ropshell> use a1f9191578ccf9869a952e47591e1708
name         : SystemSurvey.exe (i386/PE)
base address : 0x401000
total gadgets: 21654
ropshell> suggest "load mem"
> 0x00428b64 : mov eax, [edx]; ret
> 0x0040b7db : mov eax, [ecx]; cdq ; ret
> 0x004253ff : mov eax, [esi]; pop esi; ret
> 0x004db7a0 : mov eax, [ecx + 0x1c]; ret
> 0x00462f5e : mov edx, [eax]; push 1; call edx; ret
> 0x004bbfbc : mov eax, [edx + 8]; call eax; ret
> 0x005216b1 : mov eax, [esi + 0x44]; pop esi; ret
> 0x004bb4b1 : mov eax, [ebp + 8]; pop ebp; ret
> 0x00517362 : movzx ecx, [edx]; sub eax, ecx; pop ebp; ret
> 0x00447bb5 : mov eax, [edi + 0x30]; pop edi; pop esi; ret
> 0x004fe4ec : mov edx, [eax + 0x20]; jmp edx
> 0x0041bbd8 : mov edx, [ecx + 8]; push eax; call edx; ret
> 0x0051b9f9 : mov ebp, [ebx + 0x20]; jmp eax
> 0x004dd92c : mov eax, [ebx]; add [ebx + 0x5e5f04c4], al; ret
> 0x0048e74a : mov eax, [edi]; pop edi; pop esi; pop ebp; pop ebx; ret
> 0x0044525b : mov ecx, [eax]; push ecx; call ebx
> 0x004ab2d3 : mov ecx, [esi]; push eax; call ecx
> 0x004a835e : mov ecx, [edi]; push eax; call ecx
> 0x00424034 : mov edx, [ecx]; push edx; call esi
> 0x00498c17 : mov edx, [esi]; mov [edx + 0x8e94], eax; ret
> 0x004a9602 : mov ecx, [eax + 0x10]; call ecx
> 0x00422968 : mov ecx, [edx + 0x5c]; call ecx
> 0x0047dea0 : movzx edx, [edi]; push ebx; push edx; call ebp
> 0x0045053e : mov edi, [edx]; or al, 0; mov esp, ebp; pop ebp; ret
> 0x004a7262 : mov eax, [ebx + 0x30]; push esi; call eax
> 0x004a6843 : mov ecx, [esi + 0x10]; push ecx; call eax
> 0x0049f73f : mov ecx, [edi + 0x300]; push ecx; call eax
> 0x0048a7a4 : mov ecx, [ebp + 0x2c]; push ecx; call eax
> 0x004fe07c : mov edx, [ebx + 0xc]; push eax; call edx
> 0x00449010 : mov edx, [esi + 0x1c]; push edx; call eax
> 0x0044a059 : mov edx, [edi + 0x1c]; push edx; call eax
> 0x004292d3 : mov edx, [ebp + 8]; push edx; call eax
> 0x0044704e : mov edi, [ecx + 0x20]; push 0; call edx
> 0x0052374f : mov edi, [ebp + 8]; push edi; call esi
> 0x004ff054 : mov esi, [ebx]; push eax; mov ecx, edi; call edx
> 0x004bb198 : mov ebx, [ebp + 8]; mov ecx, edi; call edx
> 0x0048c11d : mov ecx, [ebx + 8]; push 0; push ecx; call eax
> 0x004f3756 : mov esi, [ebp + 0x14]; mov ecx, edi; call edx
> 0x0043e999 : mov edi, [esi + 4]; mov ecx, esi; call eax
> 0x00441192 : mov ecx, [ebx]; push ecx; push esi; mov ecx, eax; call edx
> 0x00446a53 : mov ebx, [esi + 0x28]; push edi; mov ecx, esi; call eax
> 0x004b2849 : mov ebx, [eax]; push eax; mov eax, [edx + 8]; call eax
> 0x0041b55d : mov edx, [ebx]; mov eax, [edx + 4]; push ebx; call eax
> 0x004ff22e : mov esi, [edi]; push eax; mov eax, [edx + 4]; call eax
> 0x004fa784 : mov esi, [edi + 0x24]; push ebx; mov [ebp - 0xc], ebx; call edx
> 0x004d629f : mov edi, [ecx]; sub eax, edx; push eax; mov eax, [edi + 8]; call eax
> 0x0048a65e : mov edi, [eax + 1]; add [eax], al; push esi; push 0; push ecx; call eax
> 0x0051ea89 : mov esi, [edx + esi]; mov ecx, [esi + ecx]; add ecx, edx; add eax, ecx; pop esi; pop ebp; ret
> 0x004fe418 : mov esi, [ecx]; mov edx, [esi]; mov eax, [edx + 8]; mov ecx, esi; call eax
> 0x004fda5a : mov edi, [eax]; mov eax, [esi]; mov edx, [eax + 0x44]; mov ecx, esi; call edx
> 0x0051be1d : mov esi, [eax + 8]; add ecx, [edx + esi]; pop esi; mov eax, [eax]; add eax, ecx; pop ebp; ret
> 0x004ff22b : mov edi, [ebx + 0x18]; mov esi, [edi]; push eax; mov eax, [edx + 4]; call eax
> 0x004a88c0 : mov ebx, [esi]; mov edx, [edx + 0x8ee8]; mov ecx, [ecx + 0x408]; push ebx; push edx; push ecx; call eax
> 0x004051ea : mov esi, [eax]; mov eax, [edi]; mov edx, [eax + 0x44]; mov ecx, edi; mov [ebp - 0xb4], esi; call edx
> 0x004ab2b4 : mov ebx, [edi + 8]; mov ecx, [edi + 4]; add ebx, [esi + 0xc]; mov edx, [esi + 8]; push ecx; push ebx; call edx
> 0x004ab3a1 : mov esi, [ebx + 0xc]; add esi, [edi + 8]; mov eax, [edi + 4]; mov ecx, [ebx + 8]; push eax; push esi; call ecx