ropshell> use d3a21f576bd28cf1ab5ef85f67746df5
name         : msctf_.dll (i386/PE)
base address : 0x10001000
total gadgets: 10164
ropshell> suggest
call
    > 0x10015441 : call eax
    > 0x10016c63 : call ebx
    > 0x1002ad03 : call ecx
    > 0x1001015a : call esi
    > 0x10016399 : call edi
jmp
    > 0x1008ad48 : push esp; ret
    > 0x10019031 : jmp eax
    > 0x1001f6bd : jmp ebx
    > 0x100e45fb : jmp edx
    > 0x100096e8 : jmp edi
load mem
    > 0x1004bf42 : mov eax, [ecx]; ret
    > 0x1004bf50 : mov eax, [edx]; ret
    > 0x10051c20 : mov eax, [esi]; pop esi; ret
    > 0x1004edc0 : mov eax, [ecx + 0x14]; ret
    > 0x1003d21a : mov eax, [esi + 0x10]; pop esi; ret
load reg
    > 0x1004523c : pop eax; ret
    > 0x10010021 : pop ebx; ret
    > 0x1000fdea : pop ecx; ret
    > 0x1006260e : pop edx; ret
    > 0x100109ec : pop esi; ret
pop pop ret
    > 0x1004523c : pop eax; ret
    > 0x10025408 : pop ebx; pop ebp; ret
    > 0x10055a1b : pop ebx; pop ecx; pop ebp; ret
    > 0x10025406 : pop edi; pop esi; pop ebx; pop ebp; ret
    > 0x1007e3a0 : pop edi; pop esi; pop ebx; pop ecx; pop ebp; ret 0x10
sp lifting
    > 0x100d9fb3 : add esp, 0xc; ret
stack pivoting
    > 0x1001897d : xchg eax, esp; ret
    > 0x1001079c : mov esp, ebp; pop ebp; ret
    > 0x10067316 : xchg esp, edi; call [ebx - 0x75]
    > 0x100a52cd : lea esp, [edi + edi*8 - 1]; call [eax + 0x6a]
    > 0x1002b138 : lea esp, [ebp + edi*8 - 1]; call [ecx + 0x68]
write mem
    > 0x1000fec8 : add [eax], edx; ret
    > 0x10072826 : add [ebx], eax; ret
    > 0x1003ead2 : add [ebx], edi; ret
    > 0x100615df : add [edx], edi; ret
    > 0x1002d5ba : add [edi], ecx; cwde ; ret