ropshell> use b96c7fbfdfc1065aefdcbea3bd91196e
name         : libc-2.21.so (x86_64/ELF)
base address : 0x1f4f0
total gadgets: 16722
ropshell> suggest "load mem"
> 0x0006b27c : mov eax, [rdx]; ret
> 0x000b4890 : mov eax, [rdi]; ret
> 0x00116d92 : mov rax, [rdi + 0x18]; ret
> 0x000d4e51 : mov eax, [rdx + 8]; ret
> 0x000d1a9e : mov eax, [rsi + 0x14]; ret
> 0x00116d93 : mov eax, [rdi + 0x18]; ret
> 0x001485a3 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x000838a3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000cefa7 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x00075b60 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000207da : mov rdx, [rax]; call rbp
> 0x00095720 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000a84d6 : mov rdi, [rax]; call r14
> 0x000e581b : mov rdi, [rbx]; call rbp
> 0x0009c1c4 : mov rdi, [rbp]; call r12
> 0x00035185 : mov rdi, [r12]; call r14
> 0x000207db : mov edx, [rax]; call rbp
> 0x000a84d7 : mov edi, [rax]; call r14
> 0x000e581c : mov edi, [rbx]; call rbp
> 0x0009c1c5 : mov edi, [rbp]; call r12
> 0x001098f6 : mov r8, [rax + 0x18]; jmp r8
> 0x0011ef3f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0006f87a : mov edx, [rdi + 0xc0]; mov eax, edx; ret
> 0x0001fcbe : mov eax, [rbx + 4]; pop rbx; pop rbp; pop r12; ret
> 0x00140d90 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000e5ad8 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x00092416 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x0009c435 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x000e5ad9 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x000daf46 : mov rdx, [rsi + 0x78]; mov [rdi + 0x100], rdx; ret
> 0x00035181 : mov rsi, [r13]; mov rdi, [r12]; call r14
> 0x000daf80 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x00035182 : mov esi, [rbp]; mov rdi, [r12]; call r14
> 0x00071890 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0006cd99 : mov rax, [rsi + 0x130]; call [rax + 0x68]
> 0x00112381 : mov rax, [r14 + 0x60]; call [rax + 8]
> 0x00071864 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0007e4e8 : mov rdi, [rbx + 0x48]; call [rbx + 0x40]
> 0x000f37b3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0006dc9e : mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x0006dc9f : mov ecx, [rax + 0x10]; call [rbp + 0x18]
> 0x00071865 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0007e4e9 : mov edi, [rbx + 0x48]; call [rbx + 0x40]
> 0x000f37b4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00135734 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x00108824 : mov rdx, [rbx]; mov [rbp], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0009c53f : mov rdi, [r14]; lea r9, [rsp + 0x30]; call r13
> 0x00108825 : mov edx, [rbx]; mov [rbp], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0009c540 : mov edi, [rsi]; lea r9, [rsp + 0x30]; call r13
> 0x00140eb6 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x000b7cfb : mov rax, [rdx + 0x18]; mov [rdx + 0x18], rax; mov rax, -0xe; ret
> 0x000df850 : mov rax, [r12 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x000706b7 : mov rdx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x000422e5 : mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00041f65 : mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00092499 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x0009a0bd : mov eax, [r9 + 4]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0006f31b : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x000422e6 : mov ecx, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00041f66 : mov ecx, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x000706b8 : mov edx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x0011e423 : mov ecx, [rdx]; mov rdx, r13; add r9, [rbp - 0x88]; call rax
> 0x0010a905 : mov rax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x00112b6d : mov rax, [r15 + 0x60]; mov rdi, rbp; call [rax + 0x20]
> 0x00095864 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x001121b3 : mov rdx, [rdi + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x0006dc0e : mov rbp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0006e590 : mov r14, [rbx + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0010a906 : mov eax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x0006e591 : mov esi, [rbx + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0006dc0f : mov ebp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x001032af : mov rax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00114a50 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x00071d0b : mov rdx, [rbp]; mov [rdx + rax], 0; mov rax, rbx; pop rbx; pop rbp; pop r12; ret
> 0x00112660 : mov rdi, [r15]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x001032b0 : mov eax, [rbp]; add rbx, rax; mov [rbp], rbx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00071d0c : mov edx, [rbp]; mov [rdx + rax], 0; mov rax, rbx; pop rbx; pop rbp; pop r12; ret
> 0x000663c3 : mov rdx, [r8 + 0x88]; mov [rax + 8], r9; add [rdx + 4], 1; ret
> 0x000bc098 : mov rdi, [rax + r13]; mov rsi, [rbp - 0x1c0]; call [r15 + 0x40]
> 0x00033582 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x000f3de9 : mov edx, [rbp + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00103f1b : movzx edx, [r10 + 1]; add r10, 2; mov [r8], edx; mov [r9], r10; ret
> 0x000f3d3e : mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r13; call rax
> 0x000f3de8 : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x000f45a5 : mov edx, [r14 + 0x60]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x000bc099 : mov edi, [rax + rbp]; mov rsi, [rbp - 0x1c0]; call [r15 + 0x40]
> 0x0010c248 : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x0010f014 : mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x0010f015 : mov edi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x001134d9 : mov rax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x000e5b75 : mov rsi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x001134da : mov eax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x000e5b76 : mov esi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x000422e1 : mov r8, [rsi + 0x28]; mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00041f61 : mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x0006c8d1 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0010adf1 : mov rsi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x000dd814 : mov rdi, [r14 + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x0010adf2 : mov esi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00112358 : mov esi, [r14 + 0x88]; mov rdi, r12; mov [r14 + 0x58], 0; call [rax + 0x28]
> 0x000dd815 : mov edi, [rsi + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x000663bc : mov rax, [r8 + 0x88]; mov rdx, [r8 + 0x88]; mov [rax + 8], r9; add [rdx + 4], 1; ret
> 0x0003357e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0003357f : mov esi, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0010408d : mov rax, [rsi]; mov [rdi + 8], rax; mov rax, [rsi + 8]; mov [rdi + 0x10], rax; xor eax, eax; ret
> 0x0010c244 : mov rax, [r13 + 8]; mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00048138 : mov rcx, [r15 + 0xd8]; sub rax, rbx; mov rsi, rbx; mov rdx, rax; mov rdi, r15; call [rcx + 0x38]
> 0x00111888 : mov rsi, [rcx + 0x1c]; mov rdi, [rcx + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00112108 : mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00111889 : mov esi, [rcx + 0x1c]; mov rdi, [rcx + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00041f5a : mov rcx, [rdi + 0x98]; mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x0006e8f0 : mov rcx, [rbx + 0x10]; mov rdx, [rbx + 0x18]; sar r8, 2; lea rsi, [rax + 0x58]; call [r14 + 0x30]
> 0x000f3d35 : mov rdx, [r12 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r13; call rax
> 0x000f3de0 : mov rdx, [r13 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x000f459a : mov rdx, [r14 + 0x80]; mov [rbp - 0x70], rdx; mov edx, [r14 + 0x60]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x0009c7d1 : mov rdi, [r12 + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x0006e8f1 : mov ecx, [rbx + 0x10]; mov rdx, [rbx + 0x18]; sar r8, 2; lea rsi, [rax + 0x58]; call [r14 + 0x30]
> 0x0003357a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00110ab4 : mov rdi, [rsi + 8]; mov rcx, rsi; mov r8, [rdi + 0x18]; mov edx, [rax + 0x1c8]; lea rsi, [rax + 0x38]; mov rdi, rcx; jmp r8
> 0x001151a6 : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x001151a7 : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x00068636 : mov r8, [rdx + 0x88]; mov [rax + 8], r9; add [r8 + 4], 1; mov rax, [rdx + 0xd8]; mov rbx, rdx; mov rdi, rdx; call [rax + 0x60]