ropshell> use d3324ae0d485f347b2803f685f3a8ac8 (download)
name         : libc.so.6 (x86_64/ELF)
base address : 0x243c0
total gadgets: 17042
ropshell> suggest "load mem"
> 0x00083000 : mov eax, [rdx]; ret
> 0x000e3394 : mov eax, [rdi]; ret
> 0x00090964 : mov rax, [rdi + 0x68]; ret
> 0x0009e358 : mov eax, [rdx + 0x630]; ret
> 0x0013a844 : mov eax, [rdi + 0x20]; ret
> 0x000b19a5 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00085f9d : mov edx, [rax]; mov eax, edx; ret
> 0x000b6b10 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0011809e : mov rsi, [rbx]; call r13
> 0x00117d09 : mov rdi, [rbx]; call r12
> 0x000b6ab1 : mov edx, [rsi]; mov [rdi], dx; ret
> 0x0011809f : mov esi, [rbx]; call r13
> 0x00117d0a : mov edi, [rbx]; call r12
> 0x0017e7b7 : movzx ecx, [rsi + rcx]; sub eax, ecx; ret
> 0x0018aaef : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x000982d4 : mov rax, [rdi]; mov [rip + 0x14ddea], rax; ret
> 0x000d5740 : movsxd rdx, [rbp + 0x28]; pop rbp; sub rax, rdx; ret
> 0x00040219 : mov rdi, [rbx + 8]; call rax
> 0x00168fba : mov rdi, [rbp + 8]; pop rbp; jmp rax
> 0x0004021a : mov edi, [rbx + 8]; call rax
> 0x00168fbb : mov edi, [rbp + 8]; pop rbp; jmp rax
> 0x0016928f : mov rax, [rbx]; pop rbx; pop r12; pop rbp; jmp rax
> 0x001890ee : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000276af : mov rdx, [rax]; call [rbp - 0x78]
> 0x00169290 : mov eax, [rbx]; pop rbx; pop r12; pop rbp; jmp rax
> 0x00189120 : mov eax, [rcx]; mov [rdx], eax; mov rax, rdi; ret
> 0x00093442 : mov eax, [rsi]; neg eax; sbb eax, eax; and eax, 0x16; ret
> 0x000c10ae : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x0013cd3b : mov edi, [rsi]; call [rbp - 0x40]
> 0x0013c8f5 : mov edi, [r12]; call [rbp - 0x40]
> 0x0013cd3a : mov edi, [r14]; call [rbp - 0x40]
> 0x0005985e : mov rax, [rdx + 0x88]; mov [rax + 8], rcx; ret
> 0x0009f162 : mov rax, [rsi + 0x18]; mov [rdi + 0x18], rax; ret
> 0x00109f91 : mov rax, [r12 + 0x10]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x0007fc7d : mov rcx, [rax + 0xa0]; mov [rcx + 0xe0], rdx; ret
> 0x0009f163 : mov eax, [rsi + 0x18]; mov [rdi + 0x18], rax; ret
> 0x0007fc7e : mov ecx, [rax + 0xa0]; mov [rcx + 0xe0], rdx; ret
> 0x00118169 : mov rsi, [rax]; mov rdi, [rbp - 0x50]; call r14
> 0x0011816a : mov esi, [rax]; mov rdi, [rbp - 0x50]; call r14
> 0x0015e80e : mov rax, [r13 + 0x60]; call [rax + 8]
> 0x00161070 : mov rax, [r14 + 8]; call [rax + 0x18]
> 0x000a26d1 : mov rdx, [rdi + 0x28]; mov [rdx + 0x20], rax; pop rbp; ret
> 0x0009e4e7 : mov rdi, [rax + 8]; call [rax]
> 0x001226cb : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x000283b3 : mov rdi, [r14 + 0x10]; add rdi, r13; call r12
> 0x0015e80f : mov eax, [rbp + 0x60]; call [rax + 8]
> 0x0010a0af : mov edx, [rax + rdx]; call [rbx + 0x40]
> 0x000a26d2 : mov edx, [rdi + 0x28]; mov [rdx + 0x20], rax; pop rbp; ret
> 0x000adfc2 : mov edx, [rbp + 0x13]; mov [rdi + 3], edx; pop rbp; ret
> 0x0009e4e8 : mov edi, [rax + 8]; call [rax]
> 0x001226cc : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x000283b4 : mov edi, [rsi + 0x10]; add rdi, r13; call r12
> 0x000b6b20 : mov rcx, [rsi]; mov [rdi + 8], dh; mov [rdi], rcx; ret
> 0x000982e4 : mov rdx, [rdi]; lea rax, [rip + 0x14ddd2]; mov [rax], edx; ret
> 0x0008f287 : movzx esi, [rdi]; mov rdi, r13; call [rbx + 0x18]
> 0x0008f286 : movzx esi, [r15]; mov rdi, r13; call [rbx + 0x18]
> 0x00156487 : mov rax, [rbx + 8]; pop rdx; call [rax + 0x20]
> 0x0018910b : mov rax, [rcx + 8]; mov [rdx + 8], rax; mov rax, rdi; ret
> 0x000ade70 : mov rax, [rbp + 0x18]; mov [rdi], rax; mov rax, rdi; pop rbp; ret
> 0x00043d71 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00156488 : mov eax, [rbx + 8]; pop rdx; call [rax + 0x20]
> 0x00189146 : mov eax, [rcx + 8]; mov [rdx + 8], eax; mov rax, rdi; ret
> 0x00043d72 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0003e9b9 : mov rax, [rsi]; and rax, [rdx]; mov [rdi], rax; xor eax, eax; ret
> 0x00042ba4 : mov rdi, [r12]; mov rdx, [rbp - 0x40]; call [rbp - 0x38]
> 0x0009fd32 : mov r12, [rbx]; call [rip + 0x145fed]; mov rdi, r13; call r12
> 0x001601f8 : mov rax, [r15 + 8]; mov rdi, r15; call [rax + 0x20]
> 0x000b6c54 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x0015fbee : mov rdx, [rax + 0x38]; mov rdi, rax; call [rdx + 0x20]
> 0x0015e513 : mov rdx, [rcx + 0x90]; bswap eax; mov [rdx + 0xc], eax; mov eax, 1; ret
> 0x000b6b63 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00036b54 : mov eax, [r12 + 8]; sub eax, [rbx + 8]; pop rbx; pop r12; pop rbp; ret
> 0x0015e514 : mov edx, [rcx + 0x90]; bswap eax; mov [rdx + 0xc], eax; mov eax, 1; ret
> 0x0015ee3f : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0015ee40 : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x000919c9 : mov rdx, [rbx + 0x20]; cmove rdi, r11; sub rsp, 8; push r10; call rax
> 0x000919ca : mov edx, [rbx + 0x20]; cmove rdi, r11; sub rsp, 8; push r10; call rax
> 0x000a183d : mov rbx, [r8]; mov rdi, r8; call [rip + 0x1444df]; mov rdi, r12; call rbx
> 0x0013c7d2 : mov rdx, [r15]; mov rcx, [rbp - 0x48]; mov r8, rbx; mov rdi, r14; call r13
> 0x000a183e : mov ebx, [rax]; mov rdi, r8; call [rip + 0x1444df]; mov rdi, r12; call rbx
> 0x0003588c : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x00143b3c : mov r8, [r13 + 8]; mov rdi, [rbp - 0x90]; add rax, rbx; push rax; call r14
> 0x0003dc53 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0003588d : mov esi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0015e510 : mov rax, [r8]; mov rdx, [rcx + 0x90]; bswap eax; mov [rdx + 0xc], eax; mov eax, 1; ret
> 0x0011be1d : mov rcx, [rdi]; mov [rdx + 0x10], rcx; mov [rdi], rax; mov [rip + 0xca44e], 0; ret
> 0x000bfe44 : mov rdi, [rcx]; push 1; lea rcx, [rax + 1]; push 0; call [rbp - 0x78]
> 0x0015e81d : mov rdi, [r14]; mov rsi, r15; mov rax, [rdi + 0x38]; call [rax + 8]
> 0x0011be1e : mov ecx, [rdi]; mov [rdx + 0x10], rcx; mov [rdi], rax; mov [rip + 0xca44e], 0; ret
> 0x000bfe45 : mov edi, [rcx]; push 1; lea rcx, [rax + 1]; push 0; call [rbp - 0x78]
> 0x00085974 : mov rcx, [rdx + 0x10]; lea rax, [rcx + rax*4]; mov [rdx], rax; xor eax, eax; ret
> 0x00087508 : mov rdx, [r14 + 0x40]; sub rdx, rsi; mov [rbp - 0xe8], rcx; mov rdi, r14; call rax
> 0x00157dc7 : mov rsi, [rbx + 0x10]; lea rdx, [rbp - 0x2290]; mov rdi, r14; call [rax + 0x20]
> 0x00043d6d : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00157dc8 : mov esi, [rbx + 0x10]; lea rdx, [rbp - 0x2290]; mov rdi, r14; call [rax + 0x20]
> 0x00155c9e : mov rdi, [r13]; lea rsi, [rbp - 0x88]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x00155c9f : mov edi, [rbp]; lea rsi, [rbp - 0x88]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x000d4b83 : mov ecx, [rdi + rax]; xor edx, edx; cmp ecx, [rsi + rax]; setg dl; lea eax, [rdx + rdx - 1]; ret
> 0x0015e7e6 : mov esi, [rbp + 0x88]; mov rdi, r15; mov [r13 + 0x58], 0; call [rax + 0x28]
> 0x0015e7e5 : mov esi, [r13 + 0x88]; mov rdi, r15; mov [r13 + 0x58], 0; call [rax + 0x28]
> 0x000a1839 : mov r12, [r8 + 8]; mov rbx, [r8]; mov rdi, r8; call [rip + 0x1444df]; mov rdi, r12; call rbx
> 0x0009fd2b : mov r13, [rbx + 8]; mov rdi, rbx; mov r12, [rbx]; call [rip + 0x145fed]; mov rdi, r13; call r12
> 0x0003dc4f : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0009fd2c : mov ebp, [rbx + 8]; mov rdi, rbx; mov r12, [rbx]; call [rip + 0x145fed]; mov rdi, r13; call r12
> 0x0016be4e : mov rax, [r15]; sub eax, [rsi]; mov ecx, [rdi + rdx - 4]; mov edi, [rsi + rdx - 4]; sub ecx, edi; or eax, ecx; ret
> 0x00162b98 : mov r8, [r14]; lea rsi, [rbp - 0x10]; mov [rbp - 0x10], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x0012333b : mov edx, [r15 + 0x18]; movdqu xmm0, xmm[r15 + 0x30]; mov [rbp - 0x110], edx; mov rdx, r12; movups xmm[rbp - 0x108], xmm0; call rax
> 0x00122e13 : mov edx, [r12 + 0x60]; movdqu xmm0, xmm[r12 + 0x78]; mov [rbp - 0x110], edx; lea rdx, [rbp - 0x130]; movups xmm[rbp - 0x108], xmm0; call rax
> 0x00122dab : mov edx, [r13 + 0x18]; movdqu xmm0, xmm[r13 + 0x30]; mov [rbp - 0x110], edx; lea rdx, [rbp - 0x130]; movups xmm[rbp - 0x108], xmm0; call rax
> 0x000726f0 : movzx esi, [rcx + rsi]; lea rcx, [rip + 0x135f85]; movsxd rcx, [rcx + rsi*4]; lea rsi, [rip - 0xa45]; add rcx, rsi; jmp rcx
> 0x00161b4b : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea rdi, [rbx + 0x10]; mov [rbx + 0x10], 0; call [rax + 0x28]
> 0x00161b4c : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea rdi, [rbx + 0x10]; mov [rbx + 0x10], 0; call [rax + 0x28]
> 0x00052f1e : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00052f1f : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret