Use the following steps to review the binary containing the decoder stub.
- Run the signature detection script against the binary by typing the following in the open Terminal session:
$ ./sigDetect.py ch09-revshell64-decoder
- Next, run objdump against the binary:
$ objdump -d -M intel ch09-revshell64-decoder
- After reviewing the output, let's look at the binary in EDB:
$ edb --run ./ch09-revshell64-decoder
- Next, press the Run button so that EDB hits the breakpoint on the main function within the binary.
- Left-click and highlight the call rdx instruction at 004004ef and press F2 on the keyboard to place a breakpoint.
- Press the Run button so that EDB hits the breakpoint.
- Step into the call rdx instruction by pressing the Step Into button.
- Press the Step Into button.
- Press the Step Into button.
- Place a breakpoint on the jmp 0x60105c instruction at the 00601055 address by highlighting that line and pressing F2 on the keyboard.
- Press the Step Into button.
- Review the Registers window, specifically the rcx register and the r10 register.
- Press the Step Into button.
- Continue to press the Step Into button and watch the instructions beginning at address 0060105c transform.
- Press the Run button to hit the breakpoint we set in step 10.
- Review the decoded instructions starting at address 0060105c. Do they look familiar?
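The transformation watched in the last steps, and the reason a static signature scan like the one in the first step can miss an encoded payload until the stub has run, as an added Python example (not the book's sigDetect.py and not the bytes of ch09-revshell64-decoder): it assumes the stub is a single-byte XOR loop driven by a counter and a key, and the signatures, key and byte buffer below are constructed.

```python
# Added example: emulate a single-byte XOR decoder stub over a buffer and scan the
# buffer for byte signatures before and after decoding. Everything here is
# constructed for illustration; it is not the book's script or binary.

# Constructed signatures: short opcode patterns a scanner might flag. Names are
# illustrative only.
SIGNATURES = {
    "xor_rax_rax": bytes.fromhex("4831c0"),   # xor rax, rax
    "syscall":     bytes.fromhex("0f05"),     # syscall
}

def scan(buf: bytes) -> dict:
    """Return {signature_name: [offsets]} for every signature found in buf."""
    hits = {}
    for name, pat in SIGNATURES.items():
        found, off = [], buf.find(pat)
        while off != -1:
            found.append(off)
            off = buf.find(pat, off + 1)
        if found:
            hits[name] = found
    return hits

def decode_trace(buf: bytes, key: int, length: int) -> list:
    """Emulate a decode loop one iteration at a time (assumption: a counter walks
    the first `length` bytes and XORs each with `key`, the way one would watch
    the bytes change while single-stepping). Returns the buffer after each step,
    so trace[-1] is the fully decoded buffer."""
    state = bytearray(buf)
    trace = []
    for i in range(length):
        state[i] ^= key
        trace.append(bytes(state))
    return trace

# Constructed input: a 6-byte buffer that was XORed with KEY. Decoding it yields
# 48 31 c0 90 0f 05, i.e. xor rax, rax; nop; syscall.
KEY = 0xAA
ENCODED = bytes.fromhex("e29b6a3aa5af")

def before_and_after() -> tuple:
    """Scan results on the encoded buffer and on the decoded buffer."""
    decoded = decode_trace(ENCODED, KEY, len(ENCODED))[-1]
    return scan(ENCODED), scan(decoded)

if __name__ == "__main__":
    pre, post = before_and_after()
    print("before decoding:", pre)    # no signature matches on the encoded bytes
    print("after decoding: ", post)   # matches appear only once the stub has run
```

Breaking on the instruction after the loop, as the steps above do, is the dynamic equivalent of looking at trace[-1]: the signature only becomes visible in memory after the counter has walked the whole buffer.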