ropshell> use c0b86652995f86fa7bf131547f8105c5 (download)
name : libc.so.6 (x86_64/ELF)
base address : 0x28800
total gadgets: 15755
ropshell> suggest "load mem"
> 0x00088e80 : mov eax, [rdx]; ret
> 0x000ed964 : mov eax, [rdi]; ret
> 0x00096fc4 : mov rax, [rdi + 0x68]; ret
> 0x001590a1 : mov eax, [rdx + 8]; ret
> 0x0014f344 : mov eax, [rdi + 0x20]; ret
> 0x000ba325 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x0008bf2d : mov edx, [rax]; mov eax, edx; ret
> 0x00096c95 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000bf450 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x001287ee : mov rsi, [rbx]; call r13
> 0x00128224 : mov rdi, [rbx]; call r12
> 0x00128262 : mov rdi, [r13]; call r12
> 0x001282ca : mov rdi, [r14]; call r12
> 0x000ca214 : mov edx, [rbx]; add [rax - 0x39], cl; ret
> 0x000bf3f1 : mov edx, [rsi]; mov [rdi], dx; ret
> 0x001287ef : mov esi, [rbx]; call r13
> 0x00128225 : mov edi, [rbx]; call r12
> 0x001282cb : mov edi, [rsi]; call r12
> 0x00128263 : mov edi, [rbp]; call r12
> 0x0019b0d7 : movzx ecx, [rsi + rcx]; sub eax, ecx; ret
> 0x001a72df : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0003b2b2 : mov edi, [rax + rdx]; mov eax, edi; ret
> 0x001587ab : mov eax, [rbp]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x001587aa : mov eax, [r13]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x00047719 : mov rdi, [rbx + 8]; call rax
> 0x00185409 : mov rdi, [rbp + 8]; pop rbp; jmp rax
> 0x000fce98 : mov eax, [r12 + 0x4c]; pop rbx; pop r12; pop rbp; ret
> 0x0004771a : mov edi, [rbx + 8]; call rax
> 0x0018540a : mov edi, [rbp + 8]; pop rbp; jmp rax
> 0x001856df : mov rax, [rbx]; pop rbx; pop r12; pop rbp; jmp rax
> 0x001a58ee : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x0010d05b : mov rdx, [rax]; mov [rax], rdi; mov rax, rdx; ret
> 0x0012843c : mov rsi, [rcx]; mov r15, rcx; call rax
> 0x001856e0 : mov eax, [rbx]; pop rbx; pop r12; pop rbp; jmp rax
> 0x001a5920 : mov eax, [rcx]; mov [rdx], eax; mov rax, rdi; ret
> 0x00099b62 : mov eax, [rsi]; neg eax; sbb eax, eax; and eax, 0x16; ret
> 0x00045e29 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x0012843d : mov esi, [rcx]; mov r15, rcx; call rax
> 0x001518ef : mov edi, [rax]; call [rbp - 0x40]
> 0x00151330 : mov edi, [r15]; call [rbp - 0x40]
> 0x001193b1 : mov rax, [r14 + 0x10]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x000a68f5 : mov rcx, [rax + 0x18]; mov [rdi + 0x18], rcx; ret
> 0x00085d33 : mov rdx, [rdi + 0xa0]; mov [rdx + 0xe0], rcx; ret
> 0x000b4a70 : mov rdx, [rbp + 0x18]; mov [rax], rdx; pop rbp; ret
> 0x001193b2 : mov eax, [rsi + 0x10]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x000a68f6 : mov ecx, [rax + 0x18]; mov [rdi + 0x18], rcx; ret
> 0x00085d34 : mov edx, [rdi + 0xa0]; mov [rdx + 0xe0], rcx; ret
> 0x000b4a71 : mov edx, [rbp + 0x18]; mov [rax], rdx; pop rbp; ret
> 0x00129934 : mov rdx, [rbx]; mov [rax], rdx; pop rbx; pop r12; pop rbp; ret
> 0x001288a8 : mov rsi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x001288a9 : mov esi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x00175416 : mov rax, [rbx + 0x60]; call [rax + 8]
> 0x00174989 : mov rax, [r15 + 0x70]; call [rax + 0x18]
> 0x000a5678 : mov rdi, [rax + 8]; call [rax]
> 0x000a56fa : mov rdi, [rcx + 8]; call [rcx]
> 0x0013498b : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0002b143 : mov rdi, [r14 + 0x10]; add rdi, r12; call r13
> 0x00175417 : mov eax, [rbx + 0x60]; call [rax + 8]
> 0x001194d5 : mov edx, [rax + rdx]; call [rbx + 0x40]
> 0x000a56fb : mov edi, [rcx + 8]; call [rcx]
> 0x0013498c : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0002b144 : mov edi, [rsi + 0x10]; add rdi, r12; call r13
> 0x000bf460 : mov rcx, [rsi]; mov [rdi + 8], dh; mov [rdi], rcx; ret
> 0x0009f5e4 : mov rdx, [rdi]; lea rax, [rip + 0x163ad2]; mov [rax], edx; ret
> 0x000956c2 : movzx esi, [rdi]; mov rdi, r13; call [rax + 0x18]
> 0x000956c1 : movzx esi, [r15]; mov rdi, r13; call [rax + 0x18]
> 0x001a590b : mov rax, [rcx + 8]; mov [rdx + 8], rax; mov rax, rdi; ret
> 0x000907a5 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x0004aa91 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x001a5946 : mov eax, [rcx + 8]; mov [rdx + 8], eax; mov rax, rdi; ret
> 0x0004aa92 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00045e69 : mov rax, [rsi]; and rax, [rdx]; mov [rdi], rax; xor eax, eax; ret
> 0x00151228 : mov rdx, [r15]; mov rcx, [rbp - 0x48]; mov rdi, r14; call r13
> 0x00099268 : mov rax, [rsi + 0x18]; sub rcx, rdx; lea rax, [rcx + rax + 0x4000]; ret
> 0x00179272 : mov rax, [r12 + 0x18]; mov rdi, r14; call [rax + 0x20]
> 0x0016c8b1 : mov rax, [r13 + 8]; mov rdi, r13; call [rax + 0x20]
> 0x000bf594 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x00176f0e : mov rdx, [rax + 0x38]; mov rdi, rax; call [rdx + 0x20]
> 0x000bf4a3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00158e10 : mov r8, [rbx + 8]; mov rdi, [rbp - 0x78]; push rax; call r12
> 0x0016c8b2 : mov eax, [rbp + 8]; mov rdi, r13; call [rax + 0x20]
> 0x001753f6 : mov esi, [rbx + 0x88]; mov rdi, r13; call [rax + 0x28]
> 0x00171cf6 : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x00175ad1 : mov rdi, [r15]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x000b4b28 : mov rcx, [rbp + 0x18]; mov [rax], rcx; lea rax, [rax + rdx - 1]; pop rbp; ret
> 0x00098039 : mov rdx, [rbx + 0x20]; cmove rdi, r11; sub rsp, 8; push r10; call rax
> 0x000b4b29 : mov ecx, [rbp + 0x18]; mov [rax], rcx; lea rax, [rax + rdx - 1]; pop rbp; ret
> 0x0009803a : mov edx, [rbx + 0x20]; cmove rdi, r11; sub rsp, 8; push r10; call rax
> 0x0016e447 : mov rsi, [rbx + 0x10]; mov rdx, r12; mov rdi, r14; call [rax + 0x10]
> 0x0003b0fc : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x000a56f6 : mov r15, [rcx + 0x18]; mov rdi, [rcx + 8]; call [rcx]
> 0x000450f3 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0003b0fd : mov esi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0012d38d : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xd5ede], 0; ret
> 0x0012d38e : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xd5ede], 0; ret
> 0x0008bf5f : mov rcx, [rdx + 0x20]; cmp rax, rcx; cmovb rax, rcx; sub rax, [rdx + 0x10]; sar rax, 2; ret
> 0x0008d47a : mov rdx, [r13 + 0x40]; sub rdx, rsi; mov [rbp - 0xf0], rcx; mov rdi, r13; call rax
> 0x0004aa8d : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x000498e8 : mov rsi, [r15]; mov rdi, [r13]; mov rdx, [rbp - 0x38]; mov rax, [rbp - 0x40]; call rax
> 0x000ddcc3 : mov ecx, [rdi + rax]; xor edx, edx; cmp ecx, [rsi + rax]; setg dl; lea eax, [rdx + rdx - 1]; ret
> 0x000450ef : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x001888ce : mov rax, [r15]; sub eax, [rsi]; mov ecx, [rdi + rdx - 4]; mov edi, [rsi + rdx - 4]; sub ecx, edi; or eax, ecx; ret
> 0x001736fa : mov rsi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x00048b18 : movzx r8, [rax + r10]; mov edx, 6; mov [rip + 0x1bc8d5], al; lea rax, [rip + 0x1bc8c9]; mov [rax + rdx], 0; ret
> 0x00077916 : movzx ecx, [rbx + rcx]; lea rbx, [rip - 0xc00]; movsxd rdx, [rdx + rcx*4]; add rdx, rbx; mov ebx, 1; jmp rdx
> 0x001736fb : mov esi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x000d8dde : mov rdi, [r12 + 0x10]; lea rsi, [rbp - 0x70]; push 1; lea r9, [rbp - 0x88]; push 0; lea rcx, [rax + 4]; call rbx
> 0x00135638 : mov edx, [r12 + 0x18]; movdqu xmm6, xmm[r12 + 0x30]; mov [rbp - 0x110], edx; mov rdx, r14; movups xmm[rbp - 0x108], xmm6; call rax
> 0x001358be : mov edx, [r14 + 0x18]; movdqu xmm7, xmm[r14 + 0x30]; mov [rbp - 0x110], edx; mov rdx, r12; movups xmm[rbp - 0x108], xmm7; call rax
> 0x00135025 : mov edx, [r15 + 0x18]; movdqu xmm1, xmm[r15 + 0x30]; mov [rbp - 0x110], edx; mov rdx, r13; movups xmm[rbp - 0x108], xmm1; call rax
> 0x0005828e : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0005828f : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0017923d : mov r12, [rdi + 0x48]; mov rax, [r12 + 0x18]; lea r14, [r12 + 0x10]; mov [r12 + 0x10], 0; mov rdi, r14; call [rax + 0x28]