ROPSHELL 
ropshell> use 7450dd3ddf93a83f69c64c82b539212a (download)
name         : win32kfull.sys (x86_64/PE)
base address : 0x1c0001000
total gadgets: 13056

ropshell> suggest "load reg"
> 0x1c00101a4 : pop rax; ret
> 0x1c0001142 : pop rbx; ret
> 0x1c009b537 : pop rcx; ret
> 0x1c01dd036 : pop rdx; ret
> 0x1c0005b1b : pop rsi; ret
> 0x1c0005c1f : pop rdi; ret
> 0x1c00011f7 : pop rbp; ret
> 0x1c00034a0 : pop rsp; ret
> 0x1c00edbd9 : pop r8; ret
> 0x1c000349f : pop r12; ret
> 0x1c000ac7a : pop r13; ret
> 0x1c0005b1a : pop r14; ret
> 0x1c0009301 : pop r15; ret
> 0x1c0251870 : mov rbx, [rsp + 0x10]; ret
> 0x1c01c63de : mov rsi, [rsp + 0x10]; ret
> 0x1c0006a62 : mov rdi, [rsp + 0x10]; ret
> 0x1c01007cb : mov r14, [rsp + 0x20]; ret
> 0x1c0251871 : mov ebx, [rsp + 0x10]; ret
> 0x1c01c63df : mov esi, [rsp + 0x10]; ret
> 0x1c0006a63 : mov edi, [rsp + 0x10]; ret
> 0x1c024e9c6 : mov r13, [rsp + 0x28]; pop r14; ret
> 0x1c024e9c7 : mov ebp, [rsp + 0x28]; pop r14; ret
> 0x1c00d1de7 : mov rax, [rsp + 0x30]; add rsp, 0x28; ret
> 0x1c012f2d3 : mov rbp, [rsp + 0x30]; pop r15; pop rsi; ret
> 0x1c024c54e : mov r12, [rsp + 0x30]; pop r15; pop r14; ret
> 0x1c00d1de8 : mov eax, [rsp + 0x30]; add rsp, 0x28; ret
> 0x1c024c54f : mov esp, [rsp + 0x30]; pop r15; pop r14; ret
> 0x1c014b255 : mov rcx, [rsp + 0x40]; call [rip + 0x206b58]; add rsp, 0x38; ret
> 0x1c014b256 : mov ecx, [rsp + 0x40]; call [rip + 0x206b58]; add rsp, 0x38; ret
> 0x1c0266ed0 : mov rdx, [rsp + 0x58]; mov r10, [rip + 0xedfb4]; call r10
> 0x1c0266ed1 : mov edx, [rsp + 0x58]; mov r10, [rip + 0xedfb4]; call r10
> 0x1c01a148f : mov r8, [rsp + 0xf0]; mov rdx, rsi; mov r10, [rip + 0x1b39ef]; call r10
> 0x1c0002584 : mov r9, [rsp + 0x80]; xor r8d, r8d; mov r10, [rip + 0x3528fa]; call r10
> 0x1c010a28c : mov r10, [rsp + 0x60]; mov [rsp + 0x20], r10; call [rip + 0x24abf4]; add rsp, 0x38; ret

© 2014 - 2019 - Powered by ROPEME | Contact