Address Error Exception

From Ukikipedia
Latest revision as of 16:21, 27 September 2021

The Nintendo 64's CPU, the VR4300, can throw an Address Error Exception. This occurs when the game reads or writes an invalid or non-existent address, most commonly as a Null Pointer Exception: an Address Error Exception caused by dereferencing a pointer whose value is 0 (NULL), usually because a lookup failed and returned NULL and the caller never checked for it. (Strictly, the VR4300 raises an Address Error for misaligned accesses and for addresses the current privilege mode may not use; an access to unmapped memory such as address 0 can instead be reported as a TLB exception. This page uses the term for the whole family of crashes caused by following an invalid pointer.)

== Exploits ==

Address Error Exceptions often have exploit potential on Wii VC because the exception only fires on real N64 hardware: the Wii VC emulator does not raise it, and instead skips the offending load or store and resumes normal execution. A skipped write is simply lost, and a skipped read into a register leaves that register holding whatever value it had before, which the following code then uses as if it were the loaded value.

We can then analyze crashes that cause Address Error Exceptions and judge, for each one, whether the stale register value or the dropped write can be turned into something useful.

{| class="wikitable"
! Cause !! ACE Exploitable !! Any Exploitable !! Notes
|-
| Deleting a non-existent file on the File Select Screen || No || Doubtful || `sMainMenuButtons[MENU_BUTTON_ERASE]` is NULL when its `oMenuButtonActionPhase` field is written. For selecting 'NO' this only leaves the button zoom unaffected; 'YES' is more complex. It is just a write, and the copy menu does not allow the same glitch, so this is unlikely to be exploitable. There is also barely anything to work with when we are not even in-game.
|-
| Moving a shadow above surface 12 while it's over OOB || || ||
|-
| Killing a Monty Mole remotely || No || No || `o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30` causes the crash: Mario needs to be within 1500 units for the Monty Mole to select a hole, otherwise `oMontyMoleCurrentHole` is NULL.
|-
| Killing an uninitialized Monty Mole || No || No || Same as above.
|-
| Going out of bounds in a room with a painting || No || No || `gPaintingMarioFloorType` is what is affected, and it is updated every frame the OoB check happens; at most, you could ''maybe'' delay entering a painting by 1 frame.
|-
| Being pushed off of a hang-able ceiling while in the idle hanging action || No || Doubtful || No effect for the idle hang loop: there the skipped load targets t8, and the last value placed in t8 was used as a `jr t8` jump target, so it is never the hang-able surface type (0x05).

Relevant code from `act_start_hanging` (24(sp) holds gMarioState):

    //! Crash if Mario's referenced ceiling is NULL (same for other hanging actions)
    if (m->ceil->type != SURFACE_HANGABLE) {
    12a4: 8fa80018 lw   t0,24(sp)        # t0 = m (gMarioState, saved at 24(sp))
    12a8: 24010005 li   at,5             # at = SURFACE_HANGABLE
    12ac: 8d090064 lw   t1,100(t0)       # t1 = m->ceil (offset 0x64)
    12b0: 85390000 lh   t9,0(t1)         # t9 = ceil->type; faults when t1 == NULL
    12b4: 13210008 beq  t9,at,12d8 <act_start_hanging+0xf0>   # hangable: skip the cancel
    12b8: 00000000 nop                   # branch delay slot

Since the `lh` into t9 is skipped on Wii VC, the branch compares whatever t9 held before against 5, so the only possible effect is that Mario stays hanging for a single frame without a ceiling. After that, `perform_hanging_step` catches the fact that Mario's ceiling is NULL and stops the hang. Similar effects on the PAL version.
|-
| Sound glitch || N/A || N/A || The cause of sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release.
|-
| Teleporting while passing over a loading zone || Unknown || Yes || Since the area changed, there is now no teleporter with the same ID as the one Mario used to warp. Thus the game returns NULL when trying to find the teleporter to warp to, and crashes when trying to access information about its destination. Under certain conditions, this can cause a Wrong Warp on PAL or Shindou VC.
|-
| Warping out of a level while passing over a loading zone || || || Similar to above, but only hypothetical. Maybe possible in DDD using the Sub Gate warp and whirlpool cloning to reach the instant loading zone, but not yet achieved without hacks.
|}
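To make the hardware/emulator divergence concrete, the following C model (added here; it is not code from this page or from the SM64 decompilation, and the guest memory size, addresses and struct layout are assumptions chosen for the model) executes the five-instruction `act_start_hanging` sequence from the hanging row under two policies: a hardware-like one where a bad access raises the exception, and a Wii-VC-like one where the access is dropped and the destination register keeps its previous value. The same reasoning applies to the other rows, such as the NULL teleporter lookup.

```c
#include <stdint.h>
#include <string.h>

/*
 * Model of the act_start_hanging load sequence under two exception
 * policies. Added illustration, not code from the page or the SM64
 * decompilation; guest addresses and struct layout are assumptions.
 */

enum { POLICY_HW = 0, POLICY_VC = 1 };
enum { AT = 1, T0 = 8, T1 = 9, T9 = 25, SP = 29, NREGS = 32 };

#define SURFACE_HANGABLE 5

/* Hypothetical 4 KiB of guest RAM at the start of KSEG0; address 0 is
 * not mapped, so a NULL dereference is always a bad access here. */
#define MEM_BASE 0x80000000u
#define MEM_SIZE 4096u

/* Hypothetical locations of the objects the sequence touches. */
#define GMARIO_ADDR (MEM_BASE + 0x100)  /* gMarioState (m) */
#define CEIL_ADDR   (MEM_BASE + 0x200)  /* a Surface used as m->ceil */
#define SP_ADDR     (MEM_BASE + 0x800)  /* stack frame; 24(sp) holds m */

typedef struct {
    uint32_t regs[NREGS];
    uint8_t mem[MEM_SIZE];
    int faulted;
} Guest;

static int mapped(uint32_t addr, uint32_t size) {
    if (addr < MEM_BASE) return 0;             /* NULL lands here */
    uint32_t off = addr - MEM_BASE;
    return off <= MEM_SIZE - size && (addr % size) == 0;
}

static void store32(Guest *g, uint32_t addr, uint32_t v) {
    uint32_t off = addr - MEM_BASE;            /* big-endian like the N64 */
    g->mem[off] = (uint8_t)(v >> 24);
    g->mem[off + 1] = (uint8_t)(v >> 16);
    g->mem[off + 2] = (uint8_t)(v >> 8);
    g->mem[off + 3] = (uint8_t)v;
}

static void store16(Guest *g, uint32_t addr, uint16_t v) {
    uint32_t off = addr - MEM_BASE;
    g->mem[off] = (uint8_t)(v >> 8);
    g->mem[off + 1] = (uint8_t)v;
}

/* lw (size 4) / lh (size 2). On a bad address the hardware policy records
 * the exception; the VC policy returns without touching rt. */
static void load(Guest *g, int policy, int rt, uint32_t addr, uint32_t size) {
    if (g->faulted) return;
    if (!mapped(addr, size)) {
        if (policy == POLICY_HW) g->faulted = 1;
        return;
    }
    uint32_t off = addr - MEM_BASE;
    if (size == 4) {
        g->regs[rt] = ((uint32_t)g->mem[off] << 24) | ((uint32_t)g->mem[off + 1] << 16) |
                      ((uint32_t)g->mem[off + 2] << 8) | g->mem[off + 3];
    } else {
        int16_t h = (int16_t)(((uint16_t)g->mem[off] << 8) | g->mem[off + 1]);
        g->regs[rt] = (uint32_t)(int32_t)h;    /* lh sign-extends */
    }
}

/* Executes lw t0,24(sp); li at,5; lw t1,100(t0); lh t9,0(t1); beq t9,at.
 * ceil_ptr is the value stored in m->ceil (CEIL_ADDR, or 0 for NULL),
 * ceil_type the Surface's type, stale_t9 whatever t9 held beforehand.
 * Returns 1 if the branch is taken (ceiling treated as hangable), 0 if
 * not taken (hang cancelled), -1 if the access raised an exception. */
int start_hanging_check(int policy, uint32_t ceil_ptr, int16_t ceil_type,
                        uint32_t stale_t9) {
    Guest g;
    memset(&g, 0, sizeof g);
    g.regs[SP] = SP_ADDR;
    g.regs[T9] = stale_t9;
    store32(&g, SP_ADDR + 24, GMARIO_ADDR);
    store32(&g, GMARIO_ADDR + 100, ceil_ptr);
    store16(&g, CEIL_ADDR, (uint16_t)ceil_type);

    load(&g, policy, T0, g.regs[SP] + 24, 4);   /* lw t0,24(sp)   */
    g.regs[AT] = SURFACE_HANGABLE;              /* li at,5        */
    load(&g, policy, T1, g.regs[T0] + 100, 4);  /* lw t1,100(t0)  */
    load(&g, policy, T9, g.regs[T1], 2);        /* lh t9,0(t1)    */
    if (g.faulted) return -1;
    return g.regs[T9] == g.regs[AT];            /* beq t9,at,...  */
}
```

With `m->ceil` NULL, the hardware policy reports the exception, while the VC policy takes the branch only when the leftover t9 happens to equal 5, which is why the row is rated "doubtful": the attacker controls nothing but a stale register, and the very next frame re-checks the ceiling.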