14

I have this piece of code to test a shellcode but I don't understand it so can anyone explain it to me?

Forget about the assembly shellcode; what I want to understand is the C code:

    char shellcode[] = "...";            /* raw machine-code bytes (elided, see the comment below) */

    int main(int argc, char **argv)
    {
        int (*func)();                   /* declare func: a pointer to a function returning int */
        func = (int (*)()) shellcode;    /* make it point at the first byte of the array */
        (int)(*func)();                  /* call the bytes as if they were a function */
        return 0;
    }

I mean everything: what are the empty ()? Please explain it as if you are explaining it to a beginner.

Sam
0xab3d
  • Since the shell code is "unimportant", I've elided it (just to be safe). – Marcelo Cantos May 09 '10 at 14:55
  • 1
    User name seems like a good way to get put on CIA and GCHQ databases. Together with the question, you can probably expect a visit from the SAS at any moment... –  May 09 '10 at 15:01

2 Answers

16
int (*func)();

This is a declaration of a function pointer. A function pointer is essentially a variable that holds the address of a function. In this case, the type of function that func points to is one that takes no arguments and returns an int. You can assign the address of a function to this variable like so:

func = foo;

Where foo is a function with the prototype int foo();.

Once a function has been assigned to this variable, you can call the function that func points to like so:

(*func)();

There is an alternate syntax (which is equivalent), which I think is more clear:

func();

So if foo was assigned to func, then both examples above would actually call the function foo.

You can also cast values to function pointers. In the code example

(int (*)())

is a cast to a function pointer that takes no arguments and returns an int. This is so the compiler won't complain about assigning what is essentially a char* to the function pointer func.

In the code you gave above, there is one last thing. After func is called, the result is (for some reason) cast to an int. As far as I can tell, this cast is totally unnecessary. So the last line

(int)(*func)();

could be replaced with

(*func)();
E.M.
3

`int (*func)();` is the definition of a pointer to a function with return type int. `func = (int (*)()) shellcode;` assigns the function pointer the address of `shellcode[]` (assembler bytecode, the instructions your CPU executes). `(int)(*func)();` calls the function by its address (the assembler instructions) with no arguments passed, because `()` is specified. For example, the assembler instruction `\x90` is named NOP (No Operation) and does nothing; other assembler instructions do different things depending on the system you're executing them on.

YasirA
  • thnx Yasir, but I didn't get it so well. So `func = (int (*)()) shellcode`, what does it do? Does it take the address of shellcode and place it in func? And is the function implementation – 0xab3d May 09 '10 at 15:00
  • 1
    To the question author: every function in C has an address. `func = (int (*)()) shellcode;` tells the compiler that the code of the function begins at the first byte of `shellcode[]`, but you have a function that is just the assembler code. Since every C program after compilation becomes assembler code, this is not a problem, and calling `(int)(*func)();` should result in execution of the assembler instructions you put in `shellcode[]`. – YasirA May 09 '10 at 15:13
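Both answers above describe the same three steps: declare a function pointer, store an address in it (with a cast when the address is not already a function pointer), and call through it. The following is an added example written for this page, not code from either answerer; it walks through those steps against a real compiled function (`foo`, chosen here) instead of a byte array, so it can be compiled and run anywhere. It also shows why the trailing `(int)` cast is a no-op and, in `call_via_cast`, reproduces the exact `(int (*)()) pointer` conversion from the question.

```c
#include <stdio.h>
#include <string.h>

/* An ordinary function with the shape the question's pointer expects:
 * no arguments, returns int. Writing (void) is the modern way to say
 * "takes no arguments"; the question's empty () is the old-style form,
 * which before C23 means "argument list unspecified". */
int foo(void)
{
    return 42;
}

/* Step 1-3 from the answers: declare the pointer, assign a function,
 * call through it with both syntaxes. */
int call_through_pointer(void)
{
    int (*func)(void);        /* func is a pointer to "int f(void)" */
    func = foo;               /* store foo's address (same as &foo) */

    int a = (*func)();        /* explicit-dereference call syntax */
    int b = func();           /* equivalent shorthand */
    int c = (int)(*func)();   /* the question's cast: int -> int, changes nothing */

    return a + b + c;         /* 42 + 42 + 42 = 126 */
}

/* The cast from the question, but aimed at real code. foo's address is
 * copied bit-for-bit into a plain char* (standing in for the question's
 * shellcode[] buffer) and then cast back to a function pointer, exactly
 * as "func = (int (*)()) shellcode;" does. Converting between object and
 * function pointers is not guaranteed by ISO C, but POSIX platforms
 * support it (dlsym() depends on it). */
int call_via_cast(void)
{
    int (*fp)(void) = foo;
    char *raw;                              /* untyped view of the address */
    memcpy(&raw, &fp, sizeof raw);          /* avoid a pedantic cast warning */

    int (*func)(void) = (int (*)(void)) raw; /* the cast the question asked about */
    return func();                           /* jumps to foo: 42 */
}

int main(void)
{
    printf("through pointer: %d\n", call_through_pointer());
    printf("via cast:        %d\n", call_via_cast());
    return 0;
}
```

Everything this example jumps to is code the compiler emitted, which is the one thing the harness in the question does not have: a `char shellcode[]` array lives in the program's writable data segment, and on current systems with NX/DEP enforced that memory is not executable, so `(*func)()` there faults with a segmentation violation instead of running the bytes. That behaviour is the mitigation working as intended, and it is the first thing to check when such a harness "does nothing" or crashes.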