ropshell> use 3566a8daafa27af944f5d705eaa64894
name         : tunnel.sys (x86_64/PE)
base address : 0x11000
total gadgets: 1226
ropshell> suggest "load mem"
> 0x000195a9 : mov rsi, [r11 + 0x20]; mov rsp, r11; pop rdi; ret
> 0x0001a4a4 : mov rdi, [r11 + 0x28]; mov rsp, r11; pop r12; ret
> 0x0001ab69 : mov rbp, [r11 + 0x18]; mov rsp, r11; pop rsi; ret
> 0x00020d0c : mov r12, [r11 + 0x20]; mov rsp, r11; pop r13; ret
> 0x0001e1f8 : mov eax, [rcx + 0xf4]; mov [rdx], eax; ret
> 0x000195aa : mov esi, [rbx + 0x20]; mov rsp, r11; pop rdi; ret
> 0x0001a4a5 : mov edi, [rbx + 0x28]; mov rsp, r11; pop r12; ret
> 0x0001ab6a : mov ebp, [rbx + 0x18]; mov rsp, r11; pop rsi; ret
> 0x0001d5d7 : mov rbx, [rdi]; call [rdi + 0x18]
> 0x0001d5d8 : mov ebx, [rdi]; call [rdi + 0x18]
> 0x0001cd44 : mov rax, [rcx + 0x20]; jmp [rax + 0x48]
> 0x0001d56b : mov r8, [rax + 0x20]; jmp [r8 + 0x68]
> 0x0001d433 : mov rax, [rbx + 0x20]; call [rax + 0x78]
> 0x00014d58 : mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x00015ad1 : mov rcx, [rbx + 0x38]; call [rax + 0x10]
> 0x0001d434 : mov eax, [rbx + 0x20]; call [rax + 0x78]
> 0x00014d59 : mov eax, [rdi + 0x20]; call [rax + 0x18]
> 0x00015ad2 : mov ecx, [rbx + 0x38]; call [rax + 0x10]
> 0x000169ac : mov rax, [rdx + 0xf8]; mov rax, [rax + 0x10]; mov rax, [rax]; ret
> 0x0001ab65 : mov rbx, [r11 + 0x10]; mov rbp, [r11 + 0x18]; mov rsp, r11; pop rsi; ret
> 0x0001cfdd : mov r11, [rbx + 0x20]; mov rcx, rbx; call [r11 + 0x28]
> 0x000169ad : mov eax, [rdx + 0xf8]; mov rax, [rax + 0x10]; mov rax, [rax]; ret
> 0x0001d567 : mov rax, [r8 + 0x20]; mov r8, [rax + 0x20]; jmp [r8 + 0x68]
> 0x0001d5d3 : mov rcx, [rdi + 0x10]; mov rbx, [rdi]; call [rdi + 0x18]
> 0x0001d5d4 : mov ecx, [rdi + 0x10]; mov rbx, [rdi]; call [rdi + 0x18]
> 0x0001680c : mov rax, [r13 + 0x40]; lea rcx, [rsp + 0x40]; call [rax + 8]
> 0x00016537 : mov rcx, [r13 + 0x38]; lea rdx, [rsp + 0x80]; call [rax + 0x48]
> 0x0001680d : mov eax, [rbp + 0x40]; lea rcx, [rsp + 0x40]; call [rax + 8]
> 0x00016538 : mov ecx, [rbp + 0x38]; lea rdx, [rsp + 0x80]; call [rax + 0x48]
> 0x0001127a : mov ecx, [rsi + 0x24]; inc [rsi + 0x18]; mov r9, rsi; call [rsi + 0x30]
> 0x00011277 : mov eax, [rsi + 0x28]; mov ecx, [rsi + 0x24]; inc [rsi + 0x18]; mov r9, rsi; call [rsi + 0x30]
> 0x00014d4d : mov eax, [rcx]; mov rcx, [rsp + 0x48]; mov [r13], eax; mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x0001d427 : mov rax, [r12 + 0x30]; mov rcx, rsi; mov [rax + 0x20], rbx; mov rax, [rbx + 0x20]; call [rax + 0x78]
> 0x00016b96 : mov rdx, [rbx + 0x40]; mov [rsp + 0x20], r8; mov [rsi], rcx; lea rcx, [rsp + 0x20]; call [rdx + 0x50]
> 0x00016b97 : mov edx, [rbx + 0x40]; mov [rsp + 0x20], r8; mov [rsi], rcx; lea rcx, [rsp + 0x20]; call [rdx + 0x50]
> 0x00014b74 : mov rdx, [rcx + 8]; mov rcx, [rcx]; lea r8, [rsp + 0x40]; mov rax, [rcx - 0x10]; sub rcx, 0x38; call [rax + 8]
> 0x00016805 : mov ecx, [rax + 0x18]; mov [rsp + 0x68], ecx; mov rax, [r13 + 0x40]; lea rcx, [rsp + 0x40]; call [rax + 8]
> 0x00014b75 : mov edx, [rcx + 8]; mov rcx, [rcx]; lea r8, [rsp + 0x40]; mov rax, [rcx - 0x10]; sub rcx, 0x38; call [rax + 8]
> 0x00014d4a : mov rcx, [rax]; mov eax, [rcx]; mov rcx, [rsp + 0x48]; mov [r13], eax; mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x00014d4b : mov ecx, [rax]; mov eax, [rcx]; mov rcx, [rsp + 0x48]; mov [r13], eax; mov rax, [rdi + 0x20]; call [rax + 0x18]
> 0x00011273 : mov edx, [rsi + 0x2c]; mov r8d, [rsi + 0x28]; mov ecx, [rsi + 0x24]; inc [rsi + 0x18]; mov r9, rsi; call [rsi + 0x30]
> 0x00014ccc : mov r10, [rax + 0x28]; lea rax, [r11 - 0x80]; lea r8, [r11 - 0x58]; xor ecx, ecx; mov [rsp + 0x20], rax; xor esi, esi; call [r10]
> 0x00014ccd : mov edx, [rax + 0x28]; lea rax, [r11 - 0x80]; lea r8, [r11 - 0x58]; xor ecx, ecx; mov [rsp + 0x20], rax; xor esi, esi; call [r10]
> 0x00016b92 : mov rcx, [rdx + 0x10]; mov rdx, [rbx + 0x40]; mov [rsp + 0x20], r8; mov [rsi], rcx; lea rcx, [rsp + 0x20]; call [rdx + 0x50]
> 0x00016b93 : mov ecx, [rdx + 0x10]; mov rdx, [rbx + 0x40]; mov [rsp + 0x20], r8; mov [rsi], rcx; lea rcx, [rsp + 0x20]; call [rdx + 0x50]
> 0x0001ce8a : mov rcx, [rbx]; lea rdx, [rsp + 0x30]; mov [rax], rcx; mov [rcx + 8], rax; mov rax, [rbx + 0x20]; mov rcx, rbx; call [rax + 8]
> 0x0001ce8b : mov ecx, [rbx]; lea rdx, [rsp + 0x30]; mov [rax], rcx; mov [rcx + 8], rax; mov rax, [rbx + 0x20]; mov rcx, rbx; call [rax + 8]
> 0x00016801 : mov rax, [r14 + 8]; mov ecx, [rax + 0x18]; mov [rsp + 0x68], ecx; mov rax, [r13 + 0x40]; lea rcx, [rsp + 0x40]; call [rax + 8]
> 0x0001595a : mov eax, [r12 + 4]; mov [rsp + 0xc0], r15; mov [rsp + 0xa8], eax; mov rax, [rbx + 0x40]; mov rcx, [rbx + 0x38]; call [rax + 0x48]