Closed: gordiig closed this 1 year ago
Hm, looking at your `readelf` output in https://github.com/Gallopsled/pwntools/issues/2266#issuecomment-1717766054, there are multiple segments with the same file offset but different virtual addresses and page flags, but only one of them is actually captured in the core dump file. What I'm wondering is whether those addresses were actually valid and were really mapped to the same memory? Then this info about finding the needle in an executable section is important: if you e.g. look for some gadget, the lookup using `core.string(addr)` might be misleading?
I'll try to replicate your setup and debug a bit.
PR for #2266 and #2269
Description
As far as I have researched ELF and your code, the memory layout looks something like this:
If that is true, you are reading more data than needed (`[offset:offset+memsz]` instead of `[offset:offset+filesz]`).
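To make the `p_filesz` versus `p_memsz` point concrete, here is an added example that is mine, not pwntools' code and not the PR author's. It builds a constructed ELF64 image with `struct`, parses its program headers, and compares slicing a PT_LOAD segment with `p_memsz` against slicing with `p_filesz` and zero-filling the remainder. The two segments, their addresses and the `A`/`B` payloads are assumptions chosen so that the over-read is visible: segment A has `p_memsz > p_filesz`, and segment B's file bytes start exactly where A's end.

```python
"""Added example (not pwntools code): the difference between slicing a PT_LOAD
segment with p_memsz and with p_filesz. The ELF image below is constructed
in memory so the script runs offline; layout, addresses and payloads are
assumptions chosen to make the over-read visible."""
import struct
from collections import namedtuple

ELF64_EHDR = '<16sHHIQQQIHHHHHH'   # Elf64_Ehdr, little-endian, 64 bytes
ELF64_PHDR = '<IIQQQQQQ'           # Elf64_Phdr, 56 bytes
PT_LOAD = 1
PF_R, PF_W, PF_X = 4, 2, 1

Phdr = namedtuple('Phdr', 'type flags offset vaddr paddr filesz memsz align')


def build_sample_elf():
    """Constructed ELF64 image with two PT_LOAD segments placed back to back
    in the file. Segment A has p_memsz > p_filesz (think .data followed by
    .bss); segment B's file bytes start right where A's file bytes end."""
    ehdr_size = struct.calcsize(ELF64_EHDR)
    phdr_size = struct.calcsize(ELF64_PHDR)
    a_off, a_data = 0x100, b'A' * 8
    b_off, b_data = a_off + len(a_data), b'B' * 8
    phdrs = [
        Phdr(PT_LOAD, PF_R | PF_W, a_off, 0x600100, 0x600100, len(a_data), 0x20, 0x1000),
        Phdr(PT_LOAD, PF_R,        b_off, 0x601000, 0x601000, len(b_data), len(b_data), 0x1000),
    ]
    e_ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\0' * 8   # ELFCLASS64, LE, SysV
    ehdr = struct.pack(ELF64_EHDR, e_ident, 2, 0x3e, 1, 0x400000, ehdr_size, 0,
                       0, ehdr_size, phdr_size, len(phdrs), 0, 0, 0)
    body = ehdr + b''.join(struct.pack(ELF64_PHDR, *p) for p in phdrs)
    body += b'\0' * (a_off - len(body))  # pad up to segment A's file offset
    return body + a_data + b_data


def parse_phdrs(elf):
    """Return the program headers of a little-endian ELF64 image."""
    fields = struct.unpack_from(ELF64_EHDR, elf, 0)
    ident = fields[0]
    if ident[:4] != b'\x7fELF' or ident[4] != 2 or ident[5] != 1:
        raise ValueError('not a little-endian ELF64 image')
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    return [Phdr(*struct.unpack_from(ELF64_PHDR, elf, phoff + i * phentsize))
            for i in range(phnum)]


def segment_bytes_naive(elf, ph):
    """The over-read the PR describes: p_memsz bytes taken from the file,
    so whatever is stored after the segment's file bytes leaks in."""
    return elf[ph.offset:ph.offset + ph.memsz]


def segment_bytes(elf, ph):
    """Correct read: p_filesz bytes from the file, zero-filled to p_memsz,
    which is how the loader materialises the segment (the tail is .bss)."""
    if ph.filesz > ph.memsz:
        raise ValueError('p_filesz exceeds p_memsz in %r' % (ph,))
    if ph.offset + ph.filesz > len(elf):
        raise ValueError('segment file bytes run past end of image (truncated?)')
    data = elf[ph.offset:ph.offset + ph.filesz]
    return data + b'\0' * (ph.memsz - ph.filesz)


if __name__ == '__main__':
    elf = build_sample_elf()
    for ph in parse_phdrs(elf):
        if ph.type != PT_LOAD:
            continue
        print('segment @%#x filesz=%#x memsz=%#x' % (ph.vaddr, ph.filesz, ph.memsz))
        print('  memsz slice :', segment_bytes_naive(elf, ph))
        print('  filesz+zero :', segment_bytes(elf, ph))
```

For segment A the `p_memsz` slice returns `AAAAAAAABBBBBBBB`, i.e. segment B's bytes appear at addresses that should read as zeros, while the `p_filesz` read returns the eight `A` bytes followed by 24 zeros. The same thing happens in a core dump, where mappings the kernel did not capture are recorded with `p_filesz` smaller than `p_memsz`: a `p_memsz` slice there silently returns the next segment's contents, which is exactly why a `string()`-style lookup on such an address can be misleading.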