Linux Internals ~ Dynamic Linking Wizardry

Thank you so much for the encouraging comment @shahril!

This is because the instruction jmp *0x804a00c will take the 4-byte value at the 0x804a00c address. You can imagine that this instruction is the same as jmp dword ptr [0x804a00c].

You are right about that. That’s the Intel version of the instruction (which I prefer way more than AT&T’s, tbh). If I remember correctly, the official term is indirect jump. Weirdly enough, objdump cut the address in half, if you noticed, while in my recent write-up GDB shows it fully; that’s why I was surprised in the beginning.

I love how you introduced the concept of the GOT through array indices [0][1][2], which really makes sense to me.

I’m really glad! The ELF specs refer to the binary structures as tables (i.e. symbol table, global offset table, relocation table), but in reality they are arrays containing either C structs or pointers.

If you enjoyed learning about GOT/PLT you might be interested in having a look at my most recent write-up on Bypassing ASLR via Format String Bug, where I abuse the GOT to redirect code execution. I’m hoping to release another write-up soon where I’ll be abusing PLT in order to leak addresses via ROP.

Thank you once again for taking the time to read them both. I hope you developed a mental model as to how the linking internals work.

Cheers!

4 Likes
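Added example, not from the original post or the write-ups it links to: a plain-C model of the lazy-binding round trip the reply describes, with the GOT as an array of function pointers and the symbol and relocation tables as arrays of structs, ending with the GOT overwrite that the format-string write-up relies on. Every name here (mock_got, mock_dynsym, mock_relplt, dl_fixup, the plt_stub functions) and the toy "library" functions are invented for the model; only the shape of the data and the control flow mirror what ld.so and the real PLT/GOT do.

```c
#include <stddef.h>
#include <stdio.h>

typedef long (*fn_t)(long);

/* Toy "shared library" functions the binary imports (invented for this model). */
static long lib_double(long x) { return 2 * x; }
static long lib_negate(long x) { return -x; }
/* Where an attacker would like calls to land after a GOT overwrite. */
static long attacker_fn(long x) { (void)x; return 0x41414141L; }

/* .dynsym: an array of structs (Elf32_Sym / Elf64_Sym in a real binary). */
struct sym { const char *name; fn_t addr; };
static const struct sym mock_dynsym[] = {
    { "double", lib_double },
    { "negate", lib_negate },
};

/* .rel.plt: an array of structs, one per imported function. Each entry says which
 * GOT slot to patch and which symbol to look up (r_offset / r_info in ELF terms). */
struct rel { size_t got_index; size_t sym_index; };
static const struct rel mock_relplt[] = {
    { 0, 0 },  /* GOT[0] receives the address of "double" */
    { 1, 1 },  /* GOT[1] receives the address of "negate" */
};

static long plt_stub0(long x);
static long plt_stub1(long x);

/* .got.plt: an array of code pointers. Before the first call each slot points back
 * into the PLT (the "push n; jmp PLT0" half of the stub), not at the library yet. */
#define NSLOTS 2
static fn_t mock_got[NSLOTS] = { plt_stub0, plt_stub1 };

static long resolver_calls;  /* how many times the "dynamic linker" ran */

/* The dynamic linker's fixup routine: look up the symbol named by relocation n,
 * write its address into the GOT slot, then continue to the real function. */
static long dl_fixup(size_t n, long x) {
    const struct rel *r = &mock_relplt[n];
    const struct sym *s = &mock_dynsym[r->sym_index];
    resolver_calls++;
    mock_got[r->got_index] = s->addr;
    return s->addr(x);
}

/* Second half of each PLT entry: "push <reloc index>; jmp PLT0". */
static long plt_stub0(long x) { return dl_fixup(0, x); }
static long plt_stub1(long x) { return dl_fixup(1, x); }

/* First half of each PLT entry: jmp *GOT[slot]. Whatever pointer sits in the slot
 * is where control goes; nothing validates it. */
static long plt_call(size_t slot, long x) { return mock_got[slot](x); }

long call_double(long x) { return plt_call(0, x); }
long call_negate(long x) { return plt_call(1, x); }
fn_t got_entry(size_t slot) { return mock_got[slot]; }

/* The primitive an arbitrary write (e.g. a format-string %n) gives an attacker:
 * put one pointer into a GOT slot. Returns the pointer that was overwritten. */
fn_t hijack_got(size_t slot, fn_t target) {
    fn_t old = mock_got[slot];
    mock_got[slot] = target;
    return old;
}

int main(void) {
    printf("GOT[0] points into the PLT before first use: %d\n", got_entry(0) == plt_stub0);
    long r = call_double(21);
    printf("double(21) = %ld, resolver ran %ld time(s)\n", r, resolver_calls);
    r = call_double(5);
    printf("double(5)  = %ld, resolver ran %ld time(s)\n", r, resolver_calls);
    r = call_negate(7);
    printf("negate(7)  = %ld, resolver ran %ld time(s)\n", r, resolver_calls);
    hijack_got(0, attacker_fn);
    printf("double(21) after GOT overwrite = 0x%lx\n", call_double(21));
    return 0;
}
```

The first call through a slot goes PLT -> GOT -> back into the PLT -> resolver, which patches the slot; every later call is a single indirect jump straight to the library. That same indirect jump is why a single pointer-sized write into the GOT is enough to redirect execution: the PLT never checks what it found in the slot.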