October 22, 2017

A function address of the shared library in a process

❑ File overview
❍ The 32-bit ELF "bf" from pwnable.kr is used. It links one shared library, "bf_libc.so".
❍ .plt : 08048430
❍ .got.plt : 0804a000
[Figure: changed function address of the shared library]

The address of "fgets" from the shared library changes between the file on disk and the running process.

Before execution, the "fgets" GOT entry points back into the PLT (0x8048450); after execution, it holds the resolved "fgets" address (0xf7e65620) written into the GOT.

[Figure: valid function address of the shared library]

The "fgets" address (0xf7e65620) in the GOT is set only while the process is running; once the process has finished, the entry (0x08048456) is not the real address.

This is because the shared library must be loaded into the process's memory before the address of "fgets" can be determined.

[Figure: function offset in the shared library]

The base address of the loaded library (bf_libc.so) is the function's GOT value minus the function's offset within the library. The offset (0x5d540) can be read from the shared library, as shown in the image above.

In this case, the base address of the loaded shared library is 0xf7e080e0(0x08048456-0x5d540).
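The base-address arithmetic above, as an added example that is not part of the original post: a small Python script built on the post's own figures (.plt at 0x08048430, .got.plt at 0x0804a000, the "fgets" GOT entry before and after execution, the 0x5d540 offset). The function names, the unresolved/resolved classification and the page-alignment sanity check are assumptions introduced here, not something the post describes.

```python
# Added example, not code from the original post. It takes a "fgets" GOT entry
# captured from the running pwnable.kr "bf" process and the symbol offset read
# from bf_libc.so, tells whether lazy binding has resolved the entry yet, and
# if so computes the base address at which the library was mapped.

PAGE_SIZE = 0x1000  # shared libraries are mmap()'d at page granularity

# Layout of the "bf" binary as given in the post (32-bit, non-PIE).
PLT_START = 0x08048430      # start of .plt
GOT_PLT_START = 0x0804A000  # start of .got.plt


def got_state(got_value: int) -> str:
    """Classify a .got.plt entry.

    Before the first call, an entry points back into the binary's own PLT stub
    (e.g. 0x08048456 = PLT entry 0x8048450 + 6), so a value inside the
    executable image means "not resolved yet". Once the function has been
    called, the entry holds an address inside the mapped library.
    """
    if PLT_START <= got_value < GOT_PLT_START:
        return "unresolved"
    return "resolved"


def library_base(got_value: int, symbol_offset: int) -> int:
    """Base address of the library = resolved GOT value - symbol offset.

    symbol_offset is the symbol's value in the library's dynamic symbol table
    (0x5d540 for fgets in bf_libc.so, per the post).
    """
    if got_state(got_value) != "resolved":
        raise ValueError(
            f"GOT entry {got_value:#010x} still points into the PLT; "
            "the function has not been called yet, so the library base is unknown"
        )
    return got_value - symbol_offset


def is_page_aligned(addr: int) -> bool:
    """mmap() places a library at a page boundary; use this as a sanity check
    that the GOT value and the symbol offset come from the same library build."""
    return addr % PAGE_SIZE == 0


def symbol_address(base: int, symbol_offset: int) -> int:
    """Once the base is known, any other symbol of the same library lives at
    base + its offset (the same arithmetic the post applies to fgets)."""
    return base + symbol_offset


if __name__ == "__main__":
    # Figures from the post: GOT entry before/after execution and the fgets offset.
    before, after, fgets_offset = 0x08048456, 0xF7E65620, 0x5D540
    print(f"before execution: {before:#010x} -> {got_state(before)}")
    print(f"after execution : {after:#010x} -> {got_state(after)}")
    base = library_base(after, fgets_offset)
    print(f"bf_libc.so base : {base:#010x} (page aligned: {is_page_aligned(base)})")
    # Round trip: base plus offset must give back the GOT value.
    assert symbol_address(base, fgets_offset) == after
```

The classification matters when the entry is captured from a process that has not yet called the function (lazy binding leaves the PLT stub address in place, exactly the 0x08048456 seen after the process exits), because subtracting an offset from that value yields a meaningless number. The page-alignment check is the usual way to catch an offset taken from a different build of the library than the one the process actually mapped: a real mmap() base always ends in 000.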

Check environment
OS: Ubuntu 15.10 (64bit)
CPU: Intel i7-4710MQ 2.50GHz
SHELL: GNU bash (4.3.42)
GPU: Gallium 0.4 on SVGA3D
RAM: 984MiB