ropshell> use cec1138c17426f9cbc55a984f3f57397
name         : rop_me_baby.exe (x86_64/PE)
base address : 0x401000
total gadgets: 8472
ropshell> suggest "load mem"
> 0x0040c6d0 : mov rax, [rcx]; ret
> 0x00418d20 : mov rax, [rdx]; ret
> 0x00418d1b : mov rax, [r10]; ret
> 0x0040c6d1 : mov eax, [rcx]; ret
> 0x00418d1c : mov eax, [rdx]; ret
> 0x00424ff0 : mov rax, [rcx + 0x10]; ret
> 0x00424ff1 : mov eax, [rcx + 0x10]; ret
> 0x0048df18 : mov rax, [rbp + 0x10]; pop rbp; ret
> 0x0048df19 : mov eax, [rbp + 0x10]; pop rbp; ret
> 0x0046e8f7 : mov eax, [rbx]; add [rax - 0x77], cl; ret
> 0x0040bfd0 : mov ecx, [rbx]; call rbp
> 0x0046ce32 : mov ebp, [rax]; call rsi
> 0x00429dc4 : mov rdx, [rcx]; lea rax, [rdx + rax - 1]; ret
> 0x00429dc5 : mov edx, [rcx]; lea rax, [rdx + rax - 1]; ret
> 0x0040b989 : mov rcx, [rax + 8]; call r12
> 0x00417cde : mov rcx, [rbx + 0xa8]; call rsi
> 0x004198ee : mov rcx, [rdi + 8]; call rax
> 0x0040b98a : mov ecx, [rax + 8]; call r12
> 0x00417cdf : mov ecx, [rbx + 0xa8]; call rsi
> 0x004198ef : mov ecx, [rdi + 8]; call rax
> 0x0047a3e1 : mov esi, [rbx + rax]; add [rax - 0x77], cl; ret
> 0x00433329 : mov rax, [rbx]; call [rax + 0x30]
> 0x0045567a : mov rax, [rsi]; call [rax + 0x10]
> 0x00470ae4 : mov rax, [rdi]; call [rax + 0x18]
> 0x0042f83f : mov rax, [r12]; call [rax + 0x10]
> 0x00459c42 : mov rax, [r14]; call [rax + 0x50]
> 0x0040c8b1 : mov r8, [rdi]; call [rdi + 0x10]
> 0x00436dce : mov r9, [rcx]; call [r9 + 0x10]
> 0x00439cb0 : mov r9, [rbp]; call [rax + 0x58]
> 0x0045567b : mov eax, [rsi]; call [rax + 0x10]
> 0x00470ae5 : mov eax, [rdi]; call [rax + 0x18]
> 0x00439cb1 : mov ecx, [rbp]; call [rax + 0x58]
> 0x00459a74 : movzx edx, [rbx]; call [rax + 0x60]
> 0x004333c0 : movzx edx, [rsi]; call [rax + 0x60]
> 0x004834ac : movzx edx, [rbp]; mov rcx, rsi; call rax
> 0x00483ea1 : movzx edx, [r12]; mov rcx, rdi; call rax
> 0x00417b51 : mov ebp, [rbx]; mov rcx, rsi; call rbp
> 0x0041a080 : mov rdx, [rax + 0x1d8]; mov rax, rdx; add rsp, 0x28; ret
> 0x0040c5db : mov eax, [rdx + 0xc]; add rax, r11; add rsp, 0x28; ret
> 0x0041a081 : mov edx, [rax + 0x1d8]; mov rax, rdx; add rsp, 0x28; ret
> 0x0040bfe2 : mov rax, [rbx + 8]; mov rcx, rsi; call rax
> 0x0040bfe3 : mov eax, [rbx + 8]; mov rcx, rsi; call rax
> 0x00459a90 : movzx edx, [rbx + 2]; call [rax + 0x60]
> 0x004333e9 : movzx edx, [rsi + 2]; call [rax + 0x60]
> 0x00430880 : mov rax, [rbp]; mov rcx, rbp; call [rax + 0x48]
> 0x0042fb4e : mov rax, [r13]; mov rcx, r13; call [rax + 0x48]
> 0x0042d690 : mov rax, [r15]; mov rcx, r15; call [rax + 0x10]
> 0x0041e94e : mov rdx, [rax]; mov rcx, rax; call [rdx + 0x10]
> 0x0040c670 : mov r8, [rax]; mov edx, 0x1a; call [rax + 0x10]
> 0x0042fb4f : mov eax, [rbp]; mov rcx, r13; call [rax + 0x48]
> 0x0041e94f : mov edx, [rax]; mov rcx, rax; call [rdx + 0x10]
> 0x0040c724 : mov rax, [rdx + 0x10]; mov eax, [rax]; add rax, [rdx + 8]; ret
> 0x004198ea : mov rdi, [rbp + 0x28]; mov rcx, [rdi + 8]; call rax
> 0x004198eb : mov edi, [rbp + 0x28]; mov rcx, [rdi + 8]; call rax
> 0x0047b662 : mov rax, [r8]; movzx edx, si; mov rcx, r8; call [rax + 0x58]
> 0x0045d34a : mov r9, [rdi]; lea r8, [rdx + rsi]; call [rax + 0x58]
> 0x0043a024 : movzx eax, [r12]; movsxd rax, [r13 + rax*4]; add rax, r13; jmp rax
> 0x0045d34b : mov ecx, [rdi]; lea r8, [rdx + rsi]; call [rax + 0x58]
> 0x00431ab8 : movzx edx, [r13]; lea rdi, [r12 + 1]; call [rax + 0x60]
> 0x0042ab50 : mov rdx, [rcx + 8]; mov rax, [rcx]; lea rax, [rax + rdx*2 - 2]; ret
> 0x0048dfc7 : mov r8, [rcx + 8]; mov [rcx + 8], rax; mov [rdx + 8], r8; ret
> 0x0042a150 : mov r8, [rdx + 8]; add r8, [rdx]; mov rax, rcx; mov [rcx], r8; ret
> 0x004739f4 : mov ebx, [rax + 0x48000000]; mov eax, [rcx]; call [rax + 0x28]
> 0x0042ab51 : mov edx, [rcx + 8]; mov rax, [rcx]; lea rax, [rax + rdx*2 - 2]; ret
> 0x0047244c : mov r8, [rbx + 0xa0]; mov [rsp + 0x20], rax; call [r10 + 0x38]
> 0x00472de0 : mov r9, [rbx + 0xb0]; mov [rsp + 0x20], rax; call [r10 + 0x38]
> 0x00472de2 : mov esi, [rax + 0x48000000]; mov [rsp + 0x20], eax; call [r10 + 0x38]
> 0x00432533 : mov r9, [rbx]; mov edx, 1; mov rcx, rbx; movzx r8d, ax; call [r9 + 0x10]
> 0x00465fea : mov r10, [rax]; mov rdx, rax; mov [rsp + 0x20], 0x10; call [r10 + 0x20]
> 0x00475cb8 : mov rcx, [rsi + 0x98]; mov rdi, rax; mov rax, [rcx]; call [rax + 0x40]
> 0x00475cb9 : mov ecx, [rsi + 0x98]; mov rdi, rax; mov rax, [rcx]; call [rax + 0x40]
> 0x0042aef3 : mov rcx, [rdx + 8]; mov rdx, [rdx]; lea rdx, [rdx + rcx*2]; mov [rax], rdx; ret
> 0x0042aef4 : mov ecx, [rdx + 8]; mov rdx, [rdx]; lea rdx, [rdx + rcx*2]; mov [rax], rdx; ret
> 0x00472449 : mov r10, [rcx]; mov r8, [rbx + 0xa0]; mov [rsp + 0x20], rax; call [r10 + 0x38]
> 0x004a6e3b : mov rcx, [r8 + 0xe8]; mov rdx, r15; mov r8, r12; mov rax, [rcx]; call [rax + 0x60]
> 0x00439e14 : mov r10, [rbp]; lea r9, [r13 + rax*2]; mov r8, r13; mov rcx, rbp; mov edx, 8; call [r10 + 0x28]
> 0x0045ea7f : mov r10, [r12]; mov rcx, r12; mov r8, r13; mov edx, 8; lea r9, [r13 + rax*2]; call [r10 + 0x28]
> 0x00475133 : mov rdi, [rbx + 0xa0]; mov r10, [rcx]; mov r9, [rbx + 0xb0]; sar rax, 1; mov r8, rdi; mov [rsp + 0x20], rax; call [r10 + 0x38]
> 0x00475134 : mov edi, [rbx + 0xa0]; mov r10, [rcx]; mov r9, [rbx + 0xb0]; sar rax, 1; mov r8, rdi; mov [rsp + 0x20], rax; call [r10 + 0x38]
> 0x0041ef35 : mov r8, [rax + r8]; add r8, rbp; mov rcx, [r14 + r15 + 8]; mov r9, [rsp + 0x20]; mov rdx, [rsp + 0xa8]; mov rax, [rcx]; call [rax + 0x30]