
Question

int eax = ((int(*)())("\xc3 <- This returns the value of the EAX register"))();

How does this work? The string is cast to a function pointer.

Answer


c3 is the RET instruction. When an x86 machine jumps to this string interpreted as code, it will execute RET and therefore jump right back without having done anything (the rest of the string is therefore ignored). Since standard calling convention on x86 is to put your return value in eax, but the code didn't do anything before returning, whatever was already in eax will still be there, and in a position for the C code to interpret it as having been "returned".


This is highly dependent on your machine being x86 and that you're allowed to cast between data and function pointers (and execute the result) - a very system-specific hack. This is not standard compliant or portable C by any stretch!


(\xXX is C's escape syntax for inserting single nonreadable characters into strings via their ASCII code in hex, if you didn't know that part.)
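The check a practitioner would want after reading this answer, as an added example that is not part of the original question or answer: on a current Linux toolchain the string literal lives in a read-only, non-executable mapping, so the cast above faults before the RET byte is ever reached. The program below (assumed to run on Linux, where /proc/self/maps is available) looks up which mapping an address falls in and reports whether it carries the execute bit.

```c
/* Added example: check whether a given address is in an executable mapping
 * by parsing /proc/self/maps (Linux only; assumed available). Shows why the
 * "\xc3" cast trick depends on data pages being executable. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if target lies in a mapping with the 'x' permission bit,
 * 0 if it lies in a non-executable mapping, -1 if not found. */
int is_executable_address(uintptr_t target)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, maps)) {
        unsigned long start, end;
        char perms[5];
        /* Each line starts like: 7f3a1c000000-7f3a1c021000 r--p ... */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
            continue;
        if (target >= start && target < end) {
            result = (perms[2] == 'x') ? 1 : 0;
            break;
        }
    }
    fclose(maps);
    return result;
}

/* Copies the single RET byte into a heap buffer (constructed sample data);
 * the heap is mapped rw-p, so this byte is data, never code. */
uintptr_t ret_byte_on_heap(void)
{
    unsigned char *buf = malloc(16);
    if (!buf)
        return 0;
    memcpy(buf, "\xc3", 1);
    return (uintptr_t)buf;
}

int main(void)
{
    const char *literal = "\xc3 <- one RET byte, but it is data, not code";
    printf("string literal executable? %d\n", is_executable_address((uintptr_t)literal));
    printf("heap buffer executable?    %d\n", is_executable_address(ret_byte_on_heap()));
    printf("real function executable?  %d\n", is_executable_address((uintptr_t)is_executable_address));
    return 0;
}
```

With NX/W^X enforced, the first two lines print 0 and the last prints 1, which is exactly why the hack in the question traps on a modern system even though the byte sequence is valid x86 code.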
