Reputation: 3
I'm trying to jump to an address in memory, but I only have its offset in the file (so 0x530 instead of 0x555555...), and I don't know how to do it. Here is the code:
```nasm
global _start
_start:
    ; save the registers the write syscall clobbers
    push rax
    push rdi
    push rsi
    push rdx
    mov rax,1                     ; SYS_write
    mov rdi,1                     ; fd = stdout
    lea rsi,[rel msg]             ; RIP-relative: works regardless of load base
    mov rdx,msg_end - msg         ; length known at assembly time
    syscall
    pop rdx
    pop rsi
    pop rdi
    pop rax
    mov rax,0x1111111111111111    ; placeholder, patched to the original entry point
    jmp rax
align 8
msg db "....WOODY....",10,0
msg_end db 0x0
```
Here I'm moving to `0x11111111111`, a value that I change to `0x530` before the execution of the file, so it will give `mov rax,0x530`; however, I don't know how to get the absolute address.

Basically I'm trying to inject some code inside an ELF file. I need to change the entry point of the executable and then jump back. Since I don't know at first where to jump, I put a value in memory (`0x111111111111`) that I will change to the original entry point of the program. In the example I gave, let's say we have an original entry point at offset `0x530`: I should access the memory of the computer at something like `0x55555555fff530`, but instead of that, I'm jumping to the offset of the file.
I'm working on Ubuntu.
Upvotes: 0
Views: 1666
Reputation: 364180
You probably want to build non-PIE executables to start with, so things are simpler with no ASLR for the base address of the executable. Use `gcc -no-pie -static foo.o`. Then `objdump` will be able to give you absolute addresses.

Or just use a RIP-relative LEA to get the address of other code in the same section/segment of the binary. That offset is known at link time (or at edit-binary time).

Using `mov r64, imm64` is just making life difficult for yourself because you're trying to use absolute addresses without runtime fixups, but your program will be ASLRed when mapped to somewhere near `0x5555...` unless you disable ASLR for it (e.g. by running it under GDB), or globally in `/proc/sys`.
Upvotes: 1
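The gap between the question's file offset `0x530` and the address the loader actually maps it at is exactly what the ELF program headers record. As an added example (not code from the question or the answer), this Python script walks the `PT_LOAD` entries of an ELF64 image to translate a file offset into a virtual address, and shows why the result is only usable directly for a non-PIE (`ET_EXEC`) binary: for a PIE (`ET_DYN`) the value is relative to a load base that ASLR picks at run time. The ELF image it parses is constructed inline with `struct`, not a real binary.

```python
import struct

# Added example: resolve an ELF64 file offset to the virtual address the loader
# maps it at, using the PT_LOAD program headers. The ELF image built below is a
# constructed minimal header plus one segment, not a real compiled binary.
ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
ET_EXEC, ET_DYN = 2, 3   # non-PIE executable / PIE (position-independent)

def parse_elf64(data):
    """Return (e_type, e_entry, [(p_offset, p_vaddr, p_filesz), ...]) for PT_LOADs."""
    if data[:4] != ELF_MAGIC or data[4] != 2:   # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 file")
    # Elf64_Ehdr after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum (little-endian)
    e_type, _, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from("<HHIQQQIHHH", data, 16)
    loads = []
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
    return e_type, e_entry, loads

def offset_to_vaddr(data, file_offset):
    """Map a file offset to the vaddr inside the PT_LOAD segment that contains it.
    For ET_DYN (PIE) the result is relative to the randomized load base."""
    _, _, loads = parse_elf64(data)
    for p_offset, p_vaddr, p_filesz in loads:
        if p_offset <= file_offset < p_offset + p_filesz:
            return p_vaddr + (file_offset - p_offset)
    raise ValueError(f"offset {file_offset:#x} is not backed by any PT_LOAD")

def build_demo_elf(e_type, p_vaddr, entry_off=0x530):
    """Constructed minimal ELF64 image: header plus one R+X PT_LOAD covering the file."""
    phoff, phentsize, filesz = 64, 56, 0x1000
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8          # e_ident
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, p_vaddr + entry_off,
                        phoff, 0, 0, 64, phentsize, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, p_vaddr, p_vaddr,
                       filesz, filesz, 0x1000)
    return (ehdr + phdr).ljust(filesz, b"\0")

if __name__ == "__main__":
    for name, kind, base in (("non-PIE", ET_EXEC, 0x400000), ("PIE", ET_DYN, 0)):
        vaddr = offset_to_vaddr(build_demo_elf(kind, base), 0x530)
        print(f"{name}: file offset 0x530 -> vaddr {vaddr:#x}")
```

On a real binary the same translation is what `readelf -l` lets you do by hand (compare `Offset` and `VirtAddr` of the `LOAD` line); for a PIE you still have to add the run-time base, which is why the answer recommends a RIP-relative `lea` instead of an absolute `mov r64, imm64`.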