ropshell> use 911ddf2e16761643a47225f654d811e5 (download) name : ntdll.dll (i386/PE) base address : 0x7c901000 total gadgets: 6968
ropshell> search add r32, [r32 %] found 43 gadgets > 0x7c92c663 : add esp, [ebx]; ret > 0x7c972c69 : add ebx, [eax + 0x5d]; ret > 0x7c952cb6 : add ecx, [ebx + 0xc95efc45]; ret > 0x7c92a040 : add ecx, [edi]; pop ebp; ret 8 > 0x7c92adb3 : add eax, [edx + 8]; pop ebp; ret 4 > 0x7c95e0cb : add edi, [edi + 0x140c6]; pop ebp; ret 8 > 0x7c971341 : add eax, [ecx]; add [eax], al; pop ebp; ret > 0x7c92c65f : add ebx, [ebx + 0xffffff83]; rol [ebx], 0x23; ret > 0x7c95e332 : add ecx, [eax + 0x458bff5d]; or [ebx], bh; ret > 0x7c910537 : add ebp, [ebx]; mov eax, esi; pop esi; pop edi; pop ebp; ret 0xc > 0x7c902bb6 : add eax, [ebx + 0x7c2b04ef]; and al, 8; mov eax, edi; pop edi; ret 0xc > 0x7c97c4e8 : add ecx, [ebp + 0xffe7c885]; call [eax + 0xffffff8d] > 0x7c947119 : add ecx, [ebp + 0xfffb6485]; call [eax + 0xffffff8d] > 0x7c91fb81 : add ecx, [ebp + 0xfffd9485]; call [eax + 0xffffff8d] > 0x7c931225 : add ecx, [ebp + 0xfffda085]; call [eax + 0xffffff8d] > 0x7c923363 : add ecx, [ebp + 0xfffe7c85]; call [eax + 0xffffffe8] > 0x7c93f846 : add ecx, [ebp + 0xfffe9485]; call [eax + 0xffffffff] > 0x7c9605a1 : add eax, [ecx]; add [eax], al; pop edi; pop esi; pop ebx; pop ebp; ret 4 > 0x7c92d35b : add esi, [ebp + 8]; mov [edx], eax; mov al, 1; pop ebp; ret 0x10 > 0x7c931994 : add eax, [eax]; add [ebx + 0xfffeac85], cl; jmp [esi + 0xffffff83] > 0x7c902912 : add esi, [ebp + 0xffffff85]; mov eax, [esp + 0x10]; pop ebx; pop esi; pop edi; ret > 0x7c97c66e : add eax, [eax]; add [ebp + 0xffe7ec8d], cl; call [ecx + 0x50] > 0x7c925804 : add eax, [eax]; add [ebx + 0xfffdc8bd], cl; call [eax + 0xffffff8d] > 0x7c903006 : add eax, [esp + 0xc]; mov edx, [esp + 8]; adc edx, [esp + 0x10]; ret 0x10 > 0x7c92e06b : add ebx, [edi]; add [ebp + 0xfffd1485], cl; call [eax + 0xffffffe8] > 0x7c94878a : add ecx, [ecx + 0xfffe4cb5]; dec [ebp + 0xfffec48d]; call [ecx + 0x56] > 0x7c923279 : add eax, [ebx + 0x665ffce3]; mov [eax], ecx; add [esi], ebx; pop esi; pop ebx; pop ebp; ret 0x10 > 0x7c9225f4 : add eax, [edx + 4]; and ecx, 7; mov dl, 1; shl dl, cl; or [eax], dl; pop ebp; ret 8 > 0x7c930309 : add edx, [ebx + 0x6de8507c]; add bh, dh; dec [ebp + 0xfffdf885]; call [eax + 0xffffffe8] > 0x7c91522d : add eax, [ebp + 0xc]; mov esi, eax; push esi; push [ebp + 8]; call [ebp + 0x18] > 0x7c970e98 : add edi, [ebx]; inc ebp; adc [edi + 0xc], dh; push edi; push ebx; call [ebp + 8] > 0x7c97a07a : add eax, [eax]; add [ebx + 0x7501b07d], al; xor cl, [ebp + 0xfffcd085]; call [eax + 0xffffff8d] > 0x7c97c7a2 : add ebp, [eax + 0xffffff80]; add [eax], al; add [ebp + 0xffe7d885], cl; dec [ecx + 0xffe7b885]; call [ebx + 0xffffff8d] > 0x7c942499 : add eax, [eax]; add [ebp + 0xffff5485], cl; dec [ecx + 0xffff6085]; dec [ebp + 0xffff4885]; dec [ecx + 0xffff6485]; call [esi + 0xffffff8d] > 0x7c9761f9 : add ecx, [ecx + 0x7539dc4d]; fdiv [eax + edx + 0x53]; lea eax, [ebp + 0xffffffd0]; push eax; push [ebp + 0xffffffcc]; push 4; call [ebp + 0xffffffdc] > 0x7c951d67 : add esi, [ebx + 0xc88bfffb]; mov eax, ecx; leave ; ret > 0x7c975135 : add ebp, [edx + 0x57]; pop eax; pop esi; pop edi; leave ; ret 0x10 > 0x7c9020ba : add ecx, [eax + 0x458b0347]; or [esi + 0x5f], bl; leave ; ret > 0x7c9020cd : add ecx, [edx + 0x47880246]; add cl, [ebx + 0x5f5e0845]; leave ; ret > 0x7c97aadb : add ebp, [edx + 8]; pop esi; mov eax, esi; pop esi; pop ebx; leave ; ret 8 > 0x7c9020ca : add ecx, [eax + 0x468a0347]; add cl, [eax + 0x458b0247]; or [esi + 0x5f], bl; leave ; ret > 0x7c9020e1 : add ecx, [edx + 0x47880246]; add cl, [edx + 0x47880146]; add [ebx + 0x5f5e0845], ecx; leave ; ret > 0x7c9020de : add ecx, [eax + 0x468a0347]; add cl, [eax + 0x468a0247]; add [eax + 0x458b0147], ecx; or [esi + 0x5f], bl; leave ; ret