ropshell> use 3566a8daafa27af944f5d705eaa64894 (download)
name         : tunnel.sys (x86_64/PE)
base address : 0x11000
total gadgets: 1226
ropshell> suggest "load reg"
> 0x00013b61 : pop rax; ret
> 0x00011537 : pop rbx; ret
> 0x000122cc : pop rsi; ret
> 0x000116a1 : pop rdi; ret
> 0x00011205 : pop rbp; ret
> 0x00011491 : pop rsp; ret
> 0x00011490 : pop r12; ret
> 0x00018d2f : pop r13; ret
> 0x00013630 : pop r14; ret
> 0x00018d2b : pop r15; pop r14; pop r13; ret
> 0x00012ed3 : mov rbx, [rsp + 8]; mov eax, r8d; ret
> 0x00012ed4 : mov ebx, [rsp + 8]; mov eax, r8d; ret
> 0x0001c2c1 : mov rdx, [rsp + 0x40]; mov rax, [rcx + 0x20]; call [rax + 0x10]
> 0x0001cc50 : mov eax, [rsp + 0x80]; mov r9, rbp; mov rdx, rsi; call [rax + 0x58]
> 0x0001c2c2 : mov edx, [rsp + 0x40]; mov rax, [rcx + 0x20]; call [rax + 0x10]
> 0x00014d4f : mov rcx, [rsp + 0x48]; mov [r13], eax; mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x00014d50 : mov ecx, [rsp + 0x48]; mov [r13], eax; mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x00012aed : mov rax, [rsp + 0x80]; xor edx, edx; mov rcx, rbx; mov [rsp + 0x20], rax; call [r10 + 0x20]