Free Online ROP Gadgets Search

ropshell> use d7eef2c46a9880f21be01511024b53ab (download)
name         : MSCOMCTL.OCX (i386/PE)
base address : 0x27581000
total gadgets: 20271

ropshell> suggest "load mem"
> 0x275e5f1d : mov eax, [ecx + 0x20]; ret
> 0x2758cb77 : mov ecx, [eax]; call [ecx]; ret 8
> 0x2761a645 : movsx eax, [ebx + 0xb2]; pop ebx; ret 4
> 0x275aae6c : mov eax, [esi + 0x10]; pop esi; ret 4
> 0x275ce8de : mov eax, [ebp + 0x10]; pop ebp; ret 0xc
> 0x275cc8ea : mov eax, [ecx]; call [eax + 0x34]; ret 4
> 0x27592b97 : mov edx, [ecx]; call [edx + 0x84]; ret 8
> 0x275d03c7 : mov eax, [edi + 0x40]; pop edi; pop esi; ret
> 0x275d01d4 : mov ebx, [edi + 0x5e5fffff]; pop ebx; pop ebp; ret 8
> 0x275e5100 : mov eax, [edx]; xor eax, [edx + 4]; ret 8
> 0x275acbfc : mov eax, [esi]; call [eax]; pop edi; pop esi; ret 8
> 0x275a4559 : mov ecx, [esi]; mov [edx], ecx; pop esi; ret 8
> 0x275ca0d5 : mov ebx, [eax + 0x27]; mov eax, esi; pop esi; ret 0xc
> 0x275906f8 : mov eax, [ebx]; call [eax + 0x5c]
> 0x275ad371 : mov eax, [edi]; call [eax + 0x24]
> 0x2760878c : mov edx, [eax]; call [edx + 0x24]
> 0x27612b7b : movsx edi, [esi]; mov eax, edi; pop edi; pop esi; pop ebx; ret 8
> 0x275f0c8c : movzx ebx, [ebp + 0xc]; push edi; call esi
> 0x2761ccb4 : mov ecx, [ebp + 0x10]; mov [ecx], eax; pop ebp; ret 0xc
> 0x2759b329 : mov edx, [ebp + 8]; mov [ecx], dx; pop ebp; ret 8
> 0x275a61c0 : mov esi, [ebx + 0x24]; push eax; call edi
> 0x275ab428 : mov esi, [ebp + 8]; push esi; call edi
> 0x275ee54d : mov edi, [ebp + 8]; push edi; call esi
> 0x2759a1b5 : mov ecx, [ebx]; add eax, [eax]; xor eax, eax; pop esi; ret 8
> 0x275dce1d : mov ecx, [eax + 4]; mov [eax + 0xc], ecx; xor eax, eax; ret 4
> 0x275e512e : mov edx, [esi]; push eax; mov ecx, esi; call [edx + 8]
> 0x275a6f36 : mov esi, [eax]; add [ebp - 4], 4; push esi; push 0; call ebx
> 0x275f02ea : mov ecx, [esi + 0x14]; push 1; mov [ecx], ax; pop eax; pop edi; pop esi; ret 8
> 0x27614763 : mov edx, [eax + 4]; mov [eax], edx; mov [eax + 4], ecx; ret 4
> 0x2759aca3 : mov edi, [ebx + 0x14]; push eax; mov [ebp + 8], eax; call esi
> 0x275a9e1a : mov eax, [edx + 0x6a000001]; add dl, [ecx + 0x56]; call [eax + 0xc]
> 0x275d9810 : mov esi, [eax + 4]; push esi; push [eax + 8]; push ecx; call [edx + 0xc]; pop esi; ret
> 0x275ca6ca : mov edi, [eax + 0x20]; xor eax, eax; repe cmpsb [esi], es:[edi]; pop edi; pop esi; setne al; ret 8
> 0x275f82a1 : mov ecx, [edi]; mov eax, [esi]; mov [esi], ecx; mov [edi], eax; pop edi; pop esi; ret 0x10
> 0x275bf96b : mov ecx, [ebx + 0x14]; lea eax, [ebx + 0x14]; push eax; call [ecx + 0x28]
> 0x275c2cf2 : mov ecx, [edi + 0x14]; lea eax, [edi + 0x14]; push eax; call [ecx + 0x28]
> 0x275ba7b8 : mov edx, [esi + 0x64]; push edx; push eax; mov ecx, [eax]; call [ecx + 0x3c]
> 0x275d59b8 : mov edx, [ecx + 0x90]; mov ecx, [ecx + 0x94]; sub [eax], edx; sub [eax + 4], ecx; ret 4
> 0x27595c07 : mov edx, [edi + 0x58]; lea eax, [edi + 0x58]; push ecx; push eax; call [edx + 0x30]
> 0x275f81de : mov esi, [ecx + 4]; sub esi, edx; add esi, [ecx + 0xc]; mov [eax + 4], esi; pop esi; ret 8
> 0x275ae66a : mov edi, [ecx + eax]; add [edx + 2], ch; push ecx; push esi; call [eax + 0xc]
> 0x275ae6a5 : mov edi, [esi + 1]; add [eax], al; push 2; push ecx; push esi; call [eax + 0xc]