
What's at 0x050f? Looks like they set the rip register to that value.


That's the syscall instruction (0f 05).

It's not jumping to that address, it's injecting the exit syscall right under the instruction pointer. If you wanted to modify the register, you'd do `set $rip = 0x050f` without the `{short}`


So would this not work if the program's code is mapped read-only?


Debuggers typically bypass normal memory permissions.


"typically" being important. Here's an example of where they can't: https://gist.github.com/josephcsible/c8ce72a6084634fe56928c4...


I'm kind of confused as to what this is doing. I see that it just unmaps everything but the loop, but what does this have to do with strace?


There's only one page of executable memory left in the whole process. It doesn't contain any syscall instructions, and it's a shared mapping of a read-only file. That means the debugger can't point the instruction pointer at any existing syscall instructions, and it also can't create any new ones.


Right, but why would the debugger need to do this?


Because on Linux, those are the only ways to make another process execute a syscall. (Note that the technique I'm using wouldn't work on Windows, since there, you could use VirtualAllocEx to allocate new pages in other processes.)
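The argument in the two replies above (a tracer can only get the tracee to run a syscall by pointing rip at an existing kernel-entry instruction or by writing one into executable memory, and a shared read-only file mapping blocks the second option) can be turned into a small audit of a /proc/&lt;pid&gt;/maps snapshot. The code below is an added example, not the gist's or the commenters' code; the maps excerpts and page bytes are constructed, and the patchability rule encodes Linux ptrace write semantics (copy-on-write break on private mappings, EFAULT on non-writable shared ones).

```python
import re
from collections import namedtuple

# x86 kernel-entry opcodes: a ptrace-based tool that wants the tracee to run a
# syscall must point rip at one of these or write one into executable memory.
SYSCALL_OPCODES = {b"\x0f\x05": "syscall", b"\x0f\x34": "sysenter", b"\xcd\x80": "int 0x80"}

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ (\d+)\s*(.*)$")
Mapping = namedtuple("Mapping", "start end perms inode path")

def parse_maps(text: str) -> list:
    """Parse /proc/<pid>/maps text into Mapping tuples; malformed lines are skipped."""
    maps = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line)
        if m:
            maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], int(m[4]), m[5]))
    return maps

def debugger_can_patch(m: Mapping) -> bool:
    """PTRACE_POKETEXT ignores a missing PROT_WRITE on private mappings by breaking
    copy-on-write, but a shared mapping without write permission (such as a
    MAP_SHARED read-only file) rejects the write with EFAULT."""
    return "w" in m.perms or m.perms[3] != "s"

def find_syscall_gadgets(code: bytes, base: int) -> list:
    """Return sorted (address, mnemonic) pairs for every kernel-entry opcode in code."""
    hits = []
    for pattern, name in SYSCALL_OPCODES.items():
        off = code.find(pattern)
        while off != -1:
            hits.append((base + off, name))
            off = code.find(pattern, off + 1)
    return sorted(hits)

def injection_possible(mappings: list, pages: dict) -> bool:
    """True if a debugger could get the tracee to execute a syscall: some executable
    mapping is either patchable or already holds a kernel-entry instruction."""
    return any(debugger_can_patch(m) or bool(find_syscall_gadgets(pages.get(m.start, b""), m.start))
               for m in mappings if "x" in m.perms)

# Constructed samples, not taken from the gist: the locked-down end state, where the
# only executable page is a shared read-only file mapping holding a jmp-to-self loop,
# versus an ordinary process whose text segment is a private file mapping.
LOCKED_DOWN_MAPS = "00400000-00401000 r-xs 00000000 08:01 1234 /tmp/loop.bin\n"
LOCKED_DOWN_PAGES = {0x400000: b"\xeb\xfe" + b"\x90" * 14}  # jmp $ followed by nops
NORMAL_MAPS = "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/prog\n"
```

Feeding a live process's maps file and the bytes of its executable pages into `injection_possible` gives the same yes/no answer the thread reasons out by hand.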


They're not changing the rip register at all. They're setting the contents of the memory location pointed to by the rip register to 0x050f. The equivalent of "set {x}y = z" in C would be "*(x *)y = z;".




