Open rommarius opened 2 weeks ago
When I stopped, I modified my `_disassemble_address` function like this:

```python
def _disassemble_address(self, ql, address, size) -> None:
    if hex(address) = "0x401466":
        print(hex(address))
```

It still can't find the instruction that I needed:
```
00007fffb7e4c1b3 [[mmap] libc.so.6 + 0x0381b3] 75 02 jne 0x7fffb7e4c1b7
[=] [Thread 2000] 00007fffb7e4c1b5 [[mmap] libc.so.6 + 0x0381b5] c9 leave
[=] [Thread 2000] 00007fffb7e4c1b6 [[mmap] libc.so.6 + 0x0381b6] c3 ret
[=] [Thread 2000] 00000000004014e5 [TCPForkSocketServer_64Bit + 0x0004e5] be 01 00 00 00 mov esi, 1
[=] [Thread 2000] 00000000004014ea [TCPForkSocketServer_64Bit + 0x0004ea] bf 11 00 00 00 mov edi, 0x11
```

There are only a few from the TCPForkSocketServer ELF file.
Hi there.
The `7fff...` addresses you see are typically the ELF interpreter or the loaded libc shared object; they are not part of your executable. Most of the time users will not be interested in debugging these. Because of that, Qiling attaches the debugger only after they run and when it is about to hit the primary binary entry point. If you have something specific on your mind, we can try and help you get there.
BTW - your hook has a bug: it compares between two operands with a single `=` instead of two: `==`.
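The two points in the reply above (the `=` vs `==` comparison in the hook, and the `[mmap]`-labelled libc addresses not belonging to the main binary) can be checked offline. The following is an added example, not code from the issue or from Qiling: it parses the trace lines quoted in the issue (embedded here as constructed sample input), separates main-binary instructions from mmap'd libraries, and drives a corrected hook callback with the same `(ql, address, size)` signature the issue's `_disassemble_address` uses. Qiling itself is not imported; the `ql` argument is a placeholder and the `[mmap]` prefix is assumed from the trace format shown above.

```python
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

# Constructed sample: the trace lines quoted in the issue, in the format
# Qiling's disassembly output prints them (address, module + offset, bytes, asm).
TRACE = """\
[=] [Thread 2000] 00007fffb7e4c1b3 [[mmap] libc.so.6 + 0x0381b3] 75 02 jne 0x7fffb7e4c1b7
[=] [Thread 2000] 00007fffb7e4c1b5 [[mmap] libc.so.6 + 0x0381b5] c9 leave
[=] [Thread 2000] 00007fffb7e4c1b6 [[mmap] libc.so.6 + 0x0381b6] c3 ret
[=] [Thread 2000] 00000000004014e5 [TCPForkSocketServer_64Bit + 0x0004e5] be 01 00 00 00 mov esi, 1
[=] [Thread 2000] 00000000004014ea [TCPForkSocketServer_64Bit + 0x0004ea] bf 11 00 00 00 mov edi, 0x11
"""

# One trace line: "[=] [Thread N] <16 hex digits> [<module> + 0x<offset>] <bytes and asm>".
# The module field of an mmap'd object is itself bracketed ("[mmap] libc.so.6"),
# so the module group is non-greedy and stops at " + 0x".
LINE_RE = re.compile(
    r"^\[=\] \[Thread \d+\] (?P<addr>[0-9a-f]{16}) "
    r"\[(?P<module>.+?) \+ 0x(?P<off>[0-9a-f]+)\] (?P<rest>.*)$"
)


class Insn(NamedTuple):
    address: int   # absolute address in the emulated address space
    module: str    # module label as Qiling prints it
    offset: int    # offset into that module
    text: str      # raw bytes and mnemonic, as printed


def parse_trace(trace: str) -> List[Insn]:
    """Parse disassembly trace lines; lines that do not match are skipped."""
    insns = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append(Insn(int(m["addr"], 16), m["module"], int(m["off"], 16), m["rest"]))
    return insns


def is_mapped_library(insn: Insn) -> bool:
    """Assumption from the trace format: the interpreter and shared objects Qiling
    maps carry an '[mmap]' prefix; anything else is the primary binary."""
    return insn.module.startswith("[mmap]")


def main_binary_addresses(trace: str) -> List[int]:
    """Addresses that belong to the executable itself (what the user wants to hook)."""
    return [i.address for i in parse_trace(trace) if not is_mapped_library(i)]


def module_base(insn: Insn) -> int:
    """Base of the mapping as implied by Qiling's 'module + offset' annotation.
    This is what makes offsets reproducible across runs, unlike raw addresses."""
    return insn.address - insn.offset


def make_breakpoint_hook(target: int) -> Tuple[Callable[[object, int, int], None], List[int]]:
    """Build a callback with Qiling's code-hook signature (ql, address, size).
    The comparison uses '==' on integers; the issue's hook had a single '=',
    which is a syntax error, not a comparison."""
    hits: List[int] = []

    def hook(ql: Optional[object], address: int, size: int) -> None:
        if address == target:          # not: if hex(address) = "0x401466"
            hits.append(address)

    return hook, hits


def simulate_hook(trace: str, target: int) -> List[int]:
    """Feed every traced address to the hook as the emulator would, and return the hits."""
    hook, hits = make_breakpoint_hook(target)
    for insn in parse_trace(trace):
        hook(None, insn.address, 1)  # ql placeholder; size is not used by the hook
    return hits


if __name__ == "__main__":
    for insn in parse_trace(TRACE):
        kind = "library" if is_mapped_library(insn) else "binary "
        print(f"{kind} {insn.address:#x} = {insn.module} base {module_base(insn):#x} + {insn.offset:#x}")
    print("hits for 0x401466:", simulate_hook(TRACE, 0x401466))
    print("hits for 0x4014e5:", simulate_hook(TRACE, 0x4014e5))
```

Running it shows why the original hook never fired on this trace: 0x401466 simply is not among the executed addresses, while 0x4014e5 is caught as soon as the comparison is a real `==`. The `module_base` values (0x401000 for the binary, 0x7fffb7e14000 for libc in this sample) are the numbers to work with when computing offsets, since absolute library addresses differ from what gdb shows.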
0x7fffb7e4c1b5 0x7fffb7e4c1b6 0x4014e5 0x4014ea
When I iterate over all instructions, I don't get the same addresses as in gdb, and calculating an offset or calling a specified function in memory becomes impossible. Can someone help me?
Thanks :)