ropshell> use ee570d67dee756672c70a13e2e2099dd
name         : poc-64 (x86_64/ELF)
base address : 0x4003b0
total gadgets: 7845
ropshell> suggest "load mem"
> 0x0040a4b0 : movzx eax, [rdx]; ret
> 0x00461caa : mov eax, [rsi]; ret
> 0x004876c7 : mov rax, [rsi + 0x10]; ret
> 0x0040e850 : mov rax, [rdi + 0x68]; ret
> 0x004876c8 : mov eax, [rsi + 0x10]; ret
> 0x0040e851 : mov eax, [rdi + 0x68]; ret
> 0x00416a63 : movzx eax, [rdi]; sub eax, ecx; ret
> 0x00421a93 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x0041a1f3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x0040e54e : mov rax, [rdi]; mov [rdx], rax; ret
> 0x00428420 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x00487508 : mov rsi, [rbx]; call r14
> 0x00487557 : mov rsi, [r15]; call r14
> 0x00433d0c : mov rdi, [rbx]; call rbp
> 0x00406873 : mov rdi, [r12]; call r13
> 0x00487509 : mov esi, [rbx]; call r14
> 0x00487558 : mov esi, [rdi]; call r14
> 0x00433d0d : mov edi, [rbx]; call rbp
> 0x00416b8f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0042c600 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x00486a78 : mov rdx, [r12]; mov edi, 1; call rax
> 0x004887e8 : mov rdx, [r15]; mov rdi, rbp; call rbx
> 0x0042c681 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x004887e9 : mov edx, [rdi]; mov rdi, rbp; call rbx
> 0x004689a0 : mov rax, [rbx + 0x18]; mov [rax], rdi; pop rbx; ret
> 0x0046232a : mov rax, [rcx + rax]; cmp rax, -1; cmove rax, rdx; ret
> 0x00468980 : mov rdx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x00468994 : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x00468962 : mov eax, [rbx + 0x10]; jmp [0]
> 0x0046232b : mov eax, [rcx + rax]; cmp rax, -1; cmove rax, rdx; ret
> 0x00468981 : mov edx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x00468995 : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x00406870 : mov rsi, [r14]; mov rdi, [r12]; call r13
> 0x00453cca : mov edx, [rax]; add rsp, 8; mov eax, edx; pop rbx; pop rbp; ret
> 0x00463aff : mov rax, [r13]; add rax, [rdx + 8]; call rax
> 0x004283b4 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x00487073 : mov rdx, [r13]; mov esi, 1; mov edi, 1; call rax
> 0x00484c10 : mov r8, [rax]; lea rax, [rax + 8]; mov [r10], r8; ret
> 0x00463b00 : mov eax, [rbp]; add rax, [rdx + 8]; call rax
> 0x00487074 : mov edx, [rbp]; mov esi, 1; mov edi, 1; call rax
> 0x0045fa90 : mov rax, [r15 + 0x10]; add rax, [r14]; call rax
> 0x00431dfc : mov eax, [r8 + 4]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x004546ab : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x00416a44 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x004869f7 : mov rax, [rdx]; mov [rbx + 0x98], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x0042e4a4 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x0042e3b3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x0040b6a8 : mov rbp, [rdi + 0x90]; pop rbx; sub rbp, rax; mov rax, rbp; pop rbp; pop r12; ret
> 0x00408bf8 : mov r13, [r15 + 0x98]; mov rdi, r13; call [r13 + 0x20]
> 0x00408cf6 : mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x00408cf7 : mov esi, [rdi + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0040b6a9 : mov ebp, [rdi + 0x90]; pop rbx; sub rbp, rax; mov rax, rbp; pop rbp; pop r12; ret
> 0x00434d35 : mov rax, [rbx]; mov [rip + 0x27e3a9], rax; add rsp, 8; pop rbx; pop rbp; rep ; ret
> 0x00434d36 : mov eax, [rbx]; mov [rip + 0x27e3a9], rax; add rsp, 8; pop rbx; pop rbp; rep ; ret
> 0x0040b13f : mov rax, [rbp + 0x20]; add rsp, 8; mov rdi, rbx; pop rbx; pop rbp; jmp rax
> 0x00464a93 : mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; repne ; call r11
> 0x004887e4 : mov rsi, [r14 + 8]; mov rdx, [r15]; mov rdi, rbp; call rbx
> 0x00466742 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0040b140 : mov eax, [rbp + 0x20]; add rsp, 8; mov rdi, rbx; pop rbx; pop rbp; jmp rax
> 0x0040921b : mov rcx, [rbx + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x0040822a : mov r9, [rax + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x0040822b : mov ecx, [rax + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x0040921c : mov ecx, [rbx + 0x10]; lea r8, [rsp + 0x10]; call [rbp + 0x18]
> 0x004340b9 : mov rsi, [rax]; mov rdi, [rbp - 0x50]; mov r14d, r15d; mov rax, [rbp - 0x58]; call rax
> 0x004340ba : mov esi, [rax]; mov rdi, [rbp - 0x50]; mov r14d, r15d; mov rax, [rbp - 0x58]; call rax
> 0x0040d474 : movzx esi, [rbp]; mov rdi, r15; lea rbx, [r13 + 1]; call [rax + 0x18]
> 0x0040d473 : movzx esi, [r13]; mov rdi, r15; lea rbx, [r13 + 1]; call [rax + 0x18]
> 0x004874a8 : mov rcx, [rdx + 8]; mov edx, 1; sbb eax, eax; cmp [rsi + 8], rcx; cmova eax, edx; ret
> 0x00408b9e : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rsp], rcx; mov rdi, r15; call rax
> 0x00453971 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00408605 : mov r9, [rdx + 8]; mov rdx, r12; lea r8, [rsp + 0x28]; call [rbp + 0x18]
> 0x00464a8f : mov rcx, [rdi + 0x18]; mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; repne ; call r11
> 0x0044cec3 : mov rdx, [r13 + 0x20]; mov rdi, [rbp - 0x4b0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0046673e : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00464a90 : mov ecx, [rdi + 0x18]; mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; repne ; call r11
> 0x0044cec4 : mov edx, [rbp + 0x20]; mov rdi, [rbp - 0x4b0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0040840a : mov rsi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r15 + 0x70]
> 0x00408477 : mov r9, [rdi + 8]; mov rsi, rax; mov rdi, rbp; lea r8, [rsp + 0x28]; call [rbp + 0x18]
> 0x0040840b : mov esi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [r15 + 0x70]
> 0x00474454 : mov rdi, [r14]; lea r9, [rsp + 0x20]; lea rdx, [rsp + 0x28]; lea rsi, [rsp + 0x40]; call r13
> 0x00474455 : mov edi, [rsi]; lea r9, [rsp + 0x20]; lea rdx, [rsp + 0x28]; lea rsi, [rsp + 0x40]; call r13
> 0x00408cee : mov rbx, [rax + 0x50]; mov [rsp], rdi; mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x00408cef : mov ebx, [rax + 0x50]; mov [rsp], rdi; mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0040912c : mov rcx, [r15 + 0x10]; mov rax, [rax + 0x60]; sar r8, 2; mov [rsp + 0x20], rax; call [r14 + 0x30]
> 0x0044cebf : mov rsi, [r13 + 0x18]; mov rdx, [r13 + 0x20]; mov rdi, [rbp - 0x4b0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0046673a : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0044cec0 : mov esi, [rbp + 0x18]; mov rdx, [r13 + 0x20]; mov rdi, [rbp - 0x4b0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x00453969 : mov rdx, [rax + 0x40]; mov [rax + 8], rcx; mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0045396a : mov edx, [rax + 0x40]; mov [rax + 8], rcx; mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret