ropshell> use 880802b20aba2d0f3d7ea3bbd400a587 (download)
name         : chal1 (x86_64/ELF)
base address : 0x4011a0
total gadgets: 7092
ropshell> suggest "load reg"
> 0x00451897 : pop rax; ret
> 0x0040202b : pop rbx; ret
> 0x004017cf : pop rdx; ret
> 0x0040f48e : pop rsi; ret
> 0x004018ca : pop rdi; ret
> 0x00401d51 : pop rbp; ret
> 0x00403140 : pop rsp; ret
> 0x0040313f : pop r12; ret
> 0x00411393 : pop r13; ret
> 0x0040f48d : pop r14; ret
> 0x004018c9 : pop r15; ret
> 0x004907e7 : pop rcx; jmp rcx
> 0x0048db3c : mov rax, [rsp]; add rsp, 0x38; ret
> 0x0048db3d : mov eax, [rsp]; add rsp, 0x38; ret
> 0x00452ac2 : mov edi, [rsp]; call rbx
> 0x0044f4c2 : mov rsi, [rsp + 0x18]; call rbx
> 0x00484d3e : mov rdi, [rsp + 0x18]; call rax
> 0x0044f4c3 : mov esi, [rsp + 0x18]; call rbx
> 0x004920b7 : mov edx, [rsp]; mov rdi, r14; call rbp
> 0x004841fa : mov rcx, [rsp + 0x40]; add rsp, 0x48; jmp [rax]
> 0x004841fb : mov ecx, [rsp + 0x40]; add rsp, 0x48; jmp [rax]
> 0x0041e8de : pop r8; add [rax], al; add [rax], al; movups [rbx + 0x48], xmm0; pop rbx; ret
> 0x0044f4ba : mov r9, [rsp + 0x10]; mov rdi, r12; mov rsi, [rsp + 0x18]; call rbx
> 0x004841f5 : mov rdx, [rsp + 0x38]; mov rcx, [rsp + 0x40]; add rsp, 0x48; jmp [rax]
> 0x004652a7 : mov rbx, [rsp + 8]; nop [rax]; mov rsi, r13; mov rdi, r14; mov rdx, r12; call rbp
> 0x004652a8 : mov ebx, [rsp + 8]; nop [rax]; mov rsi, r13; mov rdi, r14; mov rdx, r12; call rbp
> 0x0040f6ba : mov r12, [rsp + 0x20]; nop ; mov rax, [rsp]; mov rdx, r14; mov rsi, r13; mov rdi, r12; call rax
> 0x0040f6bb : mov esp, [rsp + 0x20]; nop ; mov rax, [rsp]; mov rdx, r14; mov rsi, r13; mov rdi, r12; call rax
> 0x004841f0 : mov r11, [rsp + 0x30]; mov rdx, [rsp + 0x38]; mov rcx, [rsp + 0x40]; add rsp, 0x48; jmp [rax]
> 0x00461ac6 : mov r8, [rsp + 0x48]; mov rcx, [rsp + 0x18]; mov rsi, [rsp + 0x40]; mov rdi, [rsp + 0x38]; call r15
> 0x004651c2 : mov r13, [rsp + 0x10]; add r13, [rsp + 8]; lea r15, [rax + r14]; mov rdx, rbp; mov rsi, r12; mov rdi, r13; call rbx
> 0x004651c3 : mov ebp, [rsp + 0x10]; add r13, [rsp + 8]; lea r15, [rax + r14]; mov rdx, rbp; mov rsi, r12; mov rdi, r13; call rbx
> 0x004841eb : mov r10, [rsp + 0x28]; mov r11, [rsp + 0x30]; mov rdx, [rsp + 0x38]; mov rcx, [rsp + 0x40]; add rsp, 0x48; jmp [rax]