ropshell> use f368514b12955a07b9e3748f75661050 (download)
name         : exploit2.bin (x86_64/ELF)
base address : 0x4011b0
total gadgets: 7260

ropshell> suggest "load mem"
> 0x00498d72 : mov eax, [rcx]; ret
> 0x00421cb4 : mov rax, [rdi + 0x68]; ret
> 0x00421cb5 : mov eax, [rdi + 0x68]; ret
> 0x0042c6c3 : movzx eax, [rdi]; sub eax, ecx; ret
> 0x00432df3 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00432934 : movzx edx, [rsi]; sub eax, edx; ret
> 0x00421935 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x0043c400 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x004af1c2 : mov rsi, [rbx]; call rax
> 0x0045250f : mov rdi, [rbp]; call rbx
> 0x00453762 : mov rdi, [r8]; call rbx
> 0x00453201 : mov rdi, [r12]; call rbx
> 0x0045326b : mov rdi, [r13]; call rbx
> 0x0045332b : mov rdi, [r14]; call rbx
> 0x0045349c : mov rdi, [r15]; call rbx
> 0x0046a701 : mov edx, [rbp]; add [rax - 0x7d], cl; ret
> 0x004af1c3 : mov esi, [rbx]; call rax
> 0x00453763 : mov edi, [rax]; call rbx
> 0x0045332c : mov edi, [rsi]; call rbx
> 0x00452510 : mov edi, [rbp]; call rbx
> 0x004af359 : mov rax, [rsi + 0x10]; add rsp, 8; ret
> 0x004af35a : mov eax, [rsi + 0x10]; add rsp, 8; ret
> 0x00431168 : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0041ff10 : movzx eax, [rdx]; add rsp, 8; pop rbx; pop rbp; ret
> 0x004496e0 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x004b0526 : mov rdx, [r12]; mov rdi, r14; call rbp
> 0x004a2e30 : mov rax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x004a2e9c : mov rdx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x004a2e24 : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x004a2e31 : mov eax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x00439cde : mov ecx, [rbp + 1]; fnstcw [rsi]; jmp r9
> 0x004a2e9d : mov edx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x004a2e25 : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0043c394 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x004ac4b8 : mov r8, [rax]; lea rax, [rax + 8]; mov [rcx], r8; ret
> 0x00449806 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x004497b4 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x0041bffe : mov eax, [rdx + 0x4c]; cmp [rdx + 0x48], eax; cmovne eax, ecx; ret
> 0x0042c6a4 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x00454ad9 : mov rax, [rbx]; mov [rip + 0x8b5ad], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x00454ada : mov eax, [rbx]; mov [rip + 0x8b5ad], rax; add rsp, 8; pop rbx; pop rbp; ret
> 0x0044b584 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x0044b493 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x004a531b : mov rax, [r12]; pop rbx; add rax, [rdx + 8]; pop rbp; pop r12; jmp rax
> 0x004525a5 : mov rsi, [r14]; mov rax, [rsp + 8]; mov rdi, r13; call rax
> 0x004033e0 : mov eax, [rbp + 8]; sub eax, [rbx + 8]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0047edf7 : movzx ecx, [rdx + rax]; lea rax, [rip + 0x5e2be]; jmp [rax + rcx*8]
> 0x00452a48 : mov rsi, [rax]; mov rdi, r14; mov rax, [rbp - 0x58]; mov r15d, r13d; call rax
> 0x00496466 : mov r14, [rbx]; mov rax, [rbx + 0x10]; add rax, [r13]; call rax
> 0x00452a49 : mov esi, [rax]; mov rdi, r14; mov rax, [rbp - 0x58]; mov r15d, r13d; call rax
> 0x00475810 : mov rdx, [r14 + 0x20]; mov rdi, r15; sub rdx, rsi; call [rbx + 0x38]
> 0x0049ce25 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x004716c9 : mov ebx, [rcx + 5]; add al, ch; pop rsi; sbb bh, cl; jmp [rsi + 0x66]
> 0x004af18f : mov rdx, [r10]; mov rax, [rsp + 8]; mov [rsp + 0x10], r10; call rax
> 0x004aea95 : mov rdx, [r14]; mov r8, r12; mov rcx, r14; mov esi, 1; mov edi, 1; call rax
> 0x0040f8f0 : mov rsi, [r13]; mov rdi, [r12]; mov rdx, r14; mov rax, [rsp]; call rax
> 0x0040f8f1 : mov esi, [rbp]; mov rdi, [r12]; mov rdx, r14; mov rax, [rsp]; call rax
> 0x004203b5 : movzx esi, [r14]; lea r15, [r14 + 1]; mov rdi, r12; call [rbx + 0x18]
> 0x0041d148 : mov rdx, [rbp + 0x40]; sub rdx, rsi; mov [rsp], rcx; mov rdi, rbp; call rax
> 0x0041d149 : mov edx, [rbp + 0x40]; sub rdx, rsi; mov [rsp], rcx; mov rdi, rbp; call rax
> 0x00482ee5 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00454d09 : mov rdx, [rcx + rdx]; lea rcx, [rip - 0x64]; mov [rax + 0x10], rcx; mov [rax + 8], rdx; ret
> 0x0041ab67 : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rsp + 8], rcx; mov rdi, r15; call rax
> 0x004500f6 : mov rdi, [r12 + 0x10]; push 1; xor edx, edx; push 1; lea r9, [rsp + 0x20]; call rbx
> 0x00482ee6 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x004789ba : movzx ecx, [rbx + rax]; lea rax, [rip + 0x63bfb]; mov rax, [rax + rcx*8]; jmp rax
> 0x00454d0a : mov edx, [rcx + rdx]; lea rcx, [rip - 0x64]; mov [rax + 0x10], rcx; mov [rax + 8], rdx; ret
> 0x0041b232 : mov rax, [rbp + 0xa0]; mov rdi, rbp; pop rbp; mov rax, [rax + 0xe0]; mov rax, [rax + 0x20]; jmp rax
> 0x00482f22 : mov rdx, [rax + 0x10]; punpckhqdq xmm0, xmm0; mov [rax + 0x10], rcx; mov [rax + 0x40], rdx; movups xmm[rax], xmm0; ret
> 0x0041a468 : mov rsi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [rax + 0x70]
> 0x0047580c : mov rsi, [r14 + 0x18]; mov rdx, [r14 + 0x20]; mov rdi, r15; sub rdx, rsi; call [rbx + 0x38]
> 0x0049ce21 : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00482f23 : mov edx, [rax + 0x10]; punpckhqdq xmm0, xmm0; mov [rax + 0x10], rcx; mov [rax + 0x40], rdx; movups xmm[rax], xmm0; ret
> 0x0041a469 : mov esi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [rax + 0x70]
> 0x0049ce22 : mov esi, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0047ee20 : movzx esi, [rdx + rax]; lea rax, [rip + 0x5de95]; mov r11, rcx; mov [rbp - 0x4d0], 1; mov rax, [rax + rsi*8]; jmp rax
> 0x00495aa5 : mov edx, [rax]; add rax, 8; mov [rdi + 0x310], rax; lea rax, [rax + rdx*4]; mov [rdi + 0x2f4], edx; mov [rdi + 0x308], rax; ret
> 0x00466171 : movzx edi, [rax + 0xe]; mov [rdx + 0xe], dil; mov [rax + 0xe], sil; mov rsi, [rsp + 0x10]; mov rdx, rbp; mov rdi, r12; call rbx