ropshell> use 0d8349b94bfb02ba6e57abdfe8be0aed (download)
name         : ch34 (x86_64/ELF)
base address : 0x400360
total gadgets: 8157
ropshell> suggest "load mem"
> 0x00467a5b : mov eax, [rdx]; ret
> 0x004588e2 : mov eax, [rsi]; pop rbx; ret
> 0x0040ec20 : mov rax, [rdi + 0x68]; ret
> 0x0040ec21 : mov eax, [rdi + 0x68]; ret
> 0x0049001b : mov rax, [rdx]; add rsp, 8; ret
> 0x00490060 : mov rax, [rsi]; add rsp, 8; ret
> 0x004186e3 : movzx eax, [rdi]; sub eax, ecx; ret
> 0x00424403 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x0041bf83 : movzx edx, [rsi]; sub eax, edx; ret
> 0x0040e8f0 : mov rcx, [rdi]; mov [rdx], rcx; ret
> 0x0042ad90 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0048fc6b : mov rsi, [rbp]; call r14
> 0x0048fc17 : mov rsi, [r15]; call r14
> 0x00436aa7 : mov rdi, [rbx]; call r12
> 0x00436a98 : mov rdi, [rbp]; call r12
> 0x00406e3c : mov rdi, [r12]; call r13
> 0x0047673b : mov rdi, [r13]; call r12
> 0x00434f26 : mov rdi, [r14]; call rbx
> 0x00434f67 : mov rdi, [r15]; call rbx
> 0x0040e8f1 : mov ecx, [rdi]; mov [rdx], rcx; ret
> 0x00458778 : mov edx, [rax]; mov eax, edx; pop rbx; ret
> 0x0048fc18 : mov esi, [rdi]; call r14
> 0x0048fc6c : mov esi, [rbp]; call r14
> 0x00436aa8 : mov edi, [rbx]; call r12
> 0x00434f27 : mov edi, [rsi]; call rbx
> 0x00436a99 : mov edi, [rbp]; call r12
> 0x0041880f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x00439989 : mov rdi, [rbx + 0x18]; call rax
> 0x0043998a : mov edi, [rbx + 0x18]; call rax
> 0x0042e830 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x0048f148 : mov rdx, [r12]; mov edi, 1; call rax
> 0x00490a88 : mov rdx, [r15]; mov rdi, rbx; call rbp
> 0x004356f8 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x0042e8b1 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x00490a89 : mov edx, [rdi]; mov rdi, rbx; call rbp
> 0x004356f9 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x004763c0 : mov rax, [rbx + 0x18]; mov [rax], rdi; pop rbx; ret
> 0x004763a0 : mov rdx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x004763b4 : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x004763c1 : mov eax, [rbx + 0x18]; mov [rax], rdi; pop rbx; ret
> 0x00432f91 : mov eax, [rcx + 4]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00432f90 : mov eax, [r9 + 4]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0048f0e5 : mov ebx, [rax + 0x48000000]; add esp, 8; pop rbx; pop rbp; ret
> 0x004763a1 : mov edx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x004763b5 : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x00406e39 : mov rsi, [r14]; mov rdi, [r12]; call r13
> 0x00491918 : mov r8, [rax]; add rax, 8; mov [rbx], r8; pop rbx; ret
> 0x004698a7 : mov rax, [r13]; add rax, [rdx + 8]; call rax
> 0x0042ad24 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x0048f713 : mov rdx, [r13]; mov esi, 1; mov edi, 1; call rax
> 0x0043d5d8 : mov rdx, [r14]; mov rsi, r13; call [rbx + 8]
> 0x00435362 : mov rdi, [rax]; mov [rsp + 8], rax; call rbx
> 0x004698a8 : mov eax, [rbp]; add rax, [rdx + 8]; call rax
> 0x0048f714 : mov edx, [rbp]; mov esi, 1; mov edi, 1; call rax
> 0x00435363 : mov edi, [rax]; mov [rsp + 8], rax; call rbx
> 0x0042e956 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x00465ff3 : mov rax, [r12 + 0x10]; add rax, [rbx]; call rax
> 0x00465943 : mov rax, [r14 + 0x10]; add rax, [r15]; call rax
> 0x00465ec1 : mov rax, [r15 + 0x10]; add rax, [r14]; call rax
> 0x00439654 : mov rdi, [rax + 0x18]; mov [rbp - 0x68], rax; call rcx
> 0x00457a4b : mov eax, [rdx + 0x48]; cmp eax, [rdx + 0x4c]; cmovne eax, ecx; ret
> 0x00465944 : mov eax, [rsi + 0x10]; add rax, [r15]; call rax
> 0x004186c4 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x00439655 : mov edi, [rax + 0x18]; mov [rbp - 0x68], rax; call rcx
> 0x00437105 : mov rax, [rbx]; mov [rip + 0x28a011], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x00437106 : mov eax, [rbx]; mov [rip + 0x28a011], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x004306d4 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x004305e3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00447a0b : mov rdx, [r13 + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x0046a5f9 : mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x0040911e : mov rbp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00409940 : mov r15, [rbx + 0x98]; mov rdi, r15; call [r15 + 0x20]
> 0x00447a0c : mov edx, [rbp + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x0046a5fa : mov esi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x0040911f : mov ebp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00490a84 : mov rsi, [r14 + 8]; mov rdx, [r15]; mov rdi, rbx; call rbp
> 0x0048fbbd : mov rdi, [rdx + 8]; sbb ecx, ecx; cmp [rsi + 8], rdi; cmovbe eax, ecx; ret
> 0x0046bb22 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00401bbc : mov eax, [rbp + 8]; sub eax, [rbx + 8]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0048fbbe : mov edi, [rdx + 8]; sbb ecx, ecx; cmp [rsi + 8], rdi; cmovbe eax, ecx; ret
> 0x004357aa : mov rsi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x004357ab : mov esi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x00410593 : mov rax, [rdx + 0x868]; mov [rip + 0x2b216f], rax; add rsp, 8; mov rax, rdx; pop rbx; pop rbp; ret
> 0x0040b8cc : mov rax, [rbp + 0xd8]; mov rdx, r14; mov rsi, r12; mov rdi, rbp; call [rax + 0x78]
> 0x004583f1 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0044bf69 : mov rcx, [rbx + 0x10]; mov [rcx + rdx*8], rax; add rsp, 8; mov eax, ebp; pop rbx; pop rbp; ret
> 0x0046a5f5 : mov rcx, [rdi + 0x18]; mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x00447a07 : mov rsi, [r13 + 0x18]; mov rdx, [r13 + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x004583f2 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0044bf6a : mov ecx, [rbx + 0x10]; mov [rcx + rdx*8], rax; add rsp, 8; mov eax, ebp; pop rbx; pop rbp; ret
> 0x0046a5f6 : mov ecx, [rdi + 0x18]; mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x00447a08 : mov esi, [rbp + 0x18]; mov rdx, [r13 + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x0043b94c : movsx r9, [rax + 0xa]; movsx eax, [rax + 0xb]; mov [rdx + 0x50], ecx; mov [rdx + 0x54], eax; ret
> 0x0046bb1e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x004670a4 : mov r15, [rax]; mov rbx, rax; mov [rip + 0x25c4cf], r13; mov rdi, rbp; mov [rax], 0; call r12
> 0x0048fc0a : mov rdx, [rbp]; mov rdi, [rsp + 8]; lea r15, [r12 + rcx*8]; mov rsi, [r15]; call r14
> 0x0044033e : mov rdi, [r13 + 0x18]; mov r8, r12; mov rcx, rbp; mov rdx, [r14]; mov rsi, rbx; call [r13 + 8]
> 0x0043c06e : mov rdi, [r14 + 0x18]; mov r8, r15; mov rcx, rbp; mov rdx, [r12]; mov rsi, rbx; call [r14 + 8]
> 0x0043bc26 : mov rdi, [r15 + 0x18]; mov r8, r12; mov rcx, rbx; mov rdx, [r13]; mov rsi, rbp; call [r15 + 8]
> 0x0043c06f : mov edi, [rsi + 0x18]; mov r8, r15; mov rcx, rbp; mov rdx, [r12]; mov rsi, rbx; call [r14 + 8]
> 0x0044033f : mov edi, [rbp + 0x18]; mov r8, r12; mov rcx, rbp; mov rdx, [r14]; mov rsi, rbx; call [r13 + 8]
> 0x0043e429 : mov rcx, [r14]; mov [rsp], rax; mov rsi, [rsp + 0x18]; mov rdi, [rsp + 0x68]; call [r13]
> 0x0046bb1a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x004583e9 : mov rdx, [rax + 0x40]; mov [rax + 8], rcx; mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x004583ea : mov edx, [rax + 0x40]; mov [rax + 8], rcx; mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret