By sh.3.ll

2020-01-14 13:08:02 8 Comments

I am solving a binary exploitation challenge on picoCTF and came across this piece of code:

((void (*)())buf)();

where buf is a character array.

I solved the challenge but can't seem to understand what exactly it's doing. I looked at this thread but I couldn't make it out.

What does ((void (*)())buf)(); mean?


@Some programmer dude 2020-01-14 13:12:17

void (*)() is a type, the type being "pointer to function that takes indeterminate arguments and returns no value".

(void (*)()) is a type-cast to the above type.

(void (*)())buf casts buf to the above type.

((void (*)())buf)() calls the function (passing no arguments).

In short: It tells the compiler to treat buf as a pointer to a function, and to call that function.

@bta 2020-01-14 23:49:39

I find the cdecl utility (or website) helpful for translating the more complex C expressions into English.

@bolov 2020-01-15 01:00:33

@bta cdecl is not useful here as the syntax is not a declaration. It's a function call via a cast on a previously declared symbol.

@bta 2020-01-15 01:11:11

@bolov - On the entire statement, no, but it does explain the most complex part of it. From there, decoding the rest is fairly straightforward.

@AvD 2020-01-15 02:04:43

I don't think that the contents of the character array buf[] play a role; only the address of the "array" matters. I mean you cannot copy the character array buf[] to some real character array copy[] and expect that ((void (*)())copy)(); will call the function. It will crash.

@wrtlprnft 2020-01-15 04:39:54

@AvD If wherever buf or copy is located is at an executable address and the code itself is position-independent, this will work. It is of course as non-portable as it gets, but this should work in many bare-metal environments as well as older x86 OSes that don't set the no-execute (NX) bit on stack and heap.

@TonyK 2020-01-15 10:40:29

@AvD: It won't necessarily crash. Unless the data area is protected against execution (which depends on the architecture and the run-time environment), you can use this trick to compile a function into an array at run-time and call it on the fly. I first used this trick 35 years ago on a DEC Vax to compile Turing machines for a failed experiment in Turing machine evolution.

@S.S. Anne 2020-01-14 23:31:55

It casts the character array to a pointer to a function taking no arguments and returning void, and then calls it. Dereferencing the pointer is not required due to how function pointers work.

An explanation:

That "character array" is actually an array of machine code. When you cast the array to a void (*)() and call it, it runs the machine code inside of the array. If you provided the array's contents I could disassemble it for you and tell you what it's doing.

@lukeg 2020-01-14 13:12:21

It's a typecast, followed by a function call. Firstly, buf is cast to a pointer to a function that returns void. The last pair of parentheses means that the function is then called.

@P__J__ 2020-01-14 13:11:23

Pointer buf is converted to a pointer to a void function taking an unspecified number of parameters, and then dereferenced (i.e. the function is called).
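As an added example (not code from the thread or from picoCTF), the C program below shows the point wrtlprnft and TonyK make: the cast compiles identically for any address, but the call only succeeds when the memory behind that address is executable. It looks up the permissions of the mapping containing an address in /proc/self/maps, so it assumes Linux; region_is_executable, real_function and the two wrapper functions are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Scan /proc/self/maps (Linux-specific) for the mapping containing addr.
 * Returns 1 if it is executable, 0 if mapped but not executable, -1 if unmapped. */
int region_is_executable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    uintptr_t target = (uintptr_t)addr;
    char line[512], perms[5];
    unsigned long lo, hi;
    int result = -1;
    while (fgets(line, sizeof line, maps)) {
        /* Each line begins "start-end perms", e.g. "55d0...-55d0... r-xp ..." */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (target >= lo && target < hi) {
            result = (perms[2] == 'x') ? 1 : 0;
            break;
        }
    }
    fclose(maps);
    return result;
}

/* Genuine code: its address lies in the executable text segment. */
static void real_function(void) { }

int text_segment_is_executable(void)
{
    ((void (*)())real_function)();  /* the thread's cast-and-call, on genuine code */
    return region_is_executable((const void *)real_function);
}

/* A heap buffer of arbitrary bytes: the cast compiles just the same, but
 * ((void (*)())buf)() would fault because the heap carries no execute bit. */
int heap_buffer_is_executable(void)
{
    char *buf = malloc(64);
    if (!buf) return -1;
    for (int i = 0; i < 64; i++) buf[i] = 'A';  /* constructed filler, never executed */
    int r = region_is_executable(buf);
    free(buf);
    return r;
}
```

On a system without NX enforcement (older x86 OSes, many bare-metal targets) the heap check can report 1, which is exactly the condition under which the challenge's buffer becomes callable.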
