If objdump doesn't show the definitive virtual addresses then how can I get the real definitive virtual addresses in a program?

Question

I'm on an Ubuntu ( 22.04.3 ) x86_64 system. I have this little C program in a file named test.c :

void fx1(){
    int b = 20;
    b++;
}

int main(){
    int a = 10;
    a++;
    fx1();
}

I've compiled this program with "gcc test.c -o test" and then ran "objdump -d test" and I got this :

0000000000001129 <fx1>:
    1129:   f3 0f 1e fa             endbr64 
    112d:   55                      push   %rbp
    112e:   48 89 e5                mov    %rsp,%rbp
    1131:   c7 45 fc 14 00 00 00    movl   $0x14,-0x4(%rbp)
    1138:   83 45 fc 01             addl   $0x1,-0x4(%rbp)
    113c:   90                      nop
    113d:   5d                      pop    %rbp
    113e:   c3                      ret    

000000000000113f <main>:
    113f:   f3 0f 1e fa             endbr64 
    1143:   55                      push   %rbp
    1144:   48 89 e5                mov    %rsp,%rbp
    1147:   48 83 ec 10             sub    $0x10,%rsp
    114b:   c7 45 fc 0a 00 00 00    movl   $0xa,-0x4(%rbp)
    1152:   83 45 fc 01             addl   $0x1,-0x4(%rbp)
    1156:   b8 00 00 00 00          mov    $0x0,%eax
    115b:   e8 c9 ff ff ff          call   1129 <fx1>
    1160:   b8 00 00 00 00          mov    $0x0,%eax
    1165:   c9                      leave  
    1166:   c3                      ret

I know that these addresses are not definitive because of ASLR and other stuff. So my question: how can I get the definitive virtual addresses for this program ?

Just take the address of your function or variable in your program. The addresses are not known before the program is loaded for execution. What do you want to do with the addresses outside of your program? — Gerhardh, Aug 16 '23 at 09:32
@Gerhardh, I know I can take the address of a function or variable in my C program. However I wanna know every real virtual address corresponding to the ones shown by the objdump command. Is there any tool for doing this in Linux ? — alessio solari, Aug 16 '23 at 09:37
If I understand you question correctly, you would like to know what the value of %rpb is. First the value of the base pointer will change with every function you are in, as well as with every invocation of your program. If you really need to know these values, you could run it under a debugger (gdb) and use commands to get information on the registers (in gdb, use info reg). However when doing reverse engineering, what I care about is noting that -4(%rpb) is where the variable 'b' is located in the function 'fx1' — thurizas, Aug 16 '23 at 10:07
"_I know that these addresses are not definitive because of ASLR and other stuff._": As you are says, there are no definitive addresses with ASLR. They are different in every run of the program. So what exactly are you looking for? — user17732522, Aug 16 '23 at 10:16
@user17732522, I'm looking for the final virtual addresses after the loading process. Basically the actual virtual addresses as seen at run time. The ones the RIP register refers to when the program is running — alessio solari, Aug 16 '23 at 10:34
@alessiosolari You can attach a debugger to the process and let it show you the address of any given function/instruction. — user17732522, Aug 16 '23 at 10:54
"I'm looking for the final virtual addresses after the loading process", so look for them after loading the process instead of before. — Erik Eidt, Aug 16 '23 at 11:41
In principle, you first need to find the base address in the ELF file by looking at the program headers with `objdump -p test` and looking for the `LOAD` header with the lowest `vaddr`, and then if necessary round it down to the page size. Then you need the base address where the process is loaded by looking for the lowest address in the /proc//maps file. Then to find the virtual address of a function or object in memory, subtract the ELF base address and add the loaded base address. — Ian Abbott, Aug 16 '23 at 12:46
@Ian Abbott, isn't there a less manual way to do this ? A tool that basically does the same as objdump but instead it prints the actual runt time virtual addresses ? — alessio solari, Aug 16 '23 at 12:55
You can script GDB. But the base address is randomized (unless you disable ASLR like GDB does by default), so there isn't a unique answer for run-time virtual addresses; that's the whole point of ASLR. You have to check each time you run the program. A tool that printed an address from one run would be incorrect for a different run. (Again, unless you're running with ASLR disabled for that process or in general, so the kernel always picks the same address when relocating. e.g. `0x000055555555....` on x86-64 Linux.) — Peter Cordes, Aug 16 '23 at 16:23
Generally you'd start the process in GDB and `p &main` or `p &_start` or something. Assuming those are near the start of the `.text` or `.text.init` section, that's the base address. Or for any address you want to know, just print it in GDB once you have a running process. You don't need to manually do what @IanAbbott suggested unless you want to avoid GDB. — Peter Cordes, Aug 16 '23 at 16:27
@Peter Cordes, https://stackoverflow.com/questions/76915234/function-address-in-executable-inspected-by-objdump-not-matching-the-address?noredirect=1#comment135592601_76915234 — alessio solari, Aug 16 '23 at 16:29
In theory, a tool could be written that looks for symbols in /proc//exe (if the symbols have not been stripped) and translates the compile-time virtual addresses to the live virtual addresses. It's more complicated if you also need to resolve symbols in dynamically loaded shared libraries. — Ian Abbott, Aug 16 '23 at 16:52
It might help if you answered our question what you want to do with that address information. — Gerhardh, Aug 16 '23 at 18:51

If objdump doesn't show the definitive virtual addresses then how can I get the real definitive virtual addresses in a program?

0 Answers0