ropshell> use 30730a50b95125d8b809d9116dd12973
name         : steamclient_short.dll (i386/PE)
base address : 0x38001000
total gadgets: 66153
ropshell> suggest "stack pivoting"
> 0x380568ff : xchg eax, esp; ret
> 0x3822a151 : mov esp, ebx; pop ebx; ret
> 0x3800e0da : mov esp, ebp; pop ebp; ret
> 0x382a6e9e : push eax; pop esp; pop ebp; ret 4
> 0x382a6ec7 : push edx; pop esp; pop ebp; ret 4
> 0x383447ce : xchg ebx, esp; lcall [esi + 0x5d]; ret 0xc
> 0x381d49b8 : lea esp, [eax - 0x17000005]; scasb al, es:[edi]; ret
> 0x382d4015 : lea esp, [edx]; add [ebx - 0x1a74a13a], cl; pop ebp; ret
> 0x380cd9f4 : lea esp, [esi]; add [ebx - 0x3974fb3c], al; pop esi; pop ebp; ret 4
> 0x383ca303 : mov esp, eax; idiv bh; add esp, 4; mov eax, esi; pop esi; pop ebp; ret 4
> 0x3826bb81 : lea esp, [ebp - 0x14]; pop edi; pop esi; pop ebx; mov esp, ebp; pop ebp; ret 0xc
> 0x3815a646 : xchg esp, edx; add [eax], eax; add [ebx + 0x5b5e5fc7], cl; pop ebp; ret 4
> 0x3836e49e : lea esp, [edi + edi*8 - 1]; call [eax + 0x51]
> 0x381bbb0f : lea esp, [esp + edi*8 - 1]; call [ecx - 0x73]
> 0x382c4000 : lea esp, [ebx]; add [ebx + 0x5fd68bc7], cl; pop esi; mov esp, ebp; pop ebp; ret 8
> 0x38070d17 : lea esp, [ecx + eax]; add [esi + 0x55], dl; call ecx
> 0x38246b5a : xchg esp, esp; add [eax], al; add [edi + 0x5b], bl; mov esp, ebp; pop ebp; ret 0xc
> 0x3826a9e6 : xchg esp, edi; add al, [eax]; add [eax], al; mov eax, edi; pop edi; pop esi; ret
> 0x38246b5a : xchg esp, esp; add [eax], al; add [edi + 0x5b], bl; mov esp, ebp; pop ebp; ret 0xc
> 0x3820d4fa : mov esp, esp; add [eax], al; add al, ch; cld ; fdivr st(7); lcall [esi + 0x5d]; ret 0x10
> 0x38352602 : xchg edx, esp; xor [eax], eax; mov ecx, [ebp + 8]; push eax; call edi
> 0x38008a0d : xchg esp, esi; sbb [eax], al; add [edi + 0x5e], bl; pop ebp; pop ebx; add esp, 8; ret
> 0x38236171 : xchg esp, ebp; add eax, [eax]; add [ebp + 0x3ec8f], cl; add [edx], ch; call [eax + 0x1c]
> 0x383a5517 : xchg esp, eax; add eax, [eax]; add [edi + 0x5e], bl; mov eax, [eax + edx*4 + 0x20]; mov esp, ebp; pop ebp; ret 8
> 0x3821e6c4 : xchg esp, ebx; add [eax], al; add [ecx], al; mov eax, [ecx]; push [ebp + 0xc]; mov eax, [eax + 0x78]; call eax
> 0x382ecca3 : leave ; ret