## get the version string
[dvorak@redhat get-offset]$ strings in.ftpd | grep ^Version
Version wu-2.6.1-16

## get the GOT address of free
[dvorak@redhat get-offset]$ objdump --dynamic-reloc in.ftpd > dynrel
[dvorak@redhat get-offset]$ grep free dynrel
0807314c R_386_JUMP_SLOT   free
0807319c R_386_JUMP_SLOT   globfree64

## get cbuf
[dvorak@redhat get-offset]$ objdump --disassemble in.ftpd > disass
objdump: in.ftpd: no symbols
[dvorak@redhat get-offset]$ objdump -T in.ftpd > dynsym

## first get address of strncasecmp
[dvorak@redhat get-offset]$ grep strncasecmp dynsym
0804acd8      DF *UND*  00000065  GLIBC_2.0   strncasecmp

## look for calls with 3rd argument 0xa
[dvorak@redhat get-offset]$ grep 804acd8 -B3 disass | grep '\$0xa'
 805a788:	6a 0a                	push   $0xa

## see what is used as first argument (cbuf) to strncasecmp
[dvorak@redhat get-offset]$ grep -A3 '^ 805a788' disass
 805a788:	6a 0a                	push   $0xa
 805a78a:	68 43 d7 06 08       	push   $0x806d743
 805a78f:	53                   	push   %ebx
 805a790:	e8 43 05 ff ff       	call   0x804acd8

## it's ebx, see where ebx gets set
[dvorak@redhat get-offset]$ grep -B100 '^ 805a788' disass | grep ebx
 805a68a:	bb e0 5d 08 08       	mov    $0x8085de0,%ebx
 805a6b0:	43                   	inc    %ebx
 805a6b1:	0f b6 13             	movzbl (%ebx),%edx
 805a6de:	89 df                	mov    %ebx,%edi
 805a6fa:	bb 04 00 00 00       	mov    $0x4,%ebx
 805a704:	89 1d e0 64 07 08    	mov    %ebx,0x80764e0
### EUREKA last place where ebx is set .. so cbuf is at .. 0x8085de0
 805a70a:	bb e0 5d 08 08       	mov    $0x8085de0,%ebx
 805a712:	0f b6 14 1e          	movzbl (%esi,%ebx,1),%edx
 805a719:	c6 04 1e 00          	movb   $0x0,(%esi,%ebx,1)
 805a71d:	53                   	push   %ebx
 805a72d:	53                   	push   %ebx
 805a752:	53                   	push   %ebx
 805a772:	53                   	push   %ebx

## that's all folks