ropshell> use 3566a8daafa27af944f5d705eaa64894
name         : tunnel.sys (x86_64/PE)
base address : 0x11000
total gadgets: 1226
ropshell> suggest
call
    > 0x000136c3 : call rcx
    > 0x00013990 : call rdx
    > 0x0001840f : call rbp
    > 0x0001866c : call rsp
    > 0x000136c2 : call r9
jmp
    > 0x0001c532 : jmp rcx
    > 0x0001cd49 : jmp [rax + 0x48]
    > 0x00022754 : jmp [rsi + 0x66]
    > 0x0001d56f : jmp [r8 + 0x68]
load mem
    > 0x000195a9 : mov rsi, [r11 + 0x20]; mov rsp, r11; pop rdi; ret
    > 0x0001a4a4 : mov rdi, [r11 + 0x28]; mov rsp, r11; pop r12; ret
    > 0x0001ab69 : mov rbp, [r11 + 0x18]; mov rsp, r11; pop rsi; ret
    > 0x00020d0c : mov r12, [r11 + 0x20]; mov rsp, r11; pop r13; ret
    > 0x0001e1f8 : mov eax, [rcx + 0xf4]; mov [rdx], eax; ret
load reg
    > 0x00013b61 : pop rax; ret
    > 0x00011537 : pop rbx; ret
    > 0x000122cc : pop rsi; ret
    > 0x000116a1 : pop rdi; ret
    > 0x00011205 : pop rbp; ret
pop pop ret
    > 0x00011490 : pop r12; ret
    > 0x00012e33 : pop r12; pop rdi; ret
    > 0x000122c9 : pop r12; pop rdi; pop rsi; ret
    > 0x00011201 : pop r12; pop rdi; pop rsi; pop rbp; ret
    > 0x00012c2b : pop r12; pop rdi; pop rsi; pop rbp; pop rbx; ret
sp lifting
    > 0x00011064 : add rsp, 0x28; ret
    > 0x00011064 : add rsp, 0x28; ret
    > 0x00013359 : add rsp, 0x38; ret
    > 0x00013d7b : add rsp, 0x48; ret
    > 0x00013b5e : add rsp, 0x58; ret
stack pivoting
    > 0x0001865a : xchg eax, esp; ret
    > 0x0001a4a8 : mov rsp, r11; pop r12; ret
    > 0x0001a4a9 : mov esp, ebx; pop r12; ret
    > 0x0001dd38 : xchg rax, rsp; add [rax], al; lea rdx, [rip - 0x63]; lea rcx, [rip + 0x6946]; call [rip + 0x6730]; add rsp, 0x28; ret
    > 0x00012c62 : leave ; cmovne r8d, eax; mov eax, r8d; ret
write mem
    > 0x00022593 : adc [rax + 0xf], ecx; ret
    > 0x000146ee : add [rcx + 0x3b], eax; ror [rdi], 0x84; ret
    > 0x00012c60 : add [rbp + 0x450f44c9], eax; rol [rcx - 0x75], 0xc0; ret
    > 0x00020808 : add [rbp + 0x12], esi; lea rcx, [rip + 0x6e26]; xor r8d, r8d; xor edx, edx; call [rip + 0x3b73]; add rsp, 0x28; ret
    > 0x0001ca45 : add [rbx + 0x40], ebp; lea rcx, [rsp + 0x20]; call [rip + 0x791d]; mov r11, [rbx + 0x20]; mov edx, r12d; mov rcx, rbx; call [r11 + 0x30]