Free Online ROP Gadgets Search

ropshell> use 8495d453d5b3d09a9b38750c50289555 (download)
name         : libc_ (x86_64/ELF)
base address : 0x1f9c0
total gadgets: 18589

ropshell> suggest "load mem"
> 0x000719fc : mov eax, [rdx]; ret
> 0x000c83b0 : mov eax, [rdi]; ret
> 0x0013de22 : mov rax, [rdi + 0x18]; ret
> 0x0013de23 : mov eax, [rdi + 0x18]; ret
> 0x0016aa63 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x000903d3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000e8397 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x0007eece : mov rax, [rdi]; mov [rdx], rax; ret
> 0x0002037b : mov rdx, [rax]; call rbp
> 0x000a5540 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000ba853 : mov rdi, [rax]; call r14
> 0x001032de : mov rdi, [rbp]; call rbx
> 0x00039268 : mov rdi, [r12]; call r14
> 0x001031a9 : mov rdi, [r13]; call rbx
> 0x00103116 : mov rdi, [r14]; call rbx
> 0x00103157 : mov rdi, [r15]; call rbx
> 0x0002037c : mov edx, [rax]; call rbp
> 0x000ba854 : mov edi, [rax]; call r14
> 0x00103117 : mov edi, [rsi]; call rbx
> 0x001031aa : mov edi, [rbp]; call rbx
> 0x00146eaf : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x00076dca : mov edx, [rdi + 0xc0]; mov eax, edx; ret
> 0x0007361f : mov eax, [rsi]; add rsp, 8; pop rbx; pop rbp; ret
> 0x0010ef5a : mov eax, [r14]; pop rbp; pop r12; pop r13; pop r14; ret
> 0x00163250 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x00103938 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x000a2236 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x000e0faa : movzx ecx, [rbp]; movzx eax, al; or [0], rdx; ret
> 0x00036618 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x00103939 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x000cc3c3 : mov rcx, [rdi + 0x18]; mov [rdi + 0x18], rcx; ret
> 0x000f72c6 : mov rdx, [rsi + 0x78]; mov [rdi + 0x100], rdx; ret
> 0x000db250 : mov rdi, [rsi + 0x28]; call -7; xor eax, eax; pop rbx; ret
> 0x000cc3c4 : mov ecx, [rdi + 0x18]; mov [rdi + 0x18], rcx; ret
> 0x000db251 : mov edi, [rsi + 0x28]; call -7; xor eax, eax; pop rbx; ret
> 0x000ed8bd : mov rcx, [rbx]; mov rdi, [rbp - 0xa8]; call r13
> 0x00039265 : mov rsi, [r15]; mov rdi, [r12]; call r14
> 0x000ed8be : mov ecx, [rbx]; mov rdi, [rbp - 0xa8]; call r13
> 0x00039266 : mov esi, [rdi]; mov rdi, [r12]; call r14
> 0x00078d90 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x00139b02 : mov rax, [r12 + 8]; call [rax + 0x10]
> 0x001377a4 : mov rax, [r14 + 0x60]; call [rax + 8]
> 0x00139d3a : mov rax, [r15 + 8]; call [rax + 0x10]
> 0x0006eee9 : mov rcx, [rax + 0xa0]; mov [rcx + 0x130], rdx; rep ; ret
> 0x00078d64 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0008ad6b : mov rdi, [rbx + 0x48]; call [rbx + 0x40]
> 0x001141f3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00074ea3 : mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x00078d91 : mov eax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x001377a5 : mov eax, [rsi + 0x60]; call [rax + 8]
> 0x00074ea4 : mov ecx, [rax + 0x10]; call [rbp + 0x18]
> 0x00078d65 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x0008ad6c : mov edi, [rbx + 0x48]; call [rbx + 0x40]
> 0x001141f4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0015a6c4 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x00163376 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x00078dc1 : mov rax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x00077bb7 : mov rdx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x000483e5 : mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x000480b5 : mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x000a22b9 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x00078dc2 : mov eax, [rdx + 0x20]; sub rax, [rdx + 0x18]; sar rax, 2; ret
> 0x000a9ee0 : mov eax, [r8 + 4]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0007687b : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x000483e6 : mov ecx, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00077bb8 : mov edx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x000f833d : mov ebp, [rax + rax]; neg eax; mov fs:[rcx], eax; or rax, -1; ret
> 0x00036914 : mov rax, [rsi]; and rax, [rdx]; mov [rdi], rax; xor eax, eax; ret
> 0x00107f6f : mov rdx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; rep ; ret
> 0x00145aa3 : mov ecx, [rdx]; mov rdx, r13; add r9, [rbp - 0x88]; call rax
> 0x00107f70 : mov edx, [rbx]; mov [rax], rdx; add rsp, 8; pop rbx; pop rbp; rep ; ret
> 0x0002e090 : mov rax, [rsi + 0x70]; movsxd rdi, edi; mov eax, [rax + rdi*4]; ret
> 0x0012e517 : mov rax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x0012e437 : mov rax, [r13 + 8]; mov rdi, r13; call [rax + 0x20]
> 0x000a5684 : mov rcx, [rsi + 0x10]; movdqu xmm[rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x001375f3 : mov rdx, [rdi + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x0007afb8 : mov rbp, [rdi + 0x90]; pop rbx; sub rbp, rax; mov rax, rbp; pop rbp; pop r12; ret
> 0x00075860 : mov rbp, [r15 + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x0007527a : mov r9, [rdx + 8]; mov rdx, r12; call [rbp + 0x18]
> 0x00075961 : mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0012e438 : mov eax, [rbp + 8]; mov rdi, r13; call [rax + 0x20]
> 0x00075962 : mov esi, [rdi + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0007afb9 : mov ebp, [rdi + 0x90]; pop rbx; sub rbp, rax; mov rax, rbp; pop rbp; pop r12; ret
> 0x0013ae40 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x001386dd : mov rdi, [rbx]; mov rax, [rdi + 8]; call [rax + 0x20]
> 0x001386de : mov edi, [rbx]; mov rax, [rdi + 8]; call [rax + 0x20]
> 0x00108354 : mov ebp, [rbx]; add bh, dh; fsub [rcx + rcx*4 + 1]; or rax, -1; ret
> 0x0006c3ec : mov rdx, [r9 + 0x88]; mov [rdx + 8], r8; add [rdx + 4], 1; ret
> 0x000d05e7 : mov rdi, [rax + r14]; mov rsi, [rbp - 0x1c8]; call [r15 + 0x40]
> 0x001152d6 : mov edx, [rcx + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x001151e9 : mov edx, [rbp + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00125b8b : movzx edx, [r10 + 1]; add r10, 2; mov [r8], edx; mov [r9], r10; ret
> 0x001151e8 : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x0011537e : mov edx, [r14 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x000d05e8 : mov edi, [rax + rsi]; mov rsi, [rbp - 0x1c8]; call [r15 + 0x40]
> 0x00074e9f : mov rcx, [rbx + 8]; mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x0012fd58 : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00133ef4 : mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00035653 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x000d5de5 : movzx eax, [r9 + rax]; mov [rdi + 8], 1; mov [rdi], al; mov eax, 1; ret
> 0x00074ea0 : mov ecx, [rbx + 8]; mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x0012fd59 : mov esi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00133ef5 : mov edi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x001391f9 : mov rax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x001039c8 : mov rsi, [rax]; mov rdi, [rbp - 0x40]; mov r13d, ebx; mov rax, [rbp - 0x48]; call rax
> 0x001391fa : mov eax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x001039c9 : mov esi, [rax]; mov rdi, [rbp - 0x40]; mov r13d, ebx; mov rax, [rbp - 0x48]; call rax
> 0x0007d9fb : movzx esi, [rbp]; mov rdi, r15; lea rbx, [r13 + 1]; call [rax + 0x18]
> 0x0007d9fa : movzx esi, [r13]; mov rdi, r15; lea rbx, [r13 + 1]; call [rax + 0x18]
> 0x000483e1 : mov r8, [rsi + 0x28]; mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x000480b1 : mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00125d0e : mov r10, [rsi + 8]; mov [rdi + rdx + 8], r9; mov [rdi + rdx + 0x10], r10; ret
> 0x0012bdb0 : mov rdx, [r15]; mov [rbx], rax; mov r8, rbp; mov rcx, r14; mov rdi, r13; call r12
> 0x000757f7 : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov [rsp + 8], rcx; mov rdi, r15; call rax
> 0x0012e861 : mov rsi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x000f9c4c : mov rdi, [r14 + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x0012e862 : mov esi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x0013777d : mov esi, [r14 + 0x88]; mov rdi, rbp; mov [r14 + 0x58], 0; call [rax + 0x28]
> 0x00125d0b : mov r9, [rsi]; mov r10, [rsi + 8]; mov [rdi + rdx + 8], r9; mov [rdi + rdx + 0x10], r10; ret
> 0x00133ef0 : mov rsi, [rcx + 8]; mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00136c88 : mov rsi, [rdi + 0x1c]; mov rdi, [rdi + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x0003564f : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00133ef1 : mov esi, [rcx + 8]; mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x000ea7f4 : movsxd rax, [r14]; mov rbx, [rbp - 0x70]; lea rsi, [rip + 0xa4e8e]; lea rdi, [rip + 0x9f637]; mov edx, 5; mov r13, [0]; ret
> 0x00075958 : mov rbx, [rax + 0x50]; mov [rsp + 8], rsi; mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x00075d4d : mov rcx, [r15 + 0x10]; mov rax, [rax + 0x60]; sar r8, 2; mov [rsp + 0x30], rax; call [r14 + 0x30]
> 0x001152ce : mov rdx, [rcx + 0x38]; mov [rbp - 0x70], rdx; mov edx, [rcx + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x001151e0 : mov rdx, [r13 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00115376 : mov rdx, [r14 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r14 + 0x18]; mov [rbp - 0x80], edx; mov rdx, rbx; call rax
> 0x000ac611 : mov rdi, [rbp + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x00075959 : mov ebx, [rax + 0x50]; mov [rsp + 8], rsi; mov r14, [r15 + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x000ac612 : mov edi, [rbp + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x00057301 : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rdi, [rbp - 0x4b0]; sub rdx, rsi; sar rdx, 2; call [rbx + 0x38]
> 0x0013b676 : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x0013b677 : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x000386b0 : movzx esi, [rax + 0xe]; mov [rdx + 0xe], sil; mov [rax + 0xe], cl; mov rdx, r13; mov rsi, [rsp + 0x10]; mov rdi, r12; call r15
> 0x000235ff : movsx rcx, [rdx + 0x19]; mov [rax + 0x4c], ecx; movsx ecx, [rdx + 0x1a]; movsx edx, [rdx + 0x1b]; mov [rax + 0x50], ecx; mov [rax + 0x54], edx; ret