Address Error Exception: Difference between revisions
Revision as of 13:17, 17 July 2020
The Nintendo 64's CPU, the VR4300, can throw an Address Error Exception. This occurs when the CPU accesses an invalid or non-existent address, most commonly as a Null Pointer Exception: an Address Error Exception caused by attempting to access address 0 (NULL).
Exploits
Address Error Exceptions often have exploit potential on Wii VC, since the Wii VC emulator ignores null pointer exceptions. This means that a read from a null address into a register leaves the register untouched, holding its previous value, and execution resumes normally.
With that in mind, each crash that causes an Address Error Exception can be analyzed for what the skipped load actually affects.
Cause | ACE Exploitable | Any Exploitable | Notes
---|---|---|---
Deleting a non-existent file on the File Select Screen | No | Doubtful | `sMainMenuButtons[MENU_BUTTON_ERASE]->oMenuButtonActionPhase` is NULL when written to. For selecting 'NO' this results in the button zoom being unaffected. 'YES' is more complex. It's just a write, and the copy menu doesn't allow for this glitch, so this is unlikely to be exploitable. Plus, there's barely anything to work with when we're not even in-game.
Moving a shadow above surface 12 while it's over OOB | | |
Killing a Monty Mole remotely | No | No | `o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30` causes the crash, as Mario needs to be < 1500 units away for the Monty Mole to select a hole (otherwise `oMontyMoleCurrentHole` is NULL)
Killing an uninitialized Monty Mole | No | No | (same as above)
Going out of bounds in a room with a painting | No | No | `gPaintingMarioFloorType` is what is affected, and it's updated every frame the OoB check happens; at most, you could maybe delay entering a painting by 1 frame
Being pushed off of a hang-able ceiling while in the idle hanging action | No | Doubtful | (No effect for the idle loop hang's t8: the last use of the t8 set is `jr t8`, which is never the hang-able value 0x05.) The relevant code for the start-hanging case is listed below the table.
Sound glitch | N/A | N/A | The cause of the sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release.

Relevant code for the hang-able ceiling case (sp24 is gMarioState):

```
//! Crash if Mario's referenced ceiling is NULL (same for other hanging actions)
if (m->ceil->type != SURFACE_HANGABLE) {
    12a4: 8fa80018  lw   t0,24(sp)
    12a8: 24010005  li   at,5
    12ac: 8d090064  lw   t1,100(t0)
    12b0: 85390000  lh   t9,0(t1)
    12b4: 13210008  beq  t9,at,12d8 <act_start_hanging+0xf0>
    12b8: 00000000  nop
```

Since the t9 load is skipped, the only effect could be to potentially cause Mario to stay hanging for a single frame without a ceiling. After that, `perform_hanging_step` will catch the fact that Mario's ceiling is NULL and stop the hang. Similar effects on the PAL version.
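As an added illustration of the Wii VC behaviour described above and of the hang-able ceiling row, this C model (not code from the wiki or from the game) replays the six-instruction `act_start_hanging` listing under both execution models. The struct layout, the addresses and the stale t9 value are constructed for the demo and are not the game's real values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum model { MODEL_N64, MODEL_WIIVC };        /* how a load from NULL behaves */
enum outcome { RAN_NORMALLY, ADDRESS_ERROR };
#define SURFACE_HANGABLE 5                    /* matches the `li at,5` in the listing */

/* Constructed memory image holding only what the listing reads (addresses are made up). */
struct mem {
    uint32_t mario_addr;  /* gMarioState, loaded from 24(sp) */
    uint32_t ceil_ptr;    /* gMarioState->ceil at offset 100; 0 means NULL */
    int16_t  ceil_type;   /* ceil->type at offset 0 of the surface */
};

/* One load. The N64 raises an Address Error for address 0; Wii VC (as the
 * article describes) skips the load, so *dst keeps its stale value. */
static enum outcome mem_load(enum model mdl, const struct mem *m, uint32_t addr, uint32_t *dst)
{
    if (addr == 0)
        return mdl == MODEL_N64 ? ADDRESS_ERROR : RAN_NORMALLY;
    if (addr == m->mario_addr + 100)
        *dst = m->ceil_ptr;                          /* lw: the pointer itself */
    else if (addr == m->ceil_ptr)
        *dst = (uint32_t)(int32_t)m->ceil_type;      /* lh: sign-extended halfword */
    return RAN_NORMALLY;
}

/* Replays the act_start_hanging listing. stale_t9 is whatever t9 held before
 * the sequence (only matters on Wii VC); *branch_taken gets the beq result,
 * true meaning the (possibly NULL) ceiling was treated as hangable. */
enum outcome run_ceil_check(enum model mdl, const struct mem *m, uint32_t stale_t9, bool *branch_taken)
{
    uint32_t t0 = m->mario_addr, at = SURFACE_HANGABLE;   /* lw t0,24(sp); li at,5 */
    uint32_t t1 = 0, t9 = stale_t9;
    if (mem_load(mdl, m, t0 + 100, &t1) == ADDRESS_ERROR) return ADDRESS_ERROR; /* lw t1,100(t0) */
    if (mem_load(mdl, m, t1, &t9) == ADDRESS_ERROR) return ADDRESS_ERROR;       /* lh t9,0(t1)  */
    *branch_taken = (t9 == at);                           /* beq t9,at,... */
    return RAN_NORMALLY;
}

int main(void)
{
    struct mem no_ceil = { 0x80330000u, 0u, 0 };   /* constructed: ceil is NULL */
    bool taken = false;
    printf("N64: %s\n", run_ceil_check(MODEL_N64, &no_ceil, 5, &taken) == ADDRESS_ERROR ? "Address Error" : "ok");
    run_ceil_check(MODEL_WIIVC, &no_ceil, 5, &taken);     /* stale t9 happens to be 5 */
    printf("Wii VC with stale t9 == 5: branch %s\n", taken ? "taken, hang continues" : "not taken");
    return 0;
}
```

The branch outcome on Wii VC depends only on whatever t9 last held, which is why the table's notes track the previous use of the skipped register.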