ropshell> use c9dba162d90f403aabdda17b56261b0c (download)
name         : 3x17 (x86_64/ELF)
base address : 0x4010d0
total gadgets: 8821
ropshell> suggest "load mem"
> 0x00413910 : movzx eax, [rdx]; ret
> 0x0048a547 : mov rax, [rsi + 0x10]; ret
> 0x00418840 : mov rax, [rdi + 0x68]; ret
> 0x0047b3f5 : mov eax, [rdx + 4]; ret
> 0x0048a548 : mov eax, [rsi + 0x10]; ret
> 0x00418841 : mov eax, [rdi + 0x68]; ret
> 0x00422eb3 : movzx eax, [rdi]; sub eax, ecx; ret
> 0x00401aa9 : mov ecx, [rbx]; jmp rax
> 0x00429583 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x004290c3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x004184cd : mov rax, [rdi]; mov [rdx], rax; ret
> 0x00432b50 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0048a3ca : mov rsi, [rbx]; call r14
> 0x0044871c : mov rdi, [rbx]; call r12
> 0x0044875f : mov rdi, [rbp]; call r12
> 0x00470cd9 : mov rdi, [r12]; call rbp
> 0x004487cb : mov rdi, [r13]; call r12
> 0x0044888b : mov rdi, [r14]; call r12
> 0x00448a05 : mov rdi, [r15]; call r12
> 0x0048a3cb : mov esi, [rbx]; call r14
> 0x00417631 : mov esi, [rbp]; add [rax - 0x77], cl; ret
> 0x0044871d : mov edi, [rbx]; call r12
> 0x0044888c : mov edi, [rsi]; call r12
> 0x00448760 : mov edi, [rbp]; call r12
> 0x00427928 : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x00414aab : movzx r8, [rax]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0046df17 : mov eax, [rcx]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0040f81a : mov rdi, [rax + 0x20]; call rdx
> 0x0040f81b : mov edi, [rax + 0x20]; call rdx
> 0x0043fa20 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x0048b71e : mov rdx, [r15]; mov rdi, rbp; call rbx
> 0x0048b71f : mov edx, [rdi]; mov rdi, rbp; call rbx
> 0x004817c8 : mov rax, [rbx + 0x18]; mov [rax], rdi; pop rbx; ret
> 0x004817a8 : mov rdx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x004817bc : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x004817c9 : mov eax, [rbx + 0x18]; mov [rax], rdi; pop rbx; ret
> 0x0045e271 : movzx eax, [r10 + rax]; jmp [rdi + rax*8]
> 0x004817a9 : mov edx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x004817bd : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0046d98c : mov edx, [rax]; add rsp, 8; mov eax, edx; pop rbx; pop rbp; ret
> 0x004835e3 : mov rax, [rbx]; add rax, [rdx + 8]; call rax
> 0x00432ae4 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x0048a39e : mov rdx, [r9]; mov [rsp + 0x10], r9; call r14
> 0x004894ad : mov rdx, [r12]; or esi, 2; mov edi, 1; call rax
> 0x00489bdb : mov rdx, [r13]; mov esi, 1; mov edi, 1; call rax
> 0x00448cda : mov rdi, [rax]; mov [rsp + 8], rax; call r12
> 0x004835e4 : mov eax, [rbx]; add rax, [rdx + 8]; call rax
> 0x0048a39f : mov edx, [rcx]; mov [rsp + 0x10], r9; call r14
> 0x00489bdc : mov edx, [rbp]; mov esi, 1; mov edi, 1; call rax
> 0x00417021 : movzx esi, [r12]; mov rdi, r14; call [rbx + 0x18]
> 0x00448cdb : mov edi, [rax]; mov [rsp + 8], rax; call r12
> 0x0043fb46 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x0043faf4 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x00422e94 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x004480f4 : mov rsi, [rax]; mov rdi, r13; mov [rbp - 0x50], r15d; call r14
> 0x004480f5 : mov esi, [rax]; mov rdi, r13; mov [rbp - 0x50], r15d; call r14
> 0x004418c4 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x004417d3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00411ed5 : mov rbp, [r13 + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00447e2b : mov rax, [rdx]; and eax, 1; or rdi, rax; mov [rdx], rdi; pop rbx; pop rbp; ret
> 0x00413ef1 : mov rax, [rbp + 0x20]; add rsp, 8; mov rdi, rbx; pop rbx; pop rbp; jmp rax
> 0x00413ef2 : mov eax, [rbp + 0x20]; add rsp, 8; mov rdi, rbx; pop rbx; pop rbp; jmp rax
> 0x004695e4 : movzx ecx, [rdx + rax]; lea rax, [rip + 0x4b9d1]; jmp [rax + rcx*8]
> 0x0045e14a : movzx edx, [r10 + rax]; lea rax, [rip + 0x5676a]; jmp [rax + rdx*8]
> 0x0040f1c5 : mov rsi, [r15]; mov rdi, [rbx]; mov rax, [rsp + 8]; call rax
> 0x00478ade : mov r14, [rbx]; mov rax, [rbx + 0x10]; add rax, [r13]; call rax
> 0x0040f1c6 : mov esi, [rdi]; mov rdi, [rbx]; mov rax, [rsp + 8]; call rax
> 0x0047f173 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00489077 : mov eax, [r15 + 8]; movsxd rax, [r13 + rax*4]; add rax, r13; jmp rax
> 0x0045b27e : mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8b0]; sub rdx, rsi; call [rbx + 0x38]
> 0x0046d611 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00411519 : mov rcx, [rbx + 8]; push rdi; mov rdi, rbp; push [rax + 0x38]; call [rbp + 0x18]
> 0x0044a4e5 : mov rdx, [rcx + rdx]; lea rcx, [rip - 0x60]; mov [rax + 0x10], rcx; mov [rax + 8], rdx; ret
> 0x00411db7 : mov rdx, [r13 + 0x40]; sub rdx, rsi; mov [rsp + 0x10], rcx; mov rdi, r13; call rax
> 0x0046667f : mov rdx, [r15 + 0x20]; mov rdi, r13; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x00470f52 : mov rdi, [r12 + 0x10]; push 1; xor edx, edx; push 1; lea r9, [rsp + 0x20]; call rbx
> 0x00412093 : mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x0046d612 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0041151a : mov ecx, [rbx + 8]; push rdi; mov rdi, rbp; push [rax + 0x38]; call [rbp + 0x18]
> 0x0044a4e6 : mov edx, [rcx + rdx]; lea rcx, [rip - 0x60]; mov [rax + 0x10], rcx; mov [rax + 8], rdx; ret
> 0x00411db8 : mov edx, [rbp + 0x40]; sub rdx, rsi; mov [rsp + 0x10], rcx; mov rdi, r13; call rax
> 0x0045de63 : movzx edi, [rdx + rax]; lea rax, [rip + 0x56952]; mov rax, [rax + rdi*8]; jmp rax
> 0x00412094 : mov edi, [rbp + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x0045de62 : movzx edi, [r10 + rax]; lea rax, [rip + 0x56952]; mov rax, [rax + rdi*8]; jmp rax
> 0x0046d64e : mov rdx, [rax + 0x10]; punpckhqdq xmm0, xmm0; mov [rax + 0x10], rcx; mov [rax + 0x40], rdx; movups [rax], xmm0; ret
> 0x00411889 : mov rsi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [rbp + 0x70]
> 0x0047f16f : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0046d64f : mov edx, [rax + 0x10]; punpckhqdq xmm0, xmm0; mov [rax + 0x10], rcx; mov [rax + 0x40], rdx; movups [rax], xmm0; ret
> 0x0041188a : mov esi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [rbp + 0x70]
> 0x0047f170 : mov esi, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0045b27a : mov rsi, [r14 + 0x18]; mov rdx, [r14 + 0x20]; mov rdi, [rbp - 0x8b0]; sub rdx, rsi; call [rbx + 0x38]
> 0x004620c1 : mov rax, [r12 + 0x38]; mov r15, r8; mov [rbp - 0xe0], r9d; mov rdx, r13; mov rsi, r15; mov rdi, [rbp - 0xc0]; call rax
> 0x0046667b : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, r13; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0041149e : mov rbp, [rdi + 0x98]; mov rax, fs:[0x28]; mov [rsp + 8], rax; xor eax, eax; mov rdi, rbp; call [rbp + 0x20]
> 0x0041149f : mov ebp, [rdi + 0x98]; mov rax, fs:[0x28]; mov [rsp + 8], rax; xor eax, eax; mov rdi, rbp; call [rbp + 0x20]
> 0x00469924 : movzx esi, [rdx + rax]; lea rax, [rip + 0x4b391]; mov [rbp - 0x4b8], rcx; mov [rbp - 0x4d0], 1; mov rax, [rax + rsi*8]; jmp rax
> 0x0041208a : mov r14, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x0041208b : mov esi, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]
> 0x00412086 : mov r8, [rax + 0x40]; mov r14, [rax + 0x50]; mov [rsp + 0x10], r8; mov r15, [r13 + 0x98]; mov [rsp + 8], r8; mov rdi, r15; call [r15 + 0x20]