ropshell> use 3566a8daafa27af944f5d705eaa64894 (download)
name : tunnel.sys (x86_64/PE)
base address : 0x11000
total gadgets: 1226
ropshell> suggest "load reg"
> 0x00013b61 : pop rax; ret
> 0x00011537 : pop rbx; ret
> 0x000122cc : pop rsi; ret
> 0x000116a1 : pop rdi; ret
> 0x00011205 : pop rbp; ret
> 0x00011491 : pop rsp; ret
> 0x00011490 : pop r12; ret
> 0x00018d2f : pop r13; ret
> 0x00013630 : pop r14; ret
> 0x00018d2b : pop r15; pop r14; pop r13; ret
> 0x00012ed3 : mov rbx, [rsp + 8]; mov eax, r8d; ret
> 0x00012ed4 : mov ebx, [rsp + 8]; mov eax, r8d; ret
> 0x0001c2c1 : mov rdx, [rsp + 0x40]; mov rax, [rcx + 0x20]; call [rax + 0x10]
> 0x0001cc50 : mov eax, [rsp + 0x80]; mov r9, rbp; mov rdx, rsi; call [rax + 0x58]
> 0x0001c2c2 : mov edx, [rsp + 0x40]; mov rax, [rcx + 0x20]; call [rax + 0x10]
> 0x00014d4f : mov rcx, [rsp + 0x48]; mov [r13], eax; mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x00014d50 : mov ecx, [rsp + 0x48]; mov [r13], eax; mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x00012aed : mov rax, [rsp + 0x80]; xor edx, edx; mov rcx, rbx; mov [rsp + 0x20], rax; call [r10 + 0x20]