ropshell> use 3e5c9b44fc491e6dd5e480fcb316bf2d
name         : libc.so.6 (x86_64/ELF)
base address : 0x1f940
total gadgets: 16079
ropshell> suggest "load mem"
> 0x00069edc : mov eax, [rdx]; ret
> 0x000b3fa0 : mov eax, [rdi]; ret
> 0x00118232 : mov rax, [rdi + 0x18]; ret
> 0x000d2f31 : mov eax, [rdx + 8]; ret
> 0x000d216e : mov eax, [rsi + 0x14]; ret
> 0x00118233 : mov eax, [rdi + 0x18]; ret
> 0x0007e9ce : mov ecx, [rax + rax]; ret
> 0x00143fb3 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00083a53 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000cf817 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x00075bee : mov rax, [rdi]; mov [rdx], rax; ret
> 0x0002026b : mov rdx, [rax]; call rbp
> 0x00094540 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000a77c3 : mov rdi, [rax]; call r14
> 0x000e580b : mov rdi, [rbx]; call rbp
> 0x00034b23 : mov rdi, [r12]; call r13
> 0x0002026c : mov edx, [rax]; call rbp
> 0x000a77c4 : mov edi, [rax]; call r14
> 0x000e580c : mov edi, [rbx]; call rbp
> 0x001203ef : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0006e8fa : mov edx, [rdi + 0xc0]; mov eax, edx; ret
> 0x00072d5b : movzx r8, [rax]; add rsp, 8; pop rbx; pop rbp; ret
> 0x000ef7db : mov eax, [rsi]; pop rbp; pop r12; pop r13; pop r14; ret
> 0x000ef7da : mov eax, [r14]; pop rbp; pop r12; pop r13; pop r14; ret
> 0x000c6627 : mov eax, [rbx + 4]; pop rbx; pop rbp; pop r12; ret
> 0x0013c7a0 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000d4207 : mov rdx, [r12]; mov rsi, rbx; call r14
> 0x000e5b08 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x00091236 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x000e5b09 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x000b7f33 : mov rcx, [rdi + 0x18]; mov [rdi + 0x18], rcx; ret
> 0x000daf76 : mov rdx, [rsi + 0x78]; mov [rdi + 0x100], rdx; ret
> 0x000f0830 : mov eax, [rcx + 8]; sub eax, [rdx + 8]; ret
> 0x000b7f34 : mov ecx, [rdi + 0x18]; mov [rdi + 0x18], rcx; ret
> 0x000d4a77 : mov rcx, [r12]; mov rdi, [rbp - 0xb8]; call r14
> 0x00034b20 : mov rsi, [r14]; mov rdi, [r12]; call r13
> 0x000b8ce4 : mov ecx, [rdx]; add al, ch; movsb [rdi], [rsi]; ret
> 0x000e3575 : mov ebp, [rbx]; add [rbx + 0x5d], bl; pop r12; pop r13; ret
> 0x000708c0 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0006bae9 : mov rax, [rsi + 0x130]; call [rax + 0x68]
> 0x0011379a : mov rax, [r14 + 0x60]; call [rax + 8]
> 0x00114f72 : mov rax, [r15 + 8]; call [rax + 0x10]
> 0x00070894 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0007e538 : mov rdi, [rbx + 0x48]; call [rbx + 0x40]
> 0x000f3e63 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0006cb03 : mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x00070895 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0007e539 : mov edi, [rbx + 0x48]; call [rbx + 0x40]
> 0x000f3e64 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00133c14 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x00108fe4 : mov rdx, [rbx]; mov [rbp], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0009b370 : mov rdi, [r14]; lea r9, [rsp + 0x30]; call r13
> 0x00108fe5 : mov edx, [rbx]; mov [rbp], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0009b371 : mov edi, [rsi]; lea r9, [rsp + 0x30]; call r13
> 0x0013c8c6 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x000708f1 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000df860 : mov rax, [r12 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0006f6e7 : mov rdx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x00041ef5 : mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00041bc5 : mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00098ee0 : mov eax, [r8 + 4]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0006e3ab : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x00041ef6 : mov ecx, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x0006f6e8 : mov edx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x0010b235 : mov rax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x00094684 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x001135f3 : mov rdx, [rdi + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x00072cc8 : mov rbp, [rdi + 0x90]; pop rbx; sub rbp, rax; mov rax, rbp; pop rbp; pop r12; ret
> 0x0006d4c0 : mov rbp, [r15 + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0006ced2 : mov r9, [rdx + 8]; mov rdx, r12; call [rbp + 0x18]
> 0x0006d5c1 : mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0010b236 : mov eax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x0006d5c2 : mov esi, [rdi + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x00072cc9 : mov ebp, [rdi + 0x90]; pop rbx; sub rbp, rax; mov rax, rbp; pop rbp; pop r12; ret
> 0x0010378a : mov rax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00115f10 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x00113a68 : mov rdi, [r15]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x0010378b : mov eax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00064dec : mov rdx, [r9 + 0x88]; mov [rdx + 8], r8; add [rdx + 4], 1; ret
> 0x000bc100 : mov rdi, [rax + r14]; mov rsi, [rbp - 0x1b8]; call [r15 + 0x40]
> 0x00032e42 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x000f47ee : mov edx, [rcx + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x000f4379 : mov edx, [rbp + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x0010448b : movzx edx, [r10 + 1]; add r10, 2; mov [r8], edx; mov [r9], r10; ret
> 0x000f4378 : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x000f486e : mov edx, [r14 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x000bc101 : mov edi, [rax + rsi]; mov rsi, [rbp - 0x1b8]; call [r15 + 0x40]
> 0x0006caff : mov rcx, [rbx + 8]; mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x0010cb58 : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00110424 : mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x000c1245 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x0006cb00 : mov ecx, [rbx + 8]; mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x0010cb59 : mov esi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00110425 : mov edi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x001148c9 : mov rax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x000e5bac : mov rsi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x001148ca : mov eax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x000e5bad : mov esi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x00074bfe : movzx esi, [rbp]; mov rdi, r14; lea rbx, [rbp + 1]; call [rax + 0x18]
> 0x00041ef1 : mov r8, [rsi + 0x28]; mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00041bc1 : mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x001045fe : mov r10, [rsi + 8]; mov [rdi + rdx + 8], r9; mov [rdi + rdx + 0x10], r10; ret
> 0x00108ea8 : mov rdx, [r15]; mov [rbp], rax; mov r8, rbx; mov rcx, r14; mov rdi, r13; call r12
> 0x00108ea9 : mov edx, [rdi]; mov [rbp], rax; mov r8, rbx; mov rcx, r14; mov rdi, r13; call r12
> 0x0006b5c1 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0006d457 : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rsp + 8], rcx; mov rdi, r15; call rax
> 0x0010b731 : mov rsi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x000dd8b4 : mov rdi, [r14 + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x00094457 : mov r9, [r8 + rax]; movsxd rcx, [r11 + rdx*4]; lea rcx, [r11 + rcx]; jmp rcx
> 0x0010b732 : mov esi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00113773 : mov esi, [r14 + 0x88]; mov rdi, rbp; mov [r14 + 0x58], 0; call [rax + 0x28]
> 0x000dd8b5 : mov edi, [rsi + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x00032e3e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x001045fb : mov r9, [rsi]; mov r10, [rsi + 8]; mov [rdi + rdx + 8], r9; mov [rdi + rdx + 0x10], r10; ret
> 0x0010cb54 : mov rax, [r13 + 8]; mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00110420 : mov rsi, [rcx + 8]; mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00112c88 : mov rsi, [rdi + 0x1c]; mov rdi, [rdi + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00110421 : mov esi, [rcx + 8]; mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x0010cf58 : movsxd rax, [rsi]; mov rsi, rsp; mov [rsp + 8], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x0010d07e : mov rdi, [rbp]; mov r12, rax; add r12, [rbp + 0x50]; sub edx, eax; mov rsi, r12; call [rbp + 0x40]
> 0x0010d07f : mov edi, [rbp]; mov r12, rax; add r12, [rbp + 0x50]; sub edx, eax; mov rsi, r12; call [rbp + 0x40]
> 0x0006d5b8 : mov rbx, [rax + 0x50]; mov [rsp + 8], rsi; mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0006d9ad : mov rcx, [r15 + 0x10]; mov rax, [rax + 0x60]; sar r8, 2; mov [rsp + 0x30], rax; call [r14 + 0x30]
> 0x000f47e6 : mov rdx, [rcx + 0x38]; mov [rbp - 0x70], rdx; mov edx, [rcx + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x000f4370 : mov rdx, [r13 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x000f4866 : mov rdx, [r14 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r14 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x0009b5c1 : mov rdi, [rbp + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x0006d5b9 : mov ebx, [rax + 0x50]; mov [rsp + 8], rsi; mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0009b5c2 : mov edi, [rbp + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x0004ff21 : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x4a0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x00032e3a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00116666 : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x00116667 : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]