How it works...

In step 1, we launch EDB against the polymorphed binary and prepare for the dynamic analysis phase. Then, in step 2, we begin to execute each instruction, one at a time, stopping before the first system call:

As EDB executes the first six instructions, RAX, RSI, and RDI are initialized to 0. Starting with the instruction at 400092, as shown in the preceding screenshot, the RSI register is increased by 1, and this is followed by two inc dil instructions that increase the value in RDI by two in total. At 40009b, the 0x2a value is copied into AL and then decreased at 40009d so that AL contains the 0x29 value. The result of all of these instructions executing can be seen in the following screenshot:

We should be aware by now that this block of code sets up the socket system call with RAX holding the 0x29 (41) system call number, RDI holding 0x2 (2) for AF_INET, RSI holding 0x1 (1) for SOCK_STREAM, and RDX holding 0x00 (0), which is the Internet Protocol (IP) number given in /etc/protocols. Once the syscall instruction is executed in step 3, we can see the impact it has on these registers. The first thing we notice is that RAX contains the 0x3 value. This is the file descriptor return value for the socket system call. A -1 return value would indicate an error, but, as we can see, we received 0x3 (3), indicating the socket was created successfully:

In step 4, we place a breakpoint at 4000fb before executing the next several instructions. First, we can see that the R8 register is initialized to 0 and then the R8 register gets the value of RAX copied into it. At this point, the R8 register holds the file descriptor for the socket system call. The last two instructions in the following screenshot initialize RAX:

As we examine the Registers window, we start to see the effects of these four instructions. RAX is 0, RBX has the 0x3 (3) value since we copied RAX into it, and then the XOR instruction initialized RAX to 0. In case this still isn't clear, the instructions at 4000a7 and 4000aa accomplish the same thing as the single instruction XOR RAX, RAX, only with two instructions instead of one:

The next two instructions we execute place the 0x1111118a value onto the stack at a location 4 bytes below the current stack pointer. Remember, the stack grows toward lower memory addresses. The instruction at 4000b5 then subtracts 0x1010100b from 0x1111118a:

Here's what the stack looks like after the instruction at 4000ad. Note that this part of the display is grayed out because, technically, this value was put on top of the stack, but the stack pointer hasn't been adjusted yet:

As a result of the instruction at 4000b5, we can see that the value above the stack has been changed, as shown in the following screenshot. This should be familiar once converted, because it's the 127.1.1.1 IP address:

The next two instructions perform a similar task by copying the values to an area of memory just above the top of the stack and then adding to that value:

The result of the instruction at 4000bd is shown in the following screenshot:

Once the ADD instruction at the 4000c4 address is executed, the changed value should resemble what's shown in the following screenshot. Converting 0x697a (don't forget to also convert from Little Endian) gives us the 31337 value which, if we recall, is the port number to which the non-polymorphed version connected:

The next four instructions accomplish a similar task by manipulating bytes just above the top of the stack in memory:

The results of the instructions at 4000cb and 4000cf are shown in the following screenshot:

The instruction at 4000d4 increases the value at [RSP-8] by 1, as shown in the following screenshot:

Finally, the last instruction in this block at 4000d8 is executed, and the stack pointer is adjusted. EDB uses color highlighting to represent the actual stack as opposed to memory that's been reserved for stack use, as shown in the following screenshot:

Continuing with step 5, we see the next block of instructions, as shown in the following screenshot. First, RAX is initialized to 0 and the 0x2c value is copied into AL:

Here's what the Registers window should look like after the instructions at 4000dc and 4000df have been executed:

The instructions at 4000e1 and 4000e3 reduce the value of AL by two, resulting in the following Registers window output. Notice that RAX is set to 0x2a (42), which is the connect system call:

Finally, before the system call is executed, there is more to set up. First, the stack pointer is copied into RSI. Next, RDX is initialized to 0, and so is RDI. R8 is copied into RDI, which is the socket file descriptor from the socket system call we saw earlier. At 4000f1, RCX is initialized to 0, and then 0x10 (16) is copied into CL, as follows:

Before the instruction at 4000f7 is executed, the Registers window looks as follows:

After the instruction at 4000f7 is executed, we see RDX increase by one, as follows:

When the instruction at 4000f9 is executed, RCX decreases by one, and the instruction pointer points back to the instruction at 4000f7, as shown in the following screenshot:

The next time the entire loop runs through, we see RDX increased by 1, RIP pointing to 4000f7, and RCX decreased by 1 again. The following is what we accomplish with step 6:

In step 7, we play the loop through until our breakpoint and make note of the Registers window after the loop runs its course. Notice that RCX is 0, RDX is 0x10 (16), and RIP points to the next instruction, which is the syscall instruction at 4000fb:

Here's what the stack looks like before the syscall is executed. Between the preceding screenshot and the following screenshot, we should see that RAX is set with 0x2a, which is the connect system call. The connect system call requires the socket file descriptor, which is in RDI. Next, it requires a struct, which is set in RSI as an address on the stack, pointing to the IP address and port.

Finally, RDX is set to 0x10 (16), which is the length of the address and port:
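As an added illustration (not part of the original text or the book's own code), the following Python rebuilds the 16-byte sockaddr_in that the walkthrough watches the shellcode assemble below RSP, using the constants recovered above, and parses it the way the kernel would. The family value of 2 (AF_INET) after the inc at 4000d4, and the exact stack layout (family at [RSP-8], port at [RSP-6], address at [RSP-4]), are assumptions, since the screenshots are not reproduced here.

```python
import socket
import struct

# x86-64 Linux system call numbers named in the walkthrough.
SYSCALLS = {0x29: "socket", 0x2A: "connect"}


def mask(value, bits):
    """Truncate to a register or memory width, as the CPU does."""
    return value & ((1 << bits) - 1)


def decode_syscall(al_load, decrements):
    """Emulate 'mov al, <load>' followed by <decrements> 'dec al' instructions."""
    al = mask(al_load - decrements, 8)
    return al, SYSCALLS.get(al, "unknown")


def build_sockaddr(ip_store, ip_sub, port_word, family_after_inc):
    """Reconstruct the struct the shellcode builds just above the top of the stack.

    ip_store / ip_sub: the dword written at [RSP-4] and the value subtracted from it
                       (page: 0x1111118a and 0x1010100b).
    port_word:         the 16-bit value the debugger displays after the ADD (page: 0x697a,
                       read as little-endian, so the bytes in memory are 7a 69).
    family_after_inc:  the byte at [RSP-8] after the inc at 4000d4 (assumed 2 = AF_INET).
    """
    sin_family = struct.pack("<H", mask(family_after_inc, 16))
    sin_port = struct.pack("<H", mask(port_word, 16))        # bytes as laid out in memory
    sin_addr = struct.pack("<I", mask(ip_store - ip_sub, 32))  # dword stored little-endian
    sin_zero = b"\x00" * 8                                     # padding to the 0x10 length in RDX
    return sin_family + sin_port + sin_addr + sin_zero


def parse_sockaddr_in(buf):
    """Parse a sockaddr_in: family in host order, port and address in network order."""
    if len(buf) != 16:
        raise ValueError("connect() expects a 16-byte sockaddr_in here")
    family = struct.unpack("<H", buf[0:2])[0]
    port = struct.unpack("!H", buf[2:4])[0]
    addr = socket.inet_ntoa(buf[4:8])
    return {"family": family, "port": port, "addr": addr}


if __name__ == "__main__":
    print(decode_syscall(0x2A, 1), decode_syscall(0x2C, 2))
    print(parse_sockaddr_in(build_sockaddr(0x1111118A, 0x1010100B, 0x697A, 2)))
```

Running it reproduces the two syscall numbers (0x29 socket, 0x2a connect) and a struct that decodes to 127.1.1.1:31337, which is the check an analyst would use to confirm the polymorphed sample still targets the same endpoint as the original.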
