ropshell> use 836bfe499e852361e13aa20d06ccd506
name         : libc.my.so (i386/ELF)
base address : 0x190d0
total gadgets: 16787
ropshell> suggest "stack pivoting"
> 0x0001a0e2 : xchg eax, esp; ret
> 0x000dcdff : xchg esp, esp; ret
> 0x000dcdff : xchg esp, esp; ret
> 0x0002df0d : mov esp, ecx; jmp edx
> 0x001395c5 : xchg esp, edi; cmc ; inc [ecx]; ret
> 0x00108f53 : mov esp, esi; inc [ebx - 0x2776d73c]; pop ebx; ret
> 0x00041878 : lea esp, [ebp - 8]; pop ebx; pop esi; pop ebp; ret
> 0x00130e39 : xchg esp, eax; aad 0xfa; call [eax - 0x73]
> 0x00118fd0 : xchg esp, ebx; sar dl, 1; call [eax - 0x73]
> 0x000c3133 : lea esp, [ebx + edi*8 - 1]; call [ebx - 0x18]
> 0x0005a069 : lea esp, [edx + edi*8 - 1]; call [esi - 0x18]
> 0x000de4f8 : lea esp, [esi + edi*8 - 1]; call [edx - 0x46]
> 0x000b688d : xchg ebp, esp; sbb eax, [eax]; add [ebx - 0x877b], cl; inc [ebx]; test [eax - 0x5d428], bl; jmp eax
> 0x000582a7 : xchg esp, edx; sldt [eax]; mov eax, [ebp - 0x590]; movzx edx, dl; add eax, [eax + edx*4 - 0x5f308]; jmp eax
> 0x00108cc8 : mov esp, edi; mov ebx, [ecx]; mov esi, [ecx + 4]; mov edi, [ecx + 8]; mov ebp, [ecx + 0xc]; jmp edx
> 0x00105d72 : leave ; ret