ROPSHELL 
ropshell> use c0d63d5f295f8cea9f6a969f30d87c1a (download)
name         : libc.so.6 (x86_64/ELF)
base address : 0x26650
total gadgets: 15278

ropshell> suggest "load mem"
> 0x00081ee0 : mov eax, [rdx]; ret
> 0x000da1d4 : mov eax, [rdi]; ret
> 0x0008fe64 : mov rax, [rdi + 0x68]; ret
> 0x000fd861 : mov eax, [rdx + 8]; ret
> 0x001515c4 : mov eax, [rdi + 0x28]; ret
> 0x0017e8f3 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x000a8b94 : movzx edx, [rsi]; sub eax, edx; ret
> 0x0008fb65 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000ff0d3 : mov rcx, [r12]; call rax
> 0x00028c39 : mov rdx, [rax]; call rbp
> 0x000b31c0 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x00114ad3 : mov rdi, [rbp]; call rbx
> 0x00114b05 : mov rdi, [r12]; call rbx
> 0x00114b63 : mov rdi, [r13]; call rbx
> 0x0011f2d9 : mov eax, [r12]; pop rbx; pop rbp; pop r12; ret
> 0x00028c3a : mov edx, [rax]; call rbp
> 0x00114ad4 : mov edi, [rbp]; call rbx
> 0x00177abf : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x000ce5b5 : mov r10, [r9]; add [rbp + 1], cl; ret
> 0x000ce5b6 : mov edx, [rcx]; add [rbp + 1], cl; ret
> 0x0009b900 : mov rdi, [rbx + 0x48]; call rax
> 0x00045469 : mov rdi, [rbp + 8]; call rax
> 0x0009b901 : mov edi, [rbx + 0x48]; call rax
> 0x0004546a : mov edi, [rbp + 8]; call rax
> 0x001701c0 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000f977b : mov r8, [rax]; mov [rax], rdi; mov rax, r8; ret
> 0x000afcd6 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x00146f30 : mov eax, [r8]; mov [rdx], eax; mov eax, 1; ret
> 0x00042509 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x0010d611 : mov rax, [r13 + 0x10]; pop rbp; pop r12; pop r13; pop r14; ret
> 0x000de5cb : mov rdx, [rdi + 0x18]; mov [rdi + 0x18], rdx; ret
> 0x0010d612 : mov eax, [rbp + 0x10]; pop rbp; pop r12; pop r13; pop r14; ret
> 0x00164f4e : mov ecx, [rbp + 1]; fnstcw [rsi]; jmp r9
> 0x000de5cc : mov edx, [rdi + 0x18]; mov [rdi + 0x18], rdx; ret
> 0x000feedb : mov rdx, [r12]; mov rax, [rbp - 0x1e0]; call rax
> 0x00107c64 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x00120a92 : mov eax, [rbp]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00120a91 : mov eax, [r13]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00089664 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0010dea8 : mov rax, [rsi + 0x28]; cmp [rdi + 0x28], rax; sete al; ret
> 0x00142419 : mov rax, [rbp + 8]; call [rax + 0x28]
> 0x0008964b : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0009119b : mov rdx, [rbx + 0x28]; and [rdx + 0x10], rcx; pop rbx; ret
> 0x00125a83 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00089665 : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0010dea9 : mov eax, [rsi + 0x28]; cmp [rdi + 0x28], rax; sete al; ret
> 0x0008964c : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0009119c : mov edx, [rbx + 0x28]; and [rdx + 0x10], rcx; pop rbx; ret
> 0x00125a84 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00146fd8 : mov rax, [rdx]; bswap eax; mov [r8 + 0xb4], eax; mov eax, 1; ret
> 0x00149d60 : mov rax, [r8]; bswap eax; mov [rdi + 0x54], eax; mov eax, 1; ret
> 0x0013c0fc : mov rax, [r12]; mov [rax + 8], 0; pop rbx; pop rbp; pop r12; ret
> 0x00167604 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x00119153 : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x001150df : mov rsi, [rbx]; mov r13, rbx; mov rdi, rbp; call r12
> 0x0012f691 : mov ecx, [rax]; lcall [rax + 0x4c]; mov eax, esp; pop rdx; pop r12; ret
> 0x00119154 : mov edx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x001150e0 : mov esi, [rbx]; mov r13, rbx; mov rdi, rbp; call r12
> 0x001702e6 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x000896a5 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x00053171 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x000afd59 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x00146f1d : movzx eax, [r8 + 0x88]; mov [rdx + 0x6c], ax; mov eax, 1; ret
> 0x00053172 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x000a6674 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x00042549 : mov rax, [rsi]; and rax, [rdx]; mov [rdi], rax; xor eax, eax; ret
> 0x0014c337 : mov rax, [r8 + 0x38]; mov rdi, r8; call [rax + 0x20]
> 0x0014284c : mov rax, [r12 + 0x38]; mov rdi, r12; call [rax + 0x20]
> 0x0014a333 : mov rax, [r14 + 0x70]; mov rdi, rbp; call [rax + 0x20]
> 0x0014b057 : mov rax, [r15 + 0x60]; mov rdi, rbp; call [rax + 0x20]
> 0x000b3304 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x000b3213 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00090b0b : mov r8, [rdi + 8]; mov rax, [rdi]; mov rdi, r8; jmp rax
> 0x0014a850 : mov esi, [rbx + 0x88]; mov rdi, r15; call [rax + 0x28]
> 0x0014e1c0 : mov rax, [rbx]; mov [rbp + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x0013f813 : mov rdx, [r15]; mov r8, rbp; mov rcx, r14; mov rdi, r13; call r12
> 0x00114cf0 : mov rsi, [r14]; mov rax, [rsp + 0x10]; mov rdi, rbp; call rax
> 0x001472d4 : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0014b580 : mov rdi, [rbx]; mov rax, [rdi + 8]; call [rax + 0x20]
> 0x0014e1c1 : mov eax, [rbx]; mov [rbp + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x001472d5 : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0014b581 : mov edi, [rbx]; mov rax, [rdi + 8]; call [rax + 0x20]
> 0x001151a8 : mov rsi, [rax]; mov rdi, r14; mov rax, [rbp - 0x58]; mov r15d, r13d; call rax
> 0x001151a9 : mov esi, [rax]; mov rdi, r14; mov rax, [rbp - 0x58]; mov r15d, r13d; call rax
> 0x00143984 : mov rsi, [rbx + 0x10]; mov rdx, r12; mov rdi, r14; call [rax + 0x10]
> 0x000386ec : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x00159d1a : mov r8, [rbx + 0x10]; call [rax + 0x270]; mov [rbx], rax; pop rax; pop rdx; pop rbx; ret
> 0x00041681 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x000e7e05 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x000386ed : mov esi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0011bd85 : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xc75e6], 0; ret
> 0x00043940 : mov rsi, [r13]; mov rdi, [r12]; mov rdx, r14; mov rax, [rsp]; call rax
> 0x001443a9 : mov rdi, [r14]; add r13, rbx; sub edx, ebx; mov rsi, r13; call [r14 + 0x40]
> 0x00144152 : mov rdi, [r15]; add r13, rax; sub edx, eax; mov rsi, r13; call [r15 + 0x40]
> 0x00043941 : mov esi, [rbp]; mov rdi, [r12]; mov rdx, r14; mov rax, [rsp]; call rax
> 0x001443aa : mov edi, [rsi]; add r13, rbx; sub edx, ebx; mov rsi, r13; call [r14 + 0x40]
> 0x0008734b : mov rcx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0008afe8 : mov rdx, [rbp + 0x40]; sub rdx, rsi; mov [rsp], rcx; mov rdi, rbp; call rax
> 0x00148c4e : mov rsi, [r8 + 0x40]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x0005316d : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0008734c : mov ecx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0008afe9 : mov edx, [rbp + 0x40]; sub rdx, rsi; mov [rsp], rcx; mov rdi, rbp; call rax
> 0x00148c4f : mov esi, [rax + 0x40]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x000837a5 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00085b97 : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rsp + 8], rcx; mov rdi, r15; call rax
> 0x000b99a9 : mov rdi, [r12 + 0x10]; push 1; xor edx, edx; push 1; lea r9, [rsp + 0x20]; call rbx
> 0x000837a6 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0004167d : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00053166 : mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x001443a5 : mov edx, [r14 + 0x48]; mov rdi, [r14]; add r13, rbx; sub edx, ebx; mov rsi, r13; call [r14 + 0x40]
> 0x0014414e : mov edx, [r15 + 0x48]; mov rdi, [r15]; add r13, rax; sub edx, eax; mov rsi, r13; call [r15 + 0x40]
> 0x00126696 : mov edx, [rcx + 0x18]; movdqu xmm7, xmm[rcx + 0x30]; mov [rbp - 0x80], edx; mov rdx, r12; movups xmm[rbp - 0x78], xmm7; call rax
> 0x0005363b : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0005363c : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0014e72a : mov rbp, [rdi + 0x48]; mov rax, [rbp + 0x18]; lea r13, [rbp + 0x10]; mov [rbp + 0x10], 0; mov rdi, r13; call [rax + 0x28]
> 0x0014e72b : mov ebp, [rdi + 0x48]; mov rax, [rbp + 0x18]; lea r13, [rbp + 0x10]; mov [rbp + 0x10], 0; mov rdi, r13; call [rax + 0x28]

© 2014 - 2019 - Powered by ROPEME | Contact