ropshell> use 7ae5fa298772964cf408d1fac5dc4180
name         : libc-2.29.so.6 (x86_64/ELF)
base address : 0x25320
total gadgets: 17444
ropshell> suggest "load mem"
> 0x00084bdc : mov eax, [rdx]; ret
> 0x000dc9f0 : mov eax, [rdi]; ret
> 0x000dc9b0 : mov rax, [rdi + 0x20]; ret
> 0x00101bb1 : mov eax, [rdx + 8]; ret
> 0x000dc9b1 : mov eax, [rdi + 0x20]; ret
> 0x00182833 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x000aaed3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000fe757 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x0009267d : mov rax, [rdi]; mov [rdx], rax; ret
> 0x00104271 : mov rcx, [r14]; call r12
> 0x00026af5 : mov rdx, [rax]; call rbp
> 0x000b54a0 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x001190ec : mov rdi, [rbx]; call r12
> 0x0011912f : mov rdi, [rbp]; call r12
> 0x000bb669 : mov rdi, [r12]; call rbp
> 0x0011919b : mov rdi, [r13]; call r12
> 0x0011925b : mov rdi, [r14]; call r12
> 0x001193d5 : mov rdi, [r15]; call r12
> 0x00026af6 : mov edx, [rax]; call rbp
> 0x001190ed : mov edi, [rbx]; call r12
> 0x0011925c : mov edi, [rsi]; call r12
> 0x00119130 : mov edi, [rbp]; call r12
> 0x0017b9ef : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0008ea2b : movzx r8, [rax]; add rsp, 8; pop rbx; pop rbp; ret
> 0x00086c67 : mov eax, [rcx]; add rsp, 8; pop rbx; pop rbp; ret
> 0x000472a6 : mov rdi, [rax + 0x20]; call rdx
> 0x0009c530 : mov rdi, [rbx + 0x48]; call rax
> 0x000472a7 : mov edi, [rax + 0x20]; call rdx
> 0x0009c531 : mov edi, [rbx + 0x48]; call rax
> 0x001740f0 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x00118a33 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x0014bd80 : mov eax, [r8]; mov [rdx], eax; mov eax, 1; ret
> 0x000bb91a : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x00118a34 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x0008228f : mov rdx, [rdi + 0xa0]; mov [rdx + 0x130], rcx; ret
> 0x00082290 : mov edx, [rdi + 0xa0]; mov [rdx + 0x130], rcx; ret
> 0x0010c270 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x001254c9 : mov eax, [r12]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0008c234 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x001552a4 : mov rax, [r12 + 8]; call [rax + 8]
> 0x0008c217 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0012a5b3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0008c235 : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0008c218 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0012a5b4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x001401f9 : mov rax, [r12]; mov [rax + 8], 0; pop rbx; pop rbp; pop r12; ret
> 0x0016b564 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x0011d9bf : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x001196aa : mov rdi, [rax]; mov [rsp + 8], rax; call r12
> 0x0011d9c0 : mov edx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0009121c : movzx esi, [rdi]; mov rdi, r13; call [rax + 0x18]
> 0x0009121b : movzx esi, [r15]; mov rdi, r13; call [rax + 0x18]
> 0x001196ab : mov edi, [rax]; mov [rsp + 8], rax; call r12
> 0x00174216 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x0008c271 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x00055e72 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x000b2059 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x0014bd6d : movzx eax, [r8 + 0x88]; mov [rdx + 0x6c], ax; mov eax, 1; ret
> 0x00055e73 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x000a89d4 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x00118ac4 : mov rsi, [rax]; mov rdi, r13; mov [rbp - 0x50], r15d; call r14
> 0x00118ac5 : mov esi, [rax]; mov rdi, r13; mov [rbp - 0x50], r15d; call r14
> 0x00035450 : mov rax, [rsi + 0x70]; movsxd rdi, edi; mov eax, [rax + rdi*4]; ret
> 0x001461b0 : mov rax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x001466ab : mov rax, [r10 + 8]; mov rdi, r10; call [rax + 0x20]
> 0x001500f7 : mov rax, [r14 + 0x60]; mov rdi, rbp; call [rax + 0x20]
> 0x0014699c : mov rax, [r15 + 0x38]; mov rdi, r15; call [rax + 0x20]
> 0x000b55e4 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x000b54f3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x0014f3a3 : mov rdx, [r8 + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x00088825 : mov rbp, [r13 + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x001500f8 : mov eax, [rsi + 0x60]; mov rdi, rbp; call [rax + 0x20]
> 0x001461b1 : mov eax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x0014f5a6 : mov esi, [rbx + 0x88]; mov rdi, r14; call [rax + 0x28]
> 0x0010409e : mov rdx, [r14]; mov rsi, [rbp - 0x1e0]; mov rdi, [rbp - 0x190]; call r15
> 0x00143233 : mov rdx, [r15]; mov r8, rbp; mov rcx, r14; mov rdi, r13; call r12
> 0x0015e1f5 : mov ecx, [rdx]; mov rdx, r14; add r9, [rsp + 8]; call rax
> 0x0010eb67 : mov rcx, [rdi]; mov rdx, [rsi]; xor eax, eax; cmp rcx, rdx; seta al; sbb eax, 0; ret
> 0x00046535 : mov rsi, [r15]; mov rdi, [rbx]; mov rax, [rsp + 8]; call rax
> 0x0010eb68 : mov ecx, [rdi]; mov rdx, [rsi]; xor eax, eax; cmp rcx, rdx; seta al; sbb eax, 0; ret
> 0x0008fe42 : mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r13 + 0x70]
> 0x00147abc : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00034c88 : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0015df06 : mov r8, [rbx + 0x10]; call [rax + 0x1b8]; mov [rbx], rax; pop rax; pop rdx; pop rbx; ret
> 0x00043c73 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x000eaa85 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x00158109 : mov ebx, [rax + 0x18]; mov [rip + 0x9239a], 0; mov eax, ebx; pop rbx; pop rbp; pop r12; ret
> 0x0008fe43 : mov edx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r13 + 0x70]
> 0x00034c89 : mov esi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x00150fc9 : mov rax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x0012053d : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xc3e0e], 0; ret
> 0x00150fca : mov eax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x0012053e : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xc3e0e], 0; ret
> 0x0008a077 : mov rcx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x00075188 : mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8b0]; sub rdx, rsi; call [rbx + 0x38]
> 0x00055e6e : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0013b354 : movzx eax, [r10 + 1]; add r10, 2; mov [r8], eax; mov eax, edx; mov [r9], r10; ret
> 0x0008a078 : mov ecx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0014f340 : mov rax, [r8 + 0x90]; mov eax, [rax]; bswap eax; mov eax, eax; mov [rdx], rax; mov eax, 1; ret
> 0x00086351 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00088708 : mov rdx, [r13 + 0x40]; sub rdx, rsi; mov [rsp + 0x10], rcx; mov rdi, r13; call rax
> 0x0007af19 : mov rdx, [r15 + 0x20]; mov rdi, r13; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0014652e : mov rsi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x000bbcc2 : mov rdi, [r12 + 0x10]; push 1; xor edx, edx; push 1; lea r9, [rsp + 0x20]; call rbx
> 0x000889e3 : mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x00086352 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00088709 : mov edx, [rbp + 0x40]; sub rdx, rsi; mov [rsp + 0x10], rcx; mov rdi, r13; call rax
> 0x0014652f : mov esi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x000889e4 : mov edi, [rbp + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x00154a48 : movsx rax, [rsi]; mov rsi, rsp; mov [rsp], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x00147ab8 : mov rax, [r13 + 8]; mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00043c6f : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00077fb4 : movzx ecx, [r8 + rax]; lea rax, [rip + 0x131c80]; movsxd rax, [rax + rcx*4]; add rax, r14; jmp rax
> 0x0007e1a3 : movzx ecx, [r10 + rax]; lea rax, [rip + 0x12bef1]; movsxd rax, [rax + rcx*4]; add rax, rdx; jmp rax
> 0x000780e0 : movzx edx, [r8 + rax]; lea rax, [rip + 0x131c54]; movsxd rax, [rax + rdx*4]; add rax, r14; jmp rax
> 0x0015abe7 : mov ebx, [rax]; mov eax, 2; cmp ebx, 3; cmove ebx, eax; mov rax, [rip + 0x8a955]; call [rax + 0x28]
> 0x00055e67 : mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00075184 : mov rsi, [r14 + 0x18]; mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8b0]; sub rdx, rsi; call [rbx + 0x38]
> 0x00148194 : mov edx, [r15 + 0x48]; mov rdi, [r15]; add r12, r13; sub edx, r13d; mov rsi, r12; call [r15 + 0x40]
> 0x0007af15 : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, r13; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0012ac99 : mov edx, [r12 + 0x60]; movdqu xmm4, xmm[r12 + 0x78]; mov [rbp - 0x80], edx; mov rdx, rbx; movups xmm[rbp - 0x78], xmm4; call rax
> 0x00087dde : mov rbp, [rdi + 0x98]; mov rax, fs:[0x28]; mov [rsp + 8], rax; xor eax, eax; mov rdi, rbp; call [rbp + 0x20]
> 0x00087ddf : mov ebp, [rdi + 0x98]; mov rax, fs:[0x28]; mov [rsp + 8], rax; xor eax, eax; mov rdi, rbp; call [rbp + 0x20]
> 0x0012b234 : mov edx, [r13 + 0x18]; movdqu xmm7, xmm[r13 + 0x30]; mov [rbp - 0x80], edx; lea rdx, [rcx + 0x70]; movups xmm[rbp - 0x78], xmm7; call rax
> 0x000561f6 : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x000561f7 : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00153586 : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x000889da : mov r14, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x00153587 : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x000889db : mov esi, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x000889d6 : mov r8, [rax + 0x40]; mov r14, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]