Address Error Exception: Difference between revisions
(I looked into this and it seems RIP for the reasons given, correct me daddy) |
(wii vc does not ignore all aees) |
||
Line 1: | Line 1: | ||
The [[Nintendo 64]]'s CPU, the VR4300, can throw an '''Address Error Exception'''. This occurs when lookup to an invalid or non-existent address occurs, most commonly as a | The [[Nintendo 64]]'s CPU, the VR4300, can throw an '''Address Error Exception'''. This occurs when lookup to an invalid or non-existent address occurs, most commonly as a '''Null Pointer Exception''', which is an Address Error Exception caused by attempting to access an address of 0 (NULL). | ||
== Exploits == | == Exploits == | ||
Address Error Exceptions often have exploit potential on [[Wii VC]] since the Wii VC emulator ignores null pointer exceptions. This means that a read from a null address into a register will actually leave the register untouched with its last value and resume normal execution. | |||
We can then analyze [[Crash|crashes]] that cause Address Error Exceptions. | We can then analyze [[Crash|crashes]] that cause Address Error Exceptions. |
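Review bot: The Exploits sentence in this revision opens with "Address Error Exceptions often have exploit potential" but justifies it only with the emulator ignoring null pointer exceptions, so the claim is wider than its stated reason. Consider opening with "Null Pointer Exceptions often have exploit potential on [[Wii VC]]", or say which other Address Error Exceptions are not ignored, as the edit summary implies. The sentence also covers only reads ("a read from a null address into a register"), so it would help to state what the emulator does on a write to a null address.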
Revision as of 22:15, 27 December 2019
The Nintendo 64's CPU, the VR4300, can throw an Address Error Exception. This occurs on a lookup of an invalid or non-existent address, most commonly as a Null Pointer Exception, which is an Address Error Exception caused by attempting to access an address of 0 (NULL).
Exploits
Address Error Exceptions often have exploit potential on Wii VC since the Wii VC emulator ignores null pointer exceptions. This means that a read from a null address into a register will actually leave the register untouched with its last value and resume normal execution.
We can then analyze crashes that cause Address Error Exceptions.
Cause | ACE Exploitable | Any Exploitable | Notes |
---|---|---|---|
Deleting a non-existent file on the File Select Screen | No | Doubtful | `sMainMenuButtons[MENU_BUTTON_ERASE]->oMenuButtonActionPhase` is NULL when written to. For selecting 'NO' this results in the button zoom being unaffected. 'YES' is more complex. It's just a write and the copy menu doesn't allow for this glitch, so this is unlikely to be exploitable. Plus, there's barely anything to work with when we're not even in-game. |
Moving a shadow above surface 12 while it's over OOB | |||
Killing a Monty Mole remotely | No | No | `o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30` causes the crash, as Mario needs to be < 1500 units away for the Monty Mole to select a hole (otherwise it's NULL) |
Killing an uninitialized Monty Mole | No | No | (same as above) |
Going out of bounds in a room with a painting | No | No | `gPaintingMarioFloorType` is what is affected, and it's updated every frame the OoB check happens; at most, you could maybe delay entering a painting by 1 frame |
Being pushed off of a hang-able ceiling while in the idle hanging action | No | Doubtful | t9 for start hang. Would potentially cause Mario to stay hanging for a single frame without a ceiling. No effect for idle loop hang (t8; the last use of t8 set is `jr t8`, which is never the hang-able value 0x05) |
Sound glitch | N/A | N/A | The cause of sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release. |
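
The difference described under Exploits, modelled as an added example (not code from this wiki, the game or any emulator): a toy load instruction run under two fault policies, showing the destination register keeping its previous value when a null read is ignored. The register file, memory contents and programs are constructed, and treating every non-null invalid address as still fatal on Wii VC is an assumption based on the revision note that it does not ignore all Address Error Exceptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not emulator code. Register numbers are the MIPS t0/t1. */
enum { T0 = 8, T1 = 9, RAM_WORDS = 64 };
enum policy { CONSOLE, WII_VC };   /* how a faulting load is handled */
enum op { LI, LW };                /* load immediate, load word */
struct insn { enum op op; int rt, base; uint32_t imm; };
struct state { uint32_t gpr[32]; bool halted; unsigned ignored; };

static const uint32_t ram[RAM_WORDS] = { [4] = 0xCAFE };  /* constructed */

/* lw rt, 0(base). Address 0 is the null-pointer case from the text. */
static void exec_lw(struct state *s, enum policy p, int rt, int base) {
    uint32_t addr = s->gpr[base];
    bool invalid = addr == 0 || (addr & 3) != 0 || addr / 4 >= RAM_WORDS;
    if (!invalid) { s->gpr[rt] = ram[addr / 4]; return; }
    if (p == WII_VC && addr == 0) { s->ignored++; return; }  /* rt untouched */
    s->halted = true;              /* exception taken: execution stops */
}

static struct state run(const struct insn *prog, int n, enum policy p) {
    struct state s = {0};
    for (int i = 0; i < n && !s.halted; i++) {
        if (prog[i].op == LI) s.gpr[prog[i].rt] = prog[i].imm;
        else exec_lw(&s, p, prog[i].rt, prog[i].base);
    }
    return s;
}

/* Constructed programs. */
static const struct insn null_read[] = {
    { LI, T1, 0, 0x10 }, { LW, T0, T1, 0 },  /* t0 = ram[4], a valid load */
    { LI, T1, 0, 0 },    { LW, T0, T1, 0 },  /* t0 = *(NULL) */
    { LI, T1, 0, 7 },                        /* runs only if not halted */
};
static const struct insn misaligned_read[] = {
    { LI, T1, 0, 0x12 }, { LW, T0, T1, 0 },  /* assumed to stay fatal */
};

int main(void) {
    struct state c = run(null_read, 5, CONSOLE), v = run(null_read, 5, WII_VC);
    printf("console: halted=%d t0=%#x t1=%u\n", c.halted,
           (unsigned)c.gpr[T0], (unsigned)c.gpr[T1]);
    printf("wii vc:  halted=%d t0=%#x t1=%u ignored=%u\n", v.halted,
           (unsigned)v.gpr[T0], (unsigned)v.gpr[T1], v.ignored);
    printf("misaligned on wii vc: halted=%d\n",
           run(misaligned_read, 2, WII_VC).halted);
    return 0;
}
```

Running the same trace under both policies is a simple way to spot where an emulated run has continued past a point at which the console would have crashed.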