How can I track a specific cycle in a binary with a pin tool?

I am using the Intel Pin tool and I want to track a specific loop in a binary, but I found that the addresses of the instructions change in every run. How can I find a specific instruction or a specific loop, even if it changes in every run?

Edit 0:

I have the following addresses, one of which is an RVA (the first group of addresses (small addresses) is constant for each run, but the last group (large addresses) changes for each run):

Address           loop_repetition   No._of_Instructions_In_Loop
4195942           1                 8
4195972           1                 3
.......           ...               ...
140513052566480   1                 2
......            ...               ...

1 answer


the address of the instructions changed in every run, how can I find a specific instruction or a specific loop, even if it changes in every run?

This may be due to the fact that you have ASLR enabled (which is enabled by default on Ubuntu). If you want your analyzed program to be loaded at the same address in every run, you can:

1) Disable ASLR:

  • Disable it system-wide: sysctl -w kernel.randomize_va_space=0, as explained here.
  • Disable it per process: $> setarch $(uname -m) -R /bin/bash, as shown here.

2) Calculate the delta (offsets) in your pintool:

For every address you manage, you need to use an RVA (Relative Virtual Address), not a full VA (Virtual Address).

Example:

  • Suppose the first time you run your program, it is loaded at 0x80000000 (this is the "base address") and the loop starts at 0x80000210
  • On the second run, the program is loaded at 0x90000000 ("base address") and the loop starts at 0x90000210


Just calculate the offsets of the loops from the base address:

  • Program_Address - Base_Address = offset
  • 0x80000210 - 0x80000000 = 0x210
  • 0x90000210 - 0x90000000 = 0x210

Since both resulting offsets are the same, you know that you have the exact same instruction, regardless of the base address of the program.

How to do it in your pintool:

Now you can compare the RVAs with each other and see if they are the same (they should also be in the same module).

Obviously this doesn't work for JIT code, since JITed code has no executable image (think mmap() [Linux] or VirtualAlloc() [Windows])...

Finally, there is a good paper (quite old, but still usable) on loop detection with Pin, if that might help you.
