ropshell> use 335a9fab2ac3ae212e9feee4bcd19e80
name         : libc-2.3.6.so (i386/ELF)
base address : 0x14cb0
total gadgets: 10011
ropshell> suggest "load mem"
> 0x0005a0de : mov eax, [ecx]; pop ebp; ret
> 0x0002976f : mov eax, [ecx + 0x34]; ret
> 0x0002041c : mov ecx, [edx]; sub eax, ecx; ret
> 0x000d5eb4 : mov eax, [edx + 0x18]; pop ebp; ret
> 0x00022d80 : mov eax, [ebp + 0xc]; pop ebp; ret
> 0x000eee14 : mov eax, [ebx + 0x3154]; pop ebx; pop ebp; ret
> 0x000f42fa : mov ecx, [edx + 0x10]; sub eax, ecx; ret
> 0x00061403 : mov eax, [esi + 0x24]; call eax
> 0x000228a7 : mov edx, [ebp + 0xc]; pop ebp; and eax, edx; ret
> 0x000995d8 : mov eax, [edx]; mov [edx], ecx; pop ebx; pop ebp; ret
> 0x00038247 : mov ecx, [eax + 0x3c]; mov eax, [eax + 0x40]; ret
> 0x00061693 : mov ecx, [ebp + 8]; pop esi; pop ebp; add eax, ecx; ret
> 0x00059527 : mov esi, [ebp + 8]; add eax, esi; pop esi; pop ebp; ret
> 0x000c9a34 : mov eax, [esi]; mov [esp], eax; call edi
> 0x000c4b07 : mov ecx, [esi + ebx]; add [edx + 0x5b], bl; pop ebp; ret
> 0x00090a9e : mov edi, [ebp + 0xc]; call [edi + 0x20]
> 0x00028693 : mov ebp, [ecx + 0xc]; mov esp, [ecx + 0x10]; jmp edx
> 0x000c6223 : mov ebp, [edi + ebx]; add [eax], al; pop edx; pop ebx; pop ebp; ret
> 0x000f48e5 : mov eax, [edi]; mov [esp], eax; call [edi + 0x20]
> 0x000e9686 : mov ecx, [eax]; xchg ebx, ecx; mov eax, 6; call gs:[0x10]; xchg ebx, ecx; pop ebp; ret
> 0x00101aac : mov edx, [esi]; mov eax, [eax + 4]; add eax, edx; call eax
> 0x000ef8b2 : mov eax, [edi + 0x20]; mov [esp], edi; call [eax + 0x10]
> 0x000f72b6 : mov edx, [eax + 0x20]; mov [esp], eax; call [edx + 0x10]
> 0x00046dc0 : mov edx, [ebx + 0xd34]; mov ecx, [ebp - 0x1154]; call [edx + ecx*4]
> 0x0005b050 : mov edi, [esi + 0x54]; mov [esp], edi; call [edi + 0x10]
> 0x000bb326 : mov edx, [eax]; mov eax, [ebp + 0xc]; mov [eax], dx; xor eax, eax; pop ebp; ret
> 0x00028690 : mov edi, [ecx + 8]; mov ebp, [ecx + 0xc]; mov esp, [ecx + 0x10]; jmp edx
> 0x00038241 : mov ebx, [eax + 0x34]; mov edx, [eax + 0x38]; mov ecx, [eax + 0x3c]; mov eax, [eax + 0x40]; ret
> 0x000faccc : mov edx, [ecx + 4]; mov [esp + 4], eax; mov [esp], ecx; call [edx + 0x20]
> 0x000f1387 : mov edx, [edi + 8]; mov [esp + 4], eax; mov [esp], edi; call [edx + 0xc]
> 0x0004440c : mov ecx, [esi]; add [ecx - 0x74fbdbbc], cl; inc ebp; or [ecx + 0x12e82404], cl; mov [ecx], eax; add [ebx + 0x5d5b10c4], al; ret
> 0x0002868d : mov esi, [ecx + 4]; mov edi, [ecx + 8]; mov ebp, [ecx + 0xc]; mov esp, [ecx + 0x10]; jmp edx
> 0x00071d88 : mov edx, [ecx]; mov ecx, edi; movzx eax, cl; mov [esp + 4], eax; mov [esp], edx; call [edx + 0x18]
> 0x000fad8c : mov edx, [esi + 4]; lea eax, [ebp - 0x10]; mov [esp + 4], eax; mov [esp], esi; call [edx + 0x20]
> 0x0003823e : mov ebp, [eax + 0x2c]; mov ebx, [eax + 0x34]; mov edx, [eax + 0x38]; mov ecx, [eax + 0x3c]; mov eax, [eax + 0x40]; ret
> 0x0002868b : mov ebx, [ecx]; mov esi, [ecx + 4]; mov edi, [ecx + 8]; mov ebp, [ecx + 0xc]; mov esp, [ecx + 0x10]; jmp edx
> 0x0005fc3d : mov ecx, [edi + 0x1c]; mov eax, [edi + 0x20]; sub eax, ecx; mov [esp + 4], ecx; mov [esp + 8], eax; mov [esp], edi; call edx
> 0x0003823b : mov esi, [eax + 0x28]; mov ebp, [eax + 0x2c]; mov ebx, [eax + 0x34]; mov edx, [eax + 0x38]; mov ecx, [eax + 0x3c]; mov eax, [eax + 0x40]; ret
> 0x000f7428 : mov edx, [edi]; lea eax, [ebp - 0x10]; mov ecx, [edx + 4]; mov [esp + 8], eax; mov [esp + 4], esi; mov [esp], edx; call [ecx + 0x14]