Free Online ROP Gadgets Search

ropshell> use 18403538a12facf8aced1dcfcccef1ba (download)
name         : libcrypto.so.1.0.0 (x86_64/ELF)
base address : 0x61e00
total gadgets: 13436

ropshell> suggest "load mem"
> 0x000d2870 : mov rax, [rdi]; ret
> 0x000d2871 : mov eax, [rdi]; ret
> 0x0011f5bd : mov edx, [rax]; pop rbx; ret
> 0x000d9d83 : mov rax, [rdx + rax]; ret
> 0x000dcfc0 : mov rax, [rdi + 0x10]; ret
> 0x00068a94 : mov eax, [rcx + 0x21]; ret
> 0x000d9d84 : mov eax, [rdx + rax]; ret
> 0x000dcfc1 : mov eax, [rdi + 0x10]; ret
> 0x00128022 : mov rax, [rbx + 0x20]; pop rbx; ret
> 0x00128023 : mov eax, [rbx + 0x20]; pop rbx; ret
> 0x00065a34 : movsxd rdx, [rbx]; pop rbx; xor rax, rdx; ret
> 0x0011bd2c : mov rdi, [rax]; call rbp
> 0x0011b6b6 : mov rdi, [rbx]; call r15
> 0x0013f25c : mov eax, [rbx]; pop rbx; pop rbp; pop r12; ret
> 0x00142f97 : mov eax, [rdx]; mov [rdx], esi; ret
> 0x0011bd2d : mov edi, [rax]; call rbp
> 0x0011b6b7 : mov edi, [rbx]; call r15
> 0x0012e770 : mov rdx, [rax + 0x38]; jmp rdx
> 0x0012e771 : mov edx, [rax + 0x38]; jmp rdx
> 0x00063284 : mov r8, [rax]; mov rsi, r10; jmp r9
> 0x00089ba6 : mov eax, [rbp]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0013f308 : mov rax, [rsi + 0x28]; mov [rdi], eax; ret
> 0x001838fc : mov rdx, [rdi + 0x10]; mov [rcx], rdx; ret
> 0x0014dc4d : mov rdx, [r8 + 0x10]; mov [rcx], rdx; ret
> 0x000d2d70 : mov rdi, [rax + 8]; call rcx
> 0x0013f309 : mov eax, [rsi + 0x28]; mov [rdi], eax; ret
> 0x001838fd : mov edx, [rdi + 0x10]; mov [rcx], rdx; ret
> 0x000d2d71 : mov edi, [rax + 8]; call rcx
> 0x0012d515 : mov rax, [rbx]; call [rax + 0x10]
> 0x0013a547 : mov rax, [r8]; mov [rcx], rax; mov eax, 1; ret
> 0x0014cf15 : movsxd rdx, [rdi]; xor edi, edi; call rax
> 0x00064f15 : mov r8, [r10]; call [r10 + 0x10]
> 0x0014035b : mov r14, [rbp]; mov rsi, rbp; call r13
> 0x00065f04 : mov esi, [rbx]; call [rax + 0x10]
> 0x00065dff : mov esi, [rbp]; call [rax + 0x10]
> 0x00114022 : mov esi, [r14]; mov rdi, rbp; call rbx
> 0x00100880 : mov rax, [rcx + 0x10]; jmp [rax + 0x10]
> 0x00067763 : mov rdx, [rsi]; mov eax, [rax]; sub eax, [rdx]; ret
> 0x00067764 : mov edx, [rsi]; mov eax, [rax]; sub eax, [rdx]; ret
> 0x00125436 : mov rdx, [rcx + 0x78]; mov [rdx + 0x140], rdx; pop rbx; ret
> 0x0010dd4b : mov rsi, [rdi + 8]; mov edi, [rdi]; jmp rax
> 0x00065a4c : mov rdi, [rbx + 8]; call [rax]
> 0x00139f10 : mov rbp, [rbx + 0x10]; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x0010fe38 : mov ecx, [rax + r15]; call [rbx + 0x60]
> 0x00125437 : mov edx, [rcx + 0x78]; mov [rdx + 0x140], rdx; pop rbx; ret
> 0x000d42b0 : mov edx, [rsi + 0x40]; xor eax, eax; test edx, edx; sete al; ret
> 0x0010dd4c : mov esi, [rdi + 8]; mov edi, [rdi]; jmp rax
> 0x00065a4d : mov edi, [rbx + 8]; call [rax]
> 0x00139f11 : mov ebp, [rbx + 0x10]; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x000d2d6d : mov rbp, [rax]; mov rdi, [rax + 8]; call rcx
> 0x000d2d6e : mov ebp, [rax]; mov rdi, [rax + 8]; call rcx
> 0x001662b8 : mov rax, [r12 + 8]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0011bd28 : mov rbx, [rax + 8]; mov rdi, [rax]; call rbp
> 0x0015df7d : mov rcx, [rax + 8]; pop rbp; pop r12; mov rdi, rax; jmp rcx
> 0x00143192 : mov rdx, [rbx + 8]; mov [r12], edx; pop rbx; pop rbp; pop r12; ret
> 0x0011bd29 : mov ebx, [rax + 8]; mov rdi, [rax]; call rbp
> 0x00143193 : mov edx, [rbx + 8]; mov [r12], edx; pop rbx; pop rbp; pop r12; ret
> 0x001382b0 : mov rax, [rsi]; mov [rax], dil; mov eax, 1; add [rsi], 1; ret
> 0x001382b1 : mov eax, [rsi]; mov [rax], dil; mov eax, 1; add [rsi], 1; ret
> 0x00142f81 : mov edx, [rdi]; mov rax, [rsi + 8]; mov eax, [rdx + rax]; ret
> 0x001869ec : mov rcx, [rdi + 8]; mov rcx, [rcx + 0x10]; mov [rdx], rcx; ret
> 0x00110bca : mov rsi, [rbx + 0x28]; mov rdi, rbp; call [rbx + 0x10]
> 0x001894fd : mov rsi, [r15 + 0x58]; mov rdi, r15; call [r15 + 0x50]
> 0x001869ed : mov ecx, [rdi + 8]; mov rcx, [rcx + 0x10]; mov [rdx], rcx; ret
> 0x00110bcb : mov esi, [rbx + 0x28]; mov rdi, rbp; call [rbx + 0x10]
> 0x001699d2 : movsxd rdx, [rbp]; add [rbx], rdx; add rsp, 8; pop rbx; pop rbp; mov rax, rdx; ret
> 0x000d2db8 : mov rbp, [rbx]; mov rdi, [rbx + 8]; call [rbx + 0x18]
> 0x000d2db9 : mov ebp, [rbx]; mov rdi, [rbx + 8]; call [rbx + 0x18]
> 0x00065dfb : mov rdi, [rbp + 8]; mov esi, [rbp]; call [rax + 0x10]
> 0x00064f11 : mov r9, [r10 + 8]; mov r8, [r10]; call [r10 + 0x10]
> 0x00112555 : mov eax, [rbp + 0x24]; mov [r12], eax; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x00064f12 : mov ecx, [rdx + 8]; mov r8, [r10]; call [r10 + 0x10]
> 0x00065dfc : mov edi, [rbp + 8]; mov esi, [rbp]; call [rax + 0x10]
> 0x000d2e7a : mov rax, [rbp]; mov rdi, rbx; mov [rbx], rax; call [rax + 0x48]
> 0x00104e75 : mov rax, [rbp + 0x18]; mov [rcx], rax; add rsp, 8; mov eax, 1; pop rbx; pop rbp; ret
> 0x0015cbc9 : mov rdx, [r15 + 8]; mov rsi, r13; mov rdi, rbx; call [rbx + 0x50]
> 0x00107411 : mov r8, [rbx + 8]; mov rsi, r13; mov rdi, rbx; call [rax + 0x18]
> 0x001070e1 : mov r8, [rbp + 8]; mov rsi, r15; mov rdi, rbp; call [rax + 0x18]
> 0x000f8459 : mov r9, [r15 + 0x78]; mov r8, rbx; mov rdi, r14; call [rax + 0x30]
> 0x00138b77 : movzx eax, [r14 + rdx]; mov edx, 2; mov [rsp + 0x17], al; call r12
> 0x0006327d : mov r9, [rsi]; mov rdi, [rdi + 0x30]; mov r8, [rax]; mov rsi, r10; jmp r9
> 0x0006327e : mov ecx, [rsi]; mov rdi, [rdi + 0x30]; mov r8, [rax]; mov rsi, r10; jmp r9
> 0x000bd39f : mov rdx, [rax]; xor rdx, rcx; and rdi, rdx; xor rcx, rdi; mov [rsi], rcx; xor [rax], rdi; ret
> 0x000b522a : mov rax, [r15 + 8]; xor [rbp + 0x18], rax; mov rsi, r14; mov rdi, r14; call rbx
> 0x00064da4 : mov r8, [rcx]; mov rsi, rbx; mov rdx, [rsp + 8]; mov ecx, r15d; mov rdi, rbp; call r11
> 0x00064da5 : mov eax, [rcx]; mov rsi, rbx; mov rdx, [rsp + 8]; mov ecx, r15d; mov rdi, rbp; call r11
> 0x00065df7 : mov rdx, [rbp + 0x10]; mov rdi, [rbp + 8]; mov esi, [rbp]; call [rax + 0x10]
> 0x00065df8 : mov edx, [rbp + 0x10]; mov rdi, [rbp + 8]; mov esi, [rbp]; call [rax + 0x10]
> 0x0014740c : mov rcx, [rbx + 0x20]; mov [rsp + 0x20], rcx; lea rcx, [rsp + 0x10]; call [rax + 0x18]
> 0x000f8455 : mov rcx, [r15 + 0x20]; mov r9, [r15 + 0x78]; mov r8, rbx; mov rdi, r14; call [rax + 0x30]
> 0x00065a84 : mov rdx, [rsi + 8]; lea ecx, [rax + 1]; mov [rsi + 4], ecx; mov [rdx + rax*8], rdi; ret
> 0x000f88a7 : mov r9, [rbx + 0x78]; mov rcx, rax; mov rsi, [rsp + 8]; mov rdi, r15; call [r10 + 0x30]
> 0x000f97b4 : mov r9, [r12 + 0x78]; mov r8, rbp; mov rdx, r10; mov rsi, r15; mov rdi, r13; call [rax + 0x30]
> 0x0014740d : mov ecx, [rbx + 0x20]; mov [rsp + 0x20], rcx; lea rcx, [rsp + 0x10]; call [rax + 0x18]
> 0x00064b3f : mov r8, [rbp]; mov ecx, r13d; mov rdx, r12; mov rsi, rax; mov rdi, [rsp + 8]; call [rbp + 0x18]
> 0x0010dd40 : mov rcx, [rsi + 8]; mov rdx, [rdi + 0x10]; mov rax, [rsi]; mov rsi, [rdi + 8]; mov edi, [rdi]; jmp rax
> 0x00064da0 : mov r9, [rcx + 8]; mov r8, [rcx]; mov rsi, rbx; mov rdx, [rsp + 8]; mov ecx, r15d; mov rdi, rbp; call r11
> 0x000ec024 : mov r10, [rdi + 0x88]; sbb r10, [rsi + 0x88]; add rax, r9; adc rdx, r10; mov [rdi + 0x80], rax; mov [rdi + 0x88], rdx; ret
> 0x0010dd41 : mov ecx, [rsi + 8]; mov rdx, [rdi + 0x10]; mov rax, [rsi]; mov rsi, [rdi + 8]; mov edi, [rdi]; jmp rax
> 0x000d3cb4 : mov rax, [r12]; mov r8, rbx; mov rcx, r13; mov rdx, [rsp + 0x10]; mov rsi, [rsp]; mov rdi, r12; call [rax + 0x30]
> 0x00064b3b : mov r9, [rbp + 8]; mov r8, [rbp]; mov ecx, r13d; mov rdx, r12; mov rsi, rax; mov rdi, [rsp + 8]; call [rbp + 0x18]
> 0x00064b3c : mov ecx, [rbp + 8]; mov r8, [rbp]; mov ecx, r13d; mov rdx, r12; mov rsi, rax; mov rdi, [rsp + 8]; call [rbp + 0x18]