ropshell> use bd60b877337f77c49cbfe4f60b6dda94
name         : win32kbase.sys (x86_64/PE)
base address : 0x1c0001000
total gadgets: 9933
ropshell> suggest
call
    > 0x1c000f795 : call rax
    > 0x1c0160c4e : call rbx
    > 0x1c0009e47 : call rcx
    > 0x1c019f89d : call rsi
    > 0x1c00ff7ae : call rbp
jmp
    > 0x1c001ac78 : push rsp; ret
    > 0x1c0067f14 : jmp rax
    > 0x1c00b0605 : jmp rbx
    > 0x1c004f3d2 : jmp rcx
    > 0x1c01ce0c5 : jmp rsi
load mem
    > 0x1c004598c : mov rax, [rcx + 0x10]; ret
    > 0x1c004598d : mov eax, [rcx + 0x10]; ret
    > 0x1c01918a0 : mov eax, [rdx + 0x1c]; ret
    > 0x1c00959ad : mov rdx, [rax]; mov rax, rdx; ret
    > 0x1c01422bc : mov rdx, [r9]; mov rax, rdx; ret
load reg
    > 0x1c0043752 : pop rax; ret
    > 0x1c0001dcc : pop rbx; ret
    > 0x1c0073cb3 : pop rcx; ret
    > 0x1c01bc902 : pop rdx; ret
    > 0x1c0001534 : pop rsi; ret
pop pop ret
    > 0x1c00044d5 : pop r12; ret
    > 0x1c000a3f9 : pop r12; pop rbp; ret
    > 0x1c0002596 : pop r12; pop rdi; pop rbp; ret
    > 0x1c0001a99 : pop r12; pop rdi; pop rsi; pop rbp; ret
    > 0x1c0018077 : pop r12; pop rdi; pop rsi; pop rbp; pop rbx; ret
sp lifting
    > 0x1c01ae941 : add rsp, 0x108; ret
    > 0x1c01ae941 : add rsp, 0x108; ret
    > 0x1c00d197e : add rsp, 0x238; ret
    > 0x1c0005725 : add rsp, 0x38; ret
    > 0x1c0001551 : add rsp, 0x48; ret
stack pivoting
    > 0x1c0001db7 : xchg eax, esp; ret
    > 0x1c0008542 : mov rsp, r11; pop r14; ret
    > 0x1c0008543 : mov esp, ebx; pop r14; ret
    > 0x1c00c53bc : xchg ebp, esp; fild [rax + rax]; add rsp, 0x28; ret
    > 0x1c01f48bd : push rcx; pop rsp; bts [rcx + 0x10], 7; mov [r9], 1; ret
syscall
    > 0x1c0151fb2 : syscall ; std ; call [rip + 0x124ccc]; nop [rax + rax]; add rsp, 0x28; ret
write mem
    > 0x1c01af44a : adc [rbx], edi; ret
    > 0x1c000472a : add [rcx], eax; ret
    > 0x1c0142a13 : adc [rdx], eax; ret
    > 0x1c01aca5e : adc [rax + 0x14], ecx; ret
    > 0x1c0087eae : add [rax + 1], edi; ret