ropshell> use 7450dd3ddf93a83f69c64c82b539212a
name         : win32kfull.sys (x86_64/PE)
base address : 0x1c0001000
total gadgets: 13056
ropshell> suggest "load mem"
> 0x1c002b93f : mov rax, [rcx]; ret
> 0x1c02b62cd : mov rax, [r8]; ret
> 0x1c002b940 : mov eax, [rcx]; ret
> 0x1c0150d10 : mov eax, [rdx]; ret
> 0x1c012d910 : mov eax, [r8]; ret
> 0x1c00a868a : mov edi, [rdx]; ret
> 0x1c00857c4 : mov rax, [rcx + 0x10]; ret
> 0x1c0033ccb : mov rax, [rdx + 0x60]; ret
> 0x1c0117b49 : mov rax, [r8 + 0x10]; ret
> 0x1c00015bc : mov rsi, [r11 + 0x18]; ret
> 0x1c00857c5 : mov eax, [rcx + 0x10]; ret
> 0x1c0033ccc : mov eax, [rdx + 0x60]; ret
> 0x1c02588a6 : mov ecx, [rax + 0x2b]; ret
> 0x1c00015bd : mov esi, [rbx + 0x18]; ret
> 0x1c0041842 : mov rdx, [rax]; mov rax, rdx; ret
> 0x1c01507b3 : movzx ecx, [rdx]; sub eax, ecx; ret
> 0x1c0041843 : mov edx, [rax]; mov rax, rdx; ret
> 0x1c02404f1 : mov esi, [rcx]; sldt [rcx - 0xa]; ret
> 0x1c0066b3f : mov rax, [r9]; mov [r10], rax; ret
> 0x1c0034d81 : mov rcx, [rax]; inc [rcx + 0x1608]; ret
> 0x1c0034d82 : mov ecx, [rax]; inc [rcx + 0x1608]; ret
> 0x1c01f165f : mov rax, [r10 + 0x18]; add rsp, 0x28; ret
> 0x1c01f858f : mov rax, [r11 + 0x168]; add rsp, 0x28; ret
> 0x1c02861b4 : mov rdx, [rax + 8]; mov rax, rdx; ret
> 0x1c02861f1 : mov r8, [rax + 8]; mov rax, r8; ret
> 0x1c003daf5 : mov r9, [r8 + 0x10]; mov rax, r9; ret
> 0x1c01f8590 : mov eax, [rbx + 0x168]; add rsp, 0x28; ret
> 0x1c02ca79f : mov eax, [r8 + 8]; add eax, ecx; ret
> 0x1c02861b5 : mov edx, [rax + 8]; mov rax, rdx; ret
> 0x1c00bef56 : movzx edx, [rcx + r8]; and eax, edx; ret
> 0x1c027db8b : mov rax, [rdx]; mov [rcx + 0x68], rax; ret
> 0x1c021b802 : mov edx, [rbx]; add [rax + 0x63], cl; ret
> 0x1c026d146 : mov rdx, [rcx + 8]; mov [r11], rdx; ret
> 0x1c000e7b1 : mov rdi, [r11 + 0x18]; mov rsp, r11; pop rbp; ret
> 0x1c00ccd61 : mov rbp, [r11 + 0x28]; mov rsp, r11; pop rsi; ret
> 0x1c00eb8af : mov r12, [r11 + 0x28]; mov rsp, r11; pop r14; ret
> 0x1c01467a4 : mov r14, [r11 + 0x18]; mov rsp, r11; pop rbp; ret
> 0x1c027a39b : mov r15, [r11 + 0x28]; mov rsp, r11; pop rbp; ret
> 0x1c000e7b2 : mov edi, [rbx + 0x18]; mov rsp, r11; pop rbp; ret
> 0x1c00ccd62 : mov ebp, [rbx + 0x28]; mov rsp, r11; pop rsi; ret
> 0x1c00aca35 : mov eax, [rbx]; add [rax], al; add rsp, 0x28; ret
> 0x1c02b7df4 : mov rcx, [rax + 0x14]; mov [r8 + 4], ecx; ret
> 0x1c02db3c7 : mov rcx, [r10 + 8]; mov [rdx + rcx], al; ret
> 0x1c010bae6 : mov rcx, [r11 + 0x38]; mov [r10 + 0x38], rcx; ret
> 0x1c0040725 : mov r8, [rdx + 0x10]; cmp rax, r8; cmove rax, r9; ret
> 0x1c02c16d9 : mov eax, [r10 + 8]; mov rbx, [rsp + 8]; ret
> 0x1c010bae7 : mov ecx, [rbx + 0x38]; mov [r10 + 0x38], rcx; ret
> 0x1c00b04df : mov ecx, [rdx + 0xc]; sar eax, cl; add rsp, 0x38; ret
> 0x1c01028c5 : mov rdx, [rcx]; mov [r8 + 8], rdx; mov eax, 1; ret
> 0x1c016ba1c : mov ebx, [rsi]; add [rax - 0x75], cl; sbb [rax - 0x7f], cl; ret
> 0x1c01028c6 : mov edx, [rcx]; mov [r8 + 8], rdx; mov eax, 1; ret
> 0x1c0266893 : mov r13, [r11 + 0x38]; mov rsp, r11; pop r15; pop r14; pop rbp; ret
> 0x1c02a333d : mov r9, [r8]; add [rax - 0x75], cl; fld1 ; add esp, [rcx - 0x74b70016]; ret
> 0x1c01b4d5d : mov rax, [r9 + 0x20]; movsxd rcx, edx; movzx eax, [rax + rcx]; ret
> 0x1c00a4d1a : mov rcx, [rdx + 0x50]; add rcx, r9; mov [r8 + 0x68], rcx; ret
> 0x1c00a0638 : mov eax, [r11 + 0x30]; mov [r9 + 0x48], eax; mov eax, 0x7c; ret
> 0x1c01467a0 : mov rbx, [r11 + 0x10]; mov r14, [r11 + 0x18]; mov rsp, r11; pop rbp; ret
> 0x1c02c9ab0 : mov ecx, [r10 + 0x7c]; cmp [rdx + 8], ecx; setg r9b; mov eax, r9d; ret
> 0x1c0144829 : mov edi, [rsi + rbx]; add [rcx - 0x3e74b6ff], cl; add [rip + 0x1e3c7e], 4; ret
> 0x1c0178e9a : mov rcx, [r8 + 0xdd0]; mov rax, [rcx + 0x610]; mov [rcx + 0x610], rdx; ret
> 0x1c0063221 : mov ebx, [rcx + rdx]; mov rax, [r8 + 0x618]; mov [r8 + 0x618], rdx; ret
> 0x1c02ca795 : mov ecx, [r8 + 0x10]; div rcx; mov rcx, rax; mov eax, [r8 + 8]; add eax, ecx; ret
> 0x1c0005e88 : mov edx, [rbx + 0x30]; mov rax, r9; mov r9, [rip + 0x34effb]; call r9
> 0x1c001954b : mov rax, [r11]; mov rcx, r11; mov rax, [rax + 8]; call [rip + 0x33b935]; add rsp, 0x28; ret
> 0x1c01767b0 : mov rax, [r10]; mov rcx, [rax + 0x78]; mov eax, [rcx + 8]; mov [rdx + 8], eax; ret
> 0x1c02679ce : mov rcx, [rdx]; mov rax, [rcx + 0x3b8]; mov [rcx + 0x50], rax; and [rdx + 8], 0; ret
> 0x1c02ca755 : movsxd rcx, [r8]; add rax, rcx; mov ecx, [rdx + 0xb4]; xor edx, edx; div rcx; mov [r8], edx; ret
> 0x1c0160d03 : mov edx, [r9 + 8]; mov ecx, [r10 + 8]; sub rdx, rcx; test rdx, rdx; sete r8b; mov eax, r8d; ret
> 0x1c00b7416 : movzx eax, [r9 + 1]; add ax, dx; cwde ; mov [r10], eax; lea rax, [r9 + 2]; add [rip + 0x27108a], 4; ret
> 0x1c013d2aa : mov r8, [r9 + 0x98]; mov rdx, [rcx]; movzx ecx, [rdx + 0x362]; cmp [r8 + 8], cx; cmove r10, r9; mov rax, r10; ret
> 0x1c025758c : movzx ecx, [rsi + 3]; mov [rsi], cx; mov cl, [rsi + 5]; mov [rsi + 2], cl; mov rsi, [rsp + 0x10]; ret
> 0x1c0099de3 : mov rax, [r15 + 8]; lea r8, [rsp + 0x78]; mov edx, [rsp + 0xf0]; mov rcx, r15; mov r9, [rip + 0x2bb093]; call r9
> 0x1c0099de4 : mov eax, [rdi + 8]; lea r8, [rsp + 0x78]; mov edx, [rsp + 0xf0]; mov rcx, r15; mov r9, [rip + 0x2bb093]; call r9