ROPSHELL 
ropshell> use b86ec517ee44b2d6c03096e0518c72a1 (download)
name         : libc.so.6 (x86_64/RAW)
base address : 0x0
total gadgets: 20145

ropshell> suggest "load mem"
> 0x0006c81c : mov eax, [rdx]; ret
> 0x000b6460 : mov eax, [rdi]; ret
> 0x0015b706 : mov edi, [rdx]; ret
> 0x000b6360 : mov rax, [rdi + 0x20]; ret
> 0x000d2cf1 : mov eax, [rdx + 8]; ret
> 0x000d1f7e : mov eax, [rsi + 0x14]; ret
> 0x000b6361 : mov eax, [rdi + 0x20]; ret
> 0x00147453 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x000850c3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x0009b926 : mov eax, [rcx + 4]; pop r12; ret
> 0x0009b925 : mov eax, [r9 + 4]; pop r12; ret
> 0x000cf3b7 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x00076ea0 : mov rcx, [rdi]; mov [rdx], rcx; ret
> 0x00021ad0 : mov rdx, [rax]; call rbp
> 0x00096fb0 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000e58db : mov rdi, [rbx]; call rbp
> 0x00036b9c : mov rdi, [r12]; call r13
> 0x0009de2d : mov rdi, [r13]; call r12
> 0x00076ea1 : mov ecx, [rdi]; mov [rdx], rcx; ret
> 0x00021ad1 : mov edx, [rax]; call rbp
> 0x000e58dc : mov edi, [rbx]; call rbp
> 0x0009de2e : mov edi, [rbp]; call r12
> 0x000c6638 : mov eax, [rbp + 4]; pop rbp; pop r12; ret
> 0x0011ea2f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x000f4cb4 : mov rax, [rdi]; mov rdi, rdx; jmp rax
> 0x00023059 : mov rdi, [rbx + 0x18]; call rax
> 0x00070dde : mov edx, [rdi + 0xc0]; mov eax, edx; pop rbx; ret
> 0x0002305a : mov edi, [rbx + 0x18]; call rax
> 0x0014c873 : mov rax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x0013fc40 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000e5b68 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x0014c874 : mov eax, [rbx]; mov [rax + 8], 0; pop rbx; ret
> 0x0010eda8 : mov eax, [rcx]; mov [r8], eax; mov eax, 1; ret
> 0x0009dd15 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x000e5b69 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x000db1b6 : mov rdx, [rsi + 0x78]; mov [rdi + 0x100], rdx; ret
> 0x00036b99 : mov rsi, [r14]; mov rdi, [r12]; call r13
> 0x000db1f0 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x00072e70 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0006e38d : mov rax, [rsi + 0x140]; call [rax + 0x68]
> 0x0011204d : mov rax, [r15 + 0x60]; call [rax + 8]
> 0x00072e44 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x000f3593 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00072e71 : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x00072e45 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x000f3594 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0010ecd8 : mov rax, [r8]; bswap eax; mov [rcx + 0xb4], eax; mov eax, 1; ret
> 0x001345e4 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x000254c8 : mov rdx, [r12]; mov rsi, rbp; call [r14 + 8]
> 0x00027de8 : mov rdx, [r13]; mov rsi, r12; call [r14 + 8]
> 0x00026728 : mov rdx, [r14]; mov rsi, r13; call [rbx + 8]
> 0x0011dee7 : mov ecx, [rdx]; mov rdx, r12; add r9, r11; call rax
> 0x00027de9 : mov edx, [rbp]; mov rsi, r12; call [r14 + 8]
> 0x0013fd66 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x00072ea1 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000dfa88 : mov rax, [r12 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00071c67 : mov rdx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x00022d0e : mov rdi, [rax + 0x18]; mov [rbp - 0x58], rax; call rcx
> 0x00043e25 : mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00043ae5 : mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00043e26 : mov ecx, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00043ae6 : mov ecx, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00071c68 : mov edx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x00022d0f : mov edi, [rax + 0x18]; mov [rbp - 0x58], rax; call rcx
> 0x0010a9ec : mov rax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x001137d6 : mov rax, [r13 + 8]; mov rdi, r13; call [rax + 0x20]
> 0x00111b85 : mov rax, [r14 + 0x70]; mov rdi, r12; call [rax + 0x20]
> 0x000970f4 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x000f4cb0 : mov rdx, [rdi + 8]; mov rax, [rdi]; mov rdi, rdx; jmp rax
> 0x00046dd5 : mov rdx, [r13 + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x0006f1ae : mov rbp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0006f9e0 : mov r15, [rbx + 0x98]; mov rdi, r15; call [r15 + 0x20]
> 0x00046dd6 : mov edx, [rbp + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x0006f1af : mov ebp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0010320f : mov rax, [rbp]; add rax, rbx; mov [rbp], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x00114700 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x000732db : mov rdx, [rbx]; mov [rdx + rax], 0; pop rbx; mov rax, rbp; pop rbp; pop r12; ret
> 0x00112a66 : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x20]
> 0x0011230c : mov rdi, [r14]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x00103210 : mov eax, [rbp]; add rax, rbx; mov [rbp], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x000732dc : mov edx, [rbx]; mov [rdx + rax], 0; pop rbx; mov rax, rbp; pop rbp; pop r12; ret
> 0x00112a67 : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x20]
> 0x0011230d : mov edi, [rsi]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x000677bd : mov rdx, [r8 + 0x88]; mov [rax + 8], r9; add [rdx + 4], 1; ret
> 0x00034f52 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00103d9b : movzx edx, [r10 + 1]; add r10, 2; mov [r8], edx; mov [r9], r10; ret
> 0x000f3dbb : mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r13; call rax
> 0x000f3bef : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x000f3a40 : mov edx, [r14 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x0010ed0c : mov rdx, [rcx + 0x10]; mov [r8], rax; mov [r8 + 8], rdx; mov eax, 1; ret
> 0x0010c008 : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00111564 : mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x000ceee3 : movzx ebx, [rcx + 8]; movsxd r11, [r9 + r11*4]; add r11, r9; jmp r11
> 0x0010ed0d : mov edx, [rcx + 0x10]; mov [r8], rax; mov [r8 + 8], rdx; mov eax, 1; ret
> 0x0010c009 : mov esi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00111565 : mov edi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x000e5c1a : mov rsi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x000e5c1b : mov esi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x00043e21 : mov r8, [rsi + 0x28]; mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00043ae1 : mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x0006dea1 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0004bd49 : mov rcx, [rbx + 0x10]; mov [rcx + rdx*8], rax; add rsp, 8; mov eax, ebp; pop rbx; pop rbp; ret
> 0x0010ac81 : mov rsi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00046dd1 : mov rsi, [r13 + 0x18]; mov rdx, [r13 + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x000ddc24 : mov rdi, [r14 + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x0006dea2 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0004bd4a : mov ecx, [rbx + 0x10]; mov [rcx + rdx*8], rax; add rsp, 8; mov eax, ebp; pop rbx; pop rbp; ret
> 0x00112027 : mov esi, [rdi + 0x88]; mov rdi, rbp; mov [r15 + 0x58], 0; call [rax + 0x28]
> 0x00046dd2 : mov esi, [rbp + 0x18]; mov rdx, [r13 + 0x20]; sub rdx, rsi; call [rax + 0x38]
> 0x00112026 : mov esi, [r15 + 0x88]; mov rdi, rbp; mov [r15 + 0x58], 0; call [rax + 0x28]
> 0x000ddc25 : mov edi, [rsi + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x000677b6 : mov rax, [r8 + 0x88]; mov rdx, [r8 + 0x88]; mov [rax + 8], r9; add [rdx + 4], 1; ret
> 0x00034f4e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x001085f8 : mov rdx, [rbp]; mov [r12], rax; mov rsi, rax; mov r8, rbx; mov rcx, r15; mov rdi, r14; call r13
> 0x00111578 : mov rsi, [rcx + 0x1c]; mov rdi, [rcx + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00111e08 : mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00111579 : mov esi, [rcx + 0x1c]; mov rdi, [rcx + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x0010c3f8 : movsxd rax, [rsi]; mov rsi, rsp; mov [rsp + 8], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x00043ada : mov rcx, [rdi + 0x98]; mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x000250e6 : mov rdi, [r15 + 0x18]; mov r8, r12; mov rcx, rbx; mov rdx, [r13]; mov rsi, rbp; call [r15 + 8]
> 0x00027a4d : mov rcx, [r14]; mov rsi, [rsp + 0x10]; mov [rsp], rax; mov rdi, [rsp + 0x68]; call [r13]
> 0x000f3db2 : mov rdx, [r12 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r13; call rax
> 0x000f3a38 : mov rdx, [r14 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r14 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x00034f4a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00114e66 : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x00114e67 : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x0006f233 : mov r9, [rax + 0x10]; lea rsi, [rax + 0x58]; mov [rsp + 8], rdi; mov rax, [rax + 0x38]; mov rdi, rbp; mov [rsp], rax; call [rbp + 0x18]

© 2014 - 2019 - Powered by ROPEME | Contact