ROPSHELL 
ropshell> use 0dc2a9882540dea4a55b08785e09d8fc (download)
name         : afd.sys (x86_64/PE)
base address : 0x11000
total gadgets: 1293

ropshell> suggest "load mem"
> 0x0001e560 : mov eax, [rcx]; cmp ax, -0x11; sete al; ret
> 0x000149e0 : mov rcx, [r10 + 0x28]; call r9
> 0x0001e267 : mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x0001539a : mov rdi, [r11 + 0x28]; mov rsp, r11; pop r12; ret
> 0x000149e1 : mov ecx, [rdx + 0x28]; call r9
> 0x0001e268 : mov esi, [rbx + 0x18]; mov rsp, r11; pop rdi; ret
> 0x0001539b : mov edi, [rbx + 0x28]; mov rsp, r11; pop r12; ret
> 0x00015372 : mov rcx, [rbx + 0x28]; call [rax + 8]
> 0x00013d03 : mov rcx, [rbp + 0x40]; call [rax + 8]
> 0x0001325c : mov rcx, [r9 + 0x28]; call [r8 + 0x20]
> 0x00016549 : mov rbp, [r11 + 0x30]; mov rsp, r11; pop r12; pop rdi; pop rsi; ret
> 0x00015373 : mov ecx, [rbx + 0x28]; call [rax + 8]
> 0x00013d04 : mov ecx, [rbp + 0x40]; call [rax + 8]
> 0x0001654a : mov ebp, [rbx + 0x30]; mov rsp, r11; pop r12; pop rdi; pop rsi; ret
> 0x0001e263 : mov rbx, [r11 + 0x10]; mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x00021c24 : mov rcx, [rdi + 0x10]; mov rdx, rbx; call [rax + 0x18]
> 0x0001ec65 : mov eax, [rdx + 0x10]; mov [rsp + 0x20], eax; call r11
> 0x0001ec64 : mov eax, [r10 + 0x10]; mov [rsp + 0x20], eax; call r11
> 0x00021c25 : mov ecx, [rdi + 0x10]; mov rdx, rbx; call [rax + 0x18]
> 0x00017276 : mov rdx, [rdi]; mov rcx, [rbx + 0x40]; call [rax + 0x10]
> 0x00017277 : mov edx, [rdi]; mov rcx, [rbx + 0x40]; call [rax + 0x10]
> 0x0001e0c0 : mov rax, [rcx + 0x48]; mov rcx, [rcx + 0x40]; jmp [rax + 0x10]
> 0x0001e0c1 : mov eax, [rcx + 0x48]; mov rcx, [rcx + 0x40]; jmp [rax + 0x10]
> 0x0001536e : mov rax, [rbx + 0x38]; mov rcx, [rbx + 0x28]; call [rax + 8]
> 0x0001a8ee : mov rax, [rsi + 0x38]; mov [rsp + 0x28], rbp; call [rax + 0x20]
> 0x00013cff : mov rax, [rbp + 0x48]; mov rcx, [rbp + 0x40]; call [rax + 8]
> 0x00016693 : mov rax, [r9 + 0x38]; mov rcx, [r9 + 0x28]; call [rax + 0x18]
> 0x00014258 : mov rcx, [rsi + 0x40]; mov [rsp + 0x20], rbp; call [r10]
> 0x00022ac5 : mov r8, [rcx + 0x28]; mov rcx, [rcx + 0x20]; call [r8 + 0x10]
> 0x00013258 : mov r8, [r9 + 0x38]; mov rcx, [r9 + 0x28]; call [r8 + 0x20]
> 0x0001536f : mov eax, [rbx + 0x38]; mov rcx, [rbx + 0x28]; call [rax + 8]
> 0x0001a8ef : mov eax, [rsi + 0x38]; mov [rsp + 0x28], rbp; call [rax + 0x20]
> 0x00013d00 : mov eax, [rbp + 0x48]; mov rcx, [rbp + 0x40]; call [rax + 8]
> 0x00014259 : mov ecx, [rsi + 0x40]; mov [rsp + 0x20], rbp; call [r10]
> 0x00021c20 : mov rax, [rdi + 0x18]; mov rcx, [rdi + 0x10]; mov rdx, rbx; call [rax + 0x18]
> 0x00021c21 : mov eax, [rdi + 0x18]; mov rcx, [rdi + 0x10]; mov rdx, rbx; call [rax + 0x18]
> 0x0001382d : mov r8, [rdi + 0x38]; mov rcx, [rdi + 0x28]; lea rdx, [rsp + 0x20]; call [r8]
> 0x000149d0 : mov rax, [r11 + 0xb8]; lea rdx, [rsp + 0x20]; or [rax + 3], 1; mov rcx, [r10 + 0x28]; call r9
> 0x000180e7 : mov edx, [rbx + 0x2c]; mov r8d, [rbx + 0x28]; mov ecx, [rbx + 0x24]; inc [rbx + 0x18]; call [rbx + 0x30]
> 0x00014e16 : mov rax, [r14 + 0xb8]; or [rax + 3], 1; mov rax, [rcx + 0x28]; mov rcx, [rcx + 0x20]; call [rax + 0x10]
> 0x0001e0ea : mov r8, [rdx + 0x18]; mov rcx, [rcx + 0x40]; mov rbx, rdx; mov r9, rdx; mov rdx, [rdx + 0x10]; call [rax + 8]
> 0x00013000 : mov r9, [rdi + 0x18]; mov r8, [rdi + 0x10]; mov rcx, [rbp + 0x40]; lea r13, [rdi + 0x20]; mov edx, ebx; mov [rsp + 0x20], r13; call [rax]

© 2014 - 2019 - Powered by ROPEME | Contact