ropshell> use ed6014c1ccd07eb2ef94913332b01b25 (download)
name         : nginx (x86_64/ELF)
base address : 0x4037c0
total gadgets: 1991
ropshell> suggest "load mem"
> 0x00414b10 : mov rsi, [r13 + 0x10]; call rax
> 0x0041b8c2 : mov rdi, [rbx + 0x10]; call rdx
> 0x00422cd3 : mov rdi, [rdx + 0x40]; call rax
> 0x00442c2c : mov rdi, [rbp + 0x48]; call rax
> 0x00414b11 : mov esi, [rbp + 0x10]; call rax
> 0x0041b8c3 : mov edi, [rbx + 0x10]; call rdx
> 0x00422cd4 : mov edi, [rdx + 0x40]; call rax
> 0x00442c2d : mov edi, [rbp + 0x48]; call rax
> 0x0041cde7 : mov rax, [rdi]; call [rax + 8]
> 0x0042656e : mov rsi, [rcx]; mov rdi, r14; call rax
> 0x0041cde8 : mov eax, [rdi]; call [rax + 8]
> 0x0042656f : mov esi, [rcx]; mov rdi, r14; call rax
> 0x0041dc7f : mov rsi, [rdi + 0x38]; call [rdi + 0x28]
> 0x00414668 : mov rsi, [r14 + 0x10]; mov rdi, rbp; call rax
> 0x0041dc80 : mov esi, [rdi + 0x38]; call [rdi + 0x28]
> 0x004190e2 : mov rbx, [rax]; mov rdi, rax; call [rax + 0x58]
> 0x00425961 : mov rsi, [rax]; mov rdi, r12; call [r13 + 0x38]
> 0x00408cf8 : mov rsi, [rbp]; mov rdi, r13; call [r13 + 0x38]
> 0x00418b23 : mov r13, [rax]; mov rdi, rax; call [rax + 0x58]
> 0x00417e96 : mov r15, [rbx]; mov rdi, rbx; call [rbx + 0x58]
> 0x004190e3 : mov ebx, [rax]; mov rdi, rax; call [rax + 0x58]
> 0x00425962 : mov esi, [rax]; mov rdi, r12; call [r13 + 0x38]
> 0x00408cf9 : mov esi, [rbp]; mov rdi, r13; call [r13 + 0x38]
> 0x00417e97 : mov edi, [rbx]; mov rdi, rbx; call [rbx + 0x58]
> 0x00418b24 : mov ebp, [rax]; mov rdi, rax; call [rax + 0x58]
> 0x00423679 : mov rax, [rbx + 8]; mov rdi, rax; call [rax + 0x10]
> 0x00415553 : mov rdx, [r14 + 0x58]; mov esi, 0; mov rdi, r14; call rax
> 0x00438413 : mov rsi, [rbx + 0x18]; mov rdi, r14; call [rbx + 8]
> 0x0042367a : mov eax, [rbx + 8]; mov rdi, rax; call [rax + 0x10]
> 0x00415554 : mov edx, [rsi + 0x58]; mov esi, 0; mov rdi, r14; call rax
> 0x00438414 : mov esi, [rbx + 0x18]; mov rdi, r14; call [rbx + 8]
> 0x0041ebcc : mov rax, [rbx]; mov rsi, rbp; mov rdi, rax; call [rax + 0x30]
> 0x0041ebcd : mov eax, [rbx]; mov rsi, rbp; mov rdi, rax; call [rax + 0x30]
> 0x0042666a : mov rdx, [rsi]; mov rsi, [rdx + rcx*8]; mov rdi, r14; call rax
> 0x004262fd : mov rdx, [r15]; lea r13, [rdx + rbp*8]; mov rdi, r14; call rax
> 0x0042666b : mov edx, [rsi]; mov rsi, [rdx + rcx*8]; mov rdi, r14; call rax
> 0x004262fe : mov edx, [rdi]; lea r13, [rdx + rbp*8]; mov rdi, r14; call rax
> 0x0043e2cc : mov rax, [r14 + 8]; movsxd rax, [rdx + rax*4]; add rax, rdx; jmp rax
> 0x0043e5a8 : mov rdx, [rax + 0x10]; mov rdi, [rdi + 0x50]; call [rax + 8]
> 0x00441f7a : mov rdx, [rbx + 0x2a0]; sub rdx, rsi; mov rdi, rbp; call [rbp + 0x20]
> 0x0043c3d8 : mov rdx, [rbp + 0x20]; mov rsi, rax; mov rdi, r12; call [rbp + 0x18]
> 0x00431320 : mov rsi, [rax + 8]; mov rdx, rbx; mov rdi, r12; call [rax]
> 0x00432a47 : mov rsi, [r12 + 8]; mov rdx, r13; mov rdi, rbx; call [rbx + 0x20]
> 0x004361f3 : mov rsi, [r15 + 0x390]; mov rdx, r12; mov rdi, rax; call [rax + 0x38]
> 0x0043e2cd : mov eax, [rsi + 8]; movsxd rax, [rdx + rax*4]; add rax, rdx; jmp rax
> 0x0043e5a9 : mov edx, [rax + 0x10]; mov rdi, [rdi + 0x50]; call [rax + 8]
> 0x00441f7b : mov edx, [rbx + 0x2a0]; sub rdx, rsi; mov rdi, rbp; call [rbp + 0x20]
> 0x0043c3d9 : mov edx, [rbp + 0x20]; mov rsi, rax; mov rdi, r12; call [rbp + 0x18]
> 0x00431321 : mov esi, [rax + 8]; mov rdx, rbx; mov rdi, r12; call [rax]
> 0x0046a4aa : mov rax, [rsi + 0x20]; sub [rax + rcx*8], 1; call [rsi + 0x30]
> 0x0042634f : mov rdx, [r15 + 0x10]; lea r12, [rdx + rbp*8]; mov rdi, r14; call rax
> 0x00426350 : mov edx, [rdi + 0x10]; lea r12, [rdx + rbp*8]; mov rdi, r14; call rax
> 0x0041b8ba : mov rax, [rbp]; lea r13, [rax + rcx*8]; mov rdi, [rbx + 0x10]; call rdx
> 0x0041b8bb : mov eax, [rbp]; lea r13, [rax + rcx*8]; mov rdi, [rbx + 0x10]; call rdx
> 0x00408399 : mov rax, [rbp + 8]; mov [rbx + 8], rax; mov rsi, rbp; mov rdi, rbx; call r13
> 0x0044a0af : mov rax, [r13 + 8]; mov rax, [rax + 0x10]; mov rdi, rax; call [rax + 0x10]
> 0x0040839a : mov eax, [rbp + 8]; mov [rbx + 8], rax; mov rsi, rbp; mov rdi, rbx; call r13
> 0x00423673 : mov esi, [rdx + 0x2000000]; mov rax, [rbx + 8]; mov rdi, rax; call [rax + 0x10]
> 0x0042bcad : mov rcx, [rax]; mov rax, [rbx + 0x10]; lea r14, [rax + rcx*8]; mov rdi, rbp; call rdx
> 0x0041ec4e : mov rdx, [rbp]; mov [rdx + 0x4c], eax; mov rsi, [rbp]; mov rdi, rbx; call [rbx + 0x40]
> 0x0042bcae : mov ecx, [rax]; mov rax, [rbx + 0x10]; lea r14, [rax + rcx*8]; mov rdi, rbp; call rdx
> 0x0041ec4f : mov edx, [rbp]; mov [rdx + 0x4c], eax; mov rsi, [rbp]; mov rdi, rbx; call [rbx + 0x40]
> 0x0041344b : mov rcx, [rax + 8]; mov rax, [rbx]; mov rsi, [rax + rcx*8]; mov rdi, rbx; call rdx
> 0x004361ef : mov r13, [rax + 0x48]; mov rsi, [r15 + 0x390]; mov rdx, r12; mov rdi, rax; call [rax + 0x38]
> 0x0041344c : mov ecx, [rax + 8]; mov rax, [rbx]; mov rsi, [rax + rcx*8]; mov rdi, rbx; call rdx
> 0x004361f0 : mov ebp, [rax + 0x48]; mov rsi, [r15 + 0x390]; mov rdx, r12; mov rdi, rax; call [rax + 0x38]
> 0x0046a4a6 : mov rcx, [rsi + 8]; mov rax, [rsi + 0x20]; sub [rax + rcx*8], 1; call [rsi + 0x30]
> 0x0046a4a7 : mov ecx, [rsi + 8]; mov rax, [rsi + 0x20]; sub [rax + rcx*8], 1; call [rsi + 0x30]
> 0x004072ae : mov rdi, [r15 + 8]; mov [rax + 8], rdi; mov rsi, r12; mov rax, [rsp + 0x30]; call [rax + 8]
> 0x0043e59c : mov rcx, [rdi + 0x10]; lea rsi, [rcx - 0x10]; mov [rdi + 0x10], rsi; mov rdx, [rax + 0x10]; mov rdi, [rdi + 0x50]; call [rax + 8]
> 0x004361e4 : mov r12, [rbx + 0xe0]; mov rax, [rsp]; mov r13, [rax + 0x48]; mov rsi, [r15 + 0x390]; mov rdx, r12; mov rdi, rax; call [rax + 0x38]
> 0x0043e59d : mov ecx, [rdi + 0x10]; lea rsi, [rcx - 0x10]; mov [rdi + 0x10], rsi; mov rdx, [rax + 0x10]; mov rdi, [rdi + 0x50]; call [rax + 8]