ROPSHELL 
ropshell> use 35fa0b42414147d7c411622e50cbecbd (download)
name         : crossbow (x86_64/ELF)
base address : 0x401010
total gadgets: 503

ropshell> suggest
call
    > 0x0040a5b5 : call rdi
    > 0x0040171d : call rsp
    > 0x0040171c : call r12
    > 0x004016d8 : call [rbx]
    > 0x0040a8b7 : call [rdi + 0x48]
jmp
    > 0x0040109f : jmp rax
    > 0x00403b06 : jmp rcx
    > 0x004020da : jmp rdx
    > 0x00406115 : jmp rsi
    > 0x00406fb6 : jmp rbp
load mem
    > 0x004020f2 : mov rax, [rcx]; mov [rdi], rax; ret
    > 0x004020f3 : mov eax, [rcx]; mov [rdi], rax; ret
    > 0x0040a54e : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
    > 0x0040a6da : mov rax, [rbx + 0x50]; mov edx, 1; pop rbx; jmp rax
    > 0x0040a6db : mov eax, [rbx + 0x50]; mov edx, 1; pop rbx; jmp rax
load reg
    > 0x00404bc7 : pop rax; ret
    > 0x00404b00 : pop rbx; ret
    > 0x00401139 : pop rdx; ret
    > 0x0040566b : pop rsi; ret
    > 0x00401d6c : pop rdi; ret
pop pop ret
    > 0x004018b4 : pop r12; ret
    > 0x004019dd : pop r12; pop r13; ret
    > 0x00405666 : pop r12; pop r13; pop r14; ret
    > 0x00401d65 : pop r12; pop r13; pop r14; pop r15; ret
    > 0x00401d64 : pop rbp; pop r12; pop r13; pop r14; pop r15; ret
sp lifting
    > 0x00401615 : add rsp, 0x158; ret
    > 0x00401615 : add rsp, 0x158; ret
    > 0x00405175 : add rsp, 0x28; ret
    > 0x00404bc4 : add rsp, 0x58; ret
stack pivoting
    > 0x0040136c : leave ; ret
syscall
    > 0x00404b51 : syscall ; ret
write mem
    > 0x00405573 : adc [rdi + 0x20], eax; ret
    > 0x0040a8e8 : adc [rbx + 8], eax; pop rbx; ret
    > 0x00405103 : add [rax + 2], edi; sbb eax, -1; ret
    > 0x00404f52 : add [r8], eax; mov rdx, [rbx]; mov rax, fs:[0]; mov [rax + 0x28], rdx; pop rbx; ret

© 2014 - 2019 - Powered by ROPEME | Contact