ropshell> use 5c42d7edad34b9a6fbc573699657f674
name         : iw4x.exe (i386/PE)
base address : 0x401000
total gadgets: 50584
ropshell> suggest "load mem"
> 0x004b1f8a : mov eax, [ecx]; ret
> 0x00403b0c : mov eax, [edx]; ret
> 0x006b6b4d : mov esi, [ebp]; ret
> 0x004e7808 : mov ebp, [edi]; ret
> 0x00644074 : mov eax, [esi]; pop esi; ret
> 0x004f4b4d : mov eax, [ecx + 0x10]; ret
> 0x004f4b5c : mov eax, [edx + 0x10]; ret
> 0x0057dc9c : mov eax, [esi + 0x2b4]; ret
> 0x00476d0d : mov edx, [ecx + 0x649d69c]; ret
> 0x00435c5c : mov edi, [ecx]; pop edi; pop esi; ret
> 0x0057dd37 : mov eax, [edi + 0x40]; pop edi; ret
> 0x006d38cd : mov eax, [ebp + 0xc]; pop ebp; ret
> 0x004c5243 : mov ecx, [eax + 0x18]; call edx; ret 4
> 0x005b9484 : mov ecx, [eax]; mov eax, [ecx]; ret
> 0x005bc55a : mov edx, [eax]; mov [ecx], edx; ret
> 0x005a2263 : mov edx, [ecx]; lea eax, [0]; ret 0x8b
> 0x00494675 : mov edx, [eax + 0x10]; jmp edx
> 0x006b9970 : mov ebp, [ebx + 0x20]; jmp eax
> 0x0060c68d : movsx eax, [ebx]; add [ebx + 0x1b00cc4], al; ret
> 0x0056be5d : mov eax, [edi]; pop edi; pop esi; pop ebp; pop ebx; ret
> 0x00672e14 : mov ebx, [edi + 0x5e]; pop ebp; pop ebx; pop ecx; ret
> 0x0054cb8d : mov ecx, [ebx + 0x1b4]; call ecx
> 0x0055440c : mov ecx, [edx + 0x148]; call ecx
> 0x0053cbc5 : mov ecx, [edi + 0x2c]; call ecx
> 0x0049b2dd : mov ecx, [ebx]; push eax; push ecx; call ebp
> 0x0049b2f4 : mov ecx, [esi]; push eax; push ecx; call ebp
> 0x0042a7a6 : mov ecx, [edi]; push ebx; push ecx; call ebp
> 0x0040fc27 : mov edx, [ebp]; push ecx; push edx; call ebx
> 0x00645bdf : movzx eax, [ebx + 0x645f70]; jmp [0]
> 0x005273a1 : mov ecx, [esi + 0x44c]; push ecx; call edx
> 0x0069172c : mov ecx, [ebp + 0x48]; push eax; call ecx
> 0x005bbbb6 : mov edx, [esi + 4]; push edx; call eax
> 0x0067d26f : movzx edx, [edi + 0x40]; mov [esi + 0x40], dx; ret
> 0x0042b565 : mov esi, [eax + 4]; push eax; call ebx
> 0x004ce26f : mov edx, [esi]; push eax; mov ecx, ebp; call edx
> 0x004f1594 : mov edx, [edi]; mov [esi + 0x18], edx; pop esi; pop edi; ret
> 0x005ed44d : mov ebx, [ecx + eax]; add [ecx + 0x5d78a944], cl; pop ebx; ret
> 0x0040b7e1 : mov edx, [ebx + 0x24]; push eax; push ecx; call edx
> 0x0069358e : mov edx, [ebp + 8]; push eax; push ecx; call edx
> 0x006baaaa : mov edi, [esi + 0xc]; and edi, 0x7fff; call ebx
> 0x006ad81a : mov ecx, [edx]; mov ecx, [ecx]; mov [edx], ecx; pop esi; ret
> 0x004ef762 : mov eax, [ebp]; mov [esi + 0x1c], eax; pop ebp; pop edi; pop esi; pop ebx; ret
> 0x0056d6b6 : mov edx, [ebx]; mov eax, [eax + 0x8297c]; push ecx; push edx; call eax
> 0x006b973a : mov ebx, [ebp + 0xc]; mov ebp, [ebp - 4]; mov esp, [ebx - 4]; jmp eax
> 0x005ae893 : mov esi, [edi + ecx]; mov edx, esi; pop esi; mov eax, ebx; pop ebx; add esp, 8; ret
> 0x0054cb88 : mov ebx, [ecx]; push edx; push eax; push ecx; mov ecx, [ebx + 0x1b4]; call ecx
> 0x004bdf32 : mov esi, [edi]; push esi; mov eax, esi; or eax, ebx; push eax; push edi; call ebp
> 0x00522502 : mov ebp, [eax]; push ecx; push 0; push eax; mov eax, [ebp + 0x190]; call eax
> 0x006c8abd : mov esi, [edx + esi]; mov ecx, [esi + ecx]; add ecx, edx; add eax, ecx; pop esi; ret
> 0x0055d504 : mov edi, [eax]; mov eax, [edi]; mov ecx, [eax + 0x14]; push eax; call ecx
> 0x004e8b62 : mov edi, [eax + 0x20]; push eax; mov eax, [edx + 0x14]; mov ecx, esi; call eax
> 0x004c2384 : mov edi, [ebx]; pushfd ; and al, -0x74; add [eax], al; add [edi], cl; xchg [ebp - 0x7d000000], al; ret
> 0x00682a2d : mov esi, [ecx + 0x80]; mov ecx, [ecx + 0x7c]; push esi; push ecx; mov ecx, eax; call edx
> 0x005475a8 : mov edi, [ebp + 0x14]; mov eax, [edi]; push eax; lea eax, [esi + 0x41910]; push eax; call ebx
> 0x0066a0af : mov edi, [ebx + 4]; lea eax, [esi + esi*4 - 0xf]; mov ecx, [eax*4 + 0x66540bc]; push edi; call ecx
> 0x00557cc0 : mov ecx, [ebp]; mov [ebp + 4], eax; mov edx, [ecx]; push eax; mov eax, [edx + 0x1a0]; push ecx; call eax
> 0x0066a0ab : mov esi, [ebp + 4]; push edi; mov edi, [ebx + 4]; lea eax, [esi + esi*4 - 0xf]; mov ecx, [eax*4 + 0x66540bc]; push edi; call ecx