By sh.3.ll

2020-01-14 13:08:02 8 Comments

I am solving a binary exploitation challenge on picoCTF and came across this piece of code:

((void (*)())buf)();

where buf is a character array.

I solved the challenge but can't seem to understand what exactly it's doing. I looked at this thread but I couldn't make it out.

What does ((void (*)())buf)(); mean?


@Some programmer dude 2020-01-14 13:12:17

void (*)() is a type, the type being "pointer to function that takes indeterminate arguments and returns no value".

(void (*)()) is a type-cast to the above type.

(void (*)())buf casts buf to the above type.

((void (*)())buf)() calls the function (passing no arguments).

In short: It tells the compiler to treat buf as a pointer to a function, and to call that function.

@bta 2020-01-14 23:49:39

I find the cdecl utility (or website) helpful for translating the more complex C expressions into English.

@bolov 2020-01-15 01:00:33

@bta cdecl is not useful here as the syntax is not a declaration. It's a function call via a cast on a previously declared symbol.

@bta 2020-01-15 01:11:11

@bolov - On the entire statement, no, but it does explain the most complex part of it. From there, decoding the rest is fairly straightforward.

@AvD 2020-01-15 02:04:43

I don't think that the contents of the character array buf[ ] play a role, only the address of the "array" matters. I mean you cannot copy the character array buf[ ] to some real character array copy[ ] and expect that ((void (*)())copy)(); will call the function. It will crash.

@wrtlprnft 2020-01-15 04:39:54

@AvD If wherever buf or copy is located is at an executable address and the code itself is position-independent, this will work. It is of course as non-portable as it gets, but this should work in many bare-metal environments as well as older x86 OSes that don't set the no-execute (NX) bit on stack and heap.

@TonyK 2020-01-15 10:40:29

@AvD: It won't necessarily crash. Unless the data area is protected against execution (which depends on the architecture and the run-time environment), you can use this trick to compile a function into an array at run-time and call it on the fly. I first used this trick 35 years ago on a DEC Vax to compile Turing machines for a failed experiment in Turing machine evolution.

@S.S. Anne 2020-01-14 23:31:55

It casts the character array to a pointer to a function taking no arguments and returning void, and then calls it. Dereferencing the pointer is not required due to how function pointers work.

An explanation:

That "character array" is actually an array of machine code. When you cast the array to a void (*)() and call it, it runs the machine code inside of the array. If you provided the array's contents I could disassemble it for you and tell you what it's doing.

@lukeg 2020-01-14 13:12:21

It's a typecast, followed by a function call. Firstly, buf is cast to the pointer to a function that returns void. The last pair of parentheses means that the function is then called.

@P__J__ 2020-01-14 13:11:23

Pointer buf is converted to a pointer to a void function taking an unspecified number of parameters and then dereferenced (i.e. the function is called).
