ropshell> use f503e4ae1d2faf5a499a8119610ab505
name         : BNUpdate.exe (i386/PE)
base address : 0x401000
total gadgets: 4767
ropshell> suggest "load mem"
> 0x004155d0 : mov eax, [ecx + 0xc]; ret
> 0x00404b48 : mov eax, [ecx]; add eax, edx; ret 4
> 0x0040d4d3 : mov eax, [edx + 0x12c]; pop edi; pop esi; ret
> 0x0040d46a : mov eax, [edi + 0x12c]; pop edi; pop esi; ret
> 0x004199e9 : mov ecx, [esi + 0x28]; call eax
> 0x00424fc8 : mov ecx, [eax]; mov eax, [eax + 4]; push eax; ret
> 0x0040f64b : mov edx, [ecx]; xor eax, eax; test edx, edx; setne al; ret 0x20
> 0x0041fde4 : mov ecx, [eax + 0x28]; jmp [eax + 0x24]
> 0x0040c78c : mov edx, [eax]; push eax; call [edx + 0x48]
> 0x0040bd9c : mov edx, [esi]; pop edi; mov [edx + 8], 0; pop esi; ret
> 0x0040e5df : mov eax, [ebp + 0x10c]; push 0; push eax; call edi
> 0x004183fc : mov ecx, [edi + 0x28]; call [edi + 0x20]
> 0x0040b004 : mov esi, [eax + 8]; push eax; push 0; call ebx
> 0x00421065 : mov eax, [ebx]; push 0; push 0; push eax; push ebp; call edi
> 0x0040dba5 : mov ecx, [ebx]; push ecx; push eax; call [edx + 0x4c]
> 0x004205cc : mov ecx, [ebx + 0x3c]; push edi; mov edx, esi; call eax
> 0x0040d4cd : mov edx, [esi + 0x114]; mov eax, [edx + 0x12c]; pop edi; pop esi; ret
> 0x004044c2 : mov eax, [edi]; push 1; mov ecx, edi; call [eax + 8]
> 0x004044ae : mov edx, [edi]; push eax; mov ecx, edi; call [edx]
> 0x00420418 : mov ecx, [ebp + 0x28]; mov edx, edi; call [ebp + 0x24]
> 0x0040e5ff : mov edx, [ebp + 0x10c]; push 0; push 0; push ecx; push edx; call edi
> 0x004069e8 : mov ecx, [esi]; mov [edi], ecx; inc eax; pop edi; mov [esi], eax; pop esi; ret
> 0x0041562d : mov eax, [ebx + 0xc]; pop edi; pop esi; pop ebp; mov [ebx + 8], eax; pop ebx; ret 4
> 0x0041b2b9 : mov eax, [esi + 0x140]; dec eax; pop edi; mov [esi + 0x140], eax; pop esi; pop ebx; ret 0xc
> 0x00413e34 : mov ecx, [edx + 0x10]; pop edi; add ecx, eax; pop esi; mov [edx + 0x10], ecx; pop ebx; ret
> 0x0040d3d9 : mov edx, [eax + 0xc]; pop edi; add edx, ecx; pop esi; mov [eax + 0xc], edx; pop ebx; ret
> 0x0041f3c1 : mov edx, [ebx + 0xc]; mov ecx, [esi + 0x28]; call [esi + 0x24]
> 0x00417061 : mov edx, [ecx + 4]; mov [eax + 4], edx; mov [ecx], 0; mov [ecx + 4], 0; pop esi; ret
> 0x004082c4 : mov eax, [esi]; mov ecx, [esi + 4]; mov [eax + 4], ecx; mov [esi], 0; mov [esi + 4], 0; pop esi; ret