Address Error Exception: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
m (added colors (thanks nim for the code)) |
||
| Line 10: | Line 10: | ||
! Cause !! ACE Exploitable !! Any Exploitable !! Notes | ! Cause !! ACE Exploitable !! Any Exploitable !! Notes | ||
|- | |- | ||
| Exceed the [[Objects#Object Limit|object limit]] || No || No || There's a `while (1) ;` that prevents this from occurring | | Exceed the [[Objects#Object Limit|object limit]] || style="background-color: #ff9696"| No || style="background-color: #ff9696"| No || There's a `while (1) ;` that prevents this from occurring | ||
|- | |- | ||
| Deleting a non-existent file on the File Select Screen || || || sMainMenuButtons[MENU_BUTTON_ERASE_FILE_A + sSelectedFile] (assignment) is NULL. For selecting 'NO' this results in the button zoom being unaffected. 'YES' is more complex. | | Deleting a non-existent file on the File Select Screen || style="background-color: #baffa8"| || style="background-color: #baffa8"| || sMainMenuButtons[MENU_BUTTON_ERASE_FILE_A + sSelectedFile] (assignment) is NULL. For selecting 'NO' this results in the button zoom being unaffected. 'YES' is more complex. | ||
|- | |- | ||
| Moving a shadow above surface 12 while it's over OOB || || || | | Moving a shadow above surface 12 while it's over OOB ||style="background-color: #baffa8"| ||style="background-color: #baffa8"| || | ||
|- | |- | ||
| Killing a Monty Mole remotely || No || No || o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30 causes crash as mario needs to be < 1500 units for monty to select a hole (otherwise it's null) | | Killing a Monty Mole remotely || style="background-color: #ff9696"| No || style="background-color: #ff9696"| No || o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30 causes crash as mario needs to be < 1500 units for monty to select a hole (otherwise it's null) | ||
|- | |- | ||
| Killing an uninitialized Monty Mole || No || No || (same as above) | | Killing an uninitialized Monty Mole || style="background-color: #ff9696"| No || style="background-color: #ff9696"| No || (same as above) | ||
|- | |- | ||
| Going out of bounds in a room with a painting || No || Maybe? || `D_8035FF90` is set to ''t4'' | | Going out of bounds in a room with a painting || style="background-color: #ff9696"| No || style="background-color: #fffca8"| Maybe? || `D_8035FF90` is set to ''t4'' | ||
|- | |- | ||
| Being pushed off of a hang-able ceiling while in the idle hanging action || No || Doubtful || ''t9'' for start hang. Would potentially cause Mario to stay hanging for a single frame without a ceiling, No effect for idle loop hang t8, last use of t8 set is ''jr t8'' which is never the hang-able value 0x05) | | Being pushed off of a hang-able ceiling while in the idle hanging action || style="background-color: #ff9696"| No || style="background-color: #fffca8"| Doubtful || ''t9'' for start hang. Would potentially cause Mario to stay hanging for a single frame without a ceiling, No effect for idle loop hang t8, last use of t8 set is ''jr t8'' which is never the hang-able value 0x05) | ||
|- | |- | ||
| Sound glitch || N/A || N/A || The cause of sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release. | | Sound glitch || style="background-color: #ffb65e"| N/A || style="background-color: #ffb65e"| N/A || The cause of sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release. | ||
|} | |} | ||
Revision as of 14:53, 23 April 2019
The Nintendo 64's CPU, the VR4300, can throw an Address Error Exception. This occurs when lookup to an invalid or non-existent address occurs, most commonly as a null-reference exception.
Exploits
Because the exception only occurs on the N64 and not the Wii VC it could potentially be exploited. The Wii VC will skip the write or read when the exception would occur. This means that a read from an invalid address into a register will actually leave the register untouched with its last value and resume normal execution.
We can then analyze crashes that cause Address Error Exceptions.
| Cause | ACE Exploitable | Any Exploitable | Notes |
|---|---|---|---|
| Exceed the object limit | No | No | There's a `while (1) ;` that prevents this from occurring |
| Deleting a non-existent file on the File Select Screen | sMainMenuButtons[MENU_BUTTON_ERASE_FILE_A + sSelectedFile] (assignment) is NULL. For selecting 'NO' this results in the button zoom being unaffected. 'YES' is more complex. | ||
| Moving a shadow above surface 12 while it's over OOB | |||
| Killing a Monty Mole remotely | No | No | o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30 causes crash as mario needs to be < 1500 units for monty to select a hole (otherwise it's null) |
| Killing an uninitialized Monty Mole | No | No | (same as above) |
| Going out of bounds in a room with a painting | No | Maybe? | `D_8035FF90` is set to t4 |
| Being pushed off of a hang-able ceiling while in the idle hanging action | No | Doubtful | t9 for start hang. Would potentially cause Mario to stay hanging for a single frame without a ceiling, No effect for idle loop hang t8, last use of t8 set is jr t8 which is never the hang-able value 0x05) |
| Sound glitch | N/A | N/A | The cause of sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release. |