From 256a7c93c7e2e8c043a3168dc740466c4cf2b008 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 24 Jan 2012 08:23:17 +0100
Subject: Follow the call.

---
 ptrace-offset-finder.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/ptrace-offset-finder.c b/ptrace-offset-finder.c
index 34e5682..d339c18 100644
--- a/ptrace-offset-finder.c
+++ b/ptrace-offset-finder.c
@@ -1,5 +1,6 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <errno.h>
 #include <unistd.h>
@@ -9,7 +10,6 @@
 #include <sys/user.h>
 #include <sys/ptrace.h>
 #include <sys/reg.h>
-#include <asm/unistd_64.h>
 
 int main(int argc, char *argv[])
 {
@@ -31,9 +31,23 @@ int main(int argc, char *argv[])
 			ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
 			wait(NULL);
 			ptrace(PTRACE_GETREGS, child, NULL, &regs);
-			if (regs.rip < 0x700000000000) {
-				printf("0x%lx\n", regs.rip);
-				break;
+#if defined(__i386__)
+#define instruction_pointer regs.eip
+#define upper_bound 0xb0000000
+#elif defined(__x86_64__)
+#define instruction_pointer regs.rip
+#define upper_bound 0x700000000000
+#else
+#error "That platform is not supported."
+#endif
+			if (instruction_pointer < upper_bound) {
+				uint32_t instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
+				int operator = instruction & 0xFF;
+				if (operator == 0xe8 /* call */) {
+					int32_t offset = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer + 1, NULL) + 5;
+					printf("0x%lx\n", instruction_pointer + offset);
+					break;
+				}
 			}
 		}
 	} else {
-- 
cgit v1.2.3-59-g8ed1b