ropshell> use cac294ad0dceaacfb968152e4edffc2f (download)
name         : libc (x86_64/ELF)
base address : 0x22700
total gadgets: 14959
ropshell> suggest "load mem"
> 0x0007d900 : mov eax, [rdx]; ret
> 0x000de894 : mov eax, [rdi]; ret
> 0x0008ad64 : mov rax, [rdi + 0x68]; ret
> 0x00101d81 : mov eax, [rdx + 8]; ret
> 0x0014b534 : mov eax, [rdi + 0x20]; ret
> 0x000ad5c5 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00080281 : mov edx, [rax]; mov eax, edx; ret
> 0x0008aa75 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x000b26e0 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0011863e : mov rsi, [rbx]; call r12
> 0x00118083 : mov rdi, [rbx]; call rbp
> 0x001180c3 : mov rdi, [r12]; call rbp
> 0x0011812a : mov rdi, [r13]; call rbp
> 0x000b2681 : mov edx, [rsi]; mov [rdi], dx; ret
> 0x0011863f : mov esi, [rbx]; call r12
> 0x00118084 : mov edi, [rbx]; call rbp
> 0x0011812b : mov edi, [rbp]; call rbp
> 0x00186379 : movzx ecx, [rsi + rcx]; sub eax, ecx; ret
> 0x00190aaf : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x000333e2 : mov edi, [rax + rdx]; mov eax, edi; ret
> 0x000a2e50 : mov rdi, [rbx + 0x48]; call rax
> 0x000a2e51 : mov edi, [rbx + 0x48]; call rax
> 0x0018f0ae : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000fdf1b : mov rdx, [rax]; mov [rax], rdi; mov rax, rdx; ret
> 0x00112ccf : mov rbp, [r12]; mov rax, rbp; pop rbx; pop rbp; pop r12; ret
> 0x0018f0e0 : mov eax, [rcx]; mov [rdx], eax; mov rax, rdi; ret
> 0x0008d7b2 : mov eax, [rsi]; neg eax; sbb eax, eax; and eax, 0x16; ret
> 0x0003c819 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x00124fd9 : mov edx, [r12]; pop rbx; pop rbp; pop r12; mov eax, edx; ret
> 0x0008bb10 : mov rax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x00099de2 : mov rax, [rsi + 0x18]; mov [rdi + 0x18], rax; ret
> 0x0008bb89 : mov rdx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x0008bb04 : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0008bb11 : mov eax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x00099de3 : mov eax, [rsi + 0x18]; mov [rdi + 0x18], rax; ret
> 0x000ef7e8 : mov eax, [rbp + 0x4c]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0003980f : mov ecx, [rbp + 1]; fnstcw [rsi]; jmp r9
> 0x0008bb8a : mov edx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x0008bb05 : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0016ea6c : mov rax, [rbx]; add rsp, 8; pop rbx; pop rbp; jmp rax
> 0x001186e8 : mov rsi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x0016ea6d : mov eax, [rbx]; add rsp, 8; pop rbx; pop rbp; jmp rax
> 0x00126482 : mov eax, [rbp]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00126481 : mov eax, [r13]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x001186e9 : mov esi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x0015f435 : mov rax, [r15 + 0x60]; call [rax + 8]
> 0x00084c0b : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x00098b0f : mov rdi, [rax + 8]; call [rax]
> 0x0012b9c3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00084c0c : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0012b9c4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x001429a9 : mov rax, [r12]; mov [rax + 8], 0; pop rbx; pop rbp; pop r12; ret
> 0x000b26f0 : mov rcx, [rsi]; mov [rdi + 8], dh; mov [rdi], rcx; ret
> 0x0011e673 : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x0014ca00 : mov rdx, [r15]; mov rcx, r14; mov rdi, r13; call r12
> 0x0011e674 : mov edx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x000897bc : movzx esi, [rdi]; mov rdi, r13; call [rax + 0x18]
> 0x000897bb : movzx esi, [r15]; mov rdi, r13; call [rax + 0x18]
> 0x0018f0cb : mov rax, [rcx + 8]; mov [rdx + 8], rax; mov rax, rdi; ret
> 0x00084c65 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x001110d0 : mov rax, [r13 + 0x10]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x00041d41 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0018f106 : mov eax, [rcx + 8]; mov [rdx + 8], eax; mov rax, rdi; ret
> 0x00041d42 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0003c859 : mov rax, [rsi]; and rax, [rdx]; mov [rdi], rax; xor eax, eax; ret
> 0x001630da : mov rax, [rbp + 0x18]; mov rdi, r13; call [rax + 0x20]
> 0x00156c48 : mov rax, [r12 + 8]; mov rdi, r12; call [rax + 0x20]
> 0x0015ef14 : mov rax, [r14 + 0x70]; mov rdi, r12; call [rax + 0x20]
> 0x000b2824 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x000b2733 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x0015f414 : mov esi, [rdi + 0x88]; mov rdi, rbx; call [rax + 0x28]
> 0x0015f413 : mov esi, [r15 + 0x88]; mov rdi, rbx; call [rax + 0x28]
> 0x0015bf32 : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0015bf33 : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0003fce4 : mov rdi, [r15]; mov rdx, [rsp + 8]; mov rax, [rsp]; call rax
> 0x001587ac : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x0003320c : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0016e08a : mov r8, [rbx + 0x10]; call [rax + 0x328]; mov [rbx], rax; pop rax; pop rdx; pop rbx; ret
> 0x00098b64 : mov r14, [rbx + 0x18]; mov rdi, [rbx + 8]; call [rbx]
> 0x0003baf1 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x001587ad : mov esi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00121e45 : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xd45c6], 0; ret
> 0x0015960c : mov rdi, [rbp]; add rbx, rax; sub edx, eax; mov rsi, rbx; call [rbp + 0x40]
> 0x00159259 : mov rdi, [r14]; add r13, rbx; sub edx, ebx; mov rsi, r13; call [r14 + 0x40]
> 0x00121e46 : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xd45c6], 0; ret
> 0x0015925a : mov edi, [rsi]; add r13, rbx; sub edx, ebx; mov rsi, r13; call [r14 + 0x40]
> 0x00082bab : mov rcx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x000807df : mov rcx, [rdx + 0x20]; cmp rax, rcx; cmovb rax, rcx; sub rax, [rdx + 0x10]; sar rax, 2; ret
> 0x00041d3d : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00082bac : mov ecx, [rbx + 0xf8]; sub rax, rdx; sar rax, 2; mov [rcx], rax; xor eax, eax; pop rbx; ret
> 0x0008bcc2 : mov r10, [rdx]; mov rax, [rax + 0x330]; mov rdx, [rbx + 0x20]; push r10; call rax
> 0x000813d7 : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rsp + 8], rcx; mov rdi, r15; call rax
> 0x00157156 : mov rsi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x000cf9e3 : mov ecx, [rdi + rax]; xor edx, edx; cmp ecx, [rsi + rax]; setg dl; lea eax, [rdx + rdx - 1]; ret
> 0x00157157 : mov esi, [rbp + 0x20]; mov rdi, rbx; mov r12d, eax; xor eax, eax; call [rbp + 0x28]
> 0x0003fce0 : mov rsi, [r13]; mov rdi, [r15]; mov rdx, [rsp + 8]; mov rax, [rsp]; call rax
> 0x0003fce1 : mov esi, [rbp]; mov rdi, [r15]; mov rdx, [rsp + 8]; mov rax, [rsp]; call rax
> 0x0018b774 : mov ecx, [rax + 0x60]; xor edx, edx; cmp ecx, [rsi + rax + 0x60]; setg dl; lea eax, [rdx + rdx - 1]; ret
> 0x0003baed : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00171ace : mov rax, [r15]; sub eax, [rsi]; mov ecx, [rdi + rdx - 4]; mov edi, [rsi + rdx - 4]; sub ecx, edi; or eax, ecx; ret
> 0x0015d84a : mov rsi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x0003f568 : movzx r8, [rax + r10]; mov edx, 6; mov [rip + 0x1b91a5], al; lea rax, [rip + 0x1b9199]; mov [rax + rdx], 0; ret
> 0x00159609 : mov edx, [rbp + 0x48]; mov rdi, [rbp]; add rbx, rax; sub edx, eax; mov rsi, rbx; call [rbp + 0x40]
> 0x00159255 : mov edx, [r14 + 0x48]; mov rdi, [r14]; add r13, rbx; sub edx, ebx; mov rsi, r13; call [r14 + 0x40]
> 0x00159007 : mov edx, [r15 + 0x48]; mov rdi, [r15]; add r14, rax; sub edx, eax; mov rsi, r14; call [r15 + 0x40]
> 0x0015d84b : mov esi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x0012c384 : mov edx, [rcx + 0x18]; movdqu xmm6, [rcx + 0x30]; mov [rbp - 0x80], edx; mov rdx, r14; movups [rbp - 0x78], xmm6; call rax
> 0x0012c595 : mov edx, [r12 + 0x18]; movdqu xmm6, [r12 + 0x30]; mov [rbp - 0x80], edx; mov rdx, r14; movups [rbp - 0x78], xmm6; call rax
> 0x000332d8 : mov rcx, [rax + 0xb0]; mov rdx, [rip + 0x1c2b2a]; mov [rdx], rcx; mov rdx, [rax + 0xb8]; mov rax, [rip + 0x1c2bd9]; mov [rax], rdx; ret
> 0x0004e07b : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0004e07c : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x001630aa : mov rbp, [rdi + 0x48]; mov rax, [rbp + 0x18]; lea r13, [rbp + 0x10]; mov [rbp + 0x10], 0; mov rdi, r13; call [rax + 0x28]
> 0x001630ab : mov ebp, [rdi + 0x48]; mov rax, [rbp + 0x18]; lea r13, [rbp + 0x10]; mov [rbp + 0x10], 0; mov rdi, r13; call [rax + 0x28]