ropshell> use 7cf34b26c0861b3986011cb0fee6eb19
name         : libc.so.6 (x86_64/ELF)
base address : 0x212d0
total gadgets: 16333
ropshell> suggest "load mem"
> 0x000704ec : mov eax, [rdx]; ret
> 0x000bfdd0 : mov eax, [rdi]; ret
> 0x000bfcc0 : mov rax, [rdi + 0x20]; ret
> 0x000df741 : mov eax, [rdx + 8]; ret
> 0x000bfcc1 : mov eax, [rdi + 0x20]; ret
> 0x00155d53 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00090d83 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000dba77 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x0007cad4 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000e0d51 : mov rcx, [r15]; call r12
> 0x00021a13 : mov rdx, [rax]; call rbp
> 0x0009b350 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000f314c : mov rsi, [rax]; call r14
> 0x000f2d5f : mov rdi, [rbx]; call rbp
> 0x000a2089 : mov rdi, [r12]; call rbp
> 0x000e0d52 : mov ecx, [rdi]; call r12
> 0x00021a14 : mov edx, [rax]; call rbp
> 0x000f314d : mov esi, [rax]; call r14
> 0x000f2d60 : mov edi, [rbx]; call rbp
> 0x0014f89f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0003782b : mov rdi, [rax + 0x20]; call rdx
> 0x000854e8 : mov rdi, [rbx + 0x48]; call rax
> 0x0003782c : mov edi, [rax + 0x20]; call rdx
> 0x000854e9 : mov edi, [rbx + 0x48]; call rax
> 0x00147fa0 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x00097e86 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x000fc711 : mov edx, [rbx]; pop rbx; pop rbp; mov eax, edx; pop r12; ret
> 0x000e7450 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x000774bc : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x00072249 : mov rax, [rsi + 0x130]; call [rax + 0x68]
> 0x00125329 : mov rax, [r15 + 0x60]; call [rax + 8]
> 0x00077497 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x00102838 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00073360 : mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x000774bd : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0007224a : mov eax, [rsi + 0x130]; call [rax + 0x68]
> 0x00073361 : mov ecx, [rax + 0x10]; call [rbp + 0x18]
> 0x00077498 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0010390f : mov edx, [rdi + 0x28]; xor eax, eax; test edx, edx; sete al; ret
> 0x00102839 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0013f414 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x0011a12f : mov rdx, [rbx]; mov [rbp], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x000f3090 : mov rsi, [rbx]; mov rdi, r12; mov r13, rbx; call rbp
> 0x000369c4 : mov rdi, [rbp]; mov rax, [rsp + 8]; call rax
> 0x000aef9d : mov rdi, [r13]; lea r9, [rsp + 0x30]; call r12
> 0x000a2458 : mov rdi, [r14]; lea r9, [rsp + 0x28]; call r12
> 0x000f3091 : mov esi, [rbx]; mov rdi, r12; mov r13, rbx; call rbp
> 0x000a2459 : mov edi, [rsi]; lea r9, [rsp + 0x28]; call r12
> 0x000aef9e : mov edi, [rbp]; lea r9, [rsp + 0x30]; call r12
> 0x001480c6 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x000774f1 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000ec510 : mov rax, [r12 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00076144 : mov rdx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x000cf106 : mov rdx, [rsi + 0x20]; mov [rax + 0x20], rdx; xor eax, eax; ret
> 0x00045275 : mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00044f45 : mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00097f09 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x00074c4b : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x00045276 : mov ecx, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00044f46 : mov ecx, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00076145 : mov edx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x0012870a : mov rax, [rbp + 0x18]; mov rdi, r12; call [rax + 0x20]
> 0x0011cd68 : mov rax, [r10 + 8]; mov rdi, r10; call [rax + 0x20]
> 0x00124e20 : mov rax, [r14 + 0x70]; mov rdi, r12; call [rax + 0x20]
> 0x0009b494 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x00125143 : mov rdx, [rdi + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x0007496a : mov rbp, [rbx + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00079998 : mov rbp, [rdi + 0x90]; sub rbp, rax; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x00073bc8 : mov rbp, [r15 + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00073e15 : mov r13, [r15 + 0x98]; mov rdi, r13; call [r13 + 0x20]
> 0x0012870b : mov eax, [rbp + 0x18]; mov rdi, r12; call [rax + 0x20]
> 0x0007496b : mov ebp, [rbx + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00079999 : mov ebp, [rdi + 0x90]; sub rbp, rax; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x00112d6a : mov rax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00127f50 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x00125ea6 : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x20]
> 0x0012209c : mov rdi, [r15]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x00112d6b : mov eax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00132393 : mov ecx, [rdx]; mov rdx, r14; add r9, [rsp + 8]; call rax
> 0x00125ea7 : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x20]
> 0x0006af43 : mov rdx, [r8 + 0x88]; mov [rdx + 8], r9; add [rdx + 4], 1; ret
> 0x00034c42 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x001033b9 : mov edx, [rbp + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00103293 : mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x001033b8 : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x000e0be8 : mov rdx, [r15]; mov rsi, [rbp - 0x1e8]; lea r8, [rax + r13]; call r12
> 0x000369c1 : mov rsi, [r14]; mov rdi, [rbp]; mov rax, [rsp + 8]; call rax
> 0x000e0be9 : mov edx, [rdi]; mov rsi, [rbp - 0x1e8]; lea r8, [rax + r13]; call r12
> 0x00074367 : mov rcx, [rbx + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x0011e13c : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x000cd0a5 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x00074368 : mov ecx, [rbx + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x0011e13d : mov esi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00126739 : mov rax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x0012673a : mov eax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x0007b957 : movzx esi, [rcx]; lea rbx, [rcx + 1]; mov rdi, r15; call [rax + 0x18]
> 0x0004b326 : mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x8a8]; sub rdx, rsi; call [rbx + 0x38]
> 0x00045271 : mov r8, [rsi + 0x28]; mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00044f41 : mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00071d41 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0011cbde : mov rsi, [rbp + 0x20]; mov r12d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00125303 : mov esi, [rdi + 0x88]; mov rdi, rbp; mov [r15 + 0x58], 0; call [rax + 0x28]
> 0x0011cbdf : mov esi, [rbp + 0x20]; mov r12d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00125302 : mov esi, [r15 + 0x88]; mov rdi, rbp; mov [r15 + 0x58], 0; call [rax + 0x28]
> 0x000f9525 : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; nop ; mov [rip + 0x2bae25], 0; pop rbp; ret
> 0x000f9526 : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; nop ; mov [rip + 0x2bae25], 0; pop rbp; ret
> 0x00056c70 : mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8d0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x00034c3e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00129870 : movsx rax, [rsi]; mov rsi, rsp; mov [rsp], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x0011e138 : mov rax, [r13 + 8]; mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x0002d6e1 : mov rsi, [rdi + 0x78]; mov rcx, [rip + 0x3867ec]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0005a342 : movzx esi, [rax + rsi]; lea rax, [rip + 0x11d033]; movsxd rax, [rax + rsi*4]; add rax, rdi; jmp rax
> 0x0012f057 : mov ebx, [rax]; mov eax, 2; cmp ebx, 3; cmove ebx, eax; mov rax, [rip + 0x2864e5]; call [rax + 0x28]
> 0x00044f3a : mov rcx, [rdi + 0x98]; mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x0004b322 : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x8a8]; sub rdx, rsi; call [rbx + 0x38]
> 0x0010328a : mov rdx, [r12 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x001033b0 : mov rdx, [r13 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x000a2699 : mov rdi, [r12 + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x000e0d3b : mov r8, [r15 + 8]; mov rdx, [rbp - 0x1d0]; add rax, rbx; mov rdi, [rbp - 0x1b0]; push rax; mov rcx, [r15]; call r12
> 0x00056c6c : mov rsi, [r14 + 0x18]; mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8d0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x00034c3a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx