4

I am fresh in using intel pin tool, and want to track a certain loop in a binary file, but i found in each run the address of the instructions changed in each run, how can i find a specific instruction or a specific loop even it change in each run ?

Edit 0:

I have the following address, which one of them is the RVA:( the first section of address(small address) are constant for each run, but the last section(big address) changed for each run)
Address loop_repeation No._of_Instruction_In_Loop
4195942    1    8
4195972    1    3
.......    ...    ...
140513052566480     1    2
......    ...    ...

Mos Moh
  • 317
  • 3
  • 15

1 Answers1

3

the address of the instructions changed in each run, how can i find a specific instruction or a specific loop even it change in each run ?

This is probably because you have ASLR enabled (which is enabled by default on Ubuntu). If you want your analyzed program to load at the same address in each run, you might want to:

1) Disable ASLR:

  • Disable it system-wide: sysctl -w kernel.randomize_va_space=0 as explained here.
  • Disable it per process: $> setarch $(uname -m) -R /bin/bash as explained here.

2) Calculate delta (offsets) in your pintool:

For each address that you manipulate, you need to use a RVA (Relative Virtual Address) rather than a full VA (Virtual Address).

Example:

  • Let's say on your first run your program loads at 0x80000000 (this is the "Base Address"), and a loop starts at 0x80000210
  • On the second run, the program loads at 0x90000000 ("Base Address") and the loops starts at 0x90000210

Just calculate the offsets of the loops from the Base Address:

  • Base_Address - Program_Address = offset
  • 0x80000210 - 0x80000000 = 0x210
  • 0x90000210 - 0x90000000 = 0x210

As both resulting offsets are the same, you know you have the exactly the same instruction, independently of the base address of the program.

How to do that in your pintool:

  • Given an (instruction) address, use IMG_FindByAddress to find the corresponding image (module).
  • From the image, use IMG_LowAddress to get the base address of the module.
  • Subtract the module base from the instruction: you have the RVA.

Now you can compare RVA between them and see if they are the same (they also must be in the same module).

Obviously this doesn't work for JITed code as JITed code has no executable module (think mmap() [linux] or VirtualAlloc() [windows])...

Finally there's a good paper (quite old now, but still applicable) on doing a loop detection with pin, if that can help you.

Neitsa
  • 7,693
  • 1
  • 28
  • 45
  • Thank you dear, i have the following address, which one of them is the RVA:( the first section of address(small address) are constant for each run, but the last section(big address) changed for each run) Address loop_repeation No._of_Instruction_In_Loop 4195942 1 8 4195972 1 3 ....... ... ... 140513052566480 1 2 ...... ... ... – Mos Moh May 31 '15 at 08:26
  • @MosMoh Could you edit and update your question with what you pasted here? It's hard to read if not formatted properly... Also, Did you tried to apply any of my suggestions? What doesn't work? – Neitsa Jun 01 '15 at 00:27
  • @ Neitsa, thanks dear, i edit the question, i hope it is clear now, i didn't try it, i still have misunderstanding, if number of executed instruction changed at run time( may be due to if condition of function call ) is this method still working?
    thanks for the paper i get it.     – Mos Moh Jun 01 '15 at 16:43