ropshell> use acaa75aeac37f8dd789104d3fa40137a
name         : libc_64.so (x86_64/ELF)
base address : 0x1f570
total gadgets: 17368
ropshell> suggest "load mem"
> 0x000718ec : mov eax, [rdx]; ret
> 0x000c7540 : mov eax, [rdi]; ret
> 0x00073407 : mov eax, [rsi]; pop rbx; ret
> 0x0013bb42 : mov rax, [rdi + 0x18]; ret
> 0x0013bb43 : mov eax, [rdi + 0x18]; ret
> 0x0016dc73 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x0008ebd3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x000e7087 : mov rax, [rdx]; mov [rdx], rdi; ret
> 0x0007d540 : mov rax, [rdi]; mov [rdx], rax; ret
> 0x00020a4a : mov rdx, [rax]; call rbp
> 0x000a4e30 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x000b9c16 : mov rdi, [rax]; call r14
> 0x001047e8 : mov rdi, [rbx]; call rbp
> 0x000ab914 : mov rdi, [rbp]; call r12
> 0x001047da : mov rdi, [r12]; call rbp
> 0x00038d4c : mov rdi, [r13]; call r14
> 0x00102c26 : mov rdi, [r14]; call rbx
> 0x00102c67 : mov rdi, [r15]; call rbx
> 0x00020a4b : mov edx, [rax]; call rbp
> 0x000b9c17 : mov edi, [rax]; call r14
> 0x001047e9 : mov edi, [rbx]; call rbp
> 0x00102c27 : mov edi, [rsi]; call rbx
> 0x000ab915 : mov edi, [rbp]; call r12
> 0x0012ba06 : mov r8, [rax + 0x18]; jmp r8
> 0x0014460f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0007683a : mov edx, [rdi + 0xc0]; mov eax, edx; ret
> 0x0001fd75 : mov eax, [rbx + 4]; pop rbx; pop rbp; pop r12; ret
> 0x00166460 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x00103428 : mov rsi, [rbx]; mov rdi, r12; call rbp
> 0x000a1b26 : mov eax, [rcx]; mov [rdx], ax; mov rax, rdi; ret
> 0x00036016 : mov edx, [rdi]; xor eax, eax; test edx, edx; sete al; ret
> 0x00103429 : mov esi, [rbx]; mov rdi, r12; call rbp
> 0x000f6d56 : mov rdx, [rsi + 0x78]; mov [rdi + 0x100], rdx; ret
> 0x00038d49 : mov rsi, [r15]; mov rdi, [r13]; call r14
> 0x00038d4a : mov esi, [rdi]; mov rdi, [r13]; call r14
> 0x00078850 : mov rax, [rbx + 0x20]; mov [rbx + 0x28], rax; pop rbx; ret
> 0x0013af5f : mov rax, [r12 + 8]; call [rax + 8]
> 0x0013548f : mov rax, [r14 + 0x60]; call [rax + 8]
> 0x00138409 : mov rax, [r15 + 8]; call [rax + 0x18]
> 0x00078824 : mov rdx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x000896d8 : mov rdi, [rbx + 0x48]; call [rbx + 0x40]
> 0x001130d3 : mov rdi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x00074b1e : mov r9, [rax + 0x10]; call [rbp + 0x18]
> 0x00135490 : mov eax, [rsi + 0x60]; call [rax + 8]
> 0x00074b1f : mov ecx, [rax + 0x10]; call [rbp + 0x18]
> 0x00078825 : mov edx, [rax + 0x18]; mov [rax + 0x20], rdx; pop rbx; ret
> 0x000896d9 : mov edi, [rbx + 0x48]; call [rbx + 0x40]
> 0x001130d4 : mov edi, [rdx + 0x50]; mov rsi, rdx; call rax
> 0x0015ae04 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x00166586 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x000ca99b : mov rax, [rdx + 0x18]; mov [rdx + 0x18], rax; mov rax, -0xe; ret
> 0x00124b84 : mov rax, [rsi + 8]; mov [rdi + 0x10], rax; xor eax, eax; ret
> 0x00077677 : mov rdx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x00046f15 : mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00046b95 : mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x000a1ba9 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x000ca99c : mov eax, [rdx + 0x18]; mov [rdx + 0x18], rax; mov rax, -0xe; ret
> 0x000a97cd : mov eax, [r9 + 4]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x000762db : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x00046f16 : mov ecx, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00046b96 : mov ecx, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00077678 : mov edx, [rbx + 0xf8]; mov [rdx], rax; xor eax, eax; pop rbx; ret
> 0x001433f3 : mov ecx, [rdx]; mov rdx, r13; add r9, [rbp - 0x88]; call rax
> 0x0012cd38 : mov rax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x0012ca8d : mov rax, [r10 + 8]; mov rdi, r10; call [rax + 0x20]
> 0x000a4f74 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x001352a3 : mov rdx, [rdi + 0x90]; bswap eax; mov [rdx + 0x10], eax; mov eax, 1; ret
> 0x00074a8e : mov rbp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00075420 : mov r14, [rbx + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x0012cd39 : mov eax, [rbp + 8]; mov rdi, rbp; call [rax + 0x20]
> 0x00075421 : mov esi, [rbx + 0x98]; mov rdi, r14; call [r14 + 0x20]
> 0x00074a8f : mov ebp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x00138b10 : mov rax, [r12]; mov [rbx + 8], rax; mov eax, 1; pop rbx; pop rbp; pop r12; ret
> 0x00078cd3 : mov rdx, [rbp]; mov [rdx + rax], 0; mov rax, rbx; pop rbx; pop rbp; pop r12; ret
> 0x00078cd4 : mov edx, [rbp]; mov [rdx + rax], 0; mov rax, rbx; pop rbx; pop rbp; pop r12; ret
> 0x0006c773 : mov rdx, [r8 + 0x88]; mov [rax + 8], r9; add [rdx + 4], 1; ret
> 0x000cf1e6 : mov rdi, [rax + r15]; mov rsi, [rbp - 0x1c0]; call [r14 + 0x40]
> 0x00113d41 : mov edx, [rbp + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x001249fb : movzx edx, [r10 + 1]; add r10, 2; mov [r8], edx; mov [r9], r10; ret
> 0x00113c9e : mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r13; call rax
> 0x00113d40 : mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x0011450d : mov edx, [r14 + 0x60]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x000cf1e7 : mov edi, [rax + rdi]; mov rsi, [rbp - 0x1c0]; call [r14 + 0x40]
> 0x000738e8 : mov rax, [r13 + 0xd8]; mov esi, ebx; mov rdi, r13; call [rax + 0x18]
> 0x0012e5d8 : mov rsi, [rbx + 0x10]; mov rdx, rbp; mov rdi, r13; call [rax + 0x10]
> 0x00131b94 : mov rdi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x000350a3 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00131b95 : mov edi, [rcx + 0x10]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x00136eb9 : mov rax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x001034c1 : mov rsi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x00136eba : mov eax, [rbx]; mov rdx, [rax + 8]; mov rdi, rax; call [rdx + 0x20]
> 0x001034c2 : mov esi, [rax]; mov rdi, [rbp - 0x40]; mov r15d, r14d; mov rax, [rbp - 0x48]; call rax
> 0x0007c2e2 : movzx esi, [r14]; mov rdi, r12; lea rbx, [r14 + 1]; call [rax + 0x18]
> 0x00046f11 : mov r8, [rsi + 0x28]; mov r9, [rsi + 0x30]; mov rsi, [rsi + 0x70]; xor eax, eax; ret
> 0x00046b91 : mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00072f61 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0012d081 : mov rsi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x000f9664 : mov rdi, [r14 + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x0012d082 : mov esi, [rbp + 0x20]; mov r13d, eax; mov rdi, rbx; xor eax, eax; call [rbp + 0x28]
> 0x00135466 : mov esi, [r14 + 0x88]; mov rdi, r12; mov [r14 + 0x58], 0; call [rax + 0x28]
> 0x000f9665 : mov edi, [rsi + 0x18]; mov edx, 1; mov rsi, [rsp + 0x28]; call [r14 + 0x40]
> 0x0006c76c : mov rax, [r8 + 0x88]; mov rdx, [r8 + 0x88]; mov [rax + 8], r9; add [rdx + 4], 1; ret
> 0x00124b7d : mov rax, [rsi]; mov [rdi + 8], rax; mov rax, [rsi + 8]; mov [rdi + 0x10], rax; xor eax, eax; ret
> 0x0012a600 : mov rdx, [rbx]; mov [rbp], rax; mov rsi, rax; mov r8, r12; mov rcx, r15; mov rdi, r14; call r13
> 0x0012a601 : mov edx, [rbx]; mov [rbp], rax; mov rsi, rax; mov r8, r12; mov rcx, r15; mov rdi, r14; call r13
> 0x0004d6c8 : mov rcx, [r15 + 0xd8]; sub rax, rbx; mov rsi, rbx; mov rdx, rax; mov rdi, r15; call [rcx + 0x38]
> 0x00134978 : mov rsi, [rcx + 0x1c]; mov rdi, [rcx + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x001351f8 : mov rsi, [rdi + 0x20]; mov rdi, [rdi + 0x28]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x0003509f : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00134979 : mov esi, [rcx + 0x1c]; mov rdi, [rcx + 0x24]; mov eax, 1; mov [rdx], rsi; mov [rdx + 8], rdi; ret
> 0x000350a0 : mov esi, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00046b8a : mov rcx, [rdi + 0x98]; mov r8, [rdi + 0x28]; mov r9, [rdi + 0x30]; mov rdi, [rdi + 0x68]; xor eax, eax; ret
> 0x00075780 : mov rcx, [rbx + 0x10]; mov rdx, [rbx + 0x18]; sar r8, 2; lea rsi, [rax + 0x58]; call [r14 + 0x30]
> 0x00113c95 : mov rdx, [r12 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r12 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r13; call rax
> 0x00113d38 : mov rdx, [r13 + 0x38]; mov [rbp - 0x70], rdx; mov edx, [r13 + 0x18]; mov [rbp - 0x80], edx; mov rdx, r14; call rax
> 0x00114502 : mov rdx, [r14 + 0x80]; mov [rbp - 0x70], rdx; mov edx, [r14 + 0x60]; mov [rbp - 0x80], edx; mov rdx, r12; call rax
> 0x000abf21 : mov rdi, [r12 + 0x10]; push 1; xor r8d, r8d; push 0; lea rcx, [rax + 4]; lea r9, [rsp + 0x20]; call rbx
> 0x00075781 : mov ecx, [rbx + 0x10]; mov rdx, [rbx + 0x18]; sar r8, 2; lea rsi, [rax + 0x58]; call [r14 + 0x30]
> 0x001338c4 : mov rdi, [rsi + 8]; mov rcx, rsi; mov r8, [rdi + 0x18]; mov edx, [rax + 0x1c8]; lea rsi, [rax + 0x38]; mov rdi, rcx; jmp r8
> 0x0012ed2f : mov edx, [r15 + 0x48]; mov rdi, [r15]; mov r12, rbx; add r12, [r15 + 0x50]; sub edx, ebx; mov rsi, r12; call [r15 + 0x40]
> 0x00139346 : mov rbx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x00139347 : mov ebx, [rdi + 0x48]; mov rax, [rbx + 0x18]; lea r12, [rbx + 0x10]; mov [rbx + 0x10], 0; mov rdi, r12; call [rax + 0x28]
> 0x0003814f : movzx esi, [rax + 0xe]; mov [rdx + 0xe], sil; mov [rax + 0xe], cl; mov rdx, r13; mov rsi, [rsp + 0x18]; mov rdi, r12; call r15
> 0x0006eb96 : mov r8, [rdx + 0x88]; mov [rax + 8], r9; add [r8 + 4], 1; mov rax, [rdx + 0xd8]; mov rbx, rdx; mov rdi, rdx; call [rax + 0x60]