ropshell> use 33f2e09e5c0755fe275b9865f9023c8b
name         : IPGen2_64.exe (x86_64/PE)
base address : 0x401000
total gadgets: 34433
ropshell> suggest "load mem"
> 0x004065d0 : mov rax, [rcx]; ret
> 0x004065d1 : mov eax, [rcx]; ret
> 0x00547570 : mov rax, [rcx + 0x100]; ret
> 0x00547571 : mov eax, [rcx + 0x100]; ret
> 0x00466e3a : mov eax, [r8 + 8]; ret
> 0x0040b59b : movzx rcx, [rdx + 3]; sub eax, ecx; ret
> 0x0040b59c : movzx ecx, [rdx + 3]; sub eax, ecx; ret
> 0x0044ae93 : mov edx, [rax + 0x28c48348]; pop rbx; pop rsi; ret
> 0x004845e4 : mov rax, [rdx]; call [rax - 0x50]; add rsp, 0x28; ret
> 0x004845e5 : mov eax, [rdx]; call [rax - 0x50]; add rsp, 0x28; ret
> 0x004f9674 : mov edi, [rax]; add al, 0; add bh, al; ret 0xcf
> 0x0044af24 : mov rax, [rdx + 0x18]; call rax
> 0x00440d32 : mov rbx, [rbp + 0x28]; call rbx
> 0x004fe2f4 : mov rcx, [rbp + 0x120]; call rbx
> 0x0053034e : mov rdx, [rax + 0x38]; call rbx
> 0x00530926 : mov rdx, [rbp + 0x208]; call rax
> 0x0047476f : mov r8, [rax + 0x28]; call rbx
> 0x00502a3b : mov r8, [rbp + 0x38]; call rsi
> 0x00515a9d : mov r9, [rax + 0x50]; call rbx
> 0x004cb3cf : movsx r9, [rsi + 0x12]; call r14
> 0x004cb9b7 : mov r9, [rbp + 0x24]; call rax
> 0x0044af25 : mov eax, [rdx + 0x18]; call rax
> 0x0047014d : mov eax, [rbp + 0x34]; call rsi
> 0x00440d33 : mov ebx, [rbp + 0x28]; call rbx
> 0x00515a9e : mov ecx, [rax + 0x50]; call rbx
> 0x004cb3d0 : movsx ecx, [rsi + 0x12]; call r14
> 0x004fe2f5 : mov ecx, [rbp + 0x120]; call rbx
> 0x00530927 : mov edx, [rbp + 0x208]; call rax
> 0x0043b170 : mov rax, [rbx]; call [rax + 0x10]
> 0x004a0c7e : mov rax, [rsi]; call [rax + 0x18]
> 0x00515f65 : mov rax, [rdi]; call [rax + 0x28]
> 0x005ea1a7 : mov rax, [r13]; call [rax + 0x48]
> 0x00515daf : mov rax, [r14]; call [rax + 0x30]
> 0x004657f9 : mov rbx, [rax]; call [rbx + 0x10]
> 0x0049f736 : mov rbx, [rsi]; call [rbx + 0x10]
> 0x0049a647 : mov rbx, [rdi]; call [rbx + 0x28]
> 0x00519ba8 : mov rbx, [r13]; call [rbx + 0x28]
> 0x00519bb4 : mov rbx, [r14]; call [rbx + 0x28]
> 0x004628f2 : mov rsi, [rax]; call [rsi + 0x10]
> 0x004a0c90 : mov rsi, [rbx]; call [rsi + 0x10]
> 0x0049adfc : mov rsi, [rdi]; call [rsi + 0x28]
> 0x00534a28 : mov rsi, [r14]; call [rsi + 0x40]
> 0x0055985a : mov rdi, [rax]; call [rdi + 0x10]
> 0x0046493b : mov rdi, [rbx]; call [rdi + 0x10]
> 0x0047a4b7 : mov rdi, [rsi]; call [rdi + 8]
> 0x0051aaae : mov r13, [rax]; call [r13 + 0x10]
> 0x005eb81f : mov r13, [rbx]; call [r13 + 0x48]
> 0x0049a4ea : mov r13, [rsi]; call [r13 + 0x58]
> 0x0054e56b : mov r13, [rdi]; call [r13 + 0x48]
> 0x004695e1 : mov r14, [rax]; call [r14 + 0x18]
> 0x006435f9 : mov r14, [rbx]; call [r14 + 0x48]
> 0x005318ce : mov r14, [rsi]; call [r14 + 0x30]
> 0x0051a615 : mov r14, [rdi]; call [r14 + 0x40]
> 0x0043b171 : mov eax, [rbx]; call [rax + 0x10]
> 0x004a0c7f : mov eax, [rsi]; call [rax + 0x18]
> 0x00515f66 : mov eax, [rdi]; call [rax + 0x28]
> 0x005ea1a8 : mov eax, [rbp]; call [rax + 0x48]
> 0x004657fa : mov ebx, [rax]; call [rbx + 0x10]
> 0x0049f737 : mov ebx, [rsi]; call [rbx + 0x10]
> 0x0049a648 : mov ebx, [rdi]; call [rbx + 0x28]
> 0x00519ba9 : mov ebx, [rbp]; call [rbx + 0x28]
> 0x004695e2 : mov esi, [rax]; call [r14 + 0x18]
> 0x006435fa : mov esi, [rbx]; call [r14 + 0x48]
> 0x0051a616 : mov esi, [rdi]; call [r14 + 0x40]
> 0x0046493c : mov edi, [rbx]; call [rdi + 0x10]
> 0x0047a4b8 : mov edi, [rsi]; call [rdi + 8]
> 0x0051aaaf : mov ebp, [rax]; call [r13 + 0x10]
> 0x005eb820 : mov ebp, [rbx]; call [r13 + 0x48]
> 0x0049a4eb : mov ebp, [rsi]; call [r13 + 0x58]
> 0x0054e56c : mov ebp, [rdi]; call [r13 + 0x48]
> 0x00403841 : mov r9, [r8 + rcx]; mov [r8 + rdx], r9; ret
> 0x0057ffe7 : mov rax, [rbp + 0x150]; call [rax + 0x28]
> 0x0047822e : mov rcx, [rbx + 8]; call [rbx]
> 0x0058182b : mov rcx, [rsi + 8]; call [rsi]
> 0x0040f669 : mov rcx, [rdi + 8]; mov rdx, rsi; call rbx
> 0x0047d13f : mov rcx, [r11 + 8]; call [r11]
> 0x0047d140 : mov ecx, [rbx + 8]; call [r11]
> 0x0040f66a : mov ecx, [rdi + 8]; mov rdx, rsi; call rbx
> 0x0044eb73 : mov edx, [r8 + 0x20]; call [rbp + 0x20]
> 0x0046c008 : mov rbx, [rcx]; mov rcx, rax; call [rbx + 0x10]
> 0x005499af : mov rbx, [rdx]; mov edx, eax; call [rbx + 0x40]
> 0x00449664 : mov rsi, [rcx]; mov rcx, rax; call [rsi + 0x70]
> 0x005769cf : mov rdi, [rcx]; mov rcx, rax; call [rdi + 0x78]
> 0x0046c009 : mov ebx, [rcx]; mov rcx, rax; call [rbx + 0x10]
> 0x005499b0 : mov ebx, [rdx]; mov edx, eax; call [rbx + 0x40]
> 0x00449665 : mov esi, [rcx]; mov rcx, rax; call [rsi + 0x70]
> 0x005769d0 : mov edi, [rcx]; mov rcx, rax; call [rdi + 0x78]
> 0x0040dcda : mov rax, [rbx + 0x20]; lea rsp, [rbp + 0x238]; pop rbx; pop rbp; ret
> 0x004c6626 : movzx rax, [rsi + 0x34]; test ax, 1; setne r8b; call rdi
> 0x0041128a : movsxd rcx, [rax + 0x3c]; mov rax, [rsp + 8]; add rax, rcx; ret
> 0x0040dcdb : mov eax, [rbx + 0x20]; lea rsp, [rbp + 0x238]; pop rbx; pop rbp; ret
> 0x004c6627 : movzx eax, [rsi + 0x34]; test ax, 1; setne r8b; call rdi
> 0x004731f3 : mov rdx, [rsi]; mov rbx, [rbx]; call [rbx + 0x48]
> 0x004731f4 : mov edx, [rsi]; mov rbx, [rbx]; call [rbx + 0x48]
> 0x004cf7ba : mov rcx, [r14 + 8]; mov rdx, rsi; call [r14]
> 0x00549c08 : mov rdx, [rbx + 0xd0]; lea r8, [rbx + 0x90]; call rax
> 0x00546aa4 : mov rdx, [rcx + 0x10]; mov rcx, rax; call [rbx]
> 0x00506ab0 : movzx rdx, [rsi + 8]; lea r8, [rbp + 0x3c]; call rdi
> 0x004037b4 : mov r8, [rcx + 0x10]; movdqa xmm[rdx], xmm0; mov [rdx + 0x10], r8; ret
> 0x004cb3ca : movsx r8, [rsi + 0x10]; movsx r9, [rsi + 0x12]; call r14
> 0x00549c09 : mov edx, [rbx + 0xd0]; lea r8, [rbx + 0x90]; call rax
> 0x00546aa5 : mov edx, [rcx + 0x10]; mov rcx, rax; call [rbx]
> 0x00506ab1 : movzx edx, [rsi + 8]; lea r8, [rbp + 0x3c]; call rdi
> 0x0065528c : mov rdx, [r13 + 0x30]; mov rax, [rsi]; call [rax + 0x70]
> 0x005abb96 : mov edi, [rsi + 0x5a]; add [rax], al; add spl, sil; call rcx
> 0x0052f19c : mov r8, [rbx + 0x4a8]; mov rax, [rbp + 0x28]; call [rax + 0x18]
> 0x005587ca : mov eax, [r9]; sub eax, edx; mov edx, eax; mov rax, [rsp + 0x28]; add [rax], edx; ret
> 0x0052c0c3 : mov rax, [rdi + 0x10]; mov rcx, rax; mov rax, [rax]; call [rax + 0x28]
> 0x004f9022 : mov rax, [ebp + 0x30]; mov rcx, rax; mov rax, [rax]; call [rax + 0x40]
> 0x004a8148 : mov rbx, [rax + 0x10]; mov rcx, rbx; mov rax, [rbx]; call [rax]
> 0x0052c0c4 : mov eax, [rdi + 0x10]; mov rcx, rax; mov rax, [rax]; call [rax + 0x28]
> 0x004a8149 : mov ebx, [rax + 0x10]; mov rcx, rbx; mov rax, [rbx]; call [rax]
> 0x004835bc : mov rcx, [rdx]; mov rdx, [rdx]; mov rdx, [rdx]; mov rdx, [rdx]; mov [rcx], rdx; ret
> 0x0043b381 : mov r9, [rax]; mov [rsp + 0x20], r13d; mov rax, [rbx]; call [rax + 0x18]
> 0x0043b382 : mov ecx, [rax]; mov [rsp + 0x20], r13d; mov rax, [rbx]; call [rax + 0x18]
> 0x004835bd : mov ecx, [rdx]; mov rdx, [rdx]; mov rdx, [rdx]; mov rdx, [rdx]; mov [rcx], rdx; ret
> 0x0054cad1 : mov rcx, [r13 + 8]; mov rdx, rbx; mov r8d, esi; mov r9, rdi; call [r13]
> 0x004cafa6 : movsx r9, [rbx + 0x10]; movsx rax, [rbx + 0x12]; mov [rsp + 0x20], eax; call r13
> 0x004c9151 : mov r10, [rsi + 0x10]; mov r10d, [r10 + 8]; mov [rsp + 0x28], r10d; call rax
> 0x005a9a96 : mov rax, [rbp]; mov [rbp + 8], rax; mov rax, [rbp + 8]; lea rsp, [rbp + 0x10]; pop rbp; ret
> 0x005ea18e : mov rsi, [r13]; call [rsi + 0xd8]; mov rcx, r13; mov rax, [r13]; call [rax + 0x60]
> 0x005ea18f : mov esi, [rbp]; call [rsi + 0xd8]; mov rcx, r13; mov rax, [r13]; call [rax + 0x60]
> 0x005dde63 : mov r10, [rbp + 0x30]; mov [rsp + 0x20], r10; mov rax, [rax]; call [rax + 0x40]
> 0x004a6b76 : mov rax, [ebx + 0x48]; mov rax, [rax + 0x98]; mov rcx, rax; mov rax, [rax]; call [rax]
> 0x0054e5e7 : mov rdi, [rcx + 0x650]; mov rcx, rdi; lea rdx, [rip + 0x2c4]; mov rsi, [rdi]; call [rsi + 0x48]
> 0x005cd28c : mov esi, [rax + 0x48000004]; mov edx, ecx; mov rsi, [rcx]; mov rcx, rdx; mov edx, eax; call [rsi + 0x70]
> 0x0054e5e8 : mov edi, [rcx + 0x650]; mov rcx, rdi; lea rdx, [rip + 0x2c4]; mov rsi, [rdi]; call [rsi + 0x48]
> 0x004c6c5d : movzx rsi, [rbx + 0xa3]; mov rax, [rbx + 0xc8]; mov rcx, rax; xor rdx, rdx; mov rax, [rax]; call [rax + 0x20]
> 0x004a7f6b : mov rsi, [rdi + 0x20]; mov [rdi + 0x20], 0; mov rcx, rbx; mov rdx, rbx; mov rbx, [rbx]; call [rbx + 0x20]
> 0x005b7c55 : mov r8, [r13 + 0x68]; mov r9, rax; mov rax, [rcx]; mov rcx, rdx; mov rdx, r8; mov r8, r9; call [rax + 0x78]
> 0x0061a9d2 : mov r9, [rcx + 0x20]; mov r10d, edx; mov rbx, [rax]; mov rcx, r8; mov rdx, r9; mov r8d, r10d; call [rbx + 0x78]
> 0x004c6c5e : movzx esi, [rbx + 0xa3]; mov rax, [rbx + 0xc8]; mov rcx, rax; xor rdx, rdx; mov rax, [rax]; call [rax + 0x20]
> 0x004a7f6c : mov esi, [rdi + 0x20]; mov [rdi + 0x20], 0; mov rcx, rbx; mov rdx, rbx; mov rbx, [rbx]; call [rbx + 0x20]
> 0x004c8fc4 : mov eax, [r13 + 4]; add eax, edi; mov [r13 + 0xc], eax; mov rcx, rbx; lea rdx, [rbx + 0x60]; mov rbx, [rbx]; call [rbx + 0x58]