Address Error Exception

From Ukikipedia
Revision as of 12:38, 17 July 2020 by MMMMMMMMMMMMM (talk | contribs) (show ASM and stuff)
Jump to navigation Jump to search

The Nintendo 64's CPU, the VR4300, can throw an Address Error Exception. This occurs when lookup to an invalid or non-existent address occurs, most commonly as a Null Pointer Exception, which is an Address Error Exception caused by attempting to access an address of 0 (NULL).

Exploits

Address Error Exceptions often have exploit potential on Wii VC since the Wii VC emulator ignores null pointer exceptions. This means that a read from a null address into a register will actually leave the register untouched with its last value and resume normal execution.

We can then analyze crashes that cause Address Error Exceptions.

Cause ACE Exploitable Any Exploitable Notes
Deleting a non-existent file on the File Select Screen No Doubtful sMainMenuButtons[MENU_BUTTON_ERASE]->oMenuButtonActionPhase is NULL when written to. For selecting 'NO' this results in the button zoom being unaffected. 'YES' is more complex. It's just a write and the copy menu doesn't allow for this glitch, so this is unlikely to be exploitable. Plus, there's barely anything to work with when we're not even in-game.
Moving a shadow above surface 12 while it's over OOB
Killing a Monty Mole remotely No No o->oMontyMoleCurrentHole->oMontyMoleHoleCooldown = 30 causes crash as mario needs to be < 1500 units for monty to select a hole (otherwise it's null)
Killing an uninitialized Monty Mole No No (same as above)
Going out of bounds in a room with a painting No No `gPaintingMarioFloorType` is what is affected, and it's updated every frame the OoB check happens; at most, you could maybe delay entering a painting by 1 frame
Being pushed off of a hang-able ceiling while in the idle hanging action No Doubtful No effect for idle loop hang t8, last use of t8 set is jr t8 which is never the hang-able value 0x05)

Relevant code (sp24 is gMarioState): 

   //! Crash if Mario's referenced ceiling is NULL (same for other hanging actions)
   if (m->ceil->type != SURFACE_HANGABLE) {
   12a4:	8fa80018 	lw	t0,24(sp)
   12a8:	24010005 	li	at,5
   12ac:	8d090064 	lw	t1,100(t0)
   12b0:	85390000 	lh	t9,0(t1)
   12b4:	13210008 	beq	t9,at,12d8 <act_start_hanging+0xf0>
   12b8:	00000000 	nop

Since the t9 load is skipped, the only effect could be to potentially cause Mario to stay hanging for a single frame without a ceiling.

Sound glitch N/A N/A The cause of sound glitch is unknown. Contrary to popular belief, it can sometimes occur on versions other than the original Japanese N64 release.
Retrieved from "https://ukikipedia.net/mediawiki/index.php?title=Address_Error_Exception&oldid=12168"