ropshell> use 18fc0e186ea02334f6f19f29d0a727ad
name         : libc-2.28.so (x86_64/ELF)
base address : 0x22320
total gadgets: 17035
ropshell> suggest "load mem"
> 0x0007292c : mov eax, [rdx]; ret
> 0x000c2170 : mov eax, [rdi]; ret
> 0x000c2130 : mov rax, [rdi + 0x20]; ret
> 0x000e1c81 : mov eax, [rdx + 8]; ret
> 0x000c2131 : mov eax, [rdi + 0x20]; ret
> 0x00158c83 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00093133 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000ddf47 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x0007ebfd : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000e32b1 : mov rcx, [r14]; call r12
> 0x00024025 : mov rdx, [rax]; call rbp
> 0x0009d700 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000e3104 : mov rdx, [r14]; call r15
> 0x000f569f : mov rdi, [rbx]; call rbp
> 0x000a3739 : mov rdi, [r12]; call rbp
> 0x00024026 : mov edx, [rax]; call rbp
> 0x000f56a0 : mov edi, [rbx]; call rbp
> 0x00151e3f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0007bb6b : movzx r8, [rax]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00039e96 : mov rdi, [rax + 0x20]; call rdx
> 0x00087648 : mov rdi, [rbx + 0x48]; call rax
> 0x00039e97 : mov edi, [rax + 0x20]; call rdx
> 0x00087649 : mov edi, [rbx + 0x48]; call rax
> 0x0011a40b : mov rax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x0014a540 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000f59d3 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x00075ba7 : mov rdi, [rax]; call [r13 + 0x18]
> 0x0007c988 : mov rdi, [r14]; call [r15 + 0x18]
> 0x0011a40c : mov eax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x0009a236 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x001246c0 : mov eax, [r8]; mov [rdx], eax; mov eax, 1; ret
> 0x000ff1f1 : mov edx, [rbx]; pop rbx; pop rbp; pop r12; mov eax, edx; ret
> 0x000a39ca : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x000f59d4 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x00075ba8 : mov edi, [rax]; call [r13 + 0x18]
> 0x0007c989 : mov edi, [rsi]; call [r15 + 0x18]
> 0x0007033f : mov rdx, [rdi + 0xa0]; mov [rdx + 0x130], rcx; ret
> 0x00070340 : mov edx, [rdi + 0xa0]; mov [rdx + 0x130], rcx; ret
> 0x000390d4 : mov rdi, [r13]; mov rax, [rsp]; call rax
> 0x000e9ac0 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x001009e9 : mov eax, [r12]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x000390d5 : mov edi, [rbp]; mov rax, [rsp]; call rax
> 0x00079414 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x000744f9 : mov rax, [rsi + 0x130]; call [rax + 0x68]
> 0x000793f7 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x001052c3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00079415 : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x000744fa : mov eax, [rsi + 0x130]; call [rax + 0x68]
> 0x000793f8 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x001052c4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x001419b4 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x000f96df : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0007da98 : movzx esi, [rdi]; mov rdi, r13; call [rax + 0x18]
> 0x0007da97 : movzx esi, [r15]; mov rdi, r13; call [rax + 0x18]
> 0x0014a666 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x00079451 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000eeb10 : mov rax, [r12 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x000d1186 : mov rdx, [rsi + 0x20]; mov [rax + 0x20], rdx; xor eax, eax; ret
> 0x00047752 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0009a2b9 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x001246ad : movzx eax, [r8 + 0x88]; mov [rdx + 0x6c], ax; mov eax, 1; ret
> 0x00047753 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00090c34 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x000f5a85 : mov rsi, [rax]; mov rdi, r13; mov [rbp - 0x50], r15d; call r14
> 0x000f5a86 : mov esi, [rax]; mov rdi, r13; mov [rbp - 0x50], r15d; call r14
> 0x0011f0ed : mov rax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x0011f805 : mov rax, [r10 + 8]; mov rdi, r10; call [rax + 0x20]
> 0x00127730 : mov rax, [r14 + 0x70]; mov rdi, r12; call [rax + 0x20]
> 0x0011fafc : mov rax, [r15 + 0x38]; mov rdi, r15; call [rax + 0x20]
> 0x0009d844 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x00127a63 : mov rdx, [r8 + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x0005e7cf : mov rsi, [rax + 0x18]; mov rdi, rbx; call [r14 + 0x38]
> 0x00075faf : mov rbp, [r13 + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0011f0ee : mov eax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x0005e7d0 : mov esi, [rax + 0x18]; mov rdi, rbx; call [r14 + 0x38]
> 0x00127c3b : mov esi, [rbx + 0x88]; mov rdi, r14; call [rax + 0x28]
> 0x0011563a : mov rax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0012a7d0 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x0011cb1c : mov rdx, [r15]; mov r8, rbx; mov rcx, r14; mov rdi, r13; call r12
> 0x00124991 : mov rdi, [r15]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x0011563b : mov eax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00134ae6 : mov ecx, [rdx]; mov rdx, r14; add r9, [rsp + 8]; call rax
> 0x00037632 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00105959 : mov edx, [rbp + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x001059cb : mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x00105958 : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x000ec367 : mov rcx, [rdi]; mov rdx, [rsi]; xor eax, eax; cmp rcx, rdx; seta al; sbb eax, 0; ret
> 0x000ec368 : mov ecx, [rdi]; mov rdx, [rsi]; xor eax, eax; cmp rcx, rdx; seta al; sbb eax, 0; ret
> 0x0007c8d2 : mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r13 + 0x70]
> 0x00120b3c : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x0002fd68 : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x001347f6 : mov r8, [rbx + 0x10]; call [rax + 0x178]; mov [rbx], rax; pop rax; pop rdx; pop rbx; ret
> 0x000cf555 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x0012ed39 : mov ebx, [rax + 0x18]; mov [rip + 0x91a8a], 0; mov eax, ebx; pop rbx; pop rbp; pop r12; ret
> 0x0007c8d3 : mov edx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r13 + 0x70]
> 0x0002fd69 : mov esi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x000fc0ad : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xbf29e], 0; ret
> 0x000fc0ae : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xbf29e], 0; ret
> 0x00077667 : mov rcx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0004e038 : mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x8b0]; sub rdx, rsi; call [rbx + 0x38]
> 0x0004774e : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00116294 : movzx eax, [r10 + 1]; add r10, 2; mov [r8], eax; mov eax, edx; mov [r9], r10; ret
> 0x00077668 : mov ecx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x00127a00 : mov rax, [r8 + 0x90]; mov eax, [rax]; bswap eax; mov eax, eax; mov [rdx], rax; mov eax, 1; ret
> 0x00073fe1 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00075e87 : mov rdx, [r13 + 0x40]; sub rdx, rsi; mov [rsp + 0x10], rcx; mov rdi, r13; call rax
> 0x0011f67e : mov rsi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x000a3d72 : mov rdi, [r12 + 0x10]; push 1; xor edx, edx; push 1; lea r9, [rsp + 0x20]; call rbx
> 0x00076173 : mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x00073fe2 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0011f67f : mov esi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x00076174 : mov edi, [rbp + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x0003762e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0012c108 : movsx rax, [rsi]; mov rsi, rsp; mov [rsp], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x00120b38 : mov rax, [r13 + 8]; mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00131777 : mov ebx, [rax]; mov eax, 2; cmp ebx, 3; cmove ebx, eax; mov rax, [rip + 0x8adc5]; call [rax + 0x28]
> 0x00047747 : mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0004e034 : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x8b0]; sub rdx, rsi; call [rbx + 0x38]
> 0x001059c2 : mov rdx, [r12 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x0007555e : mov rbp, [rdi + 0x98]; mov rax, fs:[0x28]; mov [rsp + 8], rax; xor eax, eax; mov rdi, rbp; call [rbp + 0x20]
> 0x0003762a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0003762b : mov ebp, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00047ad6 : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00047ad7 : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0012af46 : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x0007616a : mov r14, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x0012af47 : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x00076166 : mov r8, [rax + 0x40]; mov r14, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]