ropshell> use 317ee91acb99a10485c38cef56417839
name         : msctf_new.dll (x86_64/PE)
base address : 0x180001000
total gadgets: 6514
ropshell> suggest "load mem"
> 0x180002eeb : mov eax, [rdx]; ret
> 0x18003f790 : mov rax, [rcx + 0x10]; ret
> 0x18003ebac : movsxd rax, [rdx + 0x38]; ret
> 0x18003f740 : mov eax, [rcx + 0x10]; ret
> 0x180034248 : mov rcx, [r9]; mov [rcx], eax; ret
> 0x18003f25a : mov rax, [rdx]; mov eax, [rax + 0x34]; ret
> 0x180009baf : mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x180026df2 : mov rdi, [r11 + 0x18]; mov rsp, r11; pop rbp; ret
> 0x1800e454a : mov r14, [r11 + 0x20]; mov rsp, r11; pop rbp; ret
> 0x180009bb0 : mov esi, [rbx + 0x18]; mov rsp, r11; pop rdi; ret
> 0x180026df3 : mov edi, [rbx + 0x18]; mov rsp, r11; pop rbp; ret
> 0x1800862d5 : mov edx, [rcx + 0x20]; cmp edx, [rcx - 0x10]; setg al; ret
> 0x18008cf9a : mov rbx, [r11 + 0x20]; mov rsp, r11; pop r15; pop r14; pop rdi; ret
> 0x180010f59 : mov rbp, [r11 + 0x30]; mov rsp, r11; pop r14; pop rdi; pop rsi; ret
> 0x180060b37 : mov r12, [r11 + 0x30]; mov rsp, r11; pop r15; pop r14; pop r13; ret
> 0x18002c8ca : mov r13, [r11 + 0x38]; mov rsp, r11; pop r15; pop r14; pop rbp; ret
> 0x1800d80ca : mov edx, [r10 + 0x18]; call [rip + 0x195ec]; add rsp, 0x38; ret
> 0x180010f5a : mov ebp, [rbx + 0x30]; mov rsp, r11; pop r14; pop rdi; pop rsi; ret
> 0x1800b0435 : mov r10, [rax]; movups [r9], xmm0; mov [r9 + 0x10], ecx; ret
> 0x18007df0a : mov eax, [rcx]; cmove eax, ecx; mov [r9], eax; xor eax, eax; ret
> 0x18007df09 : mov eax, [r9]; cmove eax, ecx; mov [r9], eax; xor eax, eax; ret
> 0x1800b0436 : mov edx, [rax]; movups [r9], xmm0; mov [r9 + 0x10], ecx; ret
> 0x180096600 : mov eax, [rdx + 0x10]; mov [rcx + 0x18], eax; mov eax, 1; ret
> 0x180040c80 : mov eax, [r8 + 8]; mov [rcx + 0x94], eax; add rsp, 0x58; ret
> 0x1800879aa : mov ecx, [rax + 0x10]; xor eax, eax; dec ecx; cmp edx, ecx; setg al; ret
> 0x180029dd0 : mov edx, [rax + 2]; add [rax], al; add [rax - 0x75], ecx; ret
> 0x1800ab9b1 : mov rax, [r9 + 0x18]; and rdx, r8; call [rip + 0x45d02]; add rsp, 0x28; ret
> 0x180039c8d : mov r9, [rcx + 0x30]; mov ecx, 2; call [rip + 0xb7a24]; add rsp, 0x38; ret
> 0x1800d40ad : mov rax, [rcx]; mov rax, [rax + 0x10]; call [rip + 0x1d606]; add rsp, 0x28; ret
> 0x1800b1472 : mov rax, [r9]; mov rax, [rax + 0x48]; call [rip + 0x40241]; add rsp, 0x28; ret
> 0x180002993 : mov rax, [r11]; mov rax, [rax + 0x50]; call [rip + 0xeed20]; add rsp, 0x38; ret
> 0x1800ad9ae : mov r8, [r9]; mov [r8 + 8], rax; mov [r9], r10; add rsp, 0x28; ret
> 0x180002994 : mov eax, [rbx]; mov rax, [rax + 0x50]; call [rip + 0xeed20]; add rsp, 0x38; ret
> 0x18003e788 : mov rax, [r10 + 0x28]; mov [r11 - 0x20], r9; call [rip + 0xb2f2a]; add rsp, 0x48; ret
> 0x18000499d : mov rax, [r8]; mov [rdx], rax; and [r8 + 8], 0; and [r8], 0; ret
> 0x180040a3f : mov rcx, [r10 + 0x20]; mov [rsp + 0x20], eax; call [rip + 0xb09db]; add rsp, 0x48; ret
> 0x1800372e1 : mov r8, [rax + 0x30]; mov rax, [rax + 0x28]; call [rip + 0xba3d1]; add rsp, 0x48; ret
> 0x180040a40 : mov ecx, [rdx + 0x20]; mov [rsp + 0x20], eax; call [rip + 0xb09db]; add rsp, 0x48; ret
> 0x18008d7b7 : movzx edx, [rsi]; mov rax, [rax + 0x20]; mov r9, [rip + 0x63efb]; call r9
> 0x18008defb : movzx edx, [rdi]; mov rax, [rax + 0x18]; mov r9, [rip + 0x637b7]; call r9
> 0x18008defa : movzx edx, [r15]; mov rax, [rax + 0x18]; mov r9, [rip + 0x637b7]; call r9
> 0x180028333 : mov rax, [rbx]; mov rcx, rbx; mov rax, [rax + 0x10]; mov rdx, [rip + 0xc937c]; call rdx
> 0x1800553b9 : mov rax, [r12]; mov rcx, r12; mov rax, [rax + 0x18]; mov rdx, [rip + 0x9c2f5]; call rdx
> 0x18000a8a1 : mov rax, [rdi]; mov edx, 1; mov rcx, rdi; mov rax, [rax]; mov r8, [rip + 0xe6e0a]; call r8
> 0x18000a8a2 : mov eax, [rdi]; mov edx, 1; mov rcx, rdi; mov rax, [rax]; mov r8, [rip + 0xe6e0a]; call r8
> 0x180009c37 : mov edx, [rbx + 0xc8]; mov rcx, r8; mov rax, [rax + 0x18]; mov r8, [rip + 0xe7a75]; call r8
> 0x1800250af : mov rax, [rbx + 0x80]; lea r11, [rsp + 0xb0]; mov rbx, [r11 + 0x10]; mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x18003e9e8 : mov r8, [rcx + 0x30]; mov ecx, 2; mov [rsp + 0x20], rdx; lea rdx, [rsp + 0x20]; call [rip + 0xb2cbf]; add rsp, 0x48; ret
> 0x1800250b0 : mov eax, [rbx + 0x80]; lea r11, [rsp + 0xb0]; mov rbx, [r11 + 0x10]; mov rsi, [r11 + 0x18]; mov rsp, r11; pop rdi; ret
> 0x1800d80be : mov r9, [r10 + 0x28]; lea r8, [r10 + 0x1c]; mov rax, [rax + 0x40]; mov edx, [r10 + 0x18]; call [rip + 0x195ec]; add rsp, 0x38; ret
> 0x18009c2af : mov eax, [r9 + 0x28]; mov [rcx + 0xa0], eax; mov al, [r9 + 0x2c]; mov [rcx + 0xa4], al; mov rax, rcx; mov [rcx + 0xa8], r10b; ret
> 0x18008def0 : mov rcx, [rsi + 0x20]; mov rax, [rcx]; mov r8, r12; movzx edx, [r15]; mov rax, [rax + 0x18]; mov r9, [rip + 0x637b7]; call r9
> 0x18008def1 : mov ecx, [rsi + 0x20]; mov rax, [rcx]; mov r8, r12; movzx edx, [r15]; mov rax, [rax + 0x18]; mov r9, [rip + 0x637b7]; call r9
> 0x18008d7ac : mov rcx, [rbx + 0x20]; mov rax, [rcx]; lea r8, [rsi + 4]; movzx edx, [rsi]; mov rax, [rax + 0x20]; mov r9, [rip + 0x63efb]; call r9
> 0x18008d7ad : mov ecx, [rbx + 0x20]; mov rax, [rcx]; lea r8, [rsi + 4]; movzx edx, [rsi]; mov rax, [rax + 0x20]; mov r9, [rip + 0x63efb]; call r9