ropshell> use 09b4f7d234859cf6dd55bd4a4275d152
name         : binex_vuln_custom (x86_64/ELF)
base address : 0x6050
total gadgets: 4134
ropshell> suggest "load mem"
> 0x000385c0 : mov rax, [rdi + 0x10]; ret
> 0x00036b04 : mov rdx, [rdi + 0x28]; ret
> 0x000385c1 : mov eax, [rdi + 0x10]; ret
> 0x00036b05 : mov edx, [rdi + 0x28]; ret
> 0x000385b0 : mov rax, [rdi]; mov rdx, [rdi + 8]; ret
> 0x000385b1 : mov eax, [rdi]; mov rdx, [rdi + 8]; ret
> 0x0001e34a : mov rdi, [rbx + r13]; call rax
> 0x0001e34b : mov edi, [rbx + rbp]; call rax
> 0x0003a028 : mov rax, [rbx + 0x28]; call [rax + 0x18]
> 0x0002b802 : mov rax, [rsi + 0x28]; call [rax + 0x28]
> 0x00038c7f : mov rax, [rbp + 0x28]; call [rax + 0x18]
> 0x00038e84 : mov rax, [r12 + 0x28]; call [rax + 0x18]
> 0x00039608 : mov rdx, [rax + 8]; call [rcx + 0x18]
> 0x0003a029 : mov eax, [rbx + 0x28]; call [rax + 0x18]
> 0x0002b803 : mov eax, [rsi + 0x28]; call [rax + 0x28]
> 0x00038c80 : mov eax, [rbp + 0x28]; call [rax + 0x18]
> 0x00039609 : mov edx, [rax + 8]; call [rcx + 0x18]
> 0x00038639 : mov rax, [r15 + 8]; mov rdi, r13; call [rax + 0x18]
> 0x0002b897 : mov rcx, [rdi + 8]; mov rdi, rax; call [rcx + 0x18]
> 0x0002b898 : mov ecx, [rdi + 8]; mov rdi, rax; call [rcx + 0x18]
> 0x0000837f : mov rcx, [rax]; movsxd rcx, [r13 + rcx*4]; add rcx, r13; jmp rcx
> 0x00039605 : mov rsi, [rax]; mov rdx, [rax + 8]; call [rcx + 0x18]
> 0x00007c21 : mov rdi, [rbx]; mov rax, [rbx + 8]; call [rax]
> 0x0001caf6 : mov rdi, [rbp]; mov rax, [rbp + 8]; call [rax]
> 0x00008380 : mov ecx, [rax]; movsxd rcx, [r13 + rcx*4]; add rcx, r13; jmp rcx
> 0x0001aafb : movzx ecx, [rdx]; movsxd rax, [r13 + rcx*4]; add rax, r13; jmp rax
> 0x0001aafa : movzx ecx, [r10]; movsxd rax, [r13 + rcx*4]; add rax, r13; jmp rax
> 0x00039606 : mov esi, [rax]; mov rdx, [rax + 8]; call [rcx + 0x18]
> 0x00007c22 : mov edi, [rbx]; mov rax, [rbx + 8]; call [rax]
> 0x0001caf7 : mov edi, [rbp]; mov rax, [rbp + 8]; call [rax]
> 0x0002b343 : mov rdi, [rax]; mov rax, [rax + 8]; mov rax, [rax + 0x18]; jmp rax
> 0x0002b344 : mov edi, [rax]; mov rax, [rax + 8]; mov rax, [rax + 0x18]; jmp rax
> 0x0003a7a5 : mov rcx, [rsi + 0x28]; mov rcx, [rcx + 0x20]; mov esi, eax; pop rax; jmp rcx
> 0x0002b7fe : mov rdi, [rsi + 0x20]; mov rax, [rsi + 0x28]; call [rax + 0x28]
> 0x00038c7b : mov rdi, [rbp + 0x20]; mov rax, [rbp + 0x28]; call [rax + 0x18]
> 0x00038e7f : mov rdi, [r12 + 0x20]; mov rax, [r12 + 0x28]; call [rax + 0x18]
> 0x0003a7a6 : mov ecx, [rsi + 0x28]; mov rcx, [rcx + 0x20]; mov esi, eax; pop rax; jmp rcx
> 0x0002b7ff : mov edi, [rsi + 0x20]; mov rax, [rsi + 0x28]; call [rax + 0x28]
> 0x00038c7c : mov edi, [rbp + 0x20]; mov rax, [rbp + 0x28]; call [rax + 0x18]
> 0x00038636 : mov r13, [r15]; mov rax, [r15 + 8]; mov rdi, r13; call [rax + 0x18]
> 0x00032ffb : movsx eax, [rbx]; add [rax], al; add [rcx + rcx*4 - 1], cl; call r13
> 0x00033236 : movsx eax, [rdx]; add [rax], al; add [rcx + rcx*4 - 0x19], cl; call r13
> 0x00038637 : mov ebp, [rdi]; mov rax, [r15 + 8]; mov rdi, r13; call [rax + 0x18]
> 0x00039ac5 : mov rax, [r13 + 0x28]; mov rsi, [rsp + 0x10]; mov rdx, r15; call [rax + 0x18]
> 0x0003c551 : mov rax, [r14 + 0x28]; lea rsi, [rip + 0x4e5a]; mov edx, 1; call [rax + 0x18]
> 0x0001f059 : mov r12, [rdx + 0x48]; lea r14, [rsp + 0x48]; mov rdi, r15; mov rsi, r14; call r12
> 0x0001b9c0 : mov rax, [rsi]; lea rcx, [rip + 0x224f2]; movsxd rax, [rcx + rax*4]; add rax, rcx; jmp rax
> 0x0002b618 : mov rbx, [rdi]; mov rdi, [rbx + 0x40]; mov rax, [rbx + 0x48]; call [rax]
> 0x00017eb1 : mov rsi, [r14]; add rsi, rbx; cmp rbp, r12; mov rdx, r12; cmovb rdx, rbp; mov edi, 1; call r15
> 0x00022f02 : mov rdi, [rsi]; mov rax, [rsi + 8]; lea rsi, [rsp + 8]; call [rax + 0x20]
> 0x0001b9c1 : mov eax, [rsi]; lea rcx, [rip + 0x224f2]; movsxd rax, [rcx + rax*4]; add rax, rcx; jmp rax
> 0x0002b619 : mov ebx, [rdi]; mov rdi, [rbx + 0x40]; mov rax, [rbx + 0x48]; call [rax]
> 0x0001b17e : movzx edx, [rcx]; lea rsi, [rip + 0x22d1c]; movsxd rdx, [rsi + rdx*4]; add rdx, rsi; jmp rdx
> 0x00022f03 : mov edi, [rsi]; mov rax, [rsi + 8]; lea rsi, [rsp + 8]; call [rax + 0x20]
> 0x00007c1d : mov rbx, [rdi + 8]; mov rdi, [rbx]; mov rax, [rbx + 8]; call [rax]
> 0x00007c1e : mov ebx, [rdi + 8]; mov rdi, [rbx]; mov rax, [rbx + 8]; call [rax]
> 0x00008164 : mov rax, [r12]; lea r13, [rip + 0x34ed1]; movsxd rcx, [r13 + rax*4]; add rcx, r13; mov rax, r12; jmp rcx
> 0x0001a743 : movzx edx, [rax]; mov edi, 6; lea rcx, [rip + 0x236c2]; movsxd rdx, [rcx + rdx*4]; add rdx, rcx; jmp rdx
> 0x0001aeb0 : movzx edx, [r12]; mov ecx, 6; lea rsi, [rip + 0x22fcb]; movsxd rdx, [rsi + rdx*4]; add rdx, rsi; jmp rdx
> 0x0001a82d : movzx esi, [rdx]; mov ecx, 6; lea rdi, [rip + 0x235f0]; movsxd rsi, [rdi + rsi*4]; add rsi, rdi; jmp rsi
> 0x0001ac37 : mov rsi, [rbx + 8]; mov edi, 6; lea rax, [rip + 0x23215]; movsxd rdx, [rax + rcx*4]; add rdx, rax; jmp rdx
> 0x0003c79b : mov rdi, [rax + 0x20]; mov rax, [rax + 0x28]; lea rsi, [rip + 0x4c05]; mov edx, 1; call [rax + 0x18]
> 0x00039ac1 : mov rdi, [r13 + 0x20]; mov rax, [r13 + 0x28]; mov rsi, [rsp + 0x10]; mov rdx, r15; call [rax + 0x18]
> 0x0003c54d : mov rdi, [r14 + 0x20]; mov rax, [r14 + 0x28]; lea rsi, [rip + 0x4e5a]; mov edx, 1; call [rax + 0x18]
> 0x00038fac : mov rdi, [r15 + 0x20]; mov rax, [r15 + 0x28]; lea rsi, [rip + 0x83fb]; mov edx, 1; call [rax + 0x18]
> 0x0001ac38 : mov esi, [rbx + 8]; mov edi, 6; lea rax, [rip + 0x23215]; movsxd rdx, [rax + rcx*4]; add rdx, rax; jmp rdx
> 0x0003c79c : mov edi, [rax + 0x20]; mov rax, [rax + 0x28]; lea rsi, [rip + 0x4c05]; mov edx, 1; call [rax + 0x18]