Now that we're ready to continue, work through this portion of the analysis with the following steps:
1. Open a new Terminal tab and start a listener on TCP port 31337 in the new session (-l listen, -n no DNS lookups, -v verbose, -p local port). Leave it running for the rest of the exercise:
$ nc -lnvp 31337
2. In EDB, review the Registers and Stack windows, then press the Step Into button to execute the syscall instruction.
3. Click Step Into repeatedly, stopping when the next syscall instruction is reached but before it executes. Review the Registers window after each instruction.
4. Click Step Into to execute that syscall instruction.
5. Repeat steps 3 and 4 two more times.
6. Next, click Step Into repeatedly, stopping before the PUSH RBX instruction at address 0x400132 executes. Review the Stack and Registers windows.
7. Click Step Into once more to execute PUSH RBX, and review the stack.
8. Select the POP RBX instruction at address 0x400146 and press F2 to set a breakpoint on it.
9. Click Step Into repeatedly, stopping before the dec byte [r10] instruction at address 0x40013e executes. Review the Registers and Stack windows.
10. Click Step Into, stopping before the loop 0x40013e instruction executes. Review the Registers and Stack windows.
11. Click Step Into once more to execute the loop instruction (loop decrements RCX and jumps back to 0x40013e while RCX is non-zero).
12. Repeat steps 10 and 11 three more times, reviewing the Registers and Stack windows each time.
13. Finally, press the Run button to let the rest of the loop execute; EDB pauses at the breakpoint set in step 8. Review the Registers and Stack windows.
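While reviewing the Registers and Stack windows before each syscall in steps 2 to 5, the socket address the shellcode has prepared appears as a little-endian qword, not as a readable IP and port. The following Python helper is an added example, not part of the lab material or of EDB, for turning such a qword back into its sockaddr_in fields and for computing the qword you expect to see. It assumes the shellcode connects back to the nc listener from step 1 on 127.0.0.1:31337 (the port follows from the listener; the loopback address is an assumption) and that the first 8 bytes of the struct are laid out as sa_family, sin_port, sin_addr, with the 8 bytes of sin_zero following.

```python
import socket
import struct


def sockaddr_in_bytes(ip: str, port: int) -> bytes:
    """Build the 16-byte struct sockaddr_in as it sits in memory on x86-64 Linux:
    sa_family (host order, 2 bytes), sin_port (network order, 2 bytes),
    sin_addr (network order, 4 bytes), sin_zero (8 zero bytes)."""
    return (struct.pack("<H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)


def as_stack_qword(buf: bytes) -> int:
    """Interpret the first 8 bytes as the little-endian qword a register or the
    Stack window shows once those bytes have been loaded or pushed."""
    return struct.unpack("<Q", buf[:8])[0]


def decode_stack_qword(value: int):
    """Inverse: take a qword seen in the Registers or Stack window and recover
    (family, port, ip). Useful when the shellcode builds the struct in a register
    before pushing it."""
    raw = struct.pack("<Q", value)
    family = struct.unpack("<H", raw[0:2])[0]   # sa_family is host byte order
    port = struct.unpack("!H", raw[2:4])[0]     # sin_port is network byte order
    ip = socket.inet_ntoa(raw[4:8])             # sin_addr is network byte order
    return family, port, ip


if __name__ == "__main__":
    # Constructed input: the listener address assumed for this lab.
    sa = sockaddr_in_bytes("127.0.0.1", 31337)
    q = as_stack_qword(sa)
    print("sockaddr_in bytes:", sa.hex(" "))
    print("qword as shown in a register / on the stack: 0x%016x" % q)
    print("decoded back:", decode_stack_qword(q))
```

When you see the port in a register on its own, remember it is stored in network byte order, so 31337 (0x7a69) shows up as the bytes 7a 69 in memory and reads as 0x697a if the debugger displays it as a little-endian word.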