Address Error Exception: Difference between revisions
Revision as of 12:38, 17 July 2020
The Nintendo 64's CPU, the VR4300, can throw an Address Error Exception. This occurs when a memory access targets an invalid or non-existent address; the most common case is a null pointer dereference, i.e. an Address Error Exception caused by attempting to access address 0 (NULL).
Exploits
Address Error Exceptions often have exploit potential on Wii VC, since the Wii VC emulator ignores null pointer exceptions. This means that a read from a null address into a register leaves the register untouched with its last value, and execution resumes normally with that stale value.
With that in mind, the crashes below that cause Address Error Exceptions can be analyzed for exploit potential.
Cause | ACE Exploitable | Any Exploitable | Notes |
---|---|---|---|
Deleting a non-existent file on the File Select Screen | No | Doubtful | `sMainMenuButtons[MENU_BUTTON_ERASE]->oMenuButtonActionPhase` is NULL when written to. For selecting 'NO' this results in the button zoom being unaffected. 'YES' is more complex. It's just a write and the copy menu doesn't allow for this glitch, so this is unlikely to be exploitable. Plus, there's barely anything to work with when we're not even in-game. |
Moving a shadow above surface 12 while it's over OOB | | | |
Killing a Monty Mole remotely | No | No | `o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30` causes the crash, as Mario needs to be within 1500 units for the Monty Mole to select a hole (otherwise it's NULL). |
Killing an uninitialized Monty Mole | No | No | Same as above. |
Going out of bounds in a room with a painting | No | No | `gPaintingMarioFloorType` is what is affected, and it's updated every frame the OoB check happens; at most, you could *maybe* delay entering a painting by 1 frame. |
Being pushed off of a hang-able ceiling while in the idle hanging action | No | Doubtful | No effect for the idle hang loop (t8: the last use of the t8 value is `jr t8`, which is never the hang-able value 0x05). See the relevant code below. |
Sound glitch | N/A | N/A | The cause of the sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release. |

Relevant code for the hanging-action case (sp24 is gMarioState):

```
//! Crash if Mario's referenced ceiling is NULL (same for other hanging actions)
if (m->ceil->type != SURFACE_HANGABLE) {
    12a4: 8fa80018 lw t0,24(sp)
    12a8: 24010005 li at,5
    12ac: 8d090064 lw t1,100(t0)
    12b0: 85390000 lh t9,0(t1)
    12b4: 13210008 beq t9,at,12d8 <act_start_hanging+0xf0>
    12b8: 00000000 nop
```

On Wii VC the `lh t9,0(t1)` load from the NULL ceiling is skipped, so the only effect could be that Mario stays hanging for a single frame without a ceiling.
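As an added example (not code from this page or from the SM64 decompilation), the following Python model steps through the six instructions above under both CPU behaviours the page describes: a real VR4300 faulting on the NULL load, and the Wii VC emulator dropping the load so that t9 keeps its stale value. The memory addresses and the stale t9 values are constructed placeholders.

```python
SURFACE_HANGABLE = 5      # immediate from `li at,5`
SP_MARIO_OFFSET = 24      # `lw t0,24(sp)`  -> m (gMarioState)
CEIL_OFFSET = 100         # `lw t1,100(t0)` -> m->ceil
TYPE_OFFSET = 0           # `lh t9,0(t1)`   -> ceil->type


class AddressError(Exception):
    """The Address Error Exception the VR4300 raises on a NULL load."""


def load(mem, addr, reg, regs, vc_emulator):
    """Model lw/lh into `reg`. Real hardware faults on a NULL address; the
    Wii VC emulator (as described above) drops the load, so `reg` keeps
    whatever stale value it already held."""
    if addr == 0:
        if vc_emulator:
            return  # register left untouched
        raise AddressError(f"load from 0x{addr:08x}")
    regs[reg] = mem[addr]


def ceil_check(mem, regs, vc_emulator):
    """Run the six-instruction sequence from act_start_hanging. Returns
    'exception' if the CPU faulted, 'hangable' if `beq t9,at` is taken
    (ceiling type == SURFACE_HANGABLE), else 'not_hangable'."""
    regs = dict(regs)
    try:
        load(mem, regs["sp"] + SP_MARIO_OFFSET, "t0", regs, vc_emulator)
        regs["at"] = SURFACE_HANGABLE
        load(mem, regs["t0"] + CEIL_OFFSET, "t1", regs, vc_emulator)
        load(mem, regs["t1"] + TYPE_OFFSET, "t9", regs, vc_emulator)
    except AddressError:
        return "exception"
    return "hangable" if regs["t9"] == regs["at"] else "not_hangable"


# Constructed memory image (placeholder addresses, not the real ones): the
# stack slot holds the gMarioState pointer and m->ceil is NULL, as after
# being pushed off the ceiling.
SP, MARIO_STATE = 0x80000000, 0x80001000
MEM_NULL_CEIL = {SP + SP_MARIO_OFFSET: MARIO_STATE, MARIO_STATE + CEIL_OFFSET: 0}
REGS = {"sp": SP, "t0": 0, "t1": 0, "t9": 0, "at": 0}


def outcome_table():
    """Same NULL ceiling under three conditions: real N64, VC with a stale
    t9 that is not 5, and VC where t9 happened to hold 5 beforehand."""
    return {
        "n64": ceil_check(MEM_NULL_CEIL, REGS, vc_emulator=False),
        "vc_stale_other": ceil_check(MEM_NULL_CEIL, dict(REGS, t9=0x22), vc_emulator=True),
        "vc_stale_five": ceil_check(MEM_NULL_CEIL, dict(REGS, t9=5), vc_emulator=True),
    }
```

On VC the branch outcome depends only on what t9 last held, which is the question the Notes column answers for each crash.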