ropshell> use eafc3f67a1602eb1d35dde313578ab63
name         : ntdll.dll (x86_64/PE)
base address : 0x180001000
total gadgets: 6464
ropshell> suggest "load mem" > 0x180074aa0 : movzx eax, [rcx]; ret > 0x1800fccad : mov rax, [r10 + 0x38]; ret > 0x180071636 : mov eax, [rcx + 0x16b0]; ret > 0x1800fccae : mov eax, [rdx + 0x38]; ret > 0x1800dca40 : mov ecx, [rax]; add cl, ch; ret 0 > 0x180095606 : movzx ecx, [rdx]; sub eax, ecx; ret > 0x18007cd10 : mov rax, [rdx]; mov [rcx], rax; ret > 0x18009f288 : mov rcx, [r9]; mov [rcx], eax; ret > 0x18007cd11 : mov eax, [rdx]; mov [rcx], rax; ret > 0x1800a4280 : mov rax, [rcx + 8]; and al, 0xf0; ret > 0x18010deba : movzx eax, [r8]; mov [r10 + 0x20], ax; ret > 0x1800a5829 : mov rax, [r9 + 0x30]; call rax > 0x1800e063e : mov rbx, [r11 + 0x20]; mov rsp, r11; pop rbp; ret > 0x180030e5b : mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret > 0x18004c8f9 : mov rdi, [r11 + 0x18]; mov rsp, r11; pop rbp; ret > 0x1800861b2 : mov rbp, [r11 + 0x28]; mov rsp, r11; pop rdi; ret > 0x180029266 : mov r14, [r11 + 0x28]; mov rsp, r11; pop r15; ret > 0x1800de7b1 : mov r15, [r11 + 0x28]; mov rsp, r11; pop rbp; ret > 0x180030e5c : mov esi, [rbx + 0x18]; mov rsp, r11; pop rdi; ret > 0x18004c8fa : mov edi, [rbx + 0x18]; mov rsp, r11; pop rbp; ret > 0x1800861b3 : mov ebp, [rbx + 0x28]; mov rsp, r11; pop rdi; ret > 0x180028d3c : mov rax, [rdx + 0x38]; mov [rdx + 0x38], rcx; ret > 0x1800f601f : mov eax, [r9 + 0x194]; mov [rdx + 0x194], eax; ret > 0x1800f7511 : mov rcx, [r8]; mov [r11 + 0x4e8], rcx; mov eax, r10d; ret > 0x1800f9b6d : movzx eax, [rsi]; add [rbp + 3], dh; xor al, al; ret > 0x180080d89 : mov rcx, [rax + 0x48]; cmp [rip + 0xdf844], rcx; sete al; ret > 0x1800f29cd : mov rcx, [r10 + 0x18]; mov [r9], rcx; mov rax, r11; ret > 0x180056a32 : mov r12, [r11 + 0x38]; mov rsp, r11; pop r15; pop r14; pop r13; ret > 0x180082b74 : mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret > 0x1800a476f : mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret > 0x180080d8a : mov ecx, [rax + 0x48]; cmp [rip + 0xdf844], rcx; sete al; ret > 0x1800f29ce : mov ecx, [rdx + 0x18]; mov [r9], 
rcx; mov rax, r11; ret > 0x180082b75 : mov esi, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret > 0x1800a4770 : mov edi, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret > 0x1800fcc0e : movzx ecx, [r9]; add r8d, ecx; mov [rdx], r9; mov eax, r8d; ret > 0x1800a721c : mov rbp, [rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx > 0x1800a5883 : mov edx, [rax + 0x48]; mov [r9 + 0x48], r10d; mov eax, 3; ret > 0x1800a721d : mov ebp, [rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx > 0x1800fd6ca : mov eax, [r9]; mov rbx, [rsp + 8]; mov rdi, [rsp + 0x10]; ret > 0x1800a4237 : mov edx, [rcx]; mov rcx, [rcx + 8]; mov eax, 1; int 0x2d; int3 ; ret > 0x18002e91f : mov rax, [rbx + 0x20]; mov r8, [rip + 0x14e6d6]; call r8 > 0x18008c409 : mov rax, [r14 + 8]; mov r8, [rip + 0xf0bec]; call r8 > 0x180073759 : mov rcx, [rdi + 0x58]; mov r8, [rip + 0x10989c]; call r8 > 0x18002e920 : mov eax, [rbx + 0x20]; mov r8, [rip + 0x14e6d6]; call r8 > 0x18008c40a : mov eax, [rsi + 8]; mov r8, [rip + 0xf0bec]; call r8 > 0x18007375a : mov ecx, [rdi + 0x58]; mov r8, [rip + 0x10989c]; call r8 > 0x1800937d4 : mov rcx, [rdx + rcx]; bswap rax; bswap rcx; cmp rax, rcx; sbb eax, eax; sbb eax, -1; ret > 0x18007d163 : mov eax, [r10 + 0x98]; and [r10 + 0x64], 0; mov [r10 + 0x68], eax; ret > 0x180082b70 : mov rdi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret > 0x180079c4d : mov r8, [rdx + 8]; sub r8, [rcx + 0x18]; xor eax, eax; test r8, r8; sete al; ret > 0x1800a476b : mov r14, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret > 0x180085f4d : mov edx, [rbx + 4]; add [rax + 0x7ffe02d8], bh; mov eax, [rax]; add rsp, 0x28; ret > 0x1800a476c : mov esi, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret > 0x180082b71 : mov edi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret > 0x1800a7218 : mov rdx, [rcx + 0x50]; mov rbp, [rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx > 0x1800a7219 : mov edx, [rcx + 0x50]; mov rbp, 
[rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx > 0x18002e91b : mov rcx, [rbx + 0x28]; mov rax, [rbx + 0x20]; mov r8, [rip + 0x14e6d6]; call r8 > 0x18008c405 : mov rcx, [r14 + 0x10]; mov rax, [r14 + 8]; mov r8, [rip + 0xf0bec]; call r8 > 0x18002e91c : mov ecx, [rbx + 0x28]; mov rax, [rbx + 0x20]; mov r8, [rip + 0x14e6d6]; call r8 > 0x18008c406 : mov ecx, [rsi + 0x10]; mov rax, [r14 + 8]; mov r8, [rip + 0xf0bec]; call r8 > 0x18005ded5 : mov edx, [rsi + 0x10]; mov rcx, rbx; mov rax, r15; mov r10, [rip + 0x11f11b]; call r10 > 0x18005ded4 : mov edx, [r14 + 0x10]; mov rcx, rbx; mov rax, r15; mov r10, [rip + 0x11f11b]; call r10 > 0x180082b6c : mov rsi, [rbp + 0x38]; mov rdi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret > 0x1800a4767 : mov r13, [rcx + 0x20]; mov r14, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret > 0x1800a961f : mov rcx, [rbp + 0x28]; mov rax, [rcx + 8]; mov rax, [rax]; mov rdx, [rip + 0xd39cf]; call rdx > 0x1800a587a : mov r10, [rax + 0x40]; mov [r9 + 0x40], r10; mov r10d, [rax + 0x48]; mov [r9 + 0x48], r10d; mov eax, 3; ret > 0x1800a9620 : mov ecx, [rbp + 0x28]; mov rax, [rcx + 8]; mov rax, [rax]; mov rdx, [rip + 0xd39cf]; call rdx > 0x18007aefb : mov rcx, [rsi + 0xf0]; mov rdx, r14; mov rcx, [rcx + rbx*8]; mov rax, r15; mov r8, [rip + 0x1020ed]; call r8 > 0x18007374d : mov rax, [rdi + 0x18]; mov rdx, r12; mov rdi, [rsp + 0x28]; mov rcx, [rdi + 0x58]; mov r8, [rip + 0x10989c]; call r8 > 0x180082b68 : mov rbx, [rbp + 0x30]; mov rsi, [rbp + 0x38]; mov rdi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret > 0x1800a4763 : mov r12, [rcx + 0x18]; mov r13, [rcx + 0x20]; mov r14, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret > 0x18007374e : mov eax, [rdi + 0x18]; mov rdx, r12; mov rdi, [rsp + 0x28]; mov rcx, [rdi + 0x58]; mov r8, [rip + 0x10989c]; call r8 > 0x180082b69 : mov ebx, [rbp + 0x30]; mov rsi, [rbp + 0x38]; mov rdi, [rbp + 0x40]; mov r14, [rbp 
+ 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret > 0x1800a980e : mov rax, [rbp + 0x58]; lea rax, [rax + rax*4]; lea rcx, [rip + 0x70553]; mov rax, [rcx + rax*8 + 0x20]; mov rcx, [rip + 0xd37d7]; call rcx > 0x1800a980f : mov eax, [rbp + 0x58]; lea rax, [rax + rax*4]; lea rcx, [rip + 0x70553]; mov rax, [rcx + rax*8 + 0x20]; mov rcx, [rip + 0xd37d7]; call rcx