ROPSHELL 
ropshell> use 1ab5406f33d8be8febd070750080329a (download)
name         : win32k.sys (i386/PE)
base address : 0xbf800380
total gadgets: 16986

ropshell> suggest
call
    > 0xbf805231 : call eax
    > 0xbf8176ec : call ebx
    > 0xbf803379 : call ecx
    > 0xbf818ff5 : call edx
    > 0xbf800995 : call esi
jmp
    > 0xbf8b8a17 : push esp; ret
    > 0xbf86aae5 : jmp eax
    > 0xbf8f0d99 : jmp ecx
    > 0xbf8ad743 : jmp edx
    > 0xbf89f80d : jmp edi
load mem
    > 0xbf868636 : mov eax, [ecx]; ret
    > 0xbf8c4ec4 : mov eax, [edx]; ret 4
    > 0xbf833af4 : mov eax, [esi]; pop esi; ret 4
    > 0xbf8e9c46 : mov eax, [ecx + 4]; ret
    > 0xbf934460 : mov eax, [edx + 0x38]; pop ebp; ret 8
load reg
    > 0xbf88e5eb : pop eax; ret
    > 0xbf800fc5 : pop ebx; ret
    > 0xbf81d092 : pop ecx; ret
    > 0xbf8019b0 : pop esi; ret
    > 0xbf8014c9 : pop edi; ret
pop pop ret
    > 0xbf88e5eb : pop eax; ret
    > 0xbf8b6a5c : pop ebx; pop ebp; ret
    > 0xbf860a84 : pop ebx; pop edi; pop esi; ret
    > 0xbf8ff932 : pop ebx; pop edi; pop esi; pop ebp; ret
    > 0xbf981baf : pop ebp; pop edi; pop esi; pop ebx; pop ebp; ret
stack pivoting
    > 0xbf84d730 : xchg eax, esp; ret
    > 0xbf8688bc : push ecx; pop esp; ret
    > 0xbf8016a6 : mov esp, ebp; pop ebp; ret
    > 0xbf88374d : xchg esp, edi; dec [ebx - 0x36a4a13a]; ret 0x18
    > 0xbf8b7d54 : mov esp, esi; jmp [esi - 0x2f]
write mem
    > 0xbf988af1 : adc [ebx], eax; ret
    > 0xbf8061ef : add [ebx], esi; ret
    > 0xbf89bc0b : add [ebx], edi; ret
    > 0xbf9248ac : add [edx], ecx; ret
    > 0xbf8c7d59 : add [edx], edi; ret

© 2014 - 2019 - Powered by ROPEME | Contact