relativeToAbsolute

[Slavic]

I've been looking at the hooking method Osiris uses on Linux to hook SDL_SwapWindow and SDL_PollEvent and I just have a few questions.
The specific code in question is this
template <typename T> static constexpr auto relativeToAbsolute(uintptr_t address) noexcept { return (T)(address + 4 + *reinterpret_cast<std::int32_t*>(address)); } pollEvent = relativeToAbsolute<uintptr_t>(uintptr_t(dlsym(libSDL, "SDL_PollEvent")) + 2);
I've understand what the code is literally doing, and why it does it, but I don't understand how.
dlsym(libSDL, "SDL_GL_SwapWindow") returns the a pointer to memory which looks a like this
FF 25 CAFC3200 jmp qword ptr["libSDL...]
So the +2 makes sense to move our address to contain CAFC3200.
But then we take that address, reinterpret our current address to get the offset of the relative jump, add that, add 4, and somehow it gives us our absolute address? But relativeToAbsolute is also used for getting the addresses from modules with pattern scanning. I don't understand enough about Linux and PIC shared libraries to know why that resolves the address, but hoping someone could explain it to me.

Thanks

[danielkrupinski]

In your example bytes:

• FF 25 is the opcode of a relative jump with 4-byte offset
• CAFC3200 - is the offset

Absolute address is calculated by adding the offset to the address of the next instruction after rel jmp (which is the address of the offset + 4).

You can also remove the + 2 and then (pointer being std::uintptr_t):

• offset is *(int*)(pointer + 2)
• address of the next instruction is pointer + 6

relativeToAbsolute requires input address to point to the offset, not to the opcode, because it also has to support call instruction with relative offset whose opcode (E8) is a single byte.

Bonus:
The offset in relative jump is a signed integer so you can jump backwards. I've seen some source codes incorrectly treating the offset as an unsigned integer.