Here I've repeatedly typed 'ni' to move to the function call that kicks off the mysterious behavior of the malware. You don't have to type 'ni' over and over again: if you just hit Enter at the (gdb) prompt, gdb repeats the previous command.

At this point, though, we don't want 'ni' at all. 'ni' (next instruction) treats a call as a single step: gdb plants a temporary breakpoint on the instruction after the call, 0x8048185, lets the entire callee run, and only gives you the prompt back when execution comes out the other side. Now look at what sits at 0x8048185: a hlt, followed by padding nops. hlt is a privileged instruction; a userland process that reaches it just faults. So whoever built this binary never expected the call to return, and the most likely reason is that the process exits somewhere inside it. Step over it with 'ni' and the malware runs to completion, gdb never reaches its temporary breakpoint, and the process is gone along with everything we wanted to watch. So we type 'si' instead: 'step instruction'. That follows the call into the callee and stops on its first instruction, at 0x804d23f, with control still in our hands. Note also the push of 0x804a540 immediately before the call: that is the argument the callee is about to receive, and it is worth a look once we're inside.

┌─Register group: general──────────────────────┐
│eax     0x0          0                        │
│ecx     0xffffc944   -14012                   │
│edx     0x0          0                        │
│ebx     0x0          0                        │
│esp     0xffffc920   0xffffc920               │
│ebp     0x0          0x0                      │
│esi     0x1          1                        │
│edi     0x0          0                        │
│eip     0x8048180    0x8048180                │
│eflags  0x282        [ SF IF ]                │
│cs      0x23         35                       │
│ss      0x2b         43                       │
│ds      0x2b         43                       │
┌──────────────────────────────────────────────┐
│   0x804817b   push   $0x804a540              │
│ > 0x8048180   call   0x804d23f               │
│   0x8048185   hlt                            │
│   0x8048186   nop                            │
│   0x8048187   nop                            │
│   0x8048188   nop                            │
│   0x8048189   nop                            │
│   0x804818a   nop                            │
│   0x804818b   nop                            │
│   0x804818c   nop                            │
│   0x804818d   nop                            │
│   0x804818e   nop                            │
│   0x804818f   nop                            │
└──────────────────────────────────────────────┘
native process 28422 In: L??   PC: 0x8048180
0x0804816c in ?? ()
(gdb) ni
0x0804816d in ?? ()
(gdb) ni
0x0804816e in ?? ()
(gdb) ni
0x0804816f in ?? ()
(gdb) ni
0x08048174 in ?? ()
(gdb) ni
0x08048179 in ?? ()
(gdb) ni
0x0804817a in ?? ()
(gdb) ni
0x0804817b in ?? ()
(gdb) ni
0x08048180 in ?? ()
(gdb)
[0] <h 19:bash 20:vim 21:gdb*   Battery 100% | Tue 2021-12-14 07:33 -05
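To make the same step reproducible without hammering Enter, here is a gdb command file that drives the session shown above. It is an added example, not part of the original write-up: it assumes the sample lives at ./malware (an assumed path), that the process is started with starti, and it uses only the addresses visible on the screen. The catch syscall line is the safety net for the failure mode described above: if you do step over a call that never returns with 'ni', gdb stops on the exit attempt instead of letting the process vanish.

```gdb
# step_into.gdb: added example, not code from the original write-up.
# run as:  gdb -q -batch -x step_into.gdb ./malware   (./malware is an assumed path)
set pagination off
set disassembly-flavor att          # match the AT&T syntax shown in the TUI

# safety net: if a 'ni' ever runs a call that never returns, stop the moment
# the process tries to leave instead of losing it and its memory.
catch syscall exit exit_group

# stop on the call itself (address taken from the disassembly window above)
break *0x8048180
starti
continue

# the argument pushed just before the call, and the top of the stack around it
printf "arg on stack: 0x%08x\n", *(unsigned int *)$esp
x/4wx $esp

# 'si', not 'ni': follow the call into the callee and show where we landed
stepi
printf "now in callee at %p\n", $pc
x/8i $pc
info registers eax ecx edx ebx esp ebp esi edi eip
```

Once the script has dropped you on the callee's first instruction you can keep going by hand with plain Enter, or add more stepi/x/i pairs to the file; if you later decide to let the callee run with finish or ni, the catchpoint is what gives you the prompt back should it turn out to be the exit path.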