Hello!

I have a really simple question. I disassembled a file using insight under linux, and I determined that the following location has to be modified:

0x804a4b5 <main+101>: call 0x8164b30 <c2init>

Now, the address here is the virtual address, hoever I need to lacate this in the binary elf file using emacs orsomething. How do I go about finding 0x804ab5 <main+101> in an elf file ? I know this is stupid question, but I amreally stuck. Thanks.

I'm sure this is explained in several locations linked in the FAQ, but I'll provide an answer anyway.

Read up on the ELF format and how file offsets translate to RVAs and VAs (if you haven't already done so). The most accurate way to deal with this problem is to load your target up in an ELF editor, find which section's image your VA loads into, subtract (your VA from the section's base VA) to find the offset into the section, then add this to the section's 'pointer to raw data'.

However, in practice it is often quicker and/or easier to find a unique-looking byte pattern in the virtual image and search for that in the disk image. Usually eight bytes or so is enough to get you to the right spot (but of course, you should use 'Find Next' to make sure you're in the right place).

By the way. If this question belongs anywhere (other than the FAQ) it's 'The Newbies Forum' or 'Linux RCE', not 'Advanced reversing and programming' .

Admiral

Thanks a lot.

there is a pretty neat hexeditor called HT Editor

http://hte.sourceforge.net/

it can show the image as well as file forum

for example ./ht --> alt+f --> open --> select your binary --> f6 --> selecting elf image



hit f6--> disasm.x86



alt+l (local disasm) -->assemble
change call 554 to call 555 or whatever you want




and use f2 to save

Thanks blabberer