ropshell> use 7ae014282f748386b31fc3387421d6bc
name         : auth.cgi (x86_64/ELF)
base address : 0x401100
total gadgets: 7014
ropshell> suggest "load mem"
> 0x00464f0a : mov eax, [rcx]; ret
> 0x00417940 : mov rax, [rdi + 0x68]; ret
> 0x00417941 : mov eax, [rdi + 0x68]; ret
> 0x004202a5 : movzx eax, [rdi]; sub eax, ecx; ret
> 0x00420aa5 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x004175fd : mov rax, [rdi]; mov [rdx], rax; ret
> 0x00431e90 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0043afbe : mov rsi, [rbx]; call r12
> 0x0043ac38 : mov rdi, [rbx]; call rbp
> 0x00431e31 : mov edx, [rsi]; mov [rdi], dx; ret
> 0x0043afbf : mov esi, [rbx]; call r12
> 0x0043ac39 : mov edi, [rbx]; call rbp
> 0x0042e498 : movzx ecx, [rsi + rcx]; sub eax, ecx; ret
> 0x004301cf : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x00414a2b : movzx r8, [rax]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00458907 : mov eax, [rdx]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00476a80 : mov rdx, [rax]; add rax, 8; mov [r8], rdx; ret
> 0x00477a23 : mov rsi, [r13]; mov rdi, rbx; call r14
> 0x00476a81 : mov edx, [rax]; add rax, 8; mov [r8], rdx; ret
> 0x00477a24 : mov esi, [rbp]; mov rdi, rbx; call r14
> 0x00470dc8 : mov rax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x00470e3c : mov rdx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x0043c45f : mov rdx, [rcx + rdx]; mov [rax + 8], rdx; ret
> 0x00470dbc : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x00470dc9 : mov eax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x0045510b : movzx eax, [rsi + rax]; jmp [rdi + rax*8]
> 0x00432201 : mov edx, [rax + rax]; nop [rax]; mov eax, ecx; ret
> 0x00470e3d : mov edx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x0043c460 : mov edx, [rcx + rdx]; mov [rax + 8], rdx; ret
> 0x00470dbd : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0043b053 : mov rsi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x0043b054 : mov esi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x0046e4a1 : mov rcx, [rax]; mov [rdx], rcx; mov [rax + 0x10], 0; ret
> 0x00431ea0 : mov rcx, [rsi]; mov [rdi + 8], dh; mov [rdi], rcx; ret
> 0x00476903 : mov rsi, [r14]; mov rax, [rsp + 0x10]; call rax
> 0x0046e4a2 : mov ecx, [rax]; mov [rdx], rcx; mov [rax + 0x10], 0; ret
> 0x0043bc05 : mov rax, [rbx]; mov [rip + 0x6b499], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x0046d801 : mov rdx, [rdi]; add rdx, [rax + 0x10]; mov [rsi + 0x18], rdx; ret
> 0x00477a20 : mov rdx, [r15]; mov rsi, [r13]; mov rdi, rbx; call r14
> 0x0043bc06 : mov eax, [rbx]; mov [rip + 0x6b499], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x0046d802 : mov edx, [rdi]; add rdx, [rax + 0x10]; mov [rsi + 0x18], rdx; ret
> 0x00431fd4 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x00431ee3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00468d7d : mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x00468d7e : mov esi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x00471542 : mov rax, [rbp]; pop rbx; add rax, [rdx + 8]; pop rbp; pop r12; jmp rax
> 0x004759f5 : mov rdx, [rbx]; mov r8, r15; mov rcx, rbx; mov edi, 1; call rax
> 0x0043ad3b : mov rdx, [r11]; and edx, 1; or rax, rdx; mov [r11], rax; pop rbx; pop rbp; ret
> 0x00471543 : mov eax, [rbp]; pop rbx; add rax, [rdx + 8]; pop rbp; pop r12; jmp rax
> 0x0043ad3c : mov edx, [rbx]; and edx, 1; or rax, rdx; mov [r11], rax; pop rbx; pop rbp; ret
> 0x0043c4ef : mov rax, [rdx + rax]; mov [rip + 0x70d7e], rax; lea rax, [rip + 0x70d6f]; ret
> 0x00413eb1 : mov rax, [rbp + 0x20]; add rsp, 8; mov rdi, rbx; pop rbx; pop rbp; jmp rax
> 0x0044bb02 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0043c4f0 : mov eax, [rdx + rax]; mov [rip + 0x70d7e], rax; lea rax, [rip + 0x70d6f]; ret
> 0x00413eb2 : mov eax, [rbp + 0x20]; add rsp, 8; mov rdi, rbx; pop rbx; pop rbp; jmp rax
> 0x00409667 : mov rdi, [r15]; mov rdx, [rsp]; mov rax, [rsp + 8]; call rax
> 0x00458486 : mov rax, [r12 + 0x18]; mov esi, ebp; mov rdi, rbx; pop rbx; pop rbp; pop r12; jmp rax
> 0x00456bd8 : mov rsi, [rax + 0x18]; movsxd rdx, r12d; mov rdi, rbx; call [r14 + 0x38]
> 0x00456bd9 : mov esi, [rax + 0x18]; movsxd rdx, r12d; mov rdi, rbx; call [r14 + 0x38]
> 0x00475b46 : mov rdx, [rbp]; mov r9, r15; mov r8, rbx; mov rcx, rbp; mov edi, 1; call r14
> 0x0047694d : mov rdx, [r12]; mov rdi, [rsp + 8]; mov rax, [rsp + 0x10]; call rax
> 0x00476041 : mov rdx, [r13]; mov r8, rbx; mov rcx, r13; mov esi, 1; mov edi, 1; call rax
> 0x00476042 : mov edx, [rbp]; mov r8, rbx; mov rcx, r13; mov esi, 1; mov edi, 1; call rax
> 0x0041665c : movzx esi, [r12]; lea r15, [r12 + 1]; mov rdi, r14; call [rbx + 0x18]
> 0x0044e22c : mov rax, [r15 + 0x38]; mov r11, r8; mov rdx, r12; mov rsi, r11; mov rdi, rbx; call rax
> 0x00468d79 : mov rcx, [rdi + 0x18]; mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x00411b3f : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rsp + 8], rcx; mov rdi, r15; call rax
> 0x00468d7a : mov ecx, [rdi + 0x18]; mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; call r11
> 0x0045d1e5 : mov rdi, [r12]; push 1; push 0; lea rcx, [rax + 1]; lea r9, [rsp + 0x28]; call rbx
> 0x0044bafe : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0047694a : mov rsi, [r9]; mov rdx, [r12]; mov rdi, [rsp + 8]; mov rax, [rsp + 0x10]; call rax
> 0x0047694b : mov esi, [rcx]; mov rdx, [r12]; mov rdi, [rsp + 8]; mov rax, [rsp + 0x10]; call rax
> 0x0045811e : mov rdx, [rax + 0x10]; punpckhqdq xmm0, xmm0; mov [rax + 0x10], rcx; mov [rax + 0x40], rdx; movups [rax], xmm0; ret
> 0x004114c1 : mov rsi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r14 + 0x70]
> 0x004114c2 : mov esi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r14 + 0x70]
> 0x0044bafa : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0044bafb : mov ebp, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00468a71 : mov ecx, [rdx]; add rdx, 8; mov [rax + 0x328], rdx; lea rdx, [rdx + rcx*4]; mov [rax + 0x30c], ecx; mov [rax + 0x320], rdx; ret