ROPSHELL 
ropshell> use 359c637cf2313e06cd9224604ec748f6 (download)
name         : libc.so.6 (x86_64/ELF)
base address : 0x26400
total gadgets: 16202

ropshell> suggest "load mem"
> 0x0007870c : mov eax, [rdx]; ret
> 0x000d1b40 : mov eax, [rdi]; ret
> 0x00084e90 : mov rax, [rdi + 0x68]; ret
> 0x000db621 : mov eax, [rdx + 8]; ret
> 0x001343c0 : mov eax, [rdi + 0x20]; ret
> 0x000a3a25 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x0007b349 : mov edx, [rax]; mov eax, edx; ret
> 0x00084b7d : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000a8a80 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0010aa8e : mov rsi, [rbx]; call r12
> 0x0010a708 : mov rdi, [rbx]; call rbp
> 0x000a8a21 : mov edx, [rsi]; mov [rdi], dx; ret
> 0x0010aa8f : mov esi, [rbx]; call r12
> 0x0010a709 : mov edi, [rbx]; call rbp
> 0x0009d341 : mov ecx, [rax + rax]; cmovne rax, rdx; ret
> 0x00168717 : movzx ecx, [rsi + rcx]; sub eax, ecx; ret
> 0x0017455f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x00035dde : mov edi, [rax + rdx]; mov eax, edi; ret
> 0x0009b7f8 : mov rdi, [rbx + 0x48]; call rax
> 0x0009b7f9 : mov edi, [rbx + 0x48]; call rax
> 0x0012cfcb : mov rax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x00172b6e : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000f2787 : mov rdx, [rax]; mov [rax], rdi; mov rax, rdx; ret
> 0x0010928b : mov rbp, [r12]; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x0012cfcc : mov eax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x00172ba0 : mov eax, [rcx]; mov [rdx], eax; mov rax, rdi; ret
> 0x0008773e : mov eax, [rsi]; neg eax; sbb eax, eax; and eax, 0x16; ret
> 0x0003e035 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x00111ee9 : mov edx, [r12]; pop rbx; pop rbp; pop r12; mov eax, edx; ret
> 0x00085c78 : mov rax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x00093140 : mov rcx, [rdi + 0x18]; mov [rax + 0x18], rcx; ret
> 0x00085cf9 : mov rdx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x00085c6c : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x00085c79 : mov eax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x0015a902 : movzx eax, [rsi + rdx]; mov [rdi + rdx], r8b; ret
> 0x000e5648 : mov eax, [rbp + 0x4c]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00093141 : mov ecx, [rdi + 0x18]; mov [rax + 0x18], rcx; ret
> 0x00085cfa : mov edx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x00085c6d : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0010ab23 : mov rsi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x001132d2 : mov eax, [rbp]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x001132d1 : mov eax, [r13]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0010ab24 : mov esi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x00146549 : mov rax, [r15 + 0x60]; call [rax + 8]
> 0x000a0a8e : mov rbx, [r12 + 0x908]; mov rax, rbx; pop rbx; pop rbp; pop r12; ret
> 0x0007f6f7 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x001178d3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0002897f : mov rdi, [r13 + 0x10]; add rdi, rbx; call r12
> 0x0007f6f8 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x001178d4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00028980 : mov edi, [rbp + 0x10]; add rdi, rbx; call r12
> 0x000a8a90 : mov rcx, [rsi]; mov [rdi + 8], dh; mov [rdi], rcx; ret
> 0x0010b77f : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0008c5d0 : mov rdx, [rdi]; lea rax, [rip + 0x149ae6]; mov [rax], edx; ret
> 0x0010b780 : mov edx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00172b8b : mov rax, [rcx + 8]; mov [rdx + 8], rax; mov rax, rdi; ret
> 0x0007f751 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000fc518 : mov rax, [r13 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x000424b2 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00172bc6 : mov eax, [rcx + 8]; mov [rdx + 8], eax; mov rax, rdi; ret
> 0x000424b3 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0003e075 : mov rax, [rsi]; and rax, [rdx]; mov [rdi], rax; xor eax, eax; ret
> 0x00086f24 : mov rax, [rsi + 0x18]; sub rcx, rdx; lea rax, [rcx + rax + 0x4000]; ret
> 0x00149616 : mov rax, [rbp + 0x18]; mov rdi, r13; call [rax + 0x20]
> 0x0013e990 : mov rax, [r12 + 8]; mov rdi, r12; call [rax + 0x20]
> 0x00146040 : mov rax, [r14 + 0x70]; mov rdi, r12; call [rax + 0x20]
> 0x000a8bc4 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x000a8ad3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00146528 : mov esi, [rdi + 0x88]; mov rdi, rbx; call [rax + 0x28]
> 0x00146527 : mov esi, [r15 + 0x88]; mov rdi, rbx; call [rax + 0x28]
> 0x0012624a : mov rax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0010a80b : mov rdx, [r11]; and edx, 1; or rax, rdx; mov [r11], rax; pop rbx; pop rbp; ret
> 0x00135689 : mov rdx, [r15]; mov r8, rbx; mov rcx, r14; mov rdi, r13; call r12
> 0x00143472 : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x00146bc2 : mov rdi, [r14]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x00143473 : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x00146bc3 : mov edi, [rsi]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x0003d3a2 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x000410a8 : mov rdi, [r15]; mov rdx, [rsp + 8]; mov rax, [rsp]; call rax
> 0x001402e4 : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00035c18 : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x00153076 : mov r8, [rbx + 0x10]; call [rax + 0x330]; mov [rbx], rax; pop rax; pop rdx; pop rbx; ret
> 0x00091fc4 : mov r15, [rbx + 0x18]; mov rdi, [rbx + 8]; call [rbx]
> 0x000f1e8b : movzx ecx, [r15 + 0x30]; movsxd rcx, [rsi + rcx*4]; add rcx, rsi; jmp rcx
> 0x001402e5 : mov esi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x0010ef1d : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xc734e], 0; ret
> 0x0013e333 : mov rdi, [r12]; mov rsi, r13; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0010ef1e : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xc734e], 0; ret
> 0x00083a27 : movzx esi, [r14]; lea rbx, [r14 + 1]; mov rdi, r15; call [rax + 0x18]
> 0x0007d6d7 : mov rcx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0007b37b : mov rcx, [rdx + 0x20]; cmp rax, rcx; cmovb rax, rcx; sub rax, [rdx + 0x10]; sar rax, 2; ret
> 0x000424ae : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0007d6d8 : mov ecx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x00085e1e : mov r10, [rdx]; mov rax, [rax + 0x338]; mov rdx, [rbx + 0x20]; push r10; call rax
> 0x0013ee5e : mov rsi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x0013ee5f : mov esi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x0003d39e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0005d03c : movzx edx, [rcx + rax]; lea rax, [rip + 0x133cb9]; movsxd rax, [rax + rdx*4]; add rax, rdi; jmp rax
> 0x00155fce : mov rax, [r15]; sub eax, [rsi]; mov ecx, [rdi + rdx - 4]; mov edi, [rsi + rdx - 4]; sub ecx, edi; or eax, ecx; ret
> 0x00144bf6 : mov rsi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x00144bf7 : mov esi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x00117f79 : mov edx, [rbp + 0x18]; movdqu xmm5, xmm[r13 + 0x30]; mov [rbp - 0x80], edx; mov rdx, r14; movups xmm[rbp - 0x78], xmm5; call rax
> 0x00117fd9 : mov edx, [r12 + 0x18]; movdqu xmm3, xmm[r12 + 0x30]; mov [rbp - 0x80], edx; mov rdx, r13; movups xmm[rbp - 0x78], xmm3; call rax
> 0x00117f78 : mov edx, [r13 + 0x18]; movdqu xmm5, xmm[r13 + 0x30]; mov [rbp - 0x80], edx; mov rdx, r14; movups xmm[rbp - 0x78], xmm5; call rax
> 0x00117f12 : mov edx, [r15 + 0x18]; movdqu xmm1, xmm[r15 + 0x30]; mov [rbp - 0x80], edx; mov rdx, r13; movups xmm[rbp - 0x78], xmm1; call rax
> 0x0003d39a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0003d39b : mov ebp, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00035cd8 : mov rcx, [rax + 0xb0]; mov rdx, [rip + 0x1a014a]; mov [rdx], rcx; mov rdx, [rax + 0xb8]; mov rax, [rip + 0x1a01f9]; mov [rax], rdx; ret
> 0x0004d5f6 : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0004d5f7 : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x001495e6 : mov rbp, [rdi + 0x48]; mov rax, [rbp + 0x18]; lea r13, [rbp + 0x10]; mov [rbp + 0x10], 0; mov rdi, r13; call [rax + 0x28]

© 2014 - 2019 - Powered by ROPEME | Contact