 : add [ecx], eax; add [ebx + 0x758bf85d], cl; cld ; mov esp, ebp; pop ebp; ret