ropshell> use 7ae014282f748386b31fc3387421d6bc (download)
name         : auth.cgi (x86_64/ELF)
base address : 0x401100
total gadgets: 7014
ropshell> suggest "stack pivoting"
> 0x00401fe5 : xchg eax, esp; ret
> 0x00476299 : mov rsp, rcx; pop rcx; jmp rcx
> 0x0047629a : mov esp, ecx; pop rcx; jmp rcx
> 0x0044bb08 : mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0044bb09 : mov esp, eax; mov rbp, r9; jmp rdx
> 0x00468dd7 : mov rsp, rbx; mov rbx, [rsp]; add rsp, 0x30; ret
> 0x00460e70 : lea rsp, [rbp - 0x18]; pop rbx; pop r12; pop r13; pop rbp; ret
> 0x00468dd8 : mov esp, ebx; mov rbx, [rsp]; add rsp, 0x30; ret
> 0x00460e71 : lea esp, [rbp - 0x18]; pop rbx; pop r12; pop r13; pop rbp; ret
> 0x0040b0bc : movsxd rsp, esp; mov rdx, r12; call [r13 + 0x38]
> 0x00409ca5 : lea esp, [rcx + rax]; mov rdi, r12; call rbx
> 0x004234a5 : xchg ebx, esp; add [rax], al; add [rdi], cl; adc [rsi + rdx - 0x10], cl; movups [rdi], xmm0; movups [rdi + rdx - 0x10], xmm1; ret
> 0x00476941 : lea esp, [rbx + rax + 8]; mov [rsp + 0x18], r9; mov rsi, [r9]; mov rdx, [r12]; mov rdi, [rsp + 8]; mov rax, [rsp + 0x10]; call rax
> 0x00401733 : leave ; ret