ROPSHELL 
ropshell> use 35ef4ffc9c6ad7ffd1fd8c16f14dc766 (download)
name         : libc.so.6 (x86_64/ELF)
base address : 0x212d0
total gadgets: 16861

ropshell> suggest "load mem"
> 0x00081b5c : mov eax, [rdx]; ret
> 0x000e0180 : mov eax, [rdi]; ret
> 0x000e0070 : mov rax, [rdi + 0x20]; ret
> 0x000e0071 : mov eax, [rdi + 0x20]; ret
> 0x0018afa3 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x000ac3b3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x00101277 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x0008fb84 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x00105fc9 : mov rcx, [r14]; call r12
> 0x00021b23 : mov rdx, [rax]; call rbp
> 0x000b6980 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0011d35d : mov rdi, [rbx]; call r12
> 0x0011d383 : mov rdi, [rbp]; call r12
> 0x000bd789 : mov rdi, [r12]; call rbp
> 0x0011df5b : mov rdi, [r13]; call r12
> 0x00021b24 : mov edx, [rax]; call rbp
> 0x0011d35e : mov edi, [rbx]; call r12
> 0x0011d384 : mov edi, [rbp]; call r12
> 0x00184aef : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x000838ff : mov eax, [rsi]; add rsp, 8; pop rbx; pop rbp; ret
> 0x000430eb : mov rdi, [rax + 0x20]; call rdx
> 0x0009d068 : mov rdi, [rbx + 0x48]; call rax
> 0x000430ec : mov edi, [rax + 0x20]; call rdx
> 0x0009d069 : mov edi, [rbx + 0x48]; call rax
> 0x0017d1f0 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000b34b6 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x0009dd01 : mov edi, [rcx]; add [rax], eax; cmove rax, rdx; ret
> 0x0003fbcd : mov edx, [rdi]; test edx, edx; mov edx, 1; cmove eax, edx; ret
> 0x0008948c : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0015d50d : mov rax, [rbp + 8]; call [rax + 8]
> 0x00156cf4 : mov rax, [r15 + 0x60]; call [rax + 8]
> 0x00089467 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0012e998 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x000851d0 : mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x0008948d : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0015d50e : mov eax, [rbp + 8]; call [rax + 8]
> 0x000851d1 : mov ecx, [rax + 0x10]; call [rbp + 0x18]
> 0x00089468 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0013024f : mov edx, [rdi + 0x28]; xor eax, eax; test edx, edx; sete al; ret
> 0x0012e999 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00174664 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x001218df : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0011d800 : mov rsi, [rbx]; mov rdi, r12; mov r13, rbx; call rbp
> 0x000bdb78 : mov rdi, [r14]; lea r9, [rsp + 0x28]; call r12
> 0x00166dc5 : mov ecx, [rdx]; mov rdx, r14; add r9, r15; call rax
> 0x001218e0 : mov edx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0011d801 : mov esi, [rbx]; mov rdi, r12; mov r13, rbx; call rbp
> 0x000bdb79 : mov edi, [rsi]; lea r9, [rsp + 0x28]; call r12
> 0x0017d316 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x000894c1 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x00114c30 : mov rax, [r12 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00088114 : mov rdx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x000524b5 : mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00052185 : mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x000b3539 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x000894c2 : mov eax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x0012f899 : mov eax, [r12 + 0x60]; mov [rbp - 0x80], eax; call rcx
> 0x00086c1b : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x000524b6 : mov ecx, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00052186 : mov ecx, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00088115 : mov edx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x0003fea4 : mov rax, [rsi]; and rax, [r8]; mov [rdi], rax; xor eax, eax; ret
> 0x0011d898 : mov rsi, [rax]; mov rdi, [rbp - 0x58]; mov r12d, r14d; call r15
> 0x0011d899 : mov esi, [rax]; mov rdi, [rbp - 0x58]; mov r12d, r14d; call r15
> 0x000308e0 : mov rax, [rsi + 0x70]; movsxd rdi, edi; mov eax, [rax + rdi*4]; ret
> 0x0014d3db : mov rax, [r10 + 8]; mov rdi, r10; call [rax + 0x20]
> 0x0014cdc1 : mov rax, [r13 + 8]; mov rdi, r13; call [rax + 0x20]
> 0x00157b6c : mov rax, [r14 + 0x60]; mov rdi, rbp; call [rax + 0x20]
> 0x000b6ac4 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x000b69d3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00156ae3 : mov rdx, [rdi + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x000867ea : mov rbp, [rbx + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0008b908 : mov rbp, [rdi + 0x90]; sub rbp, rax; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x00085a48 : mov rbp, [r15 + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00085c95 : mov r13, [r15 + 0x98]; mov rdi, r13; call [r13 + 0x20]
> 0x00157b6d : mov eax, [rsi + 0x60]; mov rdi, rbp; call [rax + 0x20]
> 0x000867eb : mov ebp, [rbx + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0008b909 : mov ebp, [rdi + 0x90]; sub rbp, rax; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x0015abd0 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x00157dd6 : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x20]
> 0x001534fc : mov rdi, [r15]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x0008e56a : movzx esi, [rcx]; lea rbx, [rcx + 1]; call [rax + 0x18]
> 0x00157dd7 : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x20]
> 0x0016395a : mov ebp, [rax]; add [rax - 0x77], cl; xlatb ; call [rax + 0x20]
> 0x0007be53 : mov rdx, [r8 + 0x88]; mov [rdx + 8], r9; add [rdx + 4], 1; ret
> 0x00130060 : mov edx, [rbp + 0x60]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x0012f926 : mov edx, [r12 + 0x60]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x0013005f : mov edx, [r13 + 0x60]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x00105e44 : mov rdx, [r14]; mov rsi, [rbp - 0x1f0]; lea r8, [rax + r13]; call r12
> 0x00041f65 : mov rsi, [r15]; mov rdi, [r13]; mov rax, [rsp + 8]; call rax
> 0x00041f66 : mov esi, [rdi]; mov rdi, [r13]; mov rax, [rsp + 8]; call rax
> 0x000861e7 : mov rcx, [rbx + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x0014e88c : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x0003ed53 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x000edc95 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x000861e8 : mov ecx, [rbx + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x0014e88d : mov esi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00158aa9 : mov rax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x00158aaa : mov eax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x00059586 : mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x8a8]; sub rdx, rsi; call [rbx + 0x38]
> 0x000524b1 : mov r8, [rsi + 0x28]; mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00052181 : mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00149e60 : mov rdx, [r15]; mov [rbx], rax; mov r8, rbp; mov rcx, r14; mov rdi, r13; call r12
> 0x000833c1 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0014d25e : mov rsi, [rbp + 0x20]; mov r12d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00156cce : mov esi, [rdi + 0x88]; mov rdi, rbp; mov [r15 + 0x58], 0; call [rax + 0x28]
> 0x0014d25f : mov esi, [rbp + 0x20]; mov r12d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00156ccd : mov esi, [r15 + 0x88]; mov rdi, rbp; mov [r15 + 0x58], 0; call [rax + 0x28]
> 0x0013bf33 : movsxd rax, [r15]; add [rax - 0x68], cl; mov eax, [rdx + rax*8 + 4]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00124335 : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; nop ; mov [rip + 0x2c7015], 0; pop rbp; ret
> 0x00124336 : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; nop ; mov [rip + 0x2c7015], 0; pop rbp; ret
> 0x00065c10 : mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8d0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x00024ee6 : movsx r9, [rdx + 0x1a]; movsx edx, [rdx + 0x1b]; mov [rax + 0x50], ecx; mov [rax + 0x54], edx; ret
> 0x00030131 : mov rsi, [rdi + 0x78]; mov rcx, [rip + 0x3bad9c]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0003ed4f : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00163207 : mov ebx, [rax]; mov eax, 2; cmp ebx, 3; cmove ebx, eax; mov rax, [rip + 0x289335]; call [rax + 0x28]
> 0x0005217a : mov rcx, [rdi + 0x98]; mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00059582 : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x8a8]; sub rdx, rsi; call [rbx + 0x38]
> 0x0012f91a : mov rdx, [r12 + 0x80]; mov [rbp - 0x70], rdx; mov edx, [r12 + 0x60]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x00130054 : mov rdx, [r13 + 0x80]; mov [rbp - 0x70], rdx; mov edx, [r13 + 0x60]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x000bddb9 : mov rdi, [r12 + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x00105fb3 : mov r8, [r14 + 8]; mov rdx, [rbp - 0x1e0]; add rax, rbx; mov rdi, [rbp - 0x190]; push rax; mov rcx, [r14]; call r12
> 0x00065c0c : mov rsi, [r14 + 0x18]; mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8d0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0014f03f : mov edx, [r15 + 0x48]; and eax, 3; mov rdi, [r15]; add r14, rax; sub edx, eax; mov rsi, r14; call [r15 + 0x40]
> 0x00024edf : movsx rcx, [rdx + 0x19]; mov [rax + 0x4c], ecx; movsx ecx, [rdx + 0x1a]; movsx edx, [rdx + 0x1b]; mov [rax + 0x50], ecx; mov [rax + 0x54], edx; ret

© 2014 - 2019 - Powered by ROPEME | Contact