ROPSHELL 
ropshell> use fb81da21dafcf5e1c55b3ac564c831a6 (download)
name         : libSegFault.so (arm/ELF)
base address : 0xa28
total gadgets: 124

ropshell> suggest
jmpcall
    > 0x00000f7f : bx r3
    > 0x00000f81 : bx lr
    > 0x00001ca7 : blx r3
    > 0x00001d3d : blx r7
    > 0x00001adf : blx lr
load mem
    > 0x00001c7b : ldr r0, [r3, r0]; bx lr
    > 0x00001f77 : ldr r3, [r5, #0x10]; blx r3
    > 0x00000f52 : ldr r2, [r3, r2]; cmp r2, #0; bxeq lr
    > 0x00001b55 : ldr r0, [pc, #0x10]; add r0, pc; bx lr
    > 0x00001b5b : ldr r2, [pc, #0x10]; ldr r0, [r3, r2]; bx lr
pop pop ret
    > 0x0000257f : pop {pc}
    > 0x00000ff3 : pop {r3, pc}
    > 0x00000c70 : pop {r4, r5, pc}
    > 0x00001bd1 : pop {r4, r5, r6, pc}
stack pivoting
    > 0x0000257d : mov sp, ip; pop {pc}
write mem
    > 0x00001ea9 : str r3, [r2]; bx lr
    > 0x00002737 : str r2, [r3]; bx lr
    > 0x00000c6a : str r0, [r3]; add sp, sp, #0x9c; pop {r4, r5, pc}
    > 0x00001ca5 : str r7, [r4, #0x14]; blx r3
    > 0x00001bcd : str r3, [r4, #0x10]; add sp, #8; pop {r4, r5, r6, pc}

© 2014 - 2019 - Powered by ROPEME | Contact