ropshell> use 0903490aa687f48220bcabd0f0e0285b
name         : binex_vuln_custom (x86_64/ELF)
base address : 0x6050
total gadgets: 4203
ropshell> suggest "load mem"
> 0x00036cb0 : mov rax, [rdi + 0x10]; ret
> 0x00035244 : mov rdx, [rdi + 0x28]; ret
> 0x00036cb1 : mov eax, [rdi + 0x10]; ret
> 0x00035245 : mov edx, [rdi + 0x28]; ret
> 0x00009330 : mov rax, [rdi]; add [rax + 8], 1; ret
> 0x00009331 : mov eax, [rdi]; add [rax + 8], 1; ret
> 0x000176da : mov rdx, [rax + 0x10]; call rbp
> 0x0001cb4a : mov rdi, [rbx + r13]; call rax
> 0x000176db : mov edx, [rax + 0x10]; call rbp
> 0x0001cb4b : mov edi, [rbx + rbp]; call rax
> 0x000204f6 : mov ebx, [rax]; mov edi, ebx; call r13
> 0x00019326 : mov ebp, [rax]; mov edi, ebp; call r14
> 0x00013dd8 : mov eax, [rbx]; add [rdi], cl; or ecx, [rax - 0x77]; ret
> 0x00038718 : mov rax, [rbx + 0x28]; call [rax + 0x18]
> 0x00009b60 : mov rax, [rdx + 8]; call [rax]
> 0x00029ee2 : mov rax, [rsi + 0x28]; call [rax + 0x28]
> 0x0003736f : mov rax, [rbp + 0x28]; call [rax + 0x18]
> 0x00037574 : mov rax, [r12 + 0x28]; call [rax + 0x18]
> 0x00022efb : mov rax, [r14 + 8]; call [rax]
> 0x00009abb : mov rax, [r15 + 8]; call [rax]
> 0x00038719 : mov eax, [rbx + 0x28]; call [rax + 0x18]
> 0x00009b61 : mov eax, [rdx + 8]; call [rax]
> 0x00029ee3 : mov eax, [rsi + 0x28]; call [rax + 0x28]
> 0x00037370 : mov eax, [rbp + 0x28]; call [rax + 0x18]
> 0x000176d7 : mov rdi, [rbx]; mov rdx, [rax + 0x10]; call rbp
> 0x000176d8 : mov edi, [rbx]; mov rdx, [rax + 0x10]; call rbp
> 0x00029f77 : mov rcx, [rdi + 8]; mov rdi, rax; call [rcx + 0x18]
> 0x00029f78 : mov ecx, [rdi + 8]; mov rdi, rax; call [rcx + 0x18]
> 0x00037cf5 : mov rsi, [rax]; mov rdx, [rax + 8]; call [rcx + 0x18]
> 0x00009b5d : mov rdi, [rdx]; mov rax, [rdx + 8]; call [rax]
> 0x00018f73 : mov rdi, [rbp]; mov rax, [rbp + 8]; call [rax]
> 0x000193b3 : mov rdi, [r12]; mov rax, [r12 + 8]; call [rax]
> 0x00022ef8 : mov rdi, [r14]; mov rax, [r14 + 8]; call [rax]
> 0x00009ab8 : mov rdi, [r15]; mov rax, [r15 + 8]; call [rax]
> 0x00019eab : movzx ecx, [rdx]; movsxd rax, [r13 + rcx*4]; add rax, r13; jmp rax
> 0x00019eaa : movzx ecx, [r10]; movsxd rax, [r13 + rcx*4]; add rax, r13; jmp rax
> 0x00037cf6 : mov esi, [rax]; mov rdx, [rax + 8]; call [rcx + 0x18]
> 0x00009b5e : mov edi, [rdx]; mov rax, [rdx + 8]; call [rax]
> 0x00022ef9 : mov edi, [rsi]; mov rax, [r14 + 8]; call [rax]
> 0x00018f74 : mov edi, [rbp]; mov rax, [rbp + 8]; call [rax]
> 0x00029a43 : mov rdi, [rax]; mov rax, [rax + 8]; mov rax, [rax + 0x18]; jmp rax
> 0x00029a44 : mov edi, [rax]; mov rax, [rax + 8]; mov rax, [rax + 0x18]; jmp rax
> 0x00038e95 : mov rcx, [rsi + 0x28]; mov rcx, [rcx + 0x20]; mov esi, eax; pop rax; jmp rcx
> 0x00029ede : mov rdi, [rsi + 0x20]; mov rax, [rsi + 0x28]; call [rax + 0x28]
> 0x0003736b : mov rdi, [rbp + 0x20]; mov rax, [rbp + 0x28]; call [rax + 0x18]
> 0x0003756f : mov rdi, [r12 + 0x20]; mov rax, [r12 + 0x28]; call [rax + 0x18]
> 0x00038e96 : mov ecx, [rsi + 0x28]; mov rcx, [rcx + 0x20]; mov esi, eax; pop rax; jmp rcx
> 0x00029edf : mov edi, [rsi + 0x20]; mov rax, [rsi + 0x28]; call [rax + 0x28]
> 0x0003736c : mov edi, [rbp + 0x20]; mov rax, [rbp + 0x28]; call [rax + 0x18]
> 0x00036d26 : mov r13, [r15]; mov rax, [r15 + 8]; mov rdi, r13; call [rax + 0x18]
> 0x00031976 : movsx eax, [rdx]; add [rax], al; add [rcx + rcx*4 - 0x19], cl; call r13
> 0x00036d27 : mov ebp, [rdi]; mov rax, [r15 + 8]; mov rdi, r13; call [rax + 0x18]
> 0x000381b5 : mov rax, [r13 + 0x28]; mov rsi, [rsp + 0x10]; mov rdx, r15; call [rax + 0x18]
> 0x0001dedb : mov r13, [rdx + 0x48]; lea r14, [rsp + 0x40]; mov rdi, r15; mov rsi, r14; call r13
> 0x0001dedc : mov ebp, [rdx + 0x48]; lea r14, [rsp + 0x40]; mov rdi, r15; mov rsi, r14; call r13
> 0x0001aef0 : mov rax, [rsi]; lea rcx, [rip + 0x21f22]; movsxd rax, [rcx + rax*4]; add rax, rcx; jmp rax
> 0x00029d18 : mov rbx, [rdi]; mov rdi, [rbx + 0x40]; mov rax, [rbx + 0x48]; call [rax]
> 0x00021cd2 : mov rdi, [rsi]; mov rax, [rsi + 8]; lea rsi, [rsp + 8]; call [rax + 0x20]
> 0x0001aef1 : mov eax, [rsi]; lea rcx, [rip + 0x21f22]; movsxd rax, [rcx + rax*4]; add rax, rcx; jmp rax
> 0x00029d19 : mov ebx, [rdi]; mov rdi, [rbx + 0x40]; mov rax, [rbx + 0x48]; call [rax]
> 0x0001a52e : movzx edx, [rcx]; lea rsi, [rip + 0x228cc]; movsxd rdx, [rsi + rdx*4]; add rdx, rsi; jmp rdx
> 0x000099ae : mov rbx, [rdi + 0x10]; mov rdi, [rbx]; mov rax, [rbx + 8]; call [rax]
> 0x000193af : mov r12, [rbx + 0x10]; mov rdi, [r12]; mov rax, [r12 + 8]; call [rax]
> 0x00009ab4 : mov r15, [rbx + 0x10]; mov rdi, [r15]; mov rax, [r15 + 8]; call [rax]
> 0x000099af : mov ebx, [rdi + 0x10]; mov rdi, [rbx]; mov rax, [rbx + 8]; call [rax]
> 0x00019af3 : movzx edx, [rax]; mov edi, 6; lea rcx, [rip + 0x23272]; movsxd rdx, [rcx + rdx*4]; add rdx, rcx; jmp rdx
> 0x0001a260 : movzx edx, [r12]; mov ecx, 6; lea rsi, [rip + 0x22b7b]; movsxd rdx, [rsi + rdx*4]; add rdx, rsi; jmp rdx
> 0x00019bdd : movzx esi, [rdx]; mov ecx, 6; lea rdi, [rip + 0x231a0]; movsxd rsi, [rdi + rsi*4]; add rsi, rdi; jmp rsi
> 0x00019fe7 : mov rsi, [rbx + 8]; mov edi, 6; lea rax, [rip + 0x22dc5]; movsxd rdx, [rax + rcx*4]; add rdx, rax; jmp rdx
> 0x0003adcb : mov rdi, [rax + 0x20]; mov rax, [rax + 0x28]; lea rsi, [rip + 0x54d5]; mov edx, 1; call [rax + 0x18]
> 0x000381b1 : mov rdi, [r13 + 0x20]; mov rax, [r13 + 0x28]; mov rsi, [rsp + 0x10]; mov rdx, r15; call [rax + 0x18]
> 0x0003ac2d : mov rdi, [r14 + 0x20]; mov rax, [r14 + 0x28]; lea rsi, [rip + 0x567a]; mov edx, 1; call [rax + 0x18]
> 0x00019fe8 : mov esi, [rbx + 8]; mov edi, 6; lea rax, [rip + 0x22dc5]; movsxd rdx, [rax + rcx*4]; add rdx, rax; jmp rdx
> 0x0003adcc : mov edi, [rax + 0x20]; mov rax, [rax + 0x28]; lea rsi, [rip + 0x54d5]; mov edx, 1; call [rax + 0x18]
> 0x0002a2a9 : mov ebp, [rbx]; add al, [rax]; mov rbp, [rsp + 0x38]; mov rdi, rbp; xor esi, esi; mov rdx, [rsp + 0x30]; call rbx
> 0x00037699 : mov rax, [rbx]; mov rdi, [rax + 0x20]; mov rax, [rax + 0x28]; lea rsi, [rip + 0x8c0b]; mov edx, 1; call [rax + 0x18]
> 0x0001eec7 : mov rsi, [r14]; lea rdx, [rsp + 8]; mov [rsp + 8], rbx; movaps xmm0, xmm[rsp + 0x100]; movups xmm[rsp + 0x10], xmm0; mov [rsp], rsi; call [rax + 0x20]