ROPSHELL 
ropshell> use 96711de1f151b1ad63ca5767c425052c (download)
name         : win32k.sys (x86_64/PE)
base address : 0x140001000
total gadgets: 15131

ropshell> suggest
jmp
    > 0x14002d393 : jmp rax
    > 0x14001501f : jmp rcx
    > 0x14006d15c : push rsp; add eax, edi; ret
    > 0x14005de12 : jmp [rax + 2]
    > 0x140018584 : jmp [rbx]
load mem
    > 0x14002aed1 : mov eax, [rbx]; add [rax], al; ret
    > 0x140028ed1 : mov eax, [rcx]; add [rax], al; ret
    > 0x140029ed1 : mov eax, [rdx]; add [rax], al; ret
    > 0x140002b1f : mov rsi, [r11 + 0x20]; mov rsp, r11; pop rdi; ret
    > 0x140008444 : mov r14, [r11 + 0x28]; mov rsp, r11; pop rbp; ret
load reg
    > 0x140001153 : pop rbx; ret
    > 0x14006d624 : pop rcx; ret
    > 0x140064682 : pop rdx; ret
    > 0x140008653 : pop rsi; ret
    > 0x14000108a : pop rdi; ret
pop pop ret
    > 0x1400272d1 : pop r12; ret
    > 0x140012d5a : pop r12; pop rbp; ret
    > 0x140013fa9 : pop r12; pop rdi; pop rsi; ret
    > 0x140016023 : pop r12; pop rdi; pop rsi; pop rbp; ret
    > 0x140016021 : pop r13; pop r12; pop rdi; pop rsi; pop rbp; ret
sp lifting
    > 0x140001bea : add rsp, 0x28; ret
    > 0x140001bea : add rsp, 0x28; ret
    > 0x140017c88 : add rsp, 0x38; ret
    > 0x14002d36e : add rsp, 0x48; ret
stack pivoting
    > 0x140017e77 : xchg eax, esp; ret
    > 0x140008448 : mov rsp, r11; pop rbp; ret
    > 0x140008449 : mov esp, ebx; pop rbp; ret
    > 0x1400161a0 : leave ; mov rax, [rax + rcx*8]; ret
syscall
    > 0x14002c711 : syscall ; add [rax], al; ret
write mem
    > 0x14006d4c8 : adc [rdx], eax; ret
    > 0x14006d4f3 : adc [rcx + rax], eax; ret
    > 0x14002a731 : adc [rbx], eax; add [rax], al; ret
    > 0x14006d2a3 : adc [rbx], ecx; movaps xmm[rcx - 0x10], xmm0; ret
    > 0x140028731 : adc [rcx], eax; add [rax], al; ret

© 2014 - 2019 - Powered by ROPEME | Contact