In step 1, we run netcat in a new Terminal tab to catch the socket connection, and then, in step 2, we execute the system call instruction. After the system call is made at 4000fb, the Registers window will look like the one shown in the following screenshot. RAX is set to 0, indicating that the connect system call succeeded. We can also check our Terminal tab running netcat to see that the connection did succeed:
The next block of instructions we analyze looks as follows. In step 3, we run through each instruction, reviewing the Registers window:
After executing each instruction before the syscall, we see the following in the Registers window. RAX is set up with the 0x21 (33) value, which is the dup2 system call number; RDI holds the socket file descriptor from the socket system call we examined earlier, and RSI is set up with the 0x2 (2) value, otherwise known as standard error:
In step 4, we execute the syscall instruction at 40010b and move on to the next block of instructions. We can see that this block performs a similar system call:
Before the syscall instruction is executed, we can see that our Registers window looks as follows. RAX is set with the 0x21 (33) value, RDI is set with the 0x3 (3) value, which is the socket file descriptor, and RSI is set with 0x1 (1), which is the value for standard out:
The next block of instructions works in a similar fashion; only this time, RSI is set to 0, which is the value for standard in, before the system call is executed.
In step 6, we continue to step into the next block of instructions, stopping before the instruction at 400132 is executed, and then we review the registers and stack. Our final block of instructions looks as follows:
The Registers window looks as follows before the instruction at 400132 is executed. Notice that RBX contains the 0x6974626330303030 value:
The stack looks as follows before the instruction at 400132 is executed with the NULL byte from RAX at the top of the stack:
In step 7, we execute the instruction at 400132 and examine the stack again. We can see the value from RBX on the top of the stack at 7fffc5a63b08 and the NULL byte from RAX at 7fffc5a63b10:
Next, in step 8, we place a breakpoint at 400146, which is the instruction immediately following the loop instruction. We continue to execute the next several instructions in step 9, which initialize R10 to 0, copy the stack pointer RSP into R10, initialize RCX to 0, and copy 0x8 into CL, respectively. After these instructions execute, the Registers window looks as follows:
One thing we should notice is that RSP and R10 are the same value and both point to the top of the stack. In step 9, we execute the instructions at 40013e and 400141, which decrements the value pointed to by the address in R10 by one, and then increments the address in R10 by one. The Registers window should look as follows:
As we examine the stack, we notice that a byte on top of the stack has been altered. The 0x6974626330303030 value is now 0x697462633030302f:
Step 11 has us execute the loop instruction, which changes program control back to the instruction at 40013e and decrements RCX by one. Step 12 has us repeat steps 10 and 11 three more times, resulting in the loop block executing a total of four times.
Notice that RCX is now set to 0x4 because the loop block has executed a total of four times. We can also see that R10 has been incremented by four. The value at the top of the stack has undergone some changes as well, as we can see in the following screenshot. The original value of 0x6974626330303030 is now 0x697462632f2f2f2f:
In step 13, we execute the remainder of the loop, pausing on the breakpoint we set at 400146. If we examine the stack after the loop has been executed, we will see that the top of the stack has been deobfuscated and shows us the ////bash value:
