ropshell> use 7b93c623333f121dc9e689ccb1b7a733
name         : mfc71u.dll (i386/PE)
base address : 0x7c251000
total gadgets: 29480
ropshell> suggest "load mem"
> 0x7c268f59 : mov eax, [ecx]; ret
> 0x7c2534d7 : mov eax, [esi]; pop esi; ret
> 0x7c2c8926 : mov eax, [ecx + 0x10]; ret
> 0x7c2ee130 : mov eax, [edx + 0x1c]; ret 4
> 0x7c2bf7a6 : mov eax, [esi + 0x28]; pop esi; ret
> 0x7c2d404f : mov eax, [ebp + 0xc]; pop ebp; ret 0x10
> 0x7c304b10 : mov edx, [ebp + 0xc]; pop ebp; ret 0xc
> 0x7c299acb : mov esi, [eax + 0x5e5ffffd]; pop ebx; ret 8
> 0x7c305549 : mov ecx, [eax]; push eax; call [ecx]; ret 0xc
> 0x7c2e37d5 : mov edx, [ecx]; push eax; call [edx]; ret 4
> 0x7c30f8ad : mov eax, [ebx]; call [eax + 0x1c]
> 0x7c2a08e3 : mov eax, [edi]; call [eax + 0x20]
> 0x7c2f8d6c : mov ecx, [esi]; mov [eax + 4], ecx; pop esi; ret
> 0x7c27cf5e : mov edx, [eax]; mov [ecx], edx; add eax, 8; ret 4
> 0x7c2cbafd : movzx eax, [edi + eax]; pop edi; and eax, 1; pop esi; ret 4
> 0x7c300863 : mov eax, [ebp]; push ebp; call [eax + 0x20]
> 0x7c2b4b8e : mov ebx, [eax]; push eax; call [ebx + 0x18]
> 0x7c2b205c : mov ecx, [ebx]; push ebx; call [ecx + 0x1c]
> 0x7c255126 : mov ecx, [edi]; pop edi; mov [esi + ecx], eax; pop esi; ret 8
> 0x7c288f23 : mov edx, [esi]; push eax; call [edx + 0x60]
> 0x7c25390c : mov edx, [edi]; push eax; call [edx + 0x3c]
> 0x7c2a69c1 : mov edi, [eax]; cld ; call [ecx + 0x51]
> 0x7c2b3265 : mov edi, [ecx]; push ecx; call [edi + 0x20]
> 0x7c300cc0 : mov edi, [esi]; push eax; call [ecx + 0x14]
> 0x7c264307 : mov eax, [ebx + 4]; push eax; push ecx; call edi
> 0x7c306725 : mov ecx, [esi + 0x60]; call [ebp + 0xc]
> 0x7c2d1dc1 : mov ecx, [ebp + 0x14]; mov [ecx], eax; pop esi; pop ebp; ret 0x10
> 0x7c29becc : mov edx, [eax + 4]; mov [ecx], edx; add eax, 8; ret 4
> 0x7c2649a3 : mov ebx, [esi]; push eax; push [esi + 8]; call edi
> 0x7c2ac13a : mov ecx, [eax + 0x20]; mov eax, [ecx]; call [eax + 0x19c]; ret 4
> 0x7c2a634f : mov edi, [ebp + 8]; push [edi + 4]; call esi
> 0x7c2ee230 : mov edx, [ebx]; push eax; mov ecx, ebx; call [edx + 0x14]
> 0x7c259be3 : mov esi, [ecx]; mov [eax + edx], esi; mov [ecx], eax; pop esi; ret 4
> 0x7c2dc72d : mov ebx, [ebp + 0x10]; mov [ebx + 0xc], eax; call esi
> 0x7c2e02d0 : mov ecx, [edi + 0x4c]; add ecx, 0x40; call [ebp - 4]
> 0x7c2c1452 : mov edx, [ecx + 0xbc]; mov [eax], edx; mov eax, [ecx + 0xb0]; ret 4
> 0x7c25b92c : mov esi, [ebp + 8]; mov ecx, esi; call [ebp + 0x14]
> 0x7c2590b4 : mov edi, [edx + 0x108b0001]; mov ecx, eax; call [edx + 0xc]
> 0x7c2ea0b4 : mov ebp, [edx + 0x108bfff8]; mov ecx, eax; call [edx + 0xc]
> 0x7c28b8bc : mov ebx, [ecx]; sub eax, edx; push eax; push edx; call [ebx + 0x40]
> 0x7c2b884b : mov ecx, [ebx + 0x24]; mov eax, [ecx]; call [eax + 0x68]
> 0x7c2e36e0 : mov esi, [eax]; mov eax, [esi]; mov ecx, esi; call [eax + 0x5c]
> 0x7c2af837 : mov edi, [eax + 0x24]; mov eax, [esp + 0x10]; mov [eax], edi; pop edi; pop esi; ret 8
> 0x7c2b14ef : mov edi, [edx]; push esi; push eax; push [ecx + 0xc]; push edx; call [edi + 0x10]
> 0x7c287b31 : mov ebp, [ecx]; push ebx; push ebx; sub eax, edx; push eax; push 2; call [ebp + 0x58]
> 0x7c2e1f3c : movsx edx, [esi + 0xc]; push edx; lea edx, [ebp - 0x14]; push edx; call [eax + 0x4c]
> 0x7c307715 : mov esi, [edi + 0x20]; mov eax, [esi]; mov ecx, esi; call [eax + 0x68]
> 0x7c266591 : mov esi, [ebx + 8]; shl eax, 1; sub esi, eax; sub esi, [ebp - 0xc]; push 2; call edi
> 0x7c2e813d : mov esi, [ecx + 0x24]; sub esi, [ecx + 0x1c]; mov [eax + 4], edx; mov [eax], esi; pop esi; ret 4
> 0x7c30b2c0 : mov edi, [esi + 0x68]; push ebx; mov [esi + 0x68], ebx; mov ecx, [eax]; push eax; call [ecx + 0x10]
> 0x7c2e157a : mov ebx, [esi + 0x10]; mov [esi + 0x10], eax; mov eax, [edi]; push esi; mov ecx, edi; call [eax + 8]
> 0x7c2c5393 : mov edi, [ebx + 0x18]; mov esi, ecx; mov eax, [esi]; mov [ebp - 0x10], esp; mov [ebp - 0x24], esi; and edi, 1; call [eax + 0x38]