ropshell> use 911ddf2e16761643a47225f654d811e5 (download)
name         : ntdll.dll (i386/PE)
base address : 0x7c901000
total gadgets: 6968
ropshell> search ? esp % found 128 gadgets > 0x7c901211 : dec esp; ret > 0x7c9287e5 : inc esp; ret > 0x7c90e037 : add esp, 0x14; ret > 0x7c9012e1 : add esp, 0xc; ret > 0x7c96bf33 : jmp esp > 0x7c96961a : pop esp; pop ebp; ret 8 > 0x7c951c0c : adc esp, edi; dec ecx; ret > 0x7c90ea1a : add esp, 8; pop ebp; ret 4 > 0x7c92c663 : add esp, [ebx]; ret > 0x7c969548 : dec esp; pop esi; pop ebp; ret 0xc > 0x7c901a36 : inc esp; and al, 4; ret > 0x7c90e2cb : inc esp; and al, 8; ret > 0x7c90e502 : mov esp, ebp; pop ebp; ret > 0x7c903132 : mov esp, ebp; pop ebp; ret 0x14 > 0x7c97cdf0 : mov esp, ebp; pop ebp; ret 0xc > 0x7c97ce91 : mov esp, ebp; pop ebp; ret 4 > 0x7c97d14f : mov esp, ebp; pop ebp; ret 8 > 0x7c972e3d : mov esp, ebx; pop ebx; ret > 0x7c969659 : pop esp; pop esi; pop ebp; ret 0xc > 0x7c9223e4 : pop esp; pop esi; pop ebp; ret 8 > 0x7c90300f : push esp; and al, 0x10; ret 0x10 > 0x7c903237 : inc esp; and al, 4; cdq ; ret 4 > 0x7c901217 : inc esp; and al, 4; int3 ; ret 4 > 0x7c9015d5 : inc esp; and al, 4; mul ecx; ret 0x10 > 0x7c902483 : inc esp; and al, 8; pop edi; ret > 0x7c91bfd8 : inc esp; pop edi; pop esi; pop ebp; ret 4 > 0x7c927be7 : pop esp; add [eax], al; ret > 0x7c90e521 : push esp; and al, 8; int 0x2e; ret > 0x7c96e99c : adc esp, edi; dec [ebx + 0xb70ffc4d]; ret > 0x7c956f6e : dec esp; add [eax], eax; pop ebp; ret > 0x7c90269c : dec esp; and al, 4; sub eax, ecx; ret > 0x7c90323f : inc esp; and al, 4; xor edx, edx; ret 4 > 0x7c92cc3e : inc esp; std ; lcall [esi + 0x5d]; ret 4 > 0x7c92cc03 : inc esp; std ; lcall [esi + 0xffffffc9]; ret 4 > 0x7c920ab5 : inc esp; xor eax, eax; pop esi; pop ebp; ret 0xc > 0x7c97ccbb : push esp; xor dl, [eax]; pop ebp; ret 4 > 0x7c9033d2 : add esp, 0; add [eax], al; pop ebx; ret 4 > 0x7c91bfd4 : dec esp; add [ecx + 0x5e5f4448], cl; pop ebp; ret 4 > 0x7c9033ef : dec esp; and al, 8; mov [ecx], eax; ret 8 > 0x7c953a15 : dec esp; cld ; jmp [esi + 9] > 0x7c928352 : inc esp; add al, [eax]; pop esi; pop ebp; ret 4 > 0x7c903017 : inc esp; 
and al, 4; imul [esp + 8]; ret 8 > 0x7c902af9 : inc esp; and al, 4; mov eax, [eax]; ret 4 > 0x7c903023 : inc esp; and al, 4; mul [esp + 8]; ret 8 > 0x7c951cd9 : inc esp; dec ds:[edx + 0x5e088808]; pop edi; pop ebp; ret 0xc > 0x7c93d65e : inc esp; std ; jmp [esi + 0xffffff8b] > 0x7c92d9e6 : lea esp, [esi + edi*8]; dec ecx; ret 0x10 > 0x7c901109 : lea esp, [esp]; dec [edx + 4]; ret 4 > 0x7c902b2c : lea esp, [esp]; mov eax, ecx; bswap eax; ret > 0x7c972e3a : mov esp, ebp; pop ebp; mov esp, ebx; pop ebx; ret > 0x7c90118a : mov esp, esi; pop ebx; pop edi; pop esi; pop ebp; ret 0x10 > 0x7c9694b0 : push esp; add bh, bh; dec ecx; pop eax; pop ebp; ret 4 > 0x7c90e255 : push esp; and al, 6; fldcw [esp + 6]; ret > 0x7c941982 : push esp; std ; jmp [esi + 0xffffff83] > 0x7c9015ed : inc esp; and al, 8; mul ecx; add edx, ebx; pop ebx; ret 0x10 > 0x7c9031d7 : inc esp; and al, 8; xor edx, edx; shr eax, cl; ret 0xc > 0x7c953e04 : inc esp; cld ; call [ebx + 0xffffff8d] > 0x7c951d13 : inc esp; or bh, bh; mov al, [eax]; pop ebp; ret 0xc > 0x7c94c830 : mul esp; std ; call [eax + 0xffffffff] > 0x7c9031af : push esp; and al, 4; xor eax, eax; shl edx, cl; ret 0xc > 0x7c90300b : push esp; and al, 8; adc edx, [esp + 0x10]; ret 0x10 > 0x7c903213 : push esp; and al, 8; neg edx; neg eax; sbb edx, 0; ret 8 > 0x7c90322b : push esp; and al, 8; sbb edx, [esp + 0x10]; ret 0x10 > 0x7c96e174 : sbb esp, edi; call [esi + 0x68] > 0x7c903184 : add esp, 4; pop esi; mov edx, eax; mov eax, ecx; pop ebp; ret 0xc > 0x7c902569 : inc esp; and al, 8; mov [edi + 2], 0; pop edi; ret > 0x7c90e51c : lea esp, [esp]; lea edx, [esp + 8]; int 0x2e; ret > 0x7c9032a9 : mov esp, [0]; pop fs:[0]; mov esp, ebp; pop ebp; ret 0x14 > 0x7c9032a8 : mov esp, fs:[0]; pop fs:[0]; mov esp, ebp; pop ebp; ret 0x14 > 0x7c963007 : pop esp; cmpsd [esi], es:[edi]; call edi > 0x7c953e35 : pop esp; inc esp; cld ; call [ebx + 0xffffff8d] > 0x7c9031a3 : push esp; and al, 8; shld edx, eax, cl; shl eax, cl; ret 0xc > 0x7c903203 : push esp; and 
al, 8; shrd eax, edx, cl; sar edx, cl; ret 0xc > 0x7c9031cb : push esp; and al, 8; shrd eax, edx, cl; shr edx, cl; ret 0xc > 0x7c957f4b : push esp; dec ebp; cld ; call [esi + 0x68] > 0x7c975809 : xchg esp, edx; add [eax], al; add [ebx], bh; ret > 0x7c94f924 : xchg esp, esi; sar ch, 1; jmp [ebx] > 0x7c918e02 : dec esp; add al, [eax]; mov eax, edi; pop edi; pop esi; pop ebp; ret 4 > 0x7c90330b : dec esp; and al, 4; mov ecx, [ecx]; mov fs:[0], ecx; ret 4 > 0x7c9223dc : inc esp; inc ecx; add cl, [ecx + 0x42895872]; pop esp; pop esi; pop ebp; ret 8 > 0x7c901102 : lea esp, [esp]; lea esp, [esp]; dec [edx + 4]; ret 4 > 0x7c902b25 : lea esp, [esp]; lea esp, [esp]; mov eax, ecx; bswap eax; ret > 0x7c931293 : pop esp; add [ebx + 0xfffdd085], cl; jmp [esi + 0xffffff89] > 0x7c9694d6 : push esp; mov [eax + 0x50], ecx; inc [eax + 0x58]; pop ebp; ret 8 > 0x7c946816 : push esp; xchg eax, esp; std ; call [ebx + 0x58] > 0x7c90d31f : dec esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx]; ret 0xc > 0x7c901a5d : dec esp; or [edi], eax; add [ebx + 0x44dd10c4], al; and al, 4; ret > 0x7c90d29f : inc esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx]; ret 0x1c > 0x7c91a509 : inc esp; and [eax + 4], 0; and [eax + 8], 0; pop ebp; ret 8 > 0x7c915745 : lea esp, [edx]; or al, [eax]; add [edi + 0xffffffc9], bl; ret 0x10 > 0x7c92046a : lea esp, [esp]; push ebx; push esi; call [ebp + 0x10] > 0x7c90162c : mov esp, ecx; mov ecx, [eax]; mov eax, [eax + 4]; push eax; ret > 0x7c90d41f : pop esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx]; ret 4 > 0x7c90d39f : push esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx]; ret 0x28 > 0x7c9226fc : dec esp; push ecx; add bl, [esi + 0xffffff89]; dec eax; and [ebx + 0x5d], bl; ret 8 > 0x7c90cedb : inc esp; add [eax + 0x8b8], dl; add [edx + 0x7ffe0300], bh; call [edx]; ret 0xc > 0x7c93de40 : inc esp; add ch, cl; xor ah, [edi + 0xfffffffd]; jmp [esi + 0xffffff89] > 0x7c90320f : inc esp; and al, 4; mov edx, [esp + 8]; neg edx; neg 
eax; sbb edx, 0; ret 8 > 0x7c960bb5 : lea esp, [edi + edi*8 + 0xffffffff]; call [ecx + 0xffffffff] > 0x7c90e515 : lea esp, [esp]; lea esp, [esp]; lea edx, [esp + 8]; int 0x2e; ret > 0x7c90319f : inc esp; and al, 4; mov edx, [esp + 8]; shld edx, eax, cl; shl eax, cl; ret 0xc > 0x7c9031ff : inc esp; and al, 4; mov edx, [esp + 8]; shrd eax, edx, cl; sar edx, cl; ret 0xc > 0x7c9031c7 : inc esp; and al, 4; mov edx, [esp + 8]; shrd eax, edx, cl; shr edx, cl; ret 0xc > 0x7c90ea6d : inc esp; and al, 8; mov edx, [esp + 0x10]; mov [edx], eax; mov eax, 3; ret > 0x7c90d31f : dec esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx] > 0x7c90d29f : inc esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx] > 0x7c90d41f : pop esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx] > 0x7c90d39f : push esp; add [eax], al; add [edx + 0x7ffe0300], bh; call [edx] > 0x7c92a197 : dec esp; add [eax], al; mov ecx, [ebp + 0xc]; mov [ecx], eax; mov al, 1; pop ebp; ret 8 > 0x7c90cedb : inc esp; add [eax + 0x8b8], dl; add [edx + 0x7ffe0300], bh; call [edx] > 0x7c966e4d : inc esp; movsb es:[edi], [esi]; stc ; dec [ebp + 0xfffed885]; call [eax + 0xffffff8d] > 0x7c93d654 : inc esp; std ; inc [ebx + 0xf00fc7d]; test bh, [esi]; inc esp; std ; jmp [esi + 0xffffff8b] > 0x7c9411c8 : push esp; adc edx, [esp + edi*2 + 0xfee99ee8]; lcall [ecx + 0xffffff8b]; test ebp, [eax + 0x3bfffffd]; ret > 0x7c903003 : inc esp; and al, 4; add eax, [esp + 0xc]; mov edx, [esp + 8]; adc edx, [esp + 0x10]; ret 0x10 > 0x7c903223 : inc esp; and al, 4; sub eax, [esp + 0xc]; mov edx, [esp + 8]; sbb edx, [esp + 0x10]; ret 0x10 > 0x7c90ea68 : add esp, 8; pop ebp; mov eax, [esp + 8]; mov edx, [esp + 0x10]; mov [edx], eax; mov eax, 3; ret > 0x7c9033e3 : dec esp; and al, 4; mov [ecx], eax; mov eax, fs:[4]; mov ecx, [esp + 8]; mov [ecx], eax; ret 8 > 0x7c9032cf : dec esp; and al, 8; mov edx, [esp + 0x10]; mov eax, [ecx + 8]; mov [edx], eax; mov eax, 2; ret 0x10 > 0x7c9032f6 : dec esp; and al, 8; mov edx, [esp + 0x10]; 
mov eax, [ecx + 8]; mov [edx], eax; mov eax, 3; ret 0x10 > 0x7c901094 : add esp, 4; mov ecx, fs:[0x18]; mov eax, [ecx + 0x24]; mov [edx + 0xc], eax; mov [edx + 8], 1; xor eax, eax; ret 4 > 0x7c90e460 : add esp, 4; pop edx; mov eax, fs:[0x18]; mov eax, [eax + 0x30]; mov eax, [eax + 0x2c]; call [eax + edx*4] > 0x7c950f65 : dec esp; std ; dec [ecx]; push es; ret > 0x7c91a84c : dec esp; pop edi; pop esi; pop ebx; leave ; ret 4 > 0x7c969824 : inc esp; pop edi; pop esi; pop ebx; leave ; ret 8 > 0x7c97aa2e : push esp; stc ; dec [ebx + 0x5e5ffc45]; leave ; ret 0x14 > 0x7c92c45a : pop esp; std ; inc [ebx + 0xc0330cc4]; pop esi; leave ; ret 8 > 0x7c92abb6 : inc esp; mov ecx, [ebp + 0x10]; mov [ecx], eax; leave ; ret 0xc > 0x7c951c45 : adc esp, edi; inc [ebx + 0x875003e]; mov ecx, [ebp + 0xffffff64]; mov [esi], ecx; pop esi; leave ; ret 8