ropshell> use e404972bfa83d04ef4886ec87a98b96e (download)
name         : chal-1 (i386/RAW)
base address : 0x0
total gadgets: 4836
ropshell> suggest
call
> 0x0000a2a6 : call eax
> 0x0006ce52 : call esi
> 0x000034fc : call edi
> 0x000692d0 : call ebp
> 0x00068b30 : call esp
jmp
> 0x00003833 : push esp; ret
> 0x0005d87f : jmp eax
> 0x0006ecd9 : jmp edx
> 0x0007356b : jmp esp
> 0x00040d7c : jmp [eax]
load mem
> 0x0006ce06 : mov edi, [edx]; ret
> 0x00045df7 : mov ebx, [edi]; adc ebp, ebx; ret 1
> 0x00053b8b : mov eax, [edi + 0x60]; add [ecx - 0x14fcfce1], dl; ret
> 0x000049fb : mov ebp, [edi]; std ; call [edi]
> 0x000526a3 : mov ebx, [eax + ecx]; inc eax; stc ; aad 0xff; call [edi]
load reg
> 0x0000e3b8 : pop edx; ret
> 0x000338d4 : pop edi; ret
> 0x0000a66c : popal ; ret
> 0x0003b344 : pop eax; std ; call [edi]; ret
> 0x000292f5 : pop ebx; call [edi]
pop pop ret
> 0x000338d4 : pop edi; ret
> 0x0002dc8a : pop ds; pop eax; or al, 0; push ecx; test al, 0xff; call [edi]
stack pivoting
> 0x0001ccf7 : xchg eax, esp; ret
> 0x00049e9f : mov esp, edx; ret
> 0x00022b57 : mov esp, esp; ret
> 0x000047f0 : xchg esp, edi; call [edi]
> 0x0001e187 : mov esp, eax; add al, [eax]; stc ; mov ch, 0xff; call [edi]
write mem
> 0x0004d098 : add [ebx], ecx; ret 0x1a
> 0x0000a696 : add [eax + 0x60350013], edx; ret
> 0x00052980 : add [edi], eax; inc eax; stc ; ret
> 0x000060b0 : add [eax + 0x3fa942], ecx; add ch, bl; ret
> 0x0001d911 : adc [edi + 0x4000159a], ebx; stc ; jmp [edi]