ropshell> use 986cedc30c8b1f07eefbecfb0aceaf87
name         : libsystem_c.dylib (x86_64/RAW)
base address : 0x0
total gadgets: 9158
ropshell> suggest "load mem"
> 0x000f35a3 : movzx eax, [rcx]; pop rbp; ret
> 0x0003065b : mov rax, [rdi + 0x38]; pop rbp; ret
> 0x0003065c : mov eax, [rdi + 0x38]; pop rbp; ret
> 0x0010cc63 : mov eax, [rbp + 8]; pop rbp; ret
> 0x00105170 : mov eax, [rbx]; add [rcx - 0x7c0e7608], cl; ret
> 0x00056cab : movzx eax, [rdx]; add [rax - 0x77], cl; ret
> 0x0012b5ad : mov esi, [rbp + 8]; jmp rax
> 0x00063e46 : mov rsi, [rbx + 8]; call r15
> 0x0003eeb2 : mov rdi, [rbx + 0x30]; call rax
> 0x0001dd1f : mov rdi, [r14 + 0x840]; call rax
> 0x00063e47 : mov esi, [rbx + 8]; call r15
> 0x0003eeb3 : mov edi, [rbx + 0x30]; call rax
> 0x0001dd20 : mov edi, [rsi + 0x840]; call rax
> 0x001126d2 : mov edi, [rbp + 0x10]; call rdi
> 0x0001213a : mov rax, [rdi]; mov [rip + 0x7fe8c], rax; pop rbp; ret
> 0x00065112 : mov rsi, [rax]; mov rdi, r12; call r15
> 0x00028093 : mov rdi, [rax]; mov [rip + 0x6c323], rdi; pop rbp; ret
> 0x0001213b : mov eax, [rdi]; mov [rip + 0x7fe8c], rax; pop rbp; ret
> 0x00065113 : mov esi, [rax]; mov rdi, r12; call r15
> 0x00028094 : mov edi, [rax]; mov [rip + 0x6c323], rdi; pop rbp; ret
> 0x0001c045 : mov rax, [rsi + 8]; mov [rax], rsi; pop rbp; ret
> 0x00017361 : mov eax, [rbx + 0x200]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0001c046 : mov eax, [rsi + 8]; mov [rax], rsi; pop rbp; ret
> 0x000ce5ad : mov ecx, [rax + 4]; mov [rcx], eax; pop rbp; ret
> 0x0002d99e : movzx ecx, [rdi + 0xc]; mov [rax], rcx; pop rbp; ret
> 0x0000cdc7 : mov rax, [rcx + 0x538]; mov eax, [rax + 0x30]; pop rbp; ret
> 0x0001d97b : mov rcx, [rax + 0x20]; mov rax, rcx; pop rbx; pop r14; pop rbp; ret
> 0x00063c68 : mov rsi, [r12 + 8]; xor al, al; call r14
> 0x00037d81 : mov r8, [rdx + 0x50]; mov rdx, rax; pop rbp; jmp r8
> 0x00035467 : mov r9, [rcx + 0x38]; mov rcx, rax; pop rbp; jmp r9
> 0x000355aa : mov r11, [rax + 0x48]; mov r8, r10; pop rbp; jmp r11
> 0x0000cdc8 : mov eax, [rcx + 0x538]; mov eax, [rax + 0x30]; pop rbp; ret
> 0x00037d82 : mov eax, [rdx + 0x50]; mov rdx, rax; pop rbp; jmp r8
> 0x000355ab : mov ebx, [rax + 0x48]; mov r8, r10; pop rbp; jmp r11
> 0x00111a6d : mov ebx, [rbp + 0x14]; mov eax, ebx; call rax
> 0x000d9922 : mov ecx, [rdx + 1]; add [rax], al; jmp rbx
> 0x000c395b : mov ecx, [rbp + 0x10]; mov [rax + 0x869bc], ecx; pop rbp; ret
> 0x000e7e5a : mov edx, [rbp + 8]; mov [rcx + 0x6261d], edx; pop rbp; ret
> 0x00063e43 : mov rdi, [rbx]; mov rsi, [rbx + 8]; call r15
> 0x00063e44 : mov edi, [rbx]; mov rsi, [rbx + 8]; call r15
> 0x0003050c : mov rax, [r14 + 0x80]; mov [rax], 0; pop rbx; pop r14; pop rbp; ret
> 0x0007c973 : mov rcx, [rdi + 0x10]; mov eax, [rcx + rax*8]; pop rbp; ret
> 0x000f21a1 : mov ecx, [rsi + 0x1c]; mov [rsp], ecx; call rax
> 0x0001766e : mov edi, [rdx + rax]; add [rdx], al; pop rbx; pop r14; pop rbp; ret
> 0x00063de3 : mov rsi, [r15 + 8]; mov rdx, r14; xor al, al; call r13
> 0x00070ee8 : mov rdi, [r12 + 0x18]; mov rsi, rbx; mov rdx, r14; call r13
> 0x001040af : mov esi, [rdx + 0x1e]; add [rax], al; add ecx, ebx; jmp rcx
> 0x00063de4 : mov esi, [rdi + 8]; mov rdx, r14; xor al, al; call r13
> 0x000b91b7 : mov rax, [r8]; bt eax, ecx; sbb eax, eax; and eax, 1; add esp, 8; pop rbp; ret
> 0x00063c64 : mov rdi, [r12]; mov rsi, [r12 + 8]; xor al, al; call r14
> 0x0001b7ef : mov rax, [rbx + 0x128]; mov [r14], rax; xor eax, eax; pop rbx; pop r14; pop rbp; ret
> 0x00081185 : mov rsi, [r13 + 0x58]; mov edx, r15d; lea rcx, [rbp - 0x48]; call rbx
> 0x00070f48 : mov rdi, [r15 + 0x18]; mov rsi, rbx; mov rdx, [rbp - 0x30]; call r14
> 0x000e053b : mov eax, [r13 + 8]; add ecx, [rcx + rdx*4 + 0xd3]; jmp rcx
> 0x0002d7ea : mov edx, [rax]; lea rsi, [rbp - 0x430]; mov rdi, r15; call [r15 + 0x10]
> 0x000355a3 : mov rax, [r9 + 0x538]; mov r11, [rax + 0x48]; mov r8, r10; pop rbp; jmp r11
> 0x00035460 : mov rcx, [r8 + 0x538]; mov r9, [rcx + 0x38]; mov rcx, rax; pop rbp; jmp r9
> 0x0001dc4f : mov rdx, [rbx + 0x20]; mov rdi, [r14 + 0x840]; mov esi, r15d; call rax
> 0x00037d7a : mov rdx, [rcx + 0x538]; mov r8, [rdx + 0x50]; mov rdx, rax; pop rbp; jmp r8
> 0x00039c2b : mov r8, [rcx + 0x50]; lea rdx, [rax + 0x490]; mov rcx, rax; pop rbp; jmp r8
> 0x000353a8 : mov r9, [rdx + 0x38]; xor edi, edi; mov rdx, r8; mov r8, rax; pop rbp; jmp r9
> 0x000357af : mov r11, [rcx + 0x48]; mov rdx, -1; mov rcx, r9; mov r9, rax; pop rbp; jmp r11
> 0x000357b0 : mov ebx, [rcx + 0x48]; mov rdx, -1; mov rcx, r9; mov r9, rax; pop rbp; jmp r11
> 0x0001dc50 : mov edx, [rbx + 0x20]; mov rdi, [r14 + 0x840]; mov esi, r15d; call rax
> 0x00037d7b : mov edx, [rcx + 0x538]; mov r8, [rdx + 0x50]; mov rdx, rax; pop rbp; jmp r8
> 0x00043ac4 : mov rcx, [rsi]; lea rdx, [rcx + 1]; mov [rsi], rdx; mov [rcx], dil; pop rbp; ret
> 0x00063de0 : mov rdi, [r15]; mov rsi, [r15 + 8]; mov rdx, r14; xor al, al; call r13
> 0x000f359c : mov ecx, [rax]; lea edx, [rcx + 1]; mov [rax], edx; movzx eax, [rcx]; pop rbp; ret
> 0x00043ac5 : mov ecx, [rsi]; lea rdx, [rcx + 1]; mov [rsi], rdx; mov [rcx], dil; pop rbp; ret
> 0x001150f7 : mov ecx, [rbx + 4]; mov [rsp + 4], ecx; mov [rsp], eax; call rdx
> 0x0000ac57 : mov rcx, [rsi + 0x538]; mov eax, [rcx + rax*4 + 0xa4]; shr eax, 8; and eax, 1; pop rbp; ret
> 0x000359f4 : mov r9, [rax + 0x538]; lea rcx, [rax + 0x290]; mov r8, rax; call [r9 + 0x38]
> 0x00113c8a : mov esi, [rcx + 0x3337a]; mov [rcx + 0x3338a], esi; mov [rcx + 0x3338e], edx; pop rsi; pop rdi; pop rbp; ret
> 0x0003645f : mov rcx, [rdx + 0x538]; mov eax, [rcx + rax*4 + 0xa4]; and eax, ebx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00081181 : mov rdi, [r13 + 0x30]; mov rsi, [r13 + 0x58]; mov edx, r15d; lea rcx, [rbp - 0x48]; call rbx
> 0x000e8426 : mov edx, [rax + 0x524]; mov [rsp + 4], eax; mov [rsp], ecx; call [rdx + 0x34]
> 0x0001d6d7 : mov rbx, [rdi + 0x38]; lea rsi, [rbp - 0x18]; lea rdx, [rbp - 0x28]; mov ecx, 3; call [rdi + 0x28]
> 0x00020d35 : mov rbx, [rbp + 0x10]; lea rcx, [rip + 0x10a4]; movsxd rax, [rcx + rdi*4]; add rax, rcx; jmp rax
> 0x000353a1 : mov rdx, [rax + 0x538]; mov r9, [rdx + 0x38]; xor edi, edi; mov rdx, r8; mov r8, rax; pop rbp; jmp r9
> 0x0001d6d8 : mov ebx, [rdi + 0x38]; lea rsi, [rbp - 0x18]; lea rdx, [rbp - 0x28]; mov ecx, 3; call [rdi + 0x28]
> 0x0000ac54 : mov rsi, [rcx]; mov rcx, [rsi + 0x538]; mov eax, [rcx + rax*4 + 0xa4]; shr eax, 8; and eax, 1; pop rbp; ret
> 0x0000ac55 : mov esi, [rcx]; mov rcx, [rsi + 0x538]; mov eax, [rcx + rax*4 + 0xa4]; shr eax, 8; and eax, 1; pop rbp; ret
> 0x000d00a3 : mov ebx, [rsi + 0x14]; mov [rsp + 8], edx; mov [rsp + 4], ebx; mov [rsp], ecx; call rax
> 0x00039d3a : mov rbx, [rax + 0x538]; lea rdx, [rax + 0x490]; mov rdi, r15; mov esi, r14d; mov rcx, rax; call [rbx + 0x50]
> 0x00031e4c : mov rax, [r8 + 0x538]; lea rdi, [rbp - 0x98]; lea rsi, [rbp - 0x91]; lea rcx, [rbp - 0x90]; mov edx, 1; call [rax + 0x38]
> 0x000f7578 : mov edx, [rsi + 0x1c]; mov [rsp + 8], ecx; mov [rsp + 4], eax; mov [rsp], edx; call [rsi + 0x2c]
> 0x00020d31 : mov rsi, [rbp + 0x18]; mov rbx, [rbp + 0x10]; lea rcx, [rip + 0x10a4]; movsxd rax, [rcx + rdi*4]; add rax, rcx; jmp rax
> 0x00070edb : mov r13, [r12 + 8]; mov rbx, r15; sub rbx, [r12 + 0x10]; mov rdi, [r12 + 0x18]; mov rsi, rbx; mov rdx, r14; call r13
> 0x000cff92 : mov edx, [rdi + 0x10]; mov [rsp + 8], edx; mov edx, [rbp + 0xc]; mov [rsp + 4], edx; mov [rsp], ecx; call rax
> 0x0011522d : mov eax, [rsi]; mov ecx, [rsi + 4]; mov edx, [rbp + 0x10]; mov [rsp + 8], edx; mov [rsp + 4], ecx; mov [rsp], eax; call rdi