The Vee

Reputation: 11580

How to decode this relocated call?

I am trying to learn a thing or two about assembly language by studying the instructions in some shared objects. I have encountered a construction where a call instruction leads to 1 byte after its beginning, for example (output from hte):

af6fc | e8fcffffff   call af6fdh

Clearly the destination address must be replaced by a proper function (which I know in this case is strcmp). I find this strange because in other parts of the same shared object the same strcmp function is called using the .got / .plt mechanism eliminating the need to rewrite parts of .text. In the latter case the destination function can be identified by studying the .rel.plt table along with .dynsym. But how do I find where the immediate address is redirected to in the former? I could not find any occurrence of the addresses af6fc or af6fd in any of the sections, at least not in those made accessible by hte.

Upvotes: 1

Views: 221

Answers (1)

Employed Russian

Reputation: 213877

You didn't say which platform you are on. It appears to be ix86.

On ix86, it is possible to link non--fPIC compiled code into a shared library (this produces a library with text relocations, which is suboptimal).

If you dump dynamic relocations with objdump -R foo.so, you should see that there is a relocation against address 0xaf6fd. The dynamic linker will update 4 bytes at 0xaf6fd to point to wherever the relocation tells it to after loading foo.so.

in other parts of the same shared object the same strcmp function is called using the .got / .plt mechanism

These calls come from objects that were (properly) compiled with -fPIC.

Upvotes: 1
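As an added illustration for this page (not code from the answer above or from any of the tools it names), the script below does by hand what the answer says objdump -R does: it walks the dynamic relocation sections of a 32-bit ELF image, finds the entry whose r_offset equals the address of the call's displacement field, and names the symbol it resolves to. It also decodes the e8 fc ff ff ff bytes from the question to show why the unrelocated call appears to point one byte past its own start, and computes what the dynamic linker writes there for R_386_PC32. It assumes a little-endian ELF32 with REL-format entries (the i386 convention, where the addend lives in the patched field); the ELF image itself is constructed inline so the script runs offline, and the strcmp load address used at the end is a hypothetical value. On a real library you would pass the file's bytes to find_relocations instead.

```python
import struct

# ELF32 section types and i386 relocation types used below (ELF / i386 psABI values)
SHT_DYNSYM, SHT_RELA, SHT_REL = 11, 4, 9
R_386_PC32, R_386_GLOB_DAT = 2, 6
R_TYPE_NAMES = {1: "R_386_32", 2: "R_386_PC32", 4: "R_386_PLT32",
                6: "R_386_GLOB_DAT", 7: "R_386_JUMP_SLOT"}


def decode_call(instr_addr, raw):
    """Decode an E8 rel32 call as it sits on disk. Returns (place, disp, target):
    place is the address of the 4-byte displacement (instr_addr + 1), which is the
    r_offset a text relocation carries; target is where the CPU would go right now."""
    if len(raw) != 5 or raw[0] != 0xE8:
        raise ValueError("not a 5-byte E8 call")
    disp, = struct.unpack_from("<i", raw, 1)
    return instr_addr + 1, disp, (instr_addr + 5 + disp) & 0xFFFFFFFF


def apply_r386_pc32(place, symbol_addr, in_place_addend=-4):
    """What the dynamic linker stores for R_386_PC32: S + A - P. A is the value
    already in the field (-4 for a call, since the CPU adds the displacement to
    the address of the *next* instruction). Returns (field, resulting call target)."""
    field = (symbol_addr + in_place_addend - place) & 0xFFFFFFFF
    signed = field - (1 << 32) if field & 0x80000000 else field
    return field, (place + 4 + signed) & 0xFFFFFFFF


def find_relocations(elf, target_vaddr):
    """Return [(section, reloc type, symbol name, addend)] for every REL/RELA entry
    whose r_offset equals target_vaddr. Only the section-header view is used."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian 32-bit ELF image")
    e_shoff, = struct.unpack_from("<I", elf, 0x20)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
    # Elf32_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<10I", elf, e_shoff + i * e_shentsize) for i in range(e_shnum)]

    def cstring(strtab, off):  # NUL-terminated string inside a string-table section
        start = strtab[4] + off
        return elf[start:elf.index(b"\0", start)].decode()

    hits = []
    for sh in shdrs:
        if sh[1] not in (SHT_REL, SHT_RELA):
            continue
        entsize = 12 if sh[1] == SHT_RELA else 8
        symtab = shdrs[sh[6]]       # sh_link of a reloc section -> its symbol table
        strtab = shdrs[symtab[6]]   # sh_link of the symbol table -> its string table
        for off in range(sh[4], sh[4] + sh[5], entsize):
            r_offset, r_info = struct.unpack_from("<II", elf, off)
            if r_offset != target_vaddr:
                continue
            addend = struct.unpack_from("<i", elf, off + 8)[0] if entsize == 12 else None
            sym_idx, r_type = r_info >> 8, r_info & 0xFF
            st_name, = struct.unpack_from("<I", elf, symtab[4] + sym_idx * 16)
            hits.append((cstring(shdrs[e_shstrndx], sh[0]),
                         R_TYPE_NAMES.get(r_type, str(r_type)),
                         cstring(strtab, st_name), addend))
    return hits


def build_sample_elf():
    """Constructed minimal ELF32 shared object: .dynstr/.dynsym with one undefined
    symbol (strcmp) and a .rel.dyn holding a text relocation at 0xaf6fd, the address
    from the question, plus one GOT-style entry for contrast."""
    dynstr = b"\0strcmp\0"
    dynsym = struct.pack("<IIIBBH", 0, 0, 0, 0, 0, 0)        # index 0: STN_UNDEF
    dynsym += struct.pack("<IIIBBH", 1, 0, 0, 0x12, 0, 0)    # index 1: GLOBAL FUNC strcmp, UND
    rel = struct.pack("<II", 0xAF6FD, (1 << 8) | R_386_PC32)       # patches the call's rel32
    rel += struct.pack("<II", 0xB0010, (1 << 8) | R_386_GLOB_DAT)  # fills a GOT slot instead
    shstrtab = b"\0.dynstr\0.dynsym\0.rel.dyn\0.shstrtab\0"
    body, offsets = b"", []
    for blob in (dynstr, dynsym, rel, shstrtab):
        offsets.append(52 + len(body))   # sections follow the 52-byte ELF header
        body += blob
    e_shoff = 52 + len(body)
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        (1, 3, 2, 0, offsets[0], len(dynstr), 0, 0, 1, 0),            # .dynstr (STRTAB)
        (9, SHT_DYNSYM, 2, 0, offsets[1], len(dynsym), 1, 1, 4, 16),  # .dynsym -> link .dynstr
        (17, SHT_REL, 2, 0, offsets[2], len(rel), 2, 0, 4, 8),        # .rel.dyn -> link .dynsym
        (26, 3, 0, 0, offsets[3], len(shstrtab), 0, 0, 1, 0),         # .shstrtab
    ]
    header = struct.pack("<4sBBBBB7xHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1, 0, 0,
                         3, 3, 1, 0, 0, e_shoff, 0, 52, 0, 0, 40, len(shdrs), 4)
    return header + body + b"".join(struct.pack("<10I", *s) for s in shdrs)


if __name__ == "__main__":
    elf = build_sample_elf()
    place, disp, target = decode_call(0xAF6FC, bytes.fromhex("e8fcffffff"))
    print(f"on-disk call: place={place:#x} disp={disp} target={target:#x}")
    for sec, rtype, sym, _ in find_relocations(elf, place):
        print(f"{sec}: {rtype} against {sym!r} at {place:#x}")
    field, final = apply_r386_pc32(place, 0x12345678)  # hypothetical address of strcmp
    print(f"after relocation: field={field:#010x} call target={final:#x}")
```

The decoded displacement is -4, which is the in-place addend the linker left behind: the relocation site is the last four bytes of the instruction, so a field of S - 4 - P lands the call exactly on S once the loader has filled it in. Before that happens the call resolves to its own patch address, which is the one-byte-past-the-start effect seen in the question.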
