ropshell> use 40860aa4eab257bd5c35e2dfac4cca07
name         : libc-2.27.so (i386/ELF)
base address : 0x18610
total gadgets: 16552
ropshell> suggest "stack pivoting"
> 0x00019672 : xchg eax, esp; ret
> 0x0002d6ff : mov esp, ecx; jmp edx
> 0x00041328 : lea esp, [ebp - 8]; pop ebx; pop esi; pop ebp; ret
> 0x0011e477 : lea esp, [ecx - 0x3b7c0011]; adc [ebx + 0x5e5b04c4], al; ret
> 0x0009ae4b : xchg esp, esp; mov bl, 0xfa; call [eax - 0x18]
> 0x0009ae4b : xchg esp, esp; mov bl, 0xfa; call [eax - 0x18]
> 0x000c363f : lea esp, [ebx + edi*8 - 1]; call [ebx - 0x18]
> 0x00059dbf : lea esp, [edx + edi*8 - 1]; call [esi - 0x18]
> 0x000c7e0f : lea esp, [edi + edx*8 - 1]; call [esi - 0x73]
> 0x000b6a5d : xchg ebp, esp; sbb eax, [eax]; add [ebx - 0x877b], cl; inc [ebx]; test [eax - 0x5dd08], bl; jmp eax
> 0x0005da85 : xchg esp, ebx; sbb al, [eax]; add [ebx - 0x4e37b], cl; inc [ebx]; test [eax - 0x5f9dc], bl; jmp eax
> 0x00057f87 : xchg esi, esp; sldt [eax]; mov eax, [ebp - 0x590]; movzx edx, dl; add eax, [eax + edx*4 - 0x5fbe8]; jmp eax
> 0x0014cc34 : lea esp, [esi - 0x3c7e0002]; dec eax; movsd es:[edi], [esi]; add eax, [eax]; add ebx, [ebx + ecx*4]; jmp ebx
> 0x00109939 : mov esp, edi; mov ebx, [ecx]; mov esi, [ecx + 4]; mov edi, [ecx + 8]; mov ebp, [ecx + 0xc]; nop ; jmp edx
> 0x001069b2 : leave ; ret