ROPSHELL 
ropshell> use f5649a8f4b0e911d10fe25d75a5ed54a (download)
name         : calicovision (x86_64/ELF)
base address : 0x401120
total gadgets: 19121

ropshell> suggest "load mem"
> 0x0042df70 : mov rax, [rsi]; ret
> 0x00407700 : mov rax, [rdi]; ret
> 0x0053c01a : mov eax, [rcx]; ret
> 0x0042df71 : mov eax, [rsi]; ret
> 0x00407701 : mov eax, [rdi]; ret
> 0x00409cd4 : mov rax, [rbx]; pop rbx; ret
> 0x00409cd5 : mov eax, [rbx]; pop rbx; ret
> 0x00477c20 : mov rax, [rdi + 0x10]; ret
> 0x00477c21 : mov eax, [rdi + 0x10]; ret
> 0x004e2ff3 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x004e2b33 : movzx edx, [rsi]; sub eax, edx; ret
> 0x004ec5c0 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x004a48f1 : mov rsi, [rbx]; call rax
> 0x0051773f : mov rdi, [rbp]; call rbx
> 0x004a48f2 : mov esi, [rbx]; call rax
> 0x00517740 : mov edi, [rbp]; call rbx
> 0x0051c988 : mov eax, [rdx + rax]; mov eax, r8d; ret
> 0x004e0d88 : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x004790b4 : mov rdx, [rdi]; lea rax, [rdx + rax - 1]; ret
> 0x004cc1db : movzx r8, [rax]; add rsp, 8; pop rbx; pop rbp; ret
> 0x004c7af7 : mov eax, [rdx]; add rsp, 8; pop rbx; pop rbp; ret
> 0x004790b5 : mov edx, [rdi]; lea rax, [rdx + rax - 1]; ret
> 0x00502750 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x00415335 : mov rax, [rbp]; call [rax + 0x18]
> 0x0048481d : mov rax, [r13]; call [rax + 0x10]
> 0x0045fc66 : mov rax, [r14]; call [rax + 0x10]
> 0x0042d556 : mov rax, [r15]; call [rax + 0x10]
> 0x004a60d8 : mov rdx, [r12]; mov rdi, r13; call rbp
> 0x0048187e : mov r8, [rdi]; call [r8 + 0x58]
> 0x0049b6b2 : mov r11, [rdi]; call [r11 + 0x30]
> 0x0048481e : mov eax, [rbp]; call [rax + 0x10]
> 0x0049b6b3 : mov ebx, [rdi]; call [r11 + 0x30]
> 0x004842a1 : mov esi, [rdi]; call [rax + 0x60]
> 0x0043e684 : mov esi, [rbp]; call [rax + 0x60]
> 0x0043e683 : mov esi, [r13]; call [rax + 0x60]
> 0x004842a0 : mov esi, [r15]; call [rax + 0x60]
> 0x0052af08 : mov rax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x0052af7c : mov rdx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x004682ea : mov rdx, [rsi + 8]; mov [rdi + rax], rdx; ret
> 0x0052aefc : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0052af09 : mov eax, [rbx + 0x10]; mov [rax], rdi; pop rbx; ret
> 0x0051ebc1 : movzx eax, [rsi + rax]; jmp [rdi + rax*8]
> 0x0052af7d : mov edx, [rbx + 0x10]; mov [rdx], rax; pop rbx; ret
> 0x0052aefd : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x004472df : mov rdx, [rax + 0x84]; mov [rax + 0x8c], rdx; pop rbx; ret
> 0x004472e0 : mov edx, [rax + 0x84]; mov [rax + 0x8c], rdx; pop rbx; ret
> 0x004306bf : mov rax, [r8]; mov rdi, rsp; call [rax + 0x18]
> 0x0049b48b : mov rax, [r11]; mov rdi, r11; call [rax + 0x40]
> 0x0043d620 : mov rax, [r12]; mov rdi, r12; call [rax + 0x30]
> 0x004ec554 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x004064f8 : mov rdx, [rax]; lea rax, [rax + 8]; mov [rcx], rdx; ret
> 0x005090a9 : mov rdi, [r12]; lea r9, [rsp + 0x28]; call rbx
> 0x004064f9 : mov edx, [rax]; lea rax, [rax + 8]; mov [rcx], rdx; ret
> 0x00485bad : mov esi, [r14]; mov rdi, r15; call [rax + 0x60]
> 0x00502876 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x00502824 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x004dc2f4 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x0044e44a : mov rax, [rbp + 0x30]; mov [rbx + 0x10], rax; pop rbx; pop rbp; pop r12; ret
> 0x00446693 : mov rcx, [rbx + 0xe0]; sar r8, 2; call [rax + 0x38]
> 0x005045f4 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x0044e44b : mov eax, [rbp + 0x30]; mov [rbx + 0x10], rax; pop rbx; pop rbp; pop r12; ret
> 0x00446694 : mov ecx, [rbx + 0xe0]; sar r8, 2; call [rax + 0x38]
> 0x0047e6b7 : mov esi, [rdi + 8]; mov rdi, r12; call [rax + 0x60]
> 0x0047e6b6 : mov esi, [r15 + 8]; mov rdi, r12; call [rax + 0x60]
> 0x0051784d : mov rax, [rdx]; and eax, 1; or rdi, rax; mov [rdx], rdi; pop rbx; pop rbp; ret
> 0x00422f87 : movzx eax, [r12]; movsxd rax, [r13 + rax*4]; add rax, r13; jmp rax
> 0x004a1724 : mov edx, [rcx]; add bl, al; nop [rax + rax]; lea rax, [rip + 0x118b49]; ret
> 0x0041e47c : mov edx, [r12]; mov esi, ebp; mov rdi, rbx; call [rax + 0x10]
> 0x0047a328 : mov rax, [rsi + 8]; mov [rdi + 8], rax; mov [rsi + 8], rdx; ret
> 0x00449643 : mov rdx, [rbp + 0x10]; mov [rbx + rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x004a60d4 : mov rsi, [r14 + 8]; mov rdx, [r12]; mov rdi, r13; call rbp
> 0x00442724 : mov rdi, [rbx + 0xc8]; mov rax, [rdi]; call [rax + 0x28]
> 0x00444634 : mov rdi, [rbp + 0xc8]; mov rax, [rdi]; call [rax + 0x30]
> 0x0051cab2 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0044346d : mov ebx, [rbp + 0x78]; mov rax, [rdi]; call [rax + 0x30]
> 0x00449644 : mov edx, [rbp + 0x10]; mov [rbx + rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x00442725 : mov edi, [rbx + 0xc8]; mov rax, [rdi]; call [rax + 0x28]
> 0x00444635 : mov edi, [rbp + 0xc8]; mov rax, [rdi]; call [rax + 0x30]
> 0x0043185c : mov rax, [r10]; mov rdx, r12; push rdi; mov rdi, r10; call [rax + 0x18]
> 0x0051ed15 : mov rdx, [r15 + 0x20]; mov rdi, r14; sub rdx, rsi; call [rbx + 0x38]
> 0x005294e1 : mov rsi, [rax + 0x18]; movsxd rdx, ebp; mov rdi, rbx; call [r14 + 0x38]
> 0x005294e2 : mov esi, [rax + 0x18]; movsxd rdx, ebp; mov rdi, rbx; call [r14 + 0x38]
> 0x004842af : mov esi, [rbx + 4]; xor edx, edx; mov rdi, r13; call [rax + 0x60]
> 0x00485bd3 : mov esi, [r14 + 4]; xor edx, edx; mov rdi, r15; call [rax + 0x60]
> 0x004a3ada : mov rdx, [rbp]; mov r8, rbx; mov rcx, rbp; or esi, 2; mov edi, 1; call rax
> 0x004a48c0 : mov rdx, [r10]; mov rax, [rsp + 8]; mov [rsp + 0x10], r10; call rax
> 0x004a40e1 : mov rdx, [r14]; mov r8, r12; mov rcx, r14; mov esi, 1; mov edi, 1; call rax
> 0x004a3adb : mov edx, [rbp]; mov r8, rbx; mov rcx, rbp; or esi, 2; mov edi, 1; call rax
> 0x004cdffd : movzx esi, [r12]; lea r15, [r12 + 1]; mov rdi, r14; call [rbx + 0x18]
> 0x0048de8b : mov rcx, [r13]; mov rax, [rdi]; lea rdx, [rsi + rbx]; call [rax + 0x58]
> 0x0047ee4f : mov rsi, [rax]; mov rax, [rbp]; lea rdx, [rsi + 0x1a]; call [rax + 0x58]
> 0x004ba1bd : mov rsi, [r13]; mov rdi, [r12]; mov rdx, r14; mov rax, [rsp + 8]; call rax
> 0x0048de8c : mov ecx, [rbp]; mov rax, [rdi]; lea rdx, [rsi + rbx]; call [rax + 0x58]
> 0x0047ee50 : mov esi, [rax]; mov rax, [rbp]; lea rdx, [rsi + 0x1a]; call [rax + 0x58]
> 0x004c72c1 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x004b4ba4 : mov rcx, [rdi + 0x78]; mov fs:[rax], rcx; cmp r8, rdx; mov rax, -1; cmove r8, rax; mov rax, r8; ret
> 0x005190b5 : mov rdx, [rcx + rdx]; lea rcx, [rip - 0x60]; mov [rax + 0x10], rcx; mov [rax + 8], rdx; ret
> 0x00451adf : mov rsi, [r9 + 0xe8]; mov r8, rdx; push rbx; push rcx; xor ecx, ecx; call [rax + 0x10]
> 0x00509542 : mov rdi, [r12 + 0x10]; push 1; xor edx, edx; push 1; lea r9, [rsp + 0x20]; call rbx
> 0x0044c94c : movzx eax, [r12 + 0x59]; mov [rbx + 0xe0], bpl; mov [rbx + 0xe1], 1; pop rbx; pop rbp; pop r12; ret
> 0x004c72c2 : mov ecx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x004b4ba5 : mov ecx, [rdi + 0x78]; mov fs:[rax], rcx; cmp r8, rdx; mov rax, -1; cmove r8, rax; mov rax, r8; ret
> 0x005190b6 : mov edx, [rcx + rdx]; lea rcx, [rip - 0x60]; mov [rax + 0x10], rcx; mov [rax + 8], rdx; ret
> 0x00451ae0 : mov esi, [rcx + 0xe8]; mov r8, rdx; push rbx; push rcx; xor ecx, ecx; call [rax + 0x10]
> 0x0042abc5 : mov rax, [r9]; mov [rbp - 0x60], cl; mov rdi, r9; mov [rbp - 0x50], rdx; call [rax + 0x48]
> 0x0051caae : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x004c83ab : mov rsi, [rbx + 0x10]; mov rdx, [rbx + 0x40]; mov rdi, rbx; sub rdx, rsi; call [rax + 0x70]
> 0x0051ed11 : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, r14; sub rdx, rsi; call [rbx + 0x38]
> 0x00509371 : mov rdi, [r14]; lea rsi, [rsp + 0x20]; push 1; xor r8d, r8d; push 0; lea r9, [rsp + 0x18]; call r13
> 0x00509372 : mov edi, [rsi]; lea rsi, [rsp + 0x20]; push 1; xor r8d, r8d; push 0; lea r9, [rsp + 0x18]; call r13
> 0x00450f85 : mov rdi, [rcx + 0xe8]; mov edx, 1; xor esi, esi; mov ecx, 8; mov rax, [rdi]; call [rax + 0x20]
> 0x0046b51f : mov rdi, [r8 + 0xe8]; mov rsi, [rsp + 8]; mov rdx, r13; mov rax, [rdi]; call [rax + 0x60]
> 0x0049b6a6 : mov rdi, [r15 + 8]; mov rcx, [rsp + 0x10]; mov rsi, r14; mov r11, [rdi]; call [r11 + 0x30]
> 0x004a1780 : mov r8, [rdi + 8]; mov esi, [rdi]; mov rax, [r8]; mov rdi, r8; mov rax, [rax + 0x28]; jmp rax
> 0x0046b520 : mov edi, [rax + 0xe8]; mov rsi, [rsp + 8]; mov rdx, r13; mov rax, [rdi]; call [rax + 0x60]
> 0x00450f86 : mov edi, [rcx + 0xe8]; mov edx, 1; xor esi, esi; mov ecx, 8; mov rax, [rdi]; call [rax + 0x20]
> 0x004365f6 : mov rcx, [rbp + 0x20]; mov rax, [rdi]; lea rdx, [rsi + rbx]; mov rcx, [rcx]; call [rax + 0x58]
> 0x004365f7 : mov ecx, [rbp + 0x20]; mov rax, [rdi]; lea rdx, [rsi + rbx]; mov rcx, [rcx]; call [rax + 0x58]
> 0x0043fa9f : mov rax, [edi]; mov [rsp + 0x58], r9b; mov [rsp + 0x50], r8b; mov [rsp + 0x60], sil; call [rax + 0x48]
> 0x0051caaa : mov r13, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x0051caab : mov ebp, [rdi + 0x18]; mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; jmp rdx
> 0x00444995 : mov r8, [rbx + 0x10]; mov rcx, [rbx + 0xe0]; mov rax, [rdi]; mov rdx, r12; sub r8, [rbx + 8]; call [rax + 0x38]
> 0x0049b69e : mov rax, [rdx + rax]; lea rdx, [r12 + rax]; mov rdi, [r15 + 8]; mov rcx, [rsp + 0x10]; mov rsi, r14; mov r11, [rdi]; call [r11 + 0x30]

© 2014 - 2019 - Powered by ROPEME | Contact