ropshell> use 6fdac2c1a99265c7870f8425906a8496
name         : 7zxa.dll (x86_64/PE)
base address : 0x10001000
total gadgets: 4738
ropshell> suggest "load mem"
> 0x100010d7 : mov eax, [rcx + 0x10]; ret
> 0x10003060 : mov rax, [rcx]; jmp [rax + 0x18]
> 0x10003061 : mov eax, [rcx]; jmp [rax + 0x18]
> 0x10020040 : mov r12, [rbp + 0x28]; mov rsp, rbp; pop rbp; ret
> 0x10019c71 : mov rax, [rbp]; call [rax + 0x18]
> 0x10019078 : mov rax, [r9]; call [rax + 0x18]
> 0x10011ab1 : mov rax, [r15]; call [rax + 0x18]
> 0x10002d5e : mov rdx, [rcx]; call [rdx + 0x10]
> 0x10006577 : mov rdx, [r13]; call [r10 + 0x18]
> 0x10011ab2 : mov eax, [rdi]; call [rax + 0x18]
> 0x10019c72 : mov eax, [rbp]; call [rax + 0x18]
> 0x10002d5f : mov edx, [rcx]; call [rdx + 0x10]
> 0x10006578 : mov edx, [rbp]; call [r10 + 0x18]
> 0x10005236 : mov rax, [rcx + 8]; mov rax, [rax + 0x20]; ret
> 0x10023f30 : mov eax, [rdx + 0xc]; mov [rcx + 0xc], eax; ret
> 0x1000419e : mov rcx, [rax + 0x38]; xor eax, eax; mov [rdx], rcx; ret
> 0x1001fdac : mov rcx, [rbx + 0x30]; call [rax + 0x18]
> 0x10002cab : mov rdx, [rbx + 0x30]; call [rax + 0x20]
> 0x100077d8 : mov rdx, [rsi + 0x20]; call [rax + 0x18]
> 0x1000419f : mov ecx, [rax + 0x38]; xor eax, eax; mov [rdx], rcx; ret
> 0x1001fdad : mov ecx, [rbx + 0x30]; call [rax + 0x18]
> 0x10002cac : mov edx, [rbx + 0x30]; call [rax + 0x20]
> 0x100077d9 : mov edx, [rsi + 0x20]; call [rax + 0x18]
> 0x1001cd30 : mov rax, [rbx]; mov rcx, rax; call [rax + 8]
> 0x10008e10 : mov rax, [rdx]; mov rcx, rdx; call [rax + 0x10]
> 0x10009ec2 : mov rax, [rsi]; mov rcx, rsi; call [rax + 0x10]
> 0x1001d5c8 : mov rax, [rdi]; mov rcx, rax; call [rax + 8]
> 0x10011dd0 : mov rax, [r8]; mov rcx, r8; call [rax + 8]
> 0x10006bbf : mov rdx, [rax]; mov rcx, rax; call [rdx + 0x10]
> 0x100074df : mov rdx, [rbx]; mov rcx, rbx; call [rdx + 0x10]
> 0x10009b90 : mov rdx, [rsi]; mov rcx, rsi; call [rdx + 0x10]
> 0x1000aba5 : mov rdx, [rdi]; mov rcx, rdi; call [rdx + 0x10]
> 0x100201b6 : mov r12, [rdx]; mov rcx, rax; call [rax + 8]
> 0x1001cd31 : mov eax, [rbx]; mov rcx, rax; call [rax + 8]
> 0x10008e11 : mov eax, [rdx]; mov rcx, rdx; call [rax + 0x10]
> 0x10009ec3 : mov eax, [rsi]; mov rcx, rsi; call [rax + 0x10]
> 0x10006bc0 : mov edx, [rax]; mov rcx, rax; call [rdx + 0x10]
> 0x100074e0 : mov edx, [rbx]; mov rcx, rbx; call [rdx + 0x10]
> 0x10009b91 : mov edx, [rsi]; mov rcx, rsi; call [rdx + 0x10]
> 0x1000aba6 : mov edx, [rdi]; mov rcx, rdi; call [rdx + 0x10]
> 0x1000d3fd : mov rax, [rdx + rax]; mov [rcx + 0x10], r8; add rsp, 0x28; ret
> 0x10006574 : mov r8, [r14]; mov rdx, [r13]; call [r10 + 0x18]
> 0x10021d9e : mov rax, [rbx + 0x20]; mov rcx, rax; call [rax]
> 0x1001b7a9 : mov rax, [rsi + 0x10]; mov rcx, rax; call [rax]
> 0x100202a1 : mov rax, [rdi + 0x20]; mov rcx, rax; call [rax + 8]
> 0x1002040b : mov rax, [rbp + 0x20]; mov rcx, rax; call [rax + 8]
> 0x1002003c : mov rdi, [rbp + 0x20]; mov r12, [rbp + 0x28]; mov rsp, rbp; pop rbp; ret
> 0x100200e7 : mov r8, [rax + 0x20]; mov rcx, r8; call [r8 + 8]
> 0x1001d964 : mov r8, [rdi + 0x90]; mov rcx, r9; call [r9]
> 0x10021d9f : mov eax, [rbx + 0x20]; mov rcx, rax; call [rax]
> 0x1001b7aa : mov eax, [rsi + 0x10]; mov rcx, rax; call [rax]
> 0x100202a2 : mov eax, [rdi + 0x20]; mov rcx, rax; call [rax + 8]
> 0x1002040c : mov eax, [rbp + 0x20]; mov rcx, rax; call [rax + 8]
> 0x1002003d : mov edi, [rbp + 0x20]; mov r12, [rbp + 0x28]; mov rsp, rbp; pop rbp; ret
> 0x1001192c : mov r10, [rcx]; lea rdx, [rdi + rax]; call [r10 + 0x18]
> 0x1000cd91 : mov rcx, [rbp + 0x140]; mov rax, [rcx]; call [rax + 0x20]
> 0x10008ff5 : mov rcx, [r12 + 0x88]; mov rax, [rcx]; call [rax + 0x20]
> 0x10002c32 : mov rdx, [rdi + 0x38]; mov rax, [rcx]; call [rax + 0x20]
> 0x1000cd92 : mov ecx, [rbp + 0x140]; mov rax, [rcx]; call [rax + 0x20]
> 0x1001ad90 : mov edx, [rax + 0x48000000]; mov eax, [rcx]; call [rax + 0x18]
> 0x10002c33 : mov edx, [rdi + 0x38]; mov rax, [rcx]; call [rax + 0x20]
> 0x10020809 : mov rdx, [rcx + 0x40]; mov rbx, rcx; mov rcx, rax; call [rax + 8]
> 0x1002080a : mov edx, [rcx + 0x40]; mov rbx, rcx; mov rcx, rax; call [rax + 8]
> 0x1001f84b : mov edx, [r15 + 8]; mov rcx, [rbx + 0x30]; call [rax + 8]
> 0x10018eed : mov rax, [r10]; lea r9, [rbx + 0x54]; mov rcx, r10; call [rax + 0x18]
> 0x100200e4 : mov rbx, [rdx]; mov r8, [rax + 0x20]; mov rcx, r8; call [r8 + 8]
> 0x10006571 : mov r9, [r8]; mov r8, [r14]; mov rdx, [r13]; call [r10 + 0x18]
> 0x100200e5 : mov ebx, [rdx]; mov r8, [rax + 0x20]; mov rcx, r8; call [r8 + 8]
> 0x10006572 : mov ecx, [rax]; mov r8, [r14]; mov rdx, [r13]; call [r10 + 0x18]
> 0x1000a690 : mov rcx, [rdi + 0x40]; mov rax, [rcx]; mov edx, ebx; call [rax + 0x30]
> 0x1000293e : mov rdx, [rbp + 0x68]; mov r8d, ebx; mov rax, [rcx]; call [rax + 0x20]
> 0x1000a691 : mov ecx, [rdi + 0x40]; mov rax, [rcx]; mov edx, ebx; call [rax + 0x30]
> 0x1000293f : mov edx, [rbp + 0x68]; mov r8d, ebx; mov rax, [rcx]; call [rax + 0x20]
> 0x100156a7 : mov rdx, [r13 + 0x30]; lea r9, [rsp + 0x80]; mov rcx, r15; call [rax + 0x18]
> 0x10020038 : mov rsi, [rbp + 0x18]; mov rdi, [rbp + 0x20]; mov r12, [rbp + 0x28]; mov rsp, rbp; pop rbp; ret
> 0x1001f1c0 : mov r8, [rbx + 0xd8]; mov rdx, [rbx + 0xd0]; mov rcx, rax; call [rax]
> 0x1001f0c6 : mov r8, [rsi + 0x18]; mov rdx, [rsi + 0x10]; mov rcx, rax; call [rax]
> 0x10020039 : mov esi, [rbp + 0x18]; mov rdi, [rbp + 0x20]; mov r12, [rbp + 0x28]; mov rsp, rbp; pop rbp; ret
> 0x100201e3 : mov rbx, [r12]; mov rdx, r12; mov r8, [rax + 0x20]; mov rcx, r8; call [r8 + 8]
> 0x1001053e : mov rcx, [rsi]; mov rax, [rcx]; xor r9d, r9d; mov r8d, ebx; mov rdx, rbp; call [rax + 0x20]
> 0x1001053f : mov ecx, [rsi]; mov rax, [rcx]; xor r9d, r9d; mov r8d, ebx; mov rdx, rbp; call [rax + 0x20]
> 0x1000d1a2 : mov rax, [r9 + 0x70]; mov [rax], rdx; mov [rax + 8], r8; mov [rax + 0x10], 0; add rsp, 0x28; ret
> 0x1001571e : mov rax, [r12]; lea r8, [r13 + 0x40]; lea rdx, [r13 + 0x40]; mov rcx, r12; call [rax + 0x18]
> 0x100092c0 : mov rax, [r13]; lea r8, [rsp + 0x38]; lea rdx, [rip + 0x1e6f0]; mov rcx, r13; call [rax]
> 0x100029e6 : mov rax, [r14]; lea r8, [rsp + 0x20]; lea rdx, [rsp + 0x20]; mov rcx, r14; call [rax + 0x18]
> 0x10020034 : mov rbx, [rbp + 0x10]; mov rsi, [rbp + 0x18]; mov rdi, [rbp + 0x20]; mov r12, [rbp + 0x28]; mov rsp, rbp; pop rbp; ret
> 0x1001d8bf : mov r9, [rdi + 0x70]; sub rbx, rdx; add rdx, [rdi + 0xe8]; mov rcx, r9; mov r8, rbx; call [r9]
> 0x10021ec9 : mov ebx, [rax + 4]; movzx edx, [rax + 2]; add rbx, [rcx + 0x40]; mov rcx, r12; call [r12]
> 0x10020035 : mov ebx, [rbp + 0x10]; mov rsi, [rbp + 0x18]; mov rdi, [rbp + 0x20]; mov r12, [rbp + 0x28]; mov rsp, rbp; pop rbp; ret
> 0x10006b17 : mov rcx, [rdx + 0x30]; mov rax, [rcx]; lea r8, [rsp + 0xa8]; lea rdx, [rip + 0x20e33]; call [rax]
> 0x10005d19 : mov rcx, [rsi + 8]; mov rax, [rcx]; lea r8, [rsp + 0x20]; lea rdx, [rip + 0x21d24]; call [rax]
> 0x10012dc5 : mov eax, [r8 + 0x70ec]; rol eax, 1; xor eax, [r8 + 0x70e8]; mov [r8 + 0x70ec], eax; mov [r8 + 0x3c], 2; xor eax, eax; ret
> 0x100112c7 : mov eax, [r9 + 0x20]; mov [rdi + 8], eax; mov rdi, [rsp + 0x48]; mov rsi, [rsp + 0x40]; xor eax, eax; add rsp, 0x28; ret
> 0x10006b18 : mov ecx, [rdx + 0x30]; mov rax, [rcx]; lea r8, [rsp + 0xa8]; lea rdx, [rip + 0x20e33]; call [rax]
> 0x10005d1a : mov ecx, [rsi + 8]; mov rax, [rcx]; lea r8, [rsp + 0x20]; lea rdx, [rip + 0x21d24]; call [rax]
> 0x100053b8 : mov rax, [r11]; mov [rsp + 0x28], rbp; mov [rsp + 0x20], r10; mov r8, [r8]; mov rdx, [rdx]; mov rcx, r11; call [rax + 0x18]
> 0x100058b6 : mov rdi, [rsi + 8]; mov [rsp + 0x60], rbp; mov rax, [rdi]; lea r8, [rsp + 0x60]; lea rdx, [rip + 0x22192]; mov rcx, rdi; call [rax]
> 0x100058b7 : mov edi, [rsi + 8]; mov [rsp + 0x60], rbp; mov rax, [rdi]; lea r8, [rsp + 0x60]; lea rdx, [rip + 0x22192]; mov rcx, rdi; call [rax]