why the jmp address seems not synced with the actual address it jump in runtime?

[realyukii]

I wrote a simple program to print the current RIP address at runtime. However, I noticed that the target of the unconditional jmp instruction doesn’t match the next RIP value that gets printed after the jump, here's the snippet of the log:

0x7fa98e939db4: jmp [0x00007FA98E9C53C8]
0x7fa98e939d70: endbr64

and here's the snippet of the code that use the library:

insn = 0;
ret = __sys_ptrace(
	PTRACE_PEEKTEXT, child_pid, (void *)regs.rip, &insn
);
assert(!ret);

if (ZYAN_SUCCESS(ZydisDisassembleIntel(ZYDIS_MACHINE_MODE_LONG_64, regs.rip, &insn, sizeof(insn), &instruction)))
	printf("%p: %s\n", (void *)regs.rip, instruction.text);

__sys_ptrace(PTRACE_SINGLESTEP, child_pid, NULL, NULL);

if the next RIP address is 0x7fa98e939d70, I thought the address in jmp will be the same, I think I use it wrong? but I'm not sure, I guess my understanding is not deep enough at this point :) (EDIT: hmm, wait, maybe the square bracket is a dereference like *ptr in C? in that case the content of 0x7FA98E9C53C8 is 0x7fa98e939d70? I guess I need to refresh my assembly course)

the full code is available in this repository, thanks for reading and thanks for making this great library!

[ZehMatt]

When the jump has the address in brackets then it is indeed a memory read and not the target address.

[realyukii]

by the way, did you know how to identify error code in case ZYAN_SUCCESS is not true? I can't find documentation about error handling in the docs.

[realyukii]

oh nvm, I just found ZYAN_STATUS_CODE in Status.h

[mappzor]

See https://doc.zydis.re/master/html/Status_8h, each status has its code part on the lowest bits, so they are easy to identify e.g. during debugging. If you want to print codes as strings there is no library function for that but you can take a look at this function from ZydisInfo.