ropshell> use 911ddf2e16761643a47225f654d811e5 (download)
name : ntdll.dll (i386/PE)
base address : 0x7c901000
total gadgets: 6968
ropshell> search mov r32 [r32 %]
found 118 gadgets
> 0x7c902488 : mov eax, [esp + 4]; ret
> 0x7c90e2ca : mov eax, [esp + 8]; ret
> 0x7c90330e : mov ecx, [ecx]; mov fs:[0], ecx; ret 4
> 0x7c90269b : mov ecx, [esp + 4]; sub eax, ecx; ret
> 0x7c9032a3 : mov ecx, [ebp + 0x18]; call ecx
> 0x7c952a0b : mov ecx, [ebp + 0xffffffdc]; mov [eax], ecx; ret
> 0x7c9033ee : mov ecx, [esp + 8]; mov [ecx], eax; ret 8
> 0x7c902b13 : mov edx, [edx + 4]; cmpxchg8b [ebp]; pop ebp; pop ebx; ret 4
> 0x7c9031ae : mov edx, [esp + 4]; xor eax, eax; shl edx, cl; ret 0xc
> 0x7c90300a : mov edx, [esp + 8]; adc edx, [esp + 0x10]; ret 0x10
> 0x7c903212 : mov edx, [esp + 8]; neg edx; neg eax; sbb edx, 0; ret 8
> 0x7c90322a : mov edx, [esp + 8]; sbb edx, [esp + 0x10]; ret 0x10
> 0x7c90e46d : mov eax, [eax + 0x2c]; call [eax + edx*4]
> 0x7c9032d6 : mov eax, [ecx + 8]; mov [edx], eax; mov eax, 2; ret 0x10
> 0x7c9032fd : mov eax, [ecx + 8]; mov [edx], eax; mov eax, 3; ret 0x10
> 0x7c966711 : mov eax, [ecx]; pop esi; mov [ecx], ebx; pop ebx; pop ebp; ret 4
> 0x7c969615 : mov ecx, [ecx + 0xc]; add [eax + 0x5c], ecx; pop ebp; ret 8
> 0x7c919aee : mov ecx, [ecx + 4]; mov [eax + 0xfb0], ecx; pop ebp; ret 4
> 0x7c9695e1 : mov ecx, [ecx + 8]; add [eax + 0x1c], ecx; pop ebp; ret 8
> 0x7c969575 : mov ecx, [ecx + 8]; add [eax + 0x3c], ecx; pop ebp; ret 8
> 0x7c9518eb : mov ecx, [ebp + 0xc]; add [eax + 0xb0], ecx; pop ebp; ret 8
> 0x7c918a89 : mov ecx, [ebp + 0xc]; mov [eax + 4], ecx; pop ebp; ret 0xc
> 0x7c920f27 : mov ecx, [ebp + 0xc]; mov [ecx], esi; pop esi; pop ebp; ret 8
> 0x7c90fe3b : mov ecx, [ebp + 8]; mov [eax + 0x34], ecx; pop ebp; ret 4
> 0x7c951d93 : mov ecx, [ebp + 8]; mov [eax + 0xf24], ecx; pop ebp; ret 4
> 0x7c90ea70 : mov edx, [esp + 0x10]; mov [edx], eax; mov eax, 3; ret
> 0x7c9031a2 : mov edx, [esp + 8]; shld edx, eax, cl; shl eax, cl; ret 0xc
> 0x7c903202 : mov edx, [esp + 8]; shrd eax, edx, cl; sar edx, cl; ret 0xc
> 0x7c9031ca : mov edx, [esp + 8]; shrd eax, edx, cl; shr edx, cl; ret 0xc
> 0x7c969654 : mov ecx, [ecx + 0xc]; sub [eax + 0x5c], ecx; pop esi; pop ebp; ret 0xc
> 0x7c969543 : mov ecx, [ecx + 8]; sub [eax + 0x4c], ecx; pop esi; pop ebp; ret 0xc
> 0x7c973165 : mov ecx, [edx]; movzx eax, [ecx]; inc ecx; mov [edx], ecx; ret
> 0x7c963cc4 : mov ecx, [esi]; mov [eax], ecx; pop edi; pop esi; pop ebx; pop ebp; ret 8
> 0x7c965091 : mov ecx, [ebp + 0x10]; mov [ecx], eax; mov al, 1; pop ebp; ret 0xc
> 0x7c9641f9 : mov ecx, [ebp + 0x10]; mov [ecx], esi; pop esi; pop edi; pop ebp; ret 0xc
> 0x7c95e068 : mov ecx, [ebp + 0xc]; mov [ecx], al; mov al, 1; pop ebp; ret 8
> 0x7c92a1d2 : mov ecx, [ebp + 0xc]; mov [ecx], ax; xor eax, eax; pop ebp; ret 0xc
> 0x7c92a19a : mov ecx, [ebp + 0xc]; mov [ecx], eax; mov al, 1; pop ebp; ret 8
> 0x7c91c25f : mov ecx, [ebp + 0xffffffcc]; mov [eax + 0x24], ecx; xor ecx, ecx; ret
> 0x7c90330a : mov ecx, [esp + 4]; mov ecx, [ecx]; mov fs:[0], ecx; ret 4
> 0x7c96676d : mov edi, [ebp + 0xc]; push edi; call [esi + 0x3c]
> 0x7c96969e : mov ecx, [ebp + 0x10]; pop edi; pop esi; mov [ecx], ebx; pop ebx; pop ebp; ret 0xc
> 0x7c9188e5 : mov ecx, [ebp + 0x30]; mov [ecx], eax; xor eax, eax; pop ebx; pop ebp; ret 0x2c
> 0x7c912e1e : mov ecx, [ebp + 0xc]; mov [ecx], eax; mov al, 1; pop esi; pop ebp; ret 8
> 0x7c915174 : mov ecx, [ebp + 0xc]; mov [ecx], eax; xor eax, eax; pop esi; pop ebp; ret 8
> 0x7c918280 : mov ecx, [ebp + 8]; lea eax, [ecx + eax*4 + 8]; pop ebp; ret 8
> 0x7c9131d4 : mov ecx, [ebp + 8]; mov [ecx], eax; xor eax, eax; pop esi; pop ebp; ret 0xc
> 0x7c91e391 : mov ecx, [ebp + 8]; xor eax, eax; cmp [ecx], eax; sete al; pop ebp; ret 4
> 0x7c919b13 : mov edx, [eax]; mov [ecx + 4], edx; mov [eax], ecx; pop ebp; ret 4
> 0x7c910457 : mov eax, [eax + 0x30]; push [eax + 0x1c]; call [eax + 0x24]
> 0x7c9161fe : mov eax, [edx]; add [ebp + 0xfffdcc85], cl; call [eax + 0xffffff8d]
> 0x7c969897 : mov ecx, [ecx + 8]; add [eax + 0x6c], ecx; inc [eax + 0x68]; pop ebp; ret 8
> 0x7c92075a : mov ecx, [edi]; movzx eax, ax; mov [eax + ecx], 0; pop edi; pop esi; pop ebp; ret 0x14
> 0x7c920608 : mov ecx, [ebp + 0x10]; mov [ecx], eax; xor eax, eax; pop edi; pop esi; pop ebp; ret 0xc
> 0x7c963b70 : mov ecx, [ebp + 0xc]; mov [ecx], eax; mov [ecx + 4], edx; pop ebp; ret 8
> 0x7c95cfde : mov ecx, [ebp + 0xc]; mov [ecx], eax; xor eax, eax; pop esi; pop ebx; pop ebp; ret 0xc
> 0x7c9293b0 : mov ecx, [ebp + 8]; add eax, eax; mov [ecx], eax; xor eax, eax; pop ebp; ret 0xc
> 0x7c914f27 : mov ecx, [ebp + 8]; shr eax, 1; and [ecx + eax*2], 0; pop ebp; ret 8
> 0x7c9640b3 : mov ecx, [ebp + 8]; xor eax, eax; cmp [ecx + 0x18], eax; sete al; pop ebp; ret 4
> 0x7c90e46a : mov eax, [eax + 0x30]; mov eax, [eax + 0x2c]; call [eax + edx*4]
> 0x7c9618c0 : mov eax, [esi + 0x90]; push [eax + edi*4]; call [ebp + 8]
> 0x7c9718d2 : mov ebx, [ebp + 0xc]; push ebx; push [ebp + 8]; call [ebp + 0x18]
> 0x7c9206fa : mov ecx, [esi + 4]; shr eax, 1; and [ecx + eax*2], 0; pop esi; pop ebp; ret 8
> 0x7c92b14b : mov ecx, [ebp + 0x10]; mov [eax + 8], 1; mov [eax + 4], ecx; pop ebp; ret 0xc
> 0x7c9032a3 : mov ecx, [ebp + 0x18]; call ecx; mov esp, fs:[0]; pop fs:[0]; mov esp, ebp; pop ebp; ret 0x14
> 0x7c919aeb : mov ecx, [ebp + 8]; mov ecx, [ecx + 4]; mov [eax + 0xfb0], ecx; pop ebp; ret 4
> 0x7c9032d2 : mov edx, [esp + 0x10]; mov eax, [ecx + 8]; mov [edx], eax; mov eax, 2; ret 0x10
> 0x7c9032f9 : mov edx, [esp + 0x10]; mov eax, [ecx + 8]; mov [edx], eax; mov eax, 3; ret 0x10
> 0x7c91c25c : mov eax, [ebx + 0xc]; mov ecx, [ebp + 0xffffffcc]; mov [eax + 0x24], ecx; xor ecx, ecx; ret
> 0x7c90109e : mov eax, [ecx + 0x24]; mov [edx + 0xc], eax; mov [edx + 8], 1; xor eax, eax; ret 4
> 0x7c926a10 : mov eax, [ecx + eax*2]; movzx ecx, [ebp + 0xc]; movzx eax, ax; and eax, ecx; pop ebp; ret
> 0x7c964ea6 : mov eax, [ebp + 0x20]; push esi; mov [esi + 0x40], eax; call [ebp + 0x14]
> 0x7c91acf5 : mov ecx, [ebp + 0x10]; pop edi; mov [ecx], eax; mov [ecx + 4], edx; pop esi; pop ebp; ret 0xc
> 0x7c92adf2 : mov ecx, [ebp + 0x14]; mov [ecx], edx; and [eax + 8], 0; mov al, 1; pop ebp; ret 0x10
> 0x7c951c8a : mov ecx, [ebp + 0xc]; mov [ecx], eax; mov [ecx + 4], edx; mov eax, ecx; pop ebp; ret 8
> 0x7c902c48 : mov ecx, [esp + 0xc]; mov eax, [esp + 0x10]; shr ecx, 2; rep stosd es:[edi], eax; pop edi; ret 0xc
> 0x7c9695ae : mov edx, [ecx + 8]; sub [eax + 0x3c], edx; and [ecx + 0x24], 0; pop esi; pop ebp; ret 0xc
> 0x7c91bb91 : mov edx, [ecx]; mov ax, [ebp + 8]; mov [edx], ax; add [ecx], 2; pop ebp; ret
> 0x7c91bfcf : mov ecx, [esi + 8]; and [eax + 0x4c], 0; mov [eax + 0x44], ecx; pop edi; pop esi; pop ebp; ret 4
> 0x7c9183f1 : mov ecx, [ebp + 8]; mov [ecx], ax; mov eax, [ebp + 0xc]; sub eax, esi; pop esi; pop ebp; ret
> 0x7c902b0d : mov edx, [esp + 0xc]; mov eax, [edx]; mov edx, [edx + 4]; cmpxchg8b [ebp]; pop ebp; pop ebx; ret 4
> 0x7c91ec0b : mov esi, [ecx + 8]; mov [ecx + esi*4 + 0x10], edx; inc [ecx + 8]; pop esi; pop ebp; ret 0xc
> 0x7c924a86 : mov esi, [ebp + 8]; lea eax, [edi + 0x18]; push eax; push esi; call [esi + 0x1c]
> 0x7c918a84 : mov ecx, [ebp + 0x10]; mov [eax], ecx; mov ecx, [ebp + 0xc]; mov [eax + 4], ecx; pop ebp; ret 0xc
> 0x7c913156 : mov ecx, [ebp + 8]; mov [ecx], edx; mov eax, [eax + 4]; mov [ecx + 4], eax; pop ebp; ret 8
> 0x7c9536ae : mov edi, [eax]; lea ebx, [ebp + 0xfffffffc]; push ebx; push edx; push ecx; push eax; call [edi + 0x10]
> 0x7c9128be : mov eax, [ecx + 0x14]; sub eax, [ecx + 0xc]; add eax, [ebp + 0xc]; add eax, [ebp + 0x10]; pop ebp; ret 0xc
> 0x7c91a504 : mov ecx, [ecx + 0x10]; mov [ecx + 0x44], eax; and [eax + 4], 0; and [eax + 8], 0; pop ebp; ret 8
> 0x7c9214da : mov ecx, [ebp + 0x18]; mov [eax + 0x14], edx; mov [eax + 0x10], edx; mov [eax + 0x24], ecx; pop ebp; ret 0x14
> 0x7c9033e2 : mov ecx, [esp + 4]; mov [ecx], eax; mov eax, fs:[4]; mov ecx, [esp + 8]; mov [ecx], eax; ret 8
> 0x7c9032ce : mov ecx, [esp + 8]; mov edx, [esp + 0x10]; mov eax, [ecx + 8]; mov [edx], eax; mov eax, 2; ret 0x10
> 0x7c9032f5 : mov ecx, [esp + 8]; mov edx, [esp + 0x10]; mov eax, [ecx + 8]; mov [edx], eax; mov eax, 3; ret 0x10
> 0x7c96960f : mov edx, [ecx + 8]; add [eax + 0x2c], edx; mov ecx, [ecx + 0xc]; add [eax + 0x5c], ecx; pop ebp; ret 8
> 0x7c9158aa : mov ecx, [ebp + 0xc]; mov [eax + 0x24], edi; mov [eax + 0x2c], ecx; mov [eax + 0x30], 1; pop esi; pop ebp; ret 8
> 0x7c96964e : mov edx, [ecx + 8]; sub [eax + 0x2c], edx; mov ecx, [ecx + 0xc]; sub [eax + 0x5c], ecx; pop esi; pop ebp; ret 0xc
> 0x7c9641c4 : mov esi, [edi + 8]; lea eax, [esi + 0x10]; push eax; push [ebp + 0xc]; push edi; call [edi + 0x28]
> 0x7c966766 : mov esi, [ebp + 8]; push edi; push [ebp + 0x10]; mov edi, [ebp + 0xc]; push edi; call [esi + 0x3c]
> 0x7c902c44 : mov edi, [esp + 8]; mov ecx, [esp + 0xc]; mov eax, [esp + 0x10]; shr ecx, 2; rep stosd es:[edi], eax; pop edi; ret 0xc
> 0x7c90e9b9 : mov eax, [edi + ecx*4 + 8]; xor ebx, ebx; xor ecx, ecx; xor edx, edx; xor esi, esi; xor edi, edi; call eax
> 0x7c913154 : mov edx, [eax]; mov ecx, [ebp + 8]; mov [ecx], edx; mov eax, [eax + 4]; mov [ecx + 4], eax; pop ebp; ret 8
> 0x7c924a83 : mov edi, [ebp + 0x10]; mov esi, [ebp + 8]; lea eax, [edi + 0x18]; push eax; push esi; call [esi + 0x1c]
> 0x7c910425 : mov ecx, [eax + 0x20]; mov [ebp + 0xffffffe4], ecx; and [ebp + 0xfffffffc], 0; push [eax + 0x1c]; call [ebp + 0xffffffe4]
> 0x7c95cdcb : mov ecx, [ebp + 0x20]; mov [eax + 0x14], ecx; mov cl, [ebp + 0x18]; mov [eax + 0x19], 0; mov [eax + 0x18], cl; pop ebp; ret 0x1c
> 0x7c964ea0 : mov eax, [ebp + 0x1c]; mov [esi + 0x3c], eax; mov eax, [ebp + 0x20]; push esi; mov [esi + 0x40], eax; call [ebp + 0x14]
> 0x7c91041f : mov eax, [eax + 0x30]; mov [ebp + 0xffffffe0], eax; mov ecx, [eax + 0x20]; mov [ebp + 0xffffffe4], ecx; and [ebp + 0xfffffffc], 0; push [eax + 0x1c]; call [ebp + 0xffffffe4]
> 0x7c9018dc : mov edx, [ebp + 0xfffffff8]; leave ; ret
> 0x7c92abb7 : mov ecx, [ebp + 0x10]; mov [ecx], eax; leave ; ret 0xc
> 0x7c951c4d : mov ecx, [ebp + 0xffffff64]; mov [esi], ecx; pop esi; leave ; ret 8
> 0x7c91a4ab : mov edx, [eax]; mov [ecx], edx; pop edi; pop esi; leave ; ret 4
> 0x7c95d5e2 : mov ecx, [ebp + 0x2c]; mov [ecx], al; xor eax, eax; leave ; ret 0x28
> 0x7c952738 : mov ecx, [ebp + 0xc]; mov [ecx], eax; xor eax, eax; leave ; ret 8
> 0x7c919772 : mov ecx, [ebp + 8]; mov [ecx], eax; mov al, 1; leave ; ret 4
> 0x7c91a4a9 : mov eax, [ecx]; mov edx, [eax]; mov [ecx], edx; pop edi; pop esi; leave ; ret 4
> 0x7c932bc3 : mov ecx, [ebp + 0xfffffff4]; mov [eax], ecx; xor eax, eax; pop edi; pop ebx; leave ; ret 0x34
> 0x7c9711e1 : mov ecx, [ebp + 0xfffffff4]; mov [edx + 0xc], ecx; pop edi; pop esi; pop ebx; leave ; ret 8
> 0x7c954644 : mov ecx, [ebp + 0xfffffff4]; mov [eax + 0x2c], ecx; mov eax, [ebp + 8]; pop esi; pop ebx; leave ; ret 8
> 0x7c9536df : mov edx, [ebp + 0x1c]; mov [edx], eax; mov [edx + 4], ecx; xor eax, eax; pop esi; leave ; ret 0x18
> 0x7c92abaf : mov edx, [ebp + 0xc]; mov [edx], ecx; mov eax, [eax + 0x44]; mov ecx, [ebp + 0x10]; mov [ecx], eax; leave ; ret 0xc