问题描述
我已经阅读并搜索了左右规则来解码函数指针.
I have read and googled about the right-left rule to decode function pointers.
例如:
int (*(*fun_one)(char *,double))[9][20];
是: fun_one是指向期望的函数的指针(char *,double),并且 返回指向int数组(大小20)的数组(大小9)的指针.
is: fun_one is pointer to function expecting (char *,double) and returning pointer to array (size 9) of array (size 20) of int.
那是
const char code[] = "\x31\xc0";
int main(){
((void(*)( ))code)();
}
"代码是??返回指向函数的指针,该函数返回void ... ????那之后()"
我对此完全感到困惑.
推荐答案
const char code[] = "\x31\xc0";
int main(){
((void(*)( ))code)();
}
这是它的工作方式. code
变量将衰减到第一个元素(\x31
)的地址.
Here's how it works. The code
variable will decay to the address of the first element (\x31
).
该地址将被强制转换为带有不确定参数且不返回任何内容的函数的地址.
That address will then be cast to the address of a function taking indeterminate arguments, and returning nothing.
它涵盖了整个((void(*)( ))code)
位,并且到此为止,您基本上已经构造了一个指向字符串的函数指针.
That covers the entire ((void(*)( ))code)
bit and, up to there, you've basically constructed a function pointer pointing to your string.
()
然后只需调用您要指向的函数.
The ()
then simply calls the function that you're pointing to.
如果这是您要针对的Intel CPU,31 c0
会反汇编为xor eax, eax
,但是当缓冲区的末端用尽时,我并不期望它很高兴,它很有可能崩溃.标记字符串结尾的\x00
是add
指令的第一位,但是,关于此之后的内容,不能保证.
If that's an Intel CPU you're targeting, 31 c0
disassembles to xor eax, eax
but I'm not expecting much joy when it runs off the end of the buffer, it's likely to crash spectacularly. The \x00
marking the end of the string is the first bit of an add
instruction but, as to what comes after that, there's no guarantee.
在字符串的末尾添加ret
指令可能使它更安全,但是您可能必须检查所生成的汇编代码以用于调用本身,以找出哪个 >应该使用ret
.
Adding a ret
instruction to the end of the string may make it safer but you may have to examine the generated assembler code for the call itself to figure out which ret
should be used.
这篇关于函数指针声明语法混乱的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!