ropshell> use f4b11cd1870e77dc8d5cde6d8704c449
name         : step5_2 (x86_64/ELF)
base address : 0x400390
total gadgets: 8345
ropshell> suggest "load mem"
> 0x00410fd0 : mov eax, [rdx]; ret
> 0x0046cab7 : mov eax, [rsi]; pop rbx; ret
> 0x00417930 : mov rax, [rdi + 0x68]; ret
> 0x0047cb1c : mov eax, [rsi + 4]; ret
> 0x00417931 : mov eax, [rdi + 0x68]; ret
> 0x00423a73 : movzx eax, [rdi]; sub eax, ecx; ret
> 0x0042f893 : movzx ecx, [rsi]; sub eax, ecx; ret
> 0x004274f3 : movzx edx, [rsi]; sub eax, edx; ret
> 0x004175ee : mov rax, [rdi]; mov [rdx], rax; ret
> 0x00436710 : mov rdx, [rsi]; mov [rdi], rdx; ret
> 0x0049d868 : mov rsi, [rbx]; call r14
> 0x0049d8b7 : mov rsi, [r15]; call r14
> 0x0046f2e4 : mov rdi, [rbp]; call r12
> 0x004417af : mov rdi, [r12]; call rbx
> 0x0040e9cc : mov rdi, [r13]; call r14
> 0x00441326 : mov rdi, [r14]; call rbx
> 0x00441367 : mov rdi, [r15]; call rbx
> 0x0047f694 : mov eax, [rcx]; add [rcx - 0x77], cl; ret
> 0x0046c998 : mov edx, [rax]; mov eax, edx; pop rbx; ret
> 0x0049d869 : mov esi, [rbx]; call r14
> 0x0049d8b8 : mov esi, [rdi]; call r14
> 0x00441327 : mov edi, [rsi]; call rbx
> 0x0046f2e5 : mov edi, [rbp]; call r12
> 0x0049da2b : mov rax, [rsi + 0x10]; add rsp, 8; ret
> 0x00423b9f : movzx edx, [rsi + rcx]; sub eax, edx; ret
> 0x0043a900 : mov rax, [rcx]; mov [rdx], rax; mov rax, rdi; ret
> 0x0049cd98 : mov rdx, [r12]; mov edi, 1; call rax
> 0x0049eb38 : mov rdx, [r15]; mov rdi, rbp; call rbx
> 0x0049eb39 : mov edx, [rdi]; mov rdi, rbp; call rbx
> 0x0048cc10 : mov rax, [rbx + 0x18]; mov [rax], rdi; pop rbx; ret
> 0x0048cbf0 : mov rdx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x0048cc04 : mov rdx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0048cc11 : mov eax, [rbx + 0x18]; mov [rax], rdi; pop rbx; ret
> 0x0048cbf1 : mov edx, [rbx + 0x18]; mov [rdx], rax; pop rbx; ret
> 0x0048cc05 : mov edx, [rdi + 0x30]; mov [rax], rdx; pop rbx; ret
> 0x0041385b : mov rax, [rbp + 0xd8]; call [rax + 0x40]
> 0x00460ab3 : mov rax, [r14 + 0xd8]; call [rax + 0x38]
> 0x0041385c : mov eax, [rbp + 0xd8]; call [rax + 0x40]
> 0x0047eab4 : mov rax, [r13]; add rax, [rdx + 8]; call rax
> 0x004366a4 : mov rcx, [rsi]; mov [rdi + 1], rdx; mov [rdi], rcx; ret
> 0x0049d3c3 : mov rdx, [r13]; mov esi, 1; mov edi, 1; call rax
> 0x00441762 : mov rdi, [rax]; mov [rsp + 8], rax; call rbx
> 0x0047eab5 : mov eax, [rbp]; add rax, [rdx + 8]; call rax
> 0x0049d3c4 : mov edx, [rbp]; mov esi, 1; mov edi, 1; call rax
> 0x00441763 : mov edi, [rax]; mov [rsp + 8], rax; call rbx
> 0x0043aa26 : mov rax, [rcx + 5]; mov [rdx + 5], rax; mov rax, rdi; ret
> 0x0043a9d4 : mov eax, [rcx + 3]; mov [rdx + 3], eax; mov rax, rdi; ret
> 0x0043f4f0 : mov eax, [r8 + 4]; add rsp, 8; pop rbx; pop rbp; pop r12; pop r13; ret
> 0x0046da0b : mov ecx, [rdx + 0x48]; cmp ecx, [rdx + 0x4c]; cmove eax, ecx; ret
> 0x00423a54 : movzx ecx, [rsi + rdx]; movzx eax, [rdi + rdx]; sub eax, ecx; ret
> 0x00411567 : mov rbx, [r15 + 0x98]; mov rdi, rbx; call [rbx + 0x20]
> 0x0043c7a4 : mov rcx, [rsi + 0x10]; movdqu [rdi], xmm0; mov [rdi + 0x10], rcx; ret
> 0x0043c6b3 : mov rdx, [rsi + 5]; mov [rdi], rcx; mov [rdi + 5], rdx; ret
> 0x0041146d : mov rdx, [r15 + 0x40]; sub rdx, rsi; mov rdi, r15; call rax
> 0x00410b8e : mov rbp, [rdi + 0x98]; mov rdi, rbp; call [rbp + 0x20]
> 0x004114b0 : mov r13, [r15 + 0x98]; mov rdi, r13; call [r13 + 0x20]
> 0x00411568 : mov ebx, [rdi + 0x98]; mov rdi, rbx; call [rbx + 0x20]
> 0x004114b1 : mov ebp, [rdi + 0x98]; mov rdi, r13; call [r13 + 0x20]
> 0x0049aee8 : mov r8, [rax]; lea rax, [rax + 8]; mov [r10], r8; add rsp, 8; ret
> 0x0049eb34 : mov rsi, [r14 + 8]; mov rdx, [r15]; mov rdi, rbp; call rbx
> 0x0041036f : mov rax, [rdx + 0xd8]; mov rbx, rdx; mov rdi, rdx; call [rax + 0x60]
> 0x0046ce3a : mov rax, [r13 + 0xd8]; mov esi, ebx; mov rdi, r13; call [rax + 0x18]
> 0x00410c16 : mov r9, [rax + 0x10]; lea r8, [rsp + 0x18]; call [rbp + 0x18]
> 0x00481603 : mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00410370 : mov eax, [rdx + 0xd8]; mov rbx, rdx; mov rdi, rdx; call [rax + 0x60]
> 0x00410c17 : mov ecx, [rax + 0x10]; lea r8, [rsp + 0x18]; call [rbp + 0x18]
> 0x00441bf1 : mov rsi, [rax]; mov rdi, [rbp - 0x40]; mov r13d, ebx; mov rax, [rbp - 0x48]; call rax
> 0x00441bf2 : mov esi, [rax]; mov rdi, [rbp - 0x40]; mov r13d, ebx; mov rax, [rbp - 0x48]; call rax
> 0x00416282 : movzx esi, [r14]; mov rdi, r12; lea rbx, [r14 + 1]; call [rax + 0x18]
> 0x0049d808 : mov rcx, [rdx + 8]; mov edx, 1; sbb eax, eax; cmp [rsi + 8], rcx; cmova eax, edx; ret
> 0x0046c2bc : mov rax, [r12 + 0xd8]; movsxd rdx, ebx; mov rsi, r13; mov rdi, r12; call [rax + 0x38]
> 0x0046c641 : mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0046c98e : mov rax, [rdx]; lea rcx, [rax + 4]; mov [rdx], rcx; mov edx, [rax]; mov eax, edx; pop rbx; ret
> 0x0047c204 : mov r12, [rax]; mov rbx, rax; mov [rip + 0x2518ef], r15; mov rdi, r14; mov [rax], 0; call r13
> 0x004815ff : mov r14, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00481600 : mov esi, [rdi + 0x20]; mov r15, [rdi + 0x28]; mov eax, esi; mov rsp, r8; mov rbp, r9; nop ; jmp rdx
> 0x00411850 : mov rcx, [r15 + 0x10]; mov rdx, [r15 + 0x18]; sar r8, 2; lea rsi, [rax + 0x58]; call [r13 + 0x30]
> 0x00411851 : mov ecx, [rdi + 0x10]; mov rdx, [r15 + 0x18]; sar r8, 2; lea rsi, [rax + 0x58]; call [r13 + 0x30]
> 0x0045e0eb : mov rsi, [r15 + 0x18]; mov rdx, [r15 + 0x20]; mov rax, [rdi + 0xd8]; sub rdx, rsi; sar rdx, 2; call [rax + 0x38]
> 0x00411849 : mov rax, [r15 + 0xa0]; mov rcx, [r15 + 0x10]; mov rdx, [r15 + 0x18]; sar r8, 2; lea rsi, [rax + 0x58]; call [r13 + 0x30]
> 0x0046c639 : mov rdx, [rax + 0x40]; mov [rax + 8], rcx; mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x0046c63a : mov edx, [rax + 0x40]; mov [rax + 8], rcx; mov rcx, [rax + 0x10]; mov [rax], rdx; mov [rax + 0x10], rdx; mov [rax + 0x40], rcx; ret
> 0x00451b92 : movzx esi, [rax + 0xe]; mov [rdx + 0xe], sil; mov [rax + 0xe], cl; mov rdx, r13; mov rsi, [rsp + 0x20]; mov rdi, r12; call r15
> 0x0041035f : mov r8, [rdx + 0x88]; mov [r8 + 8], r9; add [r8 + 4], 1; mov rax, [rdx + 0xd8]; mov rbx, rdx; mov rdi, rdx; call [rax + 0x60]
> 0x00411556 : mov r14, [rax + 0x40]; mov rax, [rax + 0x50]; mov [rsp + 8], r14; mov [rsp], rax; mov rbx, [r15 + 0x98]; mov rdi, rbx; call [rbx + 0x20]