ropshell> use ceb3c6477662a97134986a305ba814ad
name         : libc.so.6 (x86_64/ELF)
base address : 0x243c0
total gadgets: 15660
ropshell> suggest "load mem"
> 0x00081d40 : mov eax, [rdx]; ret
> 0x000e2034 : mov eax, [rdi]; ret
> 0x0008ed94 : mov rax, [rdi + 0x68]; ret
> 0x00144a11 : mov eax, [rdx + 8]; ret
> 0x0013b3f4 : mov eax, [rdi + 0x20]; ret
> 0x000b0125 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x00084afd : mov edx, [rax]; mov eax, edx; ret
> 0x000b5290 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0011834e : mov rsi, [rbx]; call r13
> 0x00117fa9 : mov rdi, [rbx]; call r12
> 0x000b5231 : mov edx, [rsi]; mov [rdi], dx; ret
> 0x0011834f : mov esi, [rbx]; call r13
> 0x00117faa : mov edi, [rbx]; call r12
> 0x0017ee17 : movzx ecx, [rsi + rcx]; sub eax, ecx; ret
> 0x000ec54f : mov edx, [rax + 0xc]; add cl, ch; ret
> 0x0018b0af : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x00034f02 : mov edi, [rax + rdx]; mov eax, edi; ret
> 0x00096f34 : mov rax, [rdi]; mov [rip + 0x15018a], rax; ret
> 0x0014401a : mov eax, [rbp]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x00144019 : mov eax, [r13]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x000d437b : movsxd rdx, [rbp + 0x28]; pop rbp; sub rax, rdx; ret
> 0x0003f4f9 : mov rdi, [rbx + 8]; call rax
> 0x0016957a : mov rdi, [rbp + 8]; pop rbp; jmp rax
> 0x000efca0 : mov eax, [r12 + 0x4c]; pop rbx; pop r12; pop rbp; ret
> 0x0003f4fa : mov edi, [rbx + 8]; call rax
> 0x0016957b : mov edi, [rbp + 8]; pop rbp; jmp rax
> 0x0016984f : mov rax, [rbx]; pop rbx; pop r12; pop rbp; jmp rax
> 0x001896ae : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x000fe48b : mov rdx, [rax]; mov [rax], rdi; mov rax, rdx; ret
> 0x0012a604 : mov rdx, [rdi]; add rax, rdx; mov [rdi], rax; ret
> 0x00169850 : mov eax, [rbx]; pop rbx; pop r12; pop rbp; jmp rax
> 0x001896e0 : mov eax, [rcx]; mov [rdx], eax; mov rax, rdi; ret
> 0x0012a605 : mov edx, [rdi]; add rax, rdx; mov [rdi], rax; ret
> 0x0013d475 : mov edi, [r12]; call [rbp - 0x40]
> 0x0013d8ba : mov edi, [r15]; call [rbp - 0x40]
> 0x00109461 : mov rax, [r14 + 0x10]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x0007edfd : mov rcx, [rax + 0xa0]; mov [rcx + 0xe0], rdx; ret
> 0x0009e1a4 : mov rcx, [rdi + 0x18]; mov [rax + 0x18], rcx; ret
> 0x00109462 : mov eax, [rsi + 0x10]; pop r12; pop r13; pop r14; pop rbp; ret
> 0x0007edfe : mov ecx, [rax + 0xa0]; mov [rcx + 0xe0], rdx; ret
> 0x0009e1a5 : mov ecx, [rdi + 0x18]; mov [rax + 0x18], rcx; ret
> 0x0003a542 : mov ecx, [rbp + 1]; fnstcw [rsi]; jmp r9
> 0x000ac441 : mov edx, [rbp + 0x18]; mov [rax], rdx; pop rbp; ret
> 0x001191a4 : mov rdx, [rbx]; mov [rax], rdx; pop rbx; pop r12; pop rbp; ret
> 0x00118421 : mov rsi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x00100634 : mov eax, [rsi]; mov [rdi + 0x108], eax; xor eax, eax; ret
> 0x001191a5 : mov edx, [rbx]; mov [rax], rdx; pop rbx; pop r12; pop rbp; ret
> 0x00118422 : mov esi, [rax]; mov rdi, [rbp - 0x50]; call r15
> 0x001570a0 : mov rax, [rbx + 8]; call [rax + 0x28]
> 0x0015ef1f : mov rax, [r15 + 0x60]; call [rax + 8]
> 0x000a1373 : mov rdx, [rdi + 0x28]; mov [rdx + 0x20], rax; pop rbp; ret
> 0x0009cf57 : mov rdi, [rax + 8]; call [rax]
> 0x0012346b : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00026b8f : mov rdi, [r14 + 0x10]; add rdi, rbx; call r13
> 0x001570a1 : mov eax, [rbx + 8]; call [rax + 0x28]
> 0x000a1374 : mov edx, [rdi + 0x28]; mov [rdx + 0x20], rax; pop rbp; ret
> 0x0012346c : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00026b90 : mov edi, [rsi + 0x10]; add rdi, rbx; call r13
> 0x000b52a0 : mov rcx, [rsi]; mov [rdi + 8], dh; mov [rdi], rcx; ret
> 0x001896cb : mov rax, [rcx + 8]; mov [rdx + 8], rax; mov rax, rdi; ret
> 0x00089225 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000f29a0 : mov rdi, [rsi + 0x28]; call [rip + 0xf436e]; xor eax, eax; pop rbp; ret
> 0x00042891 : mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x00189706 : mov eax, [rcx + 8]; mov [rdx + 8], eax; mov rax, rdi; ret
> 0x00042892 : mov ecx, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0003dd09 : mov rax, [rsi]; and rax, [rdx]; mov [rdi], rax; xor eax, eax; ret
> 0x0009e881 : mov r12, [rbx]; call [rip + 0x14848e]; mov rdi, r13; call r12
> 0x00090f88 : mov rax, [rsi + 0x18]; sub rcx, rdx; lea rax, [rcx + rax + 0x4000]; ret
> 0x001621c2 : mov rax, [r12 + 0x18]; mov rdi, r14; call [rax + 0x20]
> 0x00156b81 : mov rax, [r13 + 8]; mov rdi, r13; call [rax + 0x20]
> 0x000b53d4 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x0016033e : mov rdx, [rax + 0x38]; mov rdi, rax; call [rdx + 0x20]
> 0x000b52e3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x00144770 : mov r8, [rbx + 8]; mov rdi, [rbp - 0x78]; push rax; call r12
> 0x00156b82 : mov eax, [rbp + 8]; mov rdi, r13; call [rax + 0x20]
> 0x0015eeff : mov esi, [rdi + 0x88]; mov rdi, rbx; call [rax + 0x28]
> 0x0015eefe : mov esi, [r15 + 0x88]; mov rdi, rbx; call [rax + 0x28]
> 0x0015ba4e : mov rdi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x000417b0 : mov rdi, [r12]; mov rdx, [rbp - 0x40]; mov rax, [rbp - 0x38]; call rax
> 0x0015f581 : mov rdi, [r13]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x0015bb13 : mov rdi, [r14]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0015ba4f : mov edi, [rax]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x0015bb14 : mov edi, [rsi]; mov rax, [rdi + 0x38]; call [rax + 0x10]
> 0x0015f582 : mov edi, [rbp]; mov rax, [rdi + 0x38]; call [rax + 0x18]
> 0x000ac4f8 : mov rcx, [rbp + 0x18]; mov [rax], rcx; lea rax, [rax + rdx - 1]; pop rbp; ret
> 0x0008fdb9 : mov rdx, [rbx + 0x20]; cmove rdi, r11; sub rsp, 8; push r10; call rax
> 0x0008fdba : mov edx, [rbx + 0x20]; cmove rdi, r11; sub rsp, 8; push r10; call rax
> 0x000a05bd : mov rbx, [r8]; mov rdi, r8; call [rip + 0x14674f]; mov rdi, r12; call rbx
> 0x0013d352 : mov rdx, [r15]; mov rcx, [rbp - 0x48]; mov r8, rbx; mov rdi, r14; call r13
> 0x000a05be : mov ebx, [rax]; mov rdi, r8; call [rip + 0x14674f]; mov rdi, r12; call rbx
> 0x001585e0 : mov rsi, [rbx + 0x10]; mov rdx, r12; mov rdi, r14; call [rax + 0x10]
> 0x00034d4c : mov rsi, [rdi + 0x78]; mov fs:[rcx], rsi; cmp rax, rdx; mov rdx, -1; cmove rax, rdx; ret
> 0x0003cfb3 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x001585e1 : mov esi, [rbx + 0x10]; mov rdx, r12; mov rdi, r14; call [rax + 0x10]
> 0x0011cafd : mov rcx, [r8]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xca76e], 0; ret
> 0x0011cafe : mov ecx, [rax]; mov [rdx + 0x10], rcx; mov [r8], rax; mov [rip + 0xca76e], 0; ret
> 0x0008d858 : movzx esi, [rdi]; lea rbx, [r15 + 1]; mov rdi, r13; call [rax + 0x18]
> 0x0008d857 : movzx esi, [r15]; lea rbx, [r15 + 1]; mov rdi, r13; call [rax + 0x18]
> 0x00084b2f : mov rcx, [rdx + 0x20]; cmp rax, rcx; cmovb rax, rcx; sub rax, [rdx + 0x10]; sar rax, 2; ret
> 0x0008602a : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rbp - 0xe8], rcx; mov rdi, r15; call rax
> 0x0004288d : mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x000a05b9 : mov r12, [r8 + 8]; mov rbx, [r8]; mov rdi, r8; call [rip + 0x14674f]; mov rdi, r12; call rbx
> 0x0009e87a : mov r13, [rbx + 8]; mov rdi, rbx; mov r12, [rbx]; call [rip + 0x14848e]; mov rdi, r13; call r12
> 0x0003cfaf : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x0009e87b : mov ebp, [rbx + 8]; mov rdi, rbx; mov r12, [rbx]; call [rip + 0x14848e]; mov rdi, r13; call r12
> 0x0016323c : mov rax, [r11]; lea rsi, [rbp - 0x20]; mov [rbp - 0x20], rax; mov rax, [rdi + 8]; call [rax + 8]
> 0x0016c4ce : mov rax, [r15]; sub eax, [rsi]; mov ecx, [rdi + rdx - 4]; mov edi, [rsi + rdx - 4]; sub ecx, edi; or eax, ecx; ret
> 0x0015d3ba : mov rsi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x00071d4b : movzx ecx, [rbx + rcx]; lea rbx, [rip - 0xde5]; movsxd rdx, [rdx + rcx*4]; add rdx, rbx; mov ebx, 1; jmp rdx
> 0x0015d3bb : mov esi, [rax + 0x40]; mov rax, [rdi + 8]; mov edx, [rsi + 0x1c8]; add rsi, 0x38; jmp [rax + 0x18]
> 0x000ce72e : mov rdi, [r12 + 0x10]; lea rsi, [rbp - 0x70]; push 1; lea r9, [rbp - 0x88]; push 0; lea rcx, [rax + 4]; call rbx
> 0x00123bdc : mov edx, [r12 + 0x18]; movdqu xmm0, xmm[r12 + 0x30]; mov [rbp - 0x110], edx; mov rdx, r13; movups xmm[rbp - 0x108], xmm0; call rax
> 0x00123b6b : mov edx, [r13 + 0x18]; movdqu xmm0, xmm[r13 + 0x30]; mov [rbp - 0x110], edx; mov rdx, r14; movups xmm[rbp - 0x108], xmm0; call rax
> 0x001240eb : mov edx, [r15 + 0x18]; movdqu xmm0, xmm[r15 + 0x30]; mov [rbp - 0x110], edx; mov rdx, r12; movups xmm[rbp - 0x108], xmm0; call rax
> 0x0005177e : mov rsi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0005177f : mov esi, [rdx + 0x70]; mov rcx, [rdx + 0x98]; mov r8, [rdx + 0x28]; mov r9, [rdx + 0x30]; mov rdx, [rdx + 0x88]; xor eax, eax; ret
> 0x0016218d : mov r12, [rdi + 0x48]; mov rax, [r12 + 0x18]; lea r14, [r12 + 0x10]; mov [r12 + 0x10], 0; mov rdi, r14; call [rax + 0x28]