ropshell> use 9b048b35b934f748874c37eda9c6c5c2
name         : kernel32.dll (x86_64/PE)
base address : 0x180001000
total gadgets: 4554
ropshell> suggest "load mem"
> 0x18001fb4f : movzx eax, [rcx]; ret
> 0x1800f5410 : mov rax, [rbp + 0xa0]; call rax
> 0x180106e7d : mov rcx, [rsi + 0x10]; call rbx
> 0x1800d12bb : mov rcx, [rdi + 8]; call rbx
> 0x1800f548b : mov rdx, [rbp + 8]; call r13
> 0x180002d75 : mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x1800f8c9e : mov rdi, [r11 + 0x18]; mov rsp, r11; pop rbp; ret
> 0x1800e7165 : mov r14, [r11 + 0x20]; mov rsp, r11; pop r15; ret
> 0x1800f5411 : mov eax, [rbp + 0xa0]; call rax
> 0x180106e7e : mov ecx, [rsi + 0x10]; call rbx
> 0x1800d12bc : mov ecx, [rdi + 8]; call rbx
> 0x1800f548c : mov edx, [rbp + 8]; call r13
> 0x180002d76 : mov esi, [rbx + 0x18]; mov rsp, r11; pop rdi; ret
> 0x1800f8c9f : mov edi, [rbx + 0x18]; mov rsp, r11; pop rbp; ret
> 0x18010e7d5 : mov rcx, [rbx]; mov rdx, rsi; call rdi
> 0x18010e721 : mov rcx, [rdi]; mov edx, 0x20; call rbx
> 0x18010e7d6 : mov ecx, [rbx]; mov rdx, rsi; call rdi
> 0x18010e722 : mov ecx, [rdi]; mov edx, 0x20; call rbx
> 0x180006b0d : mov rax, [rdx + 0x130]; mov [rdx + 0x138], rax; ret
> 0x180015d7a : mov r9, [rdi + 0x38]; mov gs:[0x1748], r9; pop rdi; ret
> 0x180006b0e : mov eax, [rdx + 0x130]; mov [rdx + 0x138], rax; ret
> 0x1800dbbb3 : mov rdx, [rbx + 0x10]; mov rcx, r15; call r12
> 0x18001013e : mov rbp, [r11 + 0x30]; mov rsp, r11; pop r14; pop rdi; pop rsi; ret
> 0x18001e1b2 : mov r12, [r11 + 0x38]; mov rsp, r11; pop r15; pop r14; pop r13; ret
> 0x1800dbbb4 : mov edx, [rbx + 0x10]; mov rcx, r15; call r12
> 0x18001013f : mov ebp, [rbx + 0x30]; mov rsp, r11; pop r14; pop rdi; pop rsi; ret
> 0x1800ef6ac : mov rax, [r11]; mov [rcx], rax; lea eax, [r10 + r8]; ret
> 0x1800ef6ad : mov eax, [rbx]; mov [rcx], rax; lea eax, [r10 + r8]; ret
> 0x1800b7724 : mov rcx, [rdx + 0x50]; mov eax, 1; mov [r8 + 0x50], rcx; ret
> 0x18010ef3a : mov eax, [r10 + 0x38]; mov [r8 + 0x7c], eax; add rsp, 0x28; ret
> 0x1800b7725 : mov ecx, [rdx + 0x50]; mov eax, 1; mov [r8 + 0x50], rcx; ret
> 0x1800c5421 : mov ecx, [rax]; xor eax, eax; dec ecx; mov [rdx + rcx*2], ax; ret
> 0x1800c5420 : mov ecx, [r8]; xor eax, eax; dec ecx; mov [rdx + rcx*2], ax; ret
> 0x1800fdc38 : mov rax, [rcx + 8]; sub rax, [rdx + 8]; test rax, rax; sete al; ret
> 0x1800f8c9a : mov rbx, [r11 + 0x10]; mov rdi, [r11 + 0x18]; mov rsp, r11; pop rbp; ret
> 0x180018122 : mov rcx, [rax + 0x30]; call [rip + 0x10baf4]; mov eax, 1; add rsp, 0x28; ret
> 0x1800f5488 : mov rcx, [rbp + 0x48]; mov edx, [rbp + 8]; call r13
> 0x1800fdc39 : mov eax, [rcx + 8]; sub rax, [rdx + 8]; test rax, rax; sete al; ret
> 0x18010f580 : movzx eax, [rsi + 0x210]; xor edx, edx; xor ecx, ecx; call rbx
> 0x180018123 : mov ecx, [rax + 0x30]; call [rip + 0x10baf4]; mov eax, 1; add rsp, 0x28; ret
> 0x1800f5489 : mov ecx, [rbp + 0x48]; mov edx, [rbp + 8]; call r13
> 0x180109ee7 : mov rax, [r8 + 0x18]; mov [rax + 0x10], r8; mov [r10 + rdx*8], r8; ret
> 0x1800ba157 : mov rax, [r9 + 0x28]; lea rcx, [rax + rcx*4]; mov [rdx + 0x138], rcx; ret
> 0x1800cb7a2 : mov eax, [rdx]; add rcx, rax; lea rax, [r10 + rcx*2]; mov [r9 + 0x188], rax; ret
> 0x18010f5c4 : mov rbx, [r14 + 8]; mov rcx, rbx; call [rip + 0x15fdf]; mov rcx, rdi; call rbx
> 0x18001603a : mov rdi, [rax + 0xb8]; mov rcx, rbx; call [rip + 0x10f566]; mov rcx, rdi; call rbx
> 0x18010f5c5 : mov ebx, [rsi + 8]; mov rcx, rbx; call [rip + 0x15fdf]; mov rcx, rdi; call rbx
> 0x18001603b : mov edi, [rax + 0xb8]; mov rcx, rbx; call [rip + 0x10f566]; mov rcx, rdi; call rbx
> 0x1800dbbaa : mov rbx, [rax]; call [rip + 0x499fd]; mov rdx, [rbx + 0x10]; mov rcx, r15; call r12
> 0x1800de03e : mov rbx, [r9]; mov rcx, rbx; call [rip + 0x47566]; mov rcx, [rdi + 8]; call rbx
> 0x1800dbbab : mov ebx, [rax]; call [rip + 0x499fd]; mov rdx, [rbx + 0x10]; mov rcx, r15; call r12
> 0x1800de03f : mov ebx, [rcx]; mov rcx, rbx; call [rip + 0x47566]; mov rcx, [rdi + 8]; call rbx
> 0x1800d03e3 : mov rbx, [rdi + 0x20]; mov rcx, rbx; call [rip + 0x551c0]; mov edx, ebp; mov rcx, r14; call rbx
> 0x1800f5944 : mov rdx, [r15 + 0x38]; lea r9, [rbp - 9]; lea r8, [rsp + 0x28]; mov ecx, 7; call r14
> 0x1800f4804 : mov rsi, [rbp + 0xd8]; mov rcx, rsi; call [rip + 0x30d9c]; xor edx, edx; mov rcx, rdi; call rsi
> 0x1800d03e4 : mov ebx, [rdi + 0x20]; mov rcx, rbx; call [rip + 0x551c0]; mov edx, ebp; mov rcx, r14; call rbx
> 0x1800f5945 : mov edx, [rdi + 0x38]; lea r9, [rbp - 9]; lea r8, [rsp + 0x28]; mov ecx, 7; call r14
> 0x1800f4805 : mov esi, [rbp + 0xd8]; mov rcx, rsi; call [rip + 0x30d9c]; xor edx, edx; mov rcx, rdi; call rsi
> 0x18010e7c8 : mov rdi, [rbx + 0x10]; mov rcx, rdi; call [rip + 0x16ddb]; mov rcx, [rbx]; mov rdx, rsi; call rdi
> 0x1800ba153 : mov ecx, [r8 + 0x1c]; mov rax, [r9 + 0x28]; lea rcx, [rax + rcx*4]; mov [rdx + 0x138], rcx; ret
> 0x180016033 : mov rbx, [rax + 0xb0]; mov rdi, [rax + 0xb8]; mov rcx, rbx; call [rip + 0x10f566]; mov rcx, rdi; call rbx
> 0x180016034 : mov ebx, [rax + 0xb0]; mov rdi, [rax + 0xb8]; mov rcx, rbx; call [rip + 0x10f566]; mov rcx, rdi; call rbx
> 0x180018d69 : mov rbx, [rcx + rbx]; mov rcx, rbx; call [rip + 0x10c83a]; mov r8, r15; mov rdx, r12; lea rcx, [rsp + 0x30]; call rbx
> 0x180018d6a : mov ebx, [rcx + rbx]; mov rcx, rbx; call [rip + 0x10c83a]; mov r8, r15; mov rdx, r12; lea rcx, [rsp + 0x30]; call rbx
> 0x18010e7c4 : mov rbx, [rsi + 0x18]; mov rdi, [rbx + 0x10]; mov rcx, rdi; call [rip + 0x16ddb]; mov rcx, [rbx]; mov rdx, rsi; call rdi