2

I'm trying to get a better understanding of memory addresses. I've just begun examining binaries with hexdump. Ex output:

0000000 cf fa ed fe 07 00 00 01 03 00 00 80 02 00 00 00
0000010 0e 00 00 00 b0 03 00 00 85 00 00 00 00 00 00 00
0000020 19 00 00 00 48 00 00 00 5f 5f 50 41 47 45 5a 45
0000030 52 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000040 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00

My understanding is that the codes I see at the beginning of each line are relative memory addresses expressed as an offset from a base address. I'm trying to figure out if there's a way I can get the absolute addresses instead.

I'd be happy with a solution that either shows me those addresses explicitly, or simply helps me figure out what the base address is that they are relative to, so I can calculate them myself.

  • It's giving offsets from the start of the file, what would you consider as "absolute addresses"? – Torin Apr 26 '19 at 14:52
  • I was hoping to find a logical address in my machine's virtual address space. My understanding is that finding a physical memory address is no longer simple or practical. I'm sorry if my questions are uneducated, this is a learning exercise for me. – David Kennell Apr 26 '19 at 14:58
  • I'm not using macOS and have no idea of objdump's support for Mach-O binaries, but if you have objdump, you can add an offset with its --adjust-vma option, and can use the -b binary option to let it treat the file as a bunch of bytes (just like hexdump). –  Apr 26 '19 at 15:12

2 Answers

3

Hexdump doesn't know anything about addresses (or memory). It's just printing a stream of bytes and prefixing it with the number of bytes seen so far. If its input comes from a file, those numbers thus correspond to a position in the file.

To figure out where these bytes end up in memory once the file gets loaded, you need to look at the metadata in the file. For ELF files, this means the section headers (and sometimes program headers as well).

readelf -S path/to/your/binary shows something like this:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
…
  [13] .text             PROGBITS         000000000050eac0  0010eac0
       0000000001833275  0000000000000000  AX       0     0     16
…

Here, the value under "Offset" is the position in the file where a particular section starts, and the value under "Address" is the corresponding virtual address (where it ends up in memory). You just need to add the difference between these two to the numbers from hexdump to get the addresses.

You can also use objdump -h path/to/your/binary to get the same data:

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
…
 12 .text         01833275  000000000050eac0  000000000050eac0  0010eac0  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
…

Again, "File off" is the offset in the file and "VMA" is the corresponding virtual address. If you're wondering what "LMA" is about, take a look here.

TooTea
  • 2,388
  • 11
  • 15
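
The offset-to-address arithmetic from the answer above, as an added example (not code from the answer): it reads ELF64 section headers and maps a hexdump file offset to its virtual address. The sample is a constructed, header-only ELF that carries the .text values from the readelf output above; the function names are hypothetical.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header
SHT_NOBITS, SHF_ALLOC = 8, 0x2

def sections(elf: bytes):
    """Yield (sh_addr, sh_offset, sh_size) for sections present in both file and memory."""
    hdr = EHDR.unpack_from(elf, 0)
    ident, e_shoff, e_shentsize, e_shnum = hdr[0], hdr[6], hdr[11], hdr[12]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    for i in range(e_shnum):
        fields = SHDR.unpack_from(elf, e_shoff + i * e_shentsize)
        _, sh_type, sh_flags, addr, off, size, *_ = fields
        # Only SHF_ALLOC sections get an address; SHT_NOBITS (.bss) has no file bytes.
        if sh_flags & SHF_ALLOC and sh_type != SHT_NOBITS:
            yield addr, off, size

def offset_to_vaddr(elf: bytes, file_off: int):
    """Map a hexdump offset to a virtual address, or None if no loaded section covers it."""
    for addr, off, size in sections(elf):
        if off <= file_off < off + size:
            return file_off + (addr - off)   # add the Address - Offset difference
    return None

def make_sample() -> bytes:
    """Constructed sample: ELF header, a null section, and .text with the values above."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 2, 0)
    null = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text = SHDR.pack(0, 1, 0x6, 0x50eac0, 0x10eac0, 0x1833275, 0, 0, 16, 0)
    return ehdr + null + text

if __name__ == "__main__":
    sample = make_sample()
    for off in (0x10eac0, 0x10eb00, 0x40):
        va = offset_to_vaddr(sample, off)
        result = "not covered by a loaded section" if va is None else f"vaddr {va:#x}"
        print(f"file offset {off:#x} -> {result}")
```

For a position-independent executable the section addresses are relative to the load base chosen at run time, so the result is an offset from that base rather than a final address.
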
0

According to my understanding, absolute physical addresses are highly secured. But there is a way to find logical addresses. For learning purposes, you can write a simple C program which contains an infinite loop and runs in the background. While the program is running, you can use "pmap", which is a Linux utility, to get around the virtual address of your program. Command to run the executable in the background on Linux zsh:

./executable_filename &
pmap -x "$!"    # $! is the process ID of the job just started in the background

Ashwin
  • 1