ropshell> use 5f4f99671c3a200f7789dbb5307b04bb
name         : libc-2.29.so (x86_64/ELF)
base address : 0x25320
total gadgets: 17477
ropshell> suggest "load mem"
> 0x00074e7c : mov eax, [rdx]; ret
> 0x000c3260 : mov eax, [rdi]; ret
> 0x000c3220 : mov rax, [rdi + 0x20]; ret
> 0x000e2bd1 : mov eax, [rdx + 8]; ret
> 0x000c3221 : mov eax, [rdi + 0x20]; ret
> 0x00158a93 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00094b73 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000811dd : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000e4294 : mov rcx, [r15]; call rax
> 0x00026b45 : mov rdx, [rax]; call rbp
> 0x0009f140 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000b1ac0 : mov rdi, [rax]; call r15
> 0x000f640f : mov rdi, [rbp]; call rbx
> 0x000ffd29 : mov eax, [r12]; pop rbx; pop rbp; pop r12; ret
> 0x000e4295 : mov ecx, [rdi]; call rax
> 0x00026b46 : mov edx, [rax]; call rbp
> 0x000b1ac1 : mov edi, [rax]; call r15
> 0x000f6410 : mov edi, [rbp]; call rbx
> 0x000f439d : mov ecx, [rax + rax]; add rsp, 8; ret
> 0x00151caf : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0007e19b : movzx r8, [rax]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00089a28 : mov rdi, [rbx + 0x48]; call rax
> 0x0003cef9 : mov rdi, [rbp + 8]; call rax
> 0x00089a29 : mov edi, [rbx + 0x48]; call rax
> 0x0003cefa : mov edi, [rbp + 8]; call rax
> 0x0011a1bb : mov rax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x0014a3b0 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000a5168 : mov rdi, [r12]; movzx esi, bl; call rbp
> 0x0011a1bc : mov eax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x0009bc76 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x00124470 : mov eax, [r8]; mov [rdx], eax; mov eax, 1; ret
> 0x000a53ea : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x000efca9 : mov rax, [r13 + 0x10]; pop rbp; pop r12; pop r13; pop r14; ret
> 0x0007274f : mov rdx, [rdi + 0xa0]; mov [rdx + 0x130], rcx; ret
> 0x000efcaa : mov eax, [rbp + 0x10]; pop rbp; pop r12; pop r13; pop r14; ret
> 0x00072750 : mov edx, [rdi + 0xa0]; mov [rdx + 0x130], rcx; ret
> 0x000eab30 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x0010159a : mov eax, [rbp]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00101599 : mov eax, [r13]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0007ba64 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x00076ab9 : mov rax, [rsi + 0x130]; call [rax + 0x68]
> 0x0011f491 : mov rax, [rbp + 8]; call [rax + 0x28]
> 0x0007ba47 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x00105df3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0007ba65 : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x00076aba : mov eax, [rsi + 0x130]; call [rax + 0x68]
> 0x0007ba48 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x00105df4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00126ef8 : mov rax, [rdx]; bswap eax; mov [r8 + 0x54], eax; mov eax, 1; ret
> 0x00141824 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x000fa17f : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x000f6747 : mov rsi, [rbx]; mov r13, rbx; mov rdi, rbp; call r12
> 0x000fa180 : mov edx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x000f6748 : mov esi, [rbx]; mov r13, rbx; mov rdi, rbp; call r12
> 0x0014a4d6 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x0007baa1 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000d2416 : mov rdx, [rsi + 0x20]; mov [rax + 0x20], rdx; xor eax, eax; ret
> 0x000497f2 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0009bcf9 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x0012445d : movzx eax, [r8 + 0x88]; mov [rdx + 0x6c], ax; mov eax, 1; ret
> 0x000497f3 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00092674 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x00128d23 : mov rax, [r8 + 0x38]; mov rdi, r8; call [rax + 0x20]
> 0x0011eecd : mov rax, [r12 + 8]; mov rdi, r12; call [rax + 0x20]
> 0x001274cf : mov rax, [r14 + 0x70]; mov rdi, rbp; call [rax + 0x20]
> 0x001281be : mov rax, [r15 + 0x60]; mov rdi, rbp; call [rax + 0x20]
> 0x0007855d : mov rbx, [r15 + 0x98]; mov rdi, rbx; call [rbx + 0x20]
> 0x0009f284 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x001277f3 : mov rdx, [r8 + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x00107637 : mov r8, [rdi + 8]; mov rax, [rdi]; mov rdi, r8; jmp rax
> 0x0007855e : mov ebx, [rdi + 0x98]; mov rdi, rbx; call [rbx + 0x20]
> 0x001279b2 : mov esi, [rbx + 0x88]; mov rdi, r15; call [rax + 0x28]
> 0x0011c8b1 : mov rdx, [r15]; mov r8, rbx; mov rcx, r14; mov rdi, r13; call r12
> 0x0011541a : mov rsi, [rbp]; add rbx, rsi; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00128480 : mov rdi, [rbx]; mov rax, [rdi + 8]; call [rax + 0x20]
> 0x0011541b : mov esi, [rbp]; add rbx, rsi; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00128481 : mov edi, [rbx]; mov rax, [rdi + 8]; call [rax + 0x20]
> 0x00039dc2 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x001064af : mov edx, [rbx + 0x18]; mov [rbp - 0x80], edx; mov rdx, r13; call rax
> 0x00106bdd : mov edx, [rcx + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00106449 : mov edx, [rbp + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00116070 : movzx edx, [r10 + 1]; add r10, 2; mov [r8], edx; mov [r9], r10; ret
> 0x00106448 : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00106d3e : mov edx, [r14 + 0x60]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x000ed4c7 : mov rcx, [rdi]; mov rdx, [rsi]; xor eax, eax; cmp rcx, rdx; seta al; sbb eax, 0; ret
> 0x0007eee2 : mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r13 + 0x70]
> 0x00065e92 : mov rdx, [r15 + 0x20]; mov rdi, r14; sub rdx, rsi; call [rbx + 0x38]
> 0x00070a53 : mov rsi, [rax + 0x18]; movsxd rdx, ebp; mov rdi, rbx; call [r14 + 0x38]
> 0x001208c4 : mov rsi, [rbx + 0x10]; mov rdx, r12; mov rdi, r14; call [rax + 0x10]
> 0x00032818 : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x001344f6 : mov r8, [rbx + 0x10]; call [rax + 0x1b8]; mov [rbx], rax; pop rax; pop rdx; pop rbx; ret
> 0x000d0835 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x000dec1b : movzx ecx, [rdi + 8]; movsxd rcx, [r9 + rcx*4]; add rcx, r9; jmp rcx
> 0x00070a54 : mov esi, [rax + 0x18]; movsxd rdx, ebp; mov rdi, rbx; call [r14 + 0x38]
> 0x00032819 : mov esi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x000fcb8d : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xbc7be], 0; ret
> 0x000fcb8e : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xbc7be], 0; ret
> 0x00080094 : movzx esi, [rdi]; lea rbx, [r15 + 1]; mov rdi, r13; call [rax + 0x18]
> 0x00080093 : movzx esi, [r15]; lea rbx, [r15 + 1]; mov rdi, r13; call [rax + 0x18]
> 0x00079c17 : mov rcx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0007d8b0 : mov rdx, [rbp + 0x40]; sub rdx, rsi; mov [rsp], rcx; mov rdi, rbp; call rax
> 0x0012607a : mov rsi, [r8 + 0x40]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x000497ee : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00079c18 : mov ecx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0003b88d : mov rsi, [r13]; mov rdi, [r12]; mov rdx, r14; mov rax, [rsp + 8]; call rax
> 0x00076591 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x000a56f2 : mov rdi, [r12 + 0x10]; push 1; xor edx, edx; push 1; lea r9, [rsp + 0x20]; call rbx
> 0x00039dbe : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0012be68 : movsx rax, [rsi]; mov rsi, rsp; mov [rsp], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x000f67f3 : mov rsi, [rdx]; mov rdi, [rbp - 0x58]; mov [rbp - 0x50], r9; mov r15d, r14d; mov rax, [rbp - 0x60]; call rax
> 0x000f67f4 : mov esi, [rdx]; mov rdi, [rbp - 0x58]; mov [rbp - 0x50], r9; mov r15d, r14d; mov rax, [rbp - 0x60]; call rax
> 0x00065e8e : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, r14; sub rdx, rsi; call [rbx + 0x38]
> 0x000ba2b8 : mov eax, [r15 + 0x10]; lea rdx, [rip + 0xc52a5]; movsxd rax, [rdx + rax*4]; add rax, rdx; jmp rax
> 0x000a54e8 : mov rdi, [r14]; lea rsi, [rsp + 0x20]; push 1; xor r8d, r8d; push 0; lea r9, [rsp + 0x18]; call r13
> 0x000a54e9 : mov edi, [rsi]; lea rsi, [rsp + 0x20]; push 1; xor r8d, r8d; push 0; lea r9, [rsp + 0x18]; call r13
> 0x000497e7 : mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00106bd5 : mov rdx, [rcx + 0x38]; mov [rbp - 0x70], rdx; mov edx, [rcx + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00106440 : mov rdx, [r13 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00106d33 : mov rdx, [r14 + 0x80]; mov [rbp - 0x70], rdx; mov edx, [r14 + 0x60]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x00077b1e : mov rbp, [rdi + 0x98]; mov rax, fs:[0x28]; mov [rsp + 8], rax; xor eax, eax; mov rdi, rbp; call [rbp + 0x20]
> 0x00039dba : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00039dbb : mov ebp, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00049b66 : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00049b67 : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret