Free Online ROP Gadgets Search

ropshell> use 68cd9310086d1c545a9caae905b77444 (download)
name         : libstdc.so.6.0.25 (x86_64/ELF)
base address : 0x8c490
total gadgets: 9895

ropshell> suggest "load mem"
> 0x000ddca0 : mov rax, [rsi]; ret
> 0x00092920 : mov rax, [rdi]; ret
> 0x000bbf3d : mov rax, [r8]; ret
> 0x000ddca1 : mov eax, [rsi]; ret
> 0x00092921 : mov eax, [rdi]; ret
> 0x000a4814 : mov rax, [rbx]; pop rbx; ret
> 0x000a4815 : mov eax, [rbx]; pop rbx; ret
> 0x00123ca0 : mov rax, [rdi + 0x10]; ret
> 0x00123ca1 : mov eax, [rdi + 0x10]; ret
> 0x000a86ae : mov rax, [rbx + 8]; pop rbx; ret
> 0x000a86af : mov eax, [rbx + 8]; pop rbx; ret
> 0x001251f4 : mov rdx, [rdi]; lea rax, [rdx + rax - 1]; ret
> 0x001251f5 : mov edx, [rdi]; lea rax, [rdx + rax - 1]; ret
> 0x000c0845 : mov rax, [rbp]; call [rax + 0x18]
> 0x000ad843 : mov rax, [r10]; call [rax + 0x40]
> 0x001120b4 : mov rax, [r12]; call [rax + 0x10]
> 0x000e0513 : mov rax, [r13]; call [rax + 0x10]
> 0x000e983f : mov rax, [r14]; call [rax + 0x50]
> 0x000ea729 : mov rax, [r15]; call [rax + 0x30]
> 0x000c2a69 : mov rbx, [rax]; mov rax, rbx; pop rbx; pop rbp; pop r12; ret
> 0x001380ed : mov rcx, [rax]; call [rcx + 0x50]
> 0x00136ad3 : mov rcx, [rdi]; call [rcx + 0x10]
> 0x000d3050 : mov rdx, [rsi]; mov rax, rdi; mov [rdi], rdx; ret
> 0x000e632b : mov r8, [rdi]; call [r8 + 0x58]
> 0x000ad844 : mov eax, [rdx]; call [rax + 0x40]
> 0x000e0514 : mov eax, [rbp]; call [rax + 0x10]
> 0x000c2a6a : mov ebx, [rax]; mov rax, rbx; pop rbx; pop rbp; pop r12; ret
> 0x0013aa01 : mov ebx, [rcx]; cmc ; jmp [rsi + 0x2e]
> 0x001380ee : mov ecx, [rax]; call [rcx + 0x50]
> 0x00136ad4 : mov ecx, [rdi]; call [rcx + 0x10]
> 0x000d3051 : mov edx, [rsi]; mov rax, rdi; mov [rdi], rdx; ret
> 0x000e8d29 : mov esi, [rbp]; call [rax + 0x60]
> 0x000e8d28 : mov esi, [r13]; call [rax + 0x60]
> 0x0012fa54 : mov esi, [r14]; call [rax + 0x60]
> 0x00112b7a : mov rdx, [rsi + 8]; mov [rdi + rax], rdx; ret
> 0x00112b7b : mov edx, [rsi + 8]; mov [rdi + rax], rdx; ret
> 0x0009f246 : mov rdx, [rax]; mov [rsi], rdx; mov [rax], rsi; ret
> 0x0009f247 : mov edx, [rax]; mov [rsi], rdx; mov [rax], rsi; ret
> 0x000f3520 : mov rdx, [rax + 0x84]; mov [rax + 0x8c], rdx; pop rbx; ret
> 0x000ba41d : mov eax, [rdx + 0x10]; cmp [rdi + 8], eax; setne al; ret
> 0x000f3521 : mov edx, [rax + 0x84]; mov [rax + 0x8c], rdx; pop rbx; ret
> 0x0008ea45 : mov rdx, [rbx]; mov rdi, rbx; call [rdx + 8]
> 0x000b77c0 : mov rbp, [rbx]; mov rdi, rbx; call [rbx + 8]
> 0x00091e98 : mov r8, [rax]; lea rax, [rax + 8]; mov [rcx], r8; ret
> 0x000ea475 : mov r11, [rax]; mov rdi, rax; call [r11 + 0x50]
> 0x0008ea46 : mov edx, [rbx]; mov rdi, rbx; call [rdx + 8]
> 0x000ea7ae : mov esi, [rbx]; mov rdi, r15; call [rax + 0x60]
> 0x000b77c1 : mov ebp, [rbx]; mov rdi, rbx; call [rbx + 8]
> 0x0009057b : mov rax, [rsi + 8]; mov [rax], rdi; mov [rsi + 8], rdi; ret
> 0x000f9e1a : mov rax, [rbp + 0x30]; mov [rbx + 0x10], rax; pop rbx; pop rbp; pop r12; ret
> 0x000f28d3 : mov rcx, [rbx + 0xe0]; sar r8, 2; call [rax + 0x38]
> 0x000f201c : mov rdx, [rbx + 0xd0]; sar r8, 2; call [rax + 0x38]
> 0x00090593 : mov rdx, [rdi + 8]; mov [rdx], rax; mov [rax + 8], rdx; ret
> 0x0009057c : mov eax, [rsi + 8]; mov [rax], rdi; mov [rsi + 8], rdi; ret
> 0x000f9e1b : mov eax, [rbp + 0x30]; mov [rbx + 0x10], rax; pop rbx; pop rbp; pop r12; ret
> 0x000f28d4 : mov ecx, [rbx + 0xe0]; sar r8, 2; call [rax + 0x38]
> 0x000f201d : mov edx, [rbx + 0xd0]; sar r8, 2; call [rax + 0x38]
> 0x00090594 : mov edx, [rdi + 8]; mov [rdx], rax; mov [rax + 8], rdx; ret
> 0x0012a646 : mov esi, [rdi + 8]; mov rdi, r14; call [rax + 0x60]
> 0x0012a645 : mov esi, [r15 + 8]; mov rdi, r14; call [rax + 0x60]
> 0x0012cdc1 : mov rax, [rdx]; mov rdi, rdx; mov esi, 0x78; call [rax + 0x50]
> 0x000d42be : mov rdx, [rbp]; mov [rbx], rdx; add rsp, 8; mov rax, rbx; pop rbx; pop rbp; ret
> 0x000ac690 : mov rdx, [r14]; mov esi, eax; mov rdi, r14; call [rdx + 0x68]
> 0x0012b264 : mov rsi, [rdx]; lea rdx, [rsi + 0xb]; call [r8 + 0x58]
> 0x000d42bf : mov edx, [rbp]; mov [rbx], rdx; add rsp, 8; mov rax, rbx; pop rbx; pop rbp; ret
> 0x0012b265 : mov esi, [rdx]; lea rdx, [rsi + 0xb]; call [r8 + 0x58]
> 0x0009053e : mov rcx, [rsi + 8]; mov [rdx + 8], rcx; mov [rsi + 8], rax; ret
> 0x000a9a14 : mov rdx, [rbp + 0x10]; mov [rbx + rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x000ee6dd : mov rdi, [rbx + 0xc8]; mov rax, [rdi]; call [rax + 0x28]
> 0x000935b2 : mov rdi, [rbp + 0x18]; mov rax, [rdi]; call [rax + 0x18]
> 0x000f07a5 : mov rdi, [r15 + 0xc8]; mov rax, [rdi]; call [rax + 0x30]
> 0x0009053f : mov ecx, [rsi + 8]; mov [rdx + 8], rcx; mov [rsi + 8], rax; ret
> 0x000d2f71 : mov edx, [rcx + 0x1f0ffffb]; add [rdi], cl; mov dh, 6; mov [rdi], al; ret
> 0x000a9a15 : mov edx, [rbp + 0x10]; mov [rbx + rax], rdx; add rsp, 8; pop rbx; pop rbp; ret
> 0x000ee6de : mov edi, [rbx + 0xc8]; mov rax, [rdi]; call [rax + 0x28]
> 0x000935b3 : mov edi, [rbp + 0x18]; mov rax, [rdi]; call [rax + 0x18]
> 0x000e8d37 : mov esi, [rbx + 4]; xor edx, edx; mov rdi, r14; call [rax + 0x60]
> 0x0012fb59 : mov rcx, [rbp]; xor edx, edx; mov rdi, rbp; mov esi, eax; call [rcx + 0x60]
> 0x000e8ec1 : mov rcx, [r14]; xor edx, edx; mov rdi, r14; mov esi, eax; call [rcx + 0x60]
> 0x000e8ec2 : mov ecx, [rsi]; xor edx, edx; mov rdi, r14; mov esi, eax; call [rcx + 0x60]
> 0x0012fb5a : mov ecx, [rbp]; xor edx, edx; mov rdi, rbp; mov esi, eax; call [rcx + 0x60]
> 0x0012a589 : mov esi, [rdi]; mov rdi, r14; lea r12, [r15 + 4]; call [rax + 0x60]
> 0x0012a588 : mov esi, [r15]; mov rdi, r14; lea r12, [r15 + 4]; call [rax + 0x60]
> 0x0012ac64 : mov rsi, [rax]; mov rax, [rbp]; lea rdx, [rsi + 0x1a]; call [rax + 0x58]
> 0x0012ac65 : mov esi, [rax]; mov rax, [rbp]; lea rdx, [rsi + 0x1a]; call [rax + 0x58]
> 0x000fd66d : mov rsi, [r9 + 0xe8]; mov r8, rdx; push r14; push rcx; xor ecx, ecx; call [rax + 0x10]
> 0x000f00b3 : mov rdi, [r13 + 0xc8]; lea r15, [rbp - 0x48]; mov rax, [rdi]; call [rax + 0x40]
> 0x000f890c : movzx eax, [r12 + 0x59]; mov [rbx + 0xe0], bpl; mov [rbx + 0xe1], 1; pop rbx; pop rbp; pop r12; ret
> 0x000fd66e : mov esi, [rcx + 0xe8]; mov r8, rdx; push r14; push rcx; xor ecx, ecx; call [rax + 0x10]
> 0x00114a46 : mov rsi, [rbp + 0xe8]; movsd xmm0, [rsp + 8]; test rsi, rsi; sete dl; call [rax + 0x38]
> 0x00114a47 : mov esi, [rbp + 0xe8]; movsd xmm0, [rsp + 8]; test rsi, rsi; sete dl; call [rax + 0x38]
> 0x000bda39 : mov rbx, [rdi + 0x10]; mov [rdi + 8], 0; mov [rdi + 0x10], 0; call [rax + 0x10]
> 0x000bda3a : mov ebx, [rdi + 0x10]; mov [rdi + 8], 0; mov [rdi + 0x10], 0; call [rax + 0x10]
> 0x000ea5c0 : mov rax, [rcx]; mov [rsp + 0x10], rdx; mov rdi, rcx; mov [rsp + 8], rcx; call [rax + 0x48]
> 0x000ea5c1 : mov eax, [rcx]; mov [rsp + 0x10], rdx; mov rdi, rcx; mov [rsp + 8], rcx; call [rax + 0x48]
> 0x00116ff2 : mov rsi, [r14 + 0xe8]; push [rbp + 0x18]; push [rbp + 0x10]; test rsi, rsi; sete dl; call [rax + 0x40]
> 0x00114c35 : mov rsi, [r15 + 0xe8]; push [rbp + 0x18]; push [rbp + 0x10]; test rsi, rsi; sete dl; call [rax + 0x40]
> 0x000fcc6c : mov rdi, [rcx + 0xe8]; mov edx, r12d; mov rsi, rbp; mov ecx, 8; mov rax, [rdi]; call [rax + 0x20]
> 0x00116093 : mov rdi, [rdx + 0xe8]; mov rsi, [rsp + 8]; mov rdx, r14; mov rax, [rdi]; call [rax + 0x60]
> 0x000fca40 : mov rdi, [rsi + 0xe8]; mov ecx, 8; mov edx, 1; xor esi, esi; mov rax, [rdi]; call [rax + 0x20]
> 0x000fcc6d : mov edi, [rcx + 0xe8]; mov edx, r12d; mov rsi, rbp; mov ecx, 8; mov rax, [rdi]; call [rax + 0x20]
> 0x00116094 : mov edi, [rdx + 0xe8]; mov rsi, [rsp + 8]; mov rdx, r14; mov rax, [rdi]; call [rax + 0x60]
> 0x000fca41 : mov edi, [rsi + 0xe8]; mov ecx, 8; mov edx, 1; xor esi, esi; mov rax, [rdi]; call [rax + 0x20]
> 0x000f0ae5 : mov r8, [rbx + 0x10]; mov rcx, [rbx + 0xe0]; mov rax, [rdi]; mov rdx, r12; sub r8, [rbx + 8]; call [rax + 0x38]