angr / tracer

Utilities for generating dynamic traces
BSD 2-Clause "Simplified" License

QEMURunner base_address mismatch #71

Closed bannsec closed 5 years ago

bannsec commented 5 years ago

Running QEMURunner on a test binary from the recent UTCTF (Jendy's), I noticed that the base_address was off.

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

    import tracer

    # inp is the input fed to the binary (not shown in the issue)
    t = tracer.QEMURunner('pwnable', inp)
    hex(t.base_addr)
    # 0x400000
    hex(t.trace[0])
    # 0x4000802090

    t._p.loader
    # <Loaded pwnable, maps [0x400000:0x5008000]>

    t._p.loader.describe_addr(0x4000802090)
    # 'not part of a loaded object'

rhelmot commented 5 years ago

Those addresses are the emulated ld-linux.so.2. If you look further in the trace you will find stuff at 0x400000.

Unless you're using archr, you can't expect addresses from a trace to correspond to addresses in angr.
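Following rhelmot's point that the early trace entries belong to the emulated ld-linux.so.2, here is an added example (not code from the issue or the tracer project) that walks a trace to find where it first lands inside the binary's own map and summarises what the remaining entries hit. The address ranges are constructed from the values quoted above; in a real session they would come from `t._p.loader` (for instance `main_object.min_addr` / `max_addr`), which this example does not import.

```python
# Added example (not from the issue or the tracer project): given a QEMU trace
# and the address ranges angr's loader reports, find where the trace first
# enters the analysed binary and summarise what the rest of the trace hits.
# In a real session the ranges come from t._p.loader; here they are constructed
# from the values quoted in the issue.

def classify_trace(trace, loader_maps, main_range):
    """Return (first_index_in_main, counts) for a list of trace addresses.

    loader_maps: list of (lo, hi) ranges of objects angr loaded (hi exclusive).
    main_range:  (lo, hi) of the main binary itself.
    Addresses outside every loaded map are what describe_addr() reports as
    'not part of a loaded object', e.g. the emulated ld-linux.so.2.
    """
    counts = {"main": 0, "other_loaded": 0, "unmapped": 0}
    first_main = None
    for i, addr in enumerate(trace):
        if main_range[0] <= addr < main_range[1]:
            counts["main"] += 1
            if first_main is None:
                first_main = i
        elif any(lo <= addr < hi for lo, hi in loader_maps):
            counts["other_loaded"] += 1
        else:
            counts["unmapped"] += 1
    return first_main, counts


# Constructed sample: emulated-loader addresses, one hit in another loaded
# object, then addresses inside the non-PIE binary at 0x400000.
SAMPLE_TRACE = [0x4000802090, 0x4000802094, 0x4400010,
                0x401040, 0x401065, 0x4000803000, 0x401070]
MAIN_RANGE = (0x400000, 0x402000)       # constructed size for the example
LOADER_MAPS = [(0x400000, 0x5008000)]   # from "<Loaded pwnable, maps [...]>"

if __name__ == "__main__":
    idx, counts = classify_trace(SAMPLE_TRACE, LOADER_MAPS, MAIN_RANGE)
    if idx is None:
        print("trace never enters the main binary")
    else:
        print("first in-binary trace entry: index", idx, hex(SAMPLE_TRACE[idx]))
    print(counts)
```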