ropshell> use cac294ad0dceaacfb968152e4edffc2f
name         : libc (x86_64/ELF)
base address : 0x22700
total gadgets: 14959
ropshell> suggest "stack pivoting"
> 0x00054990 : mov rsp, rdx; ret
> 0x0003e72e : xchg eax, esp; ret
> 0x00054991 : mov esp, edx; ret
> 0x00070490 : mov esp, ecx; jmp rdx
> 0x00070409 : mov esp, esi; jmp rdx
> 0x000e13c2 : lea rsp, [rbp - 0x10]; pop rbx; pop r12; pop rbp; ret
> 0x000e13c3 : lea esp, [rbp - 0x10]; pop rbx; pop r12; pop rbp; ret
> 0x0003baf7 : mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0003baf8 : mov esp, eax; mov rbp, r9; nop ; jmp rdx
> 0x0005d270 : movsxd rsp, esp; mov rdx, r12; call [r13 + 0x38]
> 0x00158c25 : mov esp, esp; lea rsi, [rsp + 8]; call [rax]
> 0x00040752 : lea esp, [rcx + rsi]; mov r14, rsi; mov rsi, rcx; mov rdi, r12; call rbx
> 0x00156160 : push rax; pop rsp; lea rsi, [rax + 0x48]; mov rax, [rdi + 8]; jmp [rax + 0x18]
> 0x00033737 : lea esp, [rsi]; sbb al, 0; movsxd rdi, edi; mov rax, fs:[rax]; movzx eax, [rax + rdi*2]; and eax, 0x2000; ret
> 0x00033637 : lea esp, [rdi]; sbb al, 0; movsxd rdi, edi; mov rax, fs:[rax]; movzx eax, [rax + rdi*2]; and eax, 8; ret
> 0x00050877 : leave ; ret