ropshell> use 411f9ce38478e2a3877860e2bfa8533a
name         : ps3.bin (i386/RAW)
base address : 0x0
total gadgets: 707
ropshell> suggest
call
    > 0x00014186 : call eax
    > 0x0001c181 : call ebx
    > 0x0001bade : call ecx
    > 0x0001bb11 : call edx
    > 0x0001b491 : call esi
jmp
    > 0x00019677 : jmp eax
    > 0x00030368 : jmp ebx
    > 0x0001b3a1 : jmp ecx
    > 0x0001c6fe : jmp edx
    > 0x0001c6d1 : jmp esi
load reg
    > 0x0003f912 : pop esi; ret
    > 0x00041db4 : pop edi; ret
    > 0x0003fa72 : popal ; ret
    > 0x00037439 : pop eax; jmp esi
    > 0x000377ab : pop ebx; jmp ebx
pop pop ret
    > 0x00041db4 : pop edi; ret
stack pivoting
    > 0x000377be : push ecx; add [ebx], dl; pop esp; jmp eax
    > 0x0003776a : push esi; add [eax], dl; pop esp; jmp edx
    > 0x00037782 : push ebp; add [ecx], dl; pop esp; jmp ecx
    > 0x000377bd : push edi; push ecx; add [ebx], dl; pop esp; jmp eax
    > 0x000377bb : push ebx; add [edi - 1], dl; int1 ; add [ebx], dl; pop esp; jmp eax
write mem
    > 0x000490bc : adc [edi], ebp; add eax, 0x52a06e9; ret
    > 0x0003cca7 : add [edi], ecx; xchg [edx + 0x6c], cl; ret
    > 0x0004a389 : add [esi], edx; call [edi]
    > 0x000490b6 : adc [edx], esi; or edi, [ebx + 0x2f113611]; add eax, 0x52a06e9; ret
    > 0x0003cd43 : add [edi + 0x1003d], esi; fs ; jmp [ebx + 1]