qilingframework / qiling

A True Instrumentable Binary Emulation Framework

Home Page:https://qiling.io

Repository from Github https://github.com/qilingframework/qiling

Qiling offset values are different from GDB

rommarius opened this issue · comments

from qiling import Qiling
from qiling.const import QL_VERBOSE

class Tracer:
    def __init__(self):
        # argv is a list; rootfs is '/' here
        self.ql = Qiling(['./PATH_TO_ELF'], '/', verbose=QL_VERBOSE.DISABLED, multithread=True)
        self.ql.hook_code(self._disassemble_address)
        self.ql.run()

    def _disassemble_address(self, ql, address, size) -> None:
        print(hex(address))

0x7fffb7e4c1b5
0x7fffb7e4c1b6
0x4014e5
0x4014ea

When I iterate over all instructions, I don't get the same addresses as in gdb, and calculating an offset or calling a specified function in memory becomes impossible.
Can someone help me?

Thanks :)

When I stopped and modified my _disassemble_address function like:

def _disassemble_address(self, ql, address, size) -> None:
    if hex(address) = "0x401466":
        print(hex(address))

it still can't find the instruction that I need.

00007fffb7e4c1b3 [[mmap] libc.so.6     + 0x0381b3]  75 02                jne                  0x7fffb7e4c1b7
[=] [Thread 2000]	00007fffb7e4c1b5 [[mmap] libc.so.6     + 0x0381b5]  c9                   leave                
[=] [Thread 2000]	00007fffb7e4c1b6 [[mmap] libc.so.6     + 0x0381b6]  c3                   ret                  
[=] [Thread 2000]	00000000004014e5 [TCPForkSocketServer_64Bit + 0x0004e5]  be 01 00 00 00       mov                  esi, 1
[=] [Thread 2000]	00000000004014ea [TCPForkSocketServer_64Bit + 0x0004ea]  bf 11 00 00 00       mov                  edi, 0x11

There are only a few from the TCPForkSocketServer ELF file.

commented

Hi there.
The 7fff... addresses you see are typically the ELF interpreter or the loaded libc shared object; they are not part of your executable. Most of the time users will not be interested in debugging these. Because of that, Qiling attaches the debugger only after they run and when it is about to hit the primary binary entry point. If you have something specific on your mind, we can try and help you get there.

BTW - your hook has a bug: it compares between two operands with a single = instead of two: ==.
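As an added example that is not part of this thread: the code below parses the trace lines quoted above back into module-relative offsets (the numbers that line up with a static disassembly of the ELF) and builds a hook_code callback that ignores the 0x7fff... libc instructions and reports only code from the main binary. The image ranges are assumptions reconstructed from the trace (base = address - offset, end addresses guessed); the hook's (ql, address, size) signature is Qiling's, but Qiling itself is not needed to run this.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Sample input: the trace lines quoted in the issue above (Qiling disassembly output).
TRACE = """\
00007fffb7e4c1b3 [[mmap] libc.so.6     + 0x0381b3]  75 02                jne                  0x7fffb7e4c1b7
[=] [Thread 2000]\t00007fffb7e4c1b5 [[mmap] libc.so.6     + 0x0381b5]  c9                   leave
[=] [Thread 2000]\t00007fffb7e4c1b6 [[mmap] libc.so.6     + 0x0381b6]  c3                   ret
[=] [Thread 2000]\t00000000004014e5 [TCPForkSocketServer_64Bit + 0x0004e5]  be 01 00 00 00       mov                  esi, 1
[=] [Thread 2000]\t00000000004014ea [TCPForkSocketServer_64Bit + 0x0004ea]  bf 11 00 00 00       mov                  edi, 0x11
"""

# 16 hex digits of address, then "[", an optional "[mmap] " tag, the module, "+ 0x<offset>]"
LINE_RE = re.compile(r'([0-9a-f]{16}) \[(?:\[mmap\] )?(\S+)\s+\+ 0x([0-9a-f]+)\]')

class TraceEntry(NamedTuple):
    address: int   # runtime address in the emulated process
    module: str    # 'libc.so.6' or 'TCPForkSocketServer_64Bit'
    offset: int    # image-relative offset, as printed between the brackets

def parse_trace(text: str):
    """Parse Qiling trace lines into TraceEntry records; lines without a mapping are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(TraceEntry(int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
    return entries

# Image map derived from the trace (base = address - offset). End addresses are assumed;
# in a real run take the ranges from ql.mem.map_info rather than hard-coding them.
MAPS = [
    (0x401000, 0x402000, 'TCPForkSocketServer_64Bit'),
    (0x7fffb7e14000, 0x7fffb7fa8000, 'libc.so.6'),
]

def locate(address: int, maps=MAPS) -> Optional[Tuple[str, int]]:
    """Return (module, offset) for the mapping that contains address, or None."""
    for start, end, label in maps:
        if start <= address < end:
            return label, address - start
    return None

def make_main_image_hook(main_label: str, on_hit, maps=MAPS):
    """hook_code callback that fires only for code inside the main binary; libc code is ignored."""
    def hook(ql, address, size):
        hit = locate(address, maps)
        if hit is not None and hit[0] == main_label:
            on_hit(address, hit[1])
    return hook
```

Register the result with ql.hook_code(make_main_image_hook('TCPForkSocketServer_64Bit', print)) to see only main-binary addresses with their image offsets.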