ropshell> use 0d7af30d0a42165ee37f1311e6fbe1d1
name         : ntdll_test.dll (x86_64/RAW)
base address : 0x0
total gadgets: 7301
ropshell> suggest "load mem"
> 0x0006df80 : movzx eax, [rcx]; ret
> 0x001320bd : mov edx, [rbx]; ret
> 0x00122e08 : mov ebp, [rax]; ret
> 0x000fb23d : mov rax, [r10 + 0x38]; ret
> 0x00080456 : mov eax, [rcx + 0x16b0]; ret
> 0x000fb23e : mov eax, [rdx + 0x38]; ret
> 0x001e5938 : mov esi, [rdi + 0x62]; ret
> 0x00093eb6 : movzx ecx, [rdx]; sub eax, ecx; ret
> 0x0007ad90 : mov rax, [rdx]; mov [rcx], rax; ret
> 0x0007ad91 : mov eax, [rdx]; mov [rcx], rax; ret
> 0x000a1400 : mov rax, [rcx + 8]; and al, 0xf0; ret
> 0x0010c3e2 : movzx eax, [r8]; mov [r10 + 0x20], ax; ret
> 0x000a29a9 : mov rax, [r9 + 0x30]; call rax
> 0x000decae : mov rbx, [r11 + 0x20]; mov rsp, r11; pop rbp; ret
> 0x0002d99d : mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x0005c6d9 : mov rdi, [r11 + 0x18]; mov rsp, r11; pop rbp; ret
> 0x00084772 : mov rbp, [r11 + 0x28]; mov rsp, r11; pop rdi; ret
> 0x0006fae3 : mov r14, [r11 + 0x28]; mov rsp, r11; pop r15; ret
> 0x000dce21 : mov r15, [r11 + 0x28]; mov rsp, r11; pop rbp; ret
> 0x0002d99e : mov esi, [rbx + 0x18]; mov rsp, r11; pop rdi; ret
> 0x0005c6da : mov edi, [rbx + 0x18]; mov rsp, r11; pop rbp; ret
> 0x00084773 : mov ebp, [rbx + 0x28]; mov rsp, r11; pop rdi; ret
> 0x00100075 : mov ecx, [rax]; add [rax], al; xor eax, eax; ret
> 0x00067a78 : mov rax, [rdx + 0x38]; mov [rdx + 0x38], rcx; ret
> 0x000f45af : mov eax, [r9 + 0x194]; mov [rdx + 0x194], eax; ret
> 0x000f5aa1 : mov rcx, [r8]; mov [r11 + 0x4e8], rcx; mov eax, r10d; ret
> 0x0007eec9 : mov rcx, [rax + 0x48]; cmp [rip + 0xdfa34], rcx; sete al; ret
> 0x000f0f5d : mov rcx, [r10 + 0x18]; mov [r9], rcx; mov rax, r11; ret
> 0x00017d12 : mov r12, [r11 + 0x38]; mov rsp, r11; pop r15; pop r14; pop r13; ret
> 0x00081174 : mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret
> 0x000a18ef : mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret
> 0x0007eeca : mov ecx, [rax + 0x48]; cmp [rip + 0xdfa34], rcx; sete al; ret
> 0x000f0f5e : mov ecx, [rdx + 0x18]; mov [r9], rcx; mov rax, r11; ret
> 0x00081175 : mov esi, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret
> 0x000a18f0 : mov edi, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret
> 0x000fb19e : movzx ecx, [r9]; add r8d, ecx; mov [rdx], r9; mov eax, r8d; ret
> 0x000a439c : mov rbp, [rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx
> 0x000a2a03 : mov edx, [rax + 0x48]; mov [r9 + 0x48], r10d; mov eax, 3; ret
> 0x000a439d : mov ebp, [rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx
> 0x000fbc5a : mov eax, [r9]; mov rbx, [rsp + 8]; mov rdi, [rsp + 0x10]; ret
> 0x000a13b7 : mov edx, [rcx]; mov rcx, [rcx + 8]; mov eax, 1; int 0x2d; int3 ; ret
> 0x00071b5f : mov rax, [rbx + 0x20]; mov r8, [rip + 0x109896]; call r8
> 0x0008aef9 : mov rax, [r14 + 8]; mov r8, [rip + 0xf04fc]; call r8
> 0x0006a679 : mov rcx, [rdi + 0x58]; mov r8, [rip + 0x110d7c]; call r8
> 0x00071b60 : mov eax, [rbx + 0x20]; mov r8, [rip + 0x109896]; call r8
> 0x0008aefa : mov eax, [rsi + 8]; mov r8, [rip + 0xf04fc]; call r8
> 0x0006a67a : mov ecx, [rdi + 0x58]; mov r8, [rip + 0x110d7c]; call r8
> 0x00092084 : mov rcx, [rdx + rcx]; bswap rax; bswap rcx; cmp rax, rcx; sbb eax, eax; sbb eax, -1; ret
> 0x0007b173 : mov eax, [r10 + 0x98]; and [r10 + 0x64], 0; mov [r10 + 0x68], eax; ret
> 0x00081170 : mov rdi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret
> 0x00078151 : mov r8, [rdx + 8]; sub r8, [rcx + 0x18]; xor eax, eax; test r8, r8; sete al; ret
> 0x000a18eb : mov r14, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret
> 0x000a18ec : mov esi, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret
> 0x00081171 : mov edi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret
> 0x000a4398 : mov rdx, [rcx + 0x50]; mov rbp, [rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx
> 0x000a4399 : mov edx, [rcx + 0x50]; mov rbp, [rcx + 0x18]; mov rsp, [rcx + 0x10]; jmp rdx
> 0x00071b5b : mov rcx, [rbx + 0x28]; mov rax, [rbx + 0x20]; mov r8, [rip + 0x109896]; call r8
> 0x0008aef5 : mov rcx, [r14 + 0x10]; mov rax, [r14 + 8]; mov r8, [rip + 0xf04fc]; call r8
> 0x00071b5c : mov ecx, [rbx + 0x28]; mov rax, [rbx + 0x20]; mov r8, [rip + 0x109896]; call r8
> 0x0008aef6 : mov ecx, [rsi + 0x10]; mov rax, [r14 + 8]; mov r8, [rip + 0xf04fc]; call r8
> 0x00057a85 : mov edx, [rsi + 0x10]; mov rcx, rbx; mov rax, r15; mov r10, [rip + 0x12396b]; call r10
> 0x00057a84 : mov edx, [r14 + 0x10]; mov rcx, rbx; mov rax, r15; mov r10, [rip + 0x12396b]; call r10
> 0x00122a59 : mov eax, [rdi]; cmpsb [rsi], [rdi]; add [rax], al; add [rax], al; adc [rax + 0x7e], bh; ret
> 0x0008116c : mov rsi, [rbp + 0x38]; mov rdi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret
> 0x000a18e7 : mov r13, [rcx + 0x20]; mov r14, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret
> 0x000a6599 : mov rcx, [rbp + 0x28]; mov rax, [rcx + 8]; mov rax, [rax]; mov rdx, [rip + 0xd4e55]; call rdx
> 0x000a29fa : mov r10, [rax + 0x40]; mov [r9 + 0x40], r10; mov r10d, [rax + 0x48]; mov [r9 + 0x48], r10d; mov eax, 3; ret
> 0x000a659a : mov ecx, [rbp + 0x28]; mov rax, [rcx + 8]; mov rax, [rax]; mov rdx, [rip + 0xd4e55]; call rdx
> 0x00078feb : mov rcx, [rsi + 0xf0]; mov rdx, r14; mov rcx, [rcx + rbx*8]; mov rax, r15; mov r8, [rip + 0x1023fd]; call r8
> 0x0006a66d : mov rax, [rdi + 0x18]; mov rdx, r12; mov rdi, [rsp + 0x28]; mov rcx, [rdi + 0x58]; mov r8, [rip + 0x110d7c]; call r8
> 0x00081168 : mov rbx, [rbp + 0x30]; mov rsi, [rbp + 0x38]; mov rdi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret
> 0x000a18e3 : mov r12, [rcx + 0x18]; mov r13, [rcx + 0x20]; mov r14, [rcx + 0x28]; mov r15, [rcx + 0x30]; mov rbp, [rcx - 8]; add rsp, 0x138; ret
> 0x0006a66e : mov eax, [rdi + 0x18]; mov rdx, r12; mov rdi, [rsp + 0x28]; mov rcx, [rdi + 0x58]; mov r8, [rip + 0x110d7c]; call r8
> 0x00081169 : mov ebx, [rbp + 0x30]; mov rsi, [rbp + 0x38]; mov rdi, [rbp + 0x40]; mov r14, [rbp + 0x48]; lea rsp, [rbp + 0x20]; pop rbp; ret
> 0x000a6999 : mov rax, [rbp + 0x58]; lea rax, [rax + rax*4]; lea rcx, [rip + 0x71778]; mov rax, [rcx + rax*8 + 0x20]; mov rcx, [rip + 0xd4a4c]; call rcx
> 0x000a699a : mov eax, [rbp + 0x58]; lea rax, [rax + rax*4]; lea rcx, [rip + 0x71778]; mov rax, [rcx + rax*8 + 0x20]; mov rcx, [rip + 0xd4a4c]; call rcx