First, open the IDA, dragged into the program
you can see a very simple procedure.
getshell function is as follows:
getshell function addresses:
a breakpoint in a function of the hello:
Debug to read, it is determined spill point.
payload as follows: