ROPSHELL 
ropshell> use 4b2daf6d918d815e4a6f9441f25b1787 (download)
name         : fact (arm/ELF)
base address : 0x10170
total gadgets: 1855

ropshell> suggest
jmpcall
    > 0x0005ab50 : bx r1
    > 0x000108a4 : bx r3
    > 0x000290f1 : bx r4
    > 0x000291d1 : bx r6
    > 0x000140f5 : bx r7
load mem
    > 0x00049b3a : ldr r0, [r2]; pop {r4, pc}
    > 0x0004973e : ldrne r0, [r3]; pop {r4, pc}
    > 0x00028782 : ldr r0, [r4]; blx r5
    > 0x0004b236 : ldr r0, [r5]; blx r6
    > 0x00010f1e : ldr r0, [r7]; blx r3
pop pop ret
    > 0x00010e00 : pop {r1, pc}
    > 0x00026394 : pop {r0, r4, pc}
    > 0x0001d155 : pop {r0, r1, r4, pc}
    > 0x00019aa5 : pop {r1, r2, r4, r6, pc}
    > 0x00033da5 : pop {r0, r1, r2, r3, r4, pc}
stack pivoting
    > 0x00059eb6 : mov sp, r7; ldr r7, [sp, #0x10c]; ldr lr, [sp, #0x5c]; add sp, sp, #0x110; bx lr
syscall
    > 0x0001be46 : svc #0; pop {r4, r5, r6, r7, pc}
write mem
    > 0x0005a8fe : strne r3, [r0]; pop {r4, pc}
    > 0x0004eed6 : str ip, [r1]; pop {r7, pc}
    > 0x00028882 : str r0, [r2]; pop {r4, pc}
    > 0x00057fc6 : str r3, [r2]; pop {r4, pc}
    > 0x0002ae2a : str r0, [r3]; pop {r4, pc}

© 2014 - 2019 - Powered by ROPEME | Contact