Figure 4-13 Shooting range (1)
The images' starting addresses in virtual memory are like the positions of the 600 targets; in terminology they are called image base addresses. Now suppose the owner of this shooting range thinks the previous targets were arranged rashly: a shooter will hit every bull's eye as soon as he gets familiar with the arrangement. So the owner relocates all the targets randomly. After relocation, target 1 is placed in position 5, target 2 in position 6, target 3 in position 8, target 4 in position 13, target 5 in position 15... and target 600 in position 886, as shown in figure 4-14.
Figure 4-14 Shooting range (2)
That is to say, the offsets for targets 1, 2, 3, 4, 5 and 600 are 4, 4, 5, 9, 10 and 286 respectively. This random offset (ASLR) greatly increases the shooting difficulty. Target 1 used to be at position 1 and is now at position 5, so its offset is 4, i.e.

image base address with offset = image base address without offset + ASLR offset
Back to the reverse engineering scene. Let's take the 4th image (i.e. Foundation) in the output of "image list -o -f" as an example: its ASLR offset is 0x1645000 and its image base address with offset is 0x23c4f000, so according to the above formula its image base address without offset is 0x23c4f000 - 0x1645000 = 0x2260A000.
You may wonder, where does 0x2260A000 come from? Drag and drop Foundation’s binary
into IDA, after the initial analysis, IDA looks like figure 4-15.
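To make the formula concrete, here is an added Python example (not code from the book) that parses lines in the style of lldb's "image list -o -f" output and converts between the slid runtime address and the static address IDA displays. The sample lines, image indices and paths are constructed for this example, and the exact column layout of lldb's output is an assumption.

```python
import re

# ASLR offset (slide) and slid image base of Foundation as quoted in the text.
FOUNDATION_SLIDE = 0x1645000
FOUNDATION_SLID_BASE = 0x23C4F000

# Constructed sample output in the style of "image list -o -f": index, ASLR offset, path.
# These lines are constructed for the example, not a real capture.
SAMPLE_IMAGE_LIST = """\
[  0] 0x00000000000a3000 /var/mobile/Containers/Bundle/Application/EXAMPLE/Example.app/Example
[  3] 0x0000000001645000 /System/Library/Frameworks/Foundation.framework/Foundation
"""

# One line: "[ idx] 0x<offset> <path>" (layout assumed to match lldb's output).
LINE_RE = re.compile(r"^\[\s*(\d+)\]\s+0x([0-9a-fA-F]+)\s+(\S+)\s*$")


def parse_image_list(text):
    """Return {image name: ASLR slide} parsed from 'image list -o -f' style lines."""
    slides = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore headers or lines in another layout
        _, slide_hex, path = m.groups()
        slides[path.rsplit("/", 1)[-1]] = int(slide_hex, 16)
    return slides


def unslid(slid_addr, slide):
    """Runtime (slid) address -> static address as IDA shows it: subtract the ASLR slide.
    Same arithmetic as target 1: position 5 minus offset 4 gives its original position 1."""
    return slid_addr - slide


def slid(static_addr, slide):
    """Static (IDA) address -> runtime address in this process: add the ASLR slide."""
    return static_addr + slide


if __name__ == "__main__":
    slides = parse_image_list(SAMPLE_IMAGE_LIST)
    base = unslid(FOUNDATION_SLID_BASE, slides["Foundation"])
    print("Foundation base without offset: %#x" % base)  # 0x2260a000, matching the text
```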