0x1500 control code arbitrary code execution: Difference between revisions
Previous revision: m (Fixed the link to the forum archives.) | Current revision: No edit summary

Line 12:
==Effects of the 0x15 control character==
− The 0x15 control character signifies a "mobile script" in Crystal. When the text engine reads the byte 0x15, it uses the following bytes as jump table indices to a list of specific functions ("mobile functions"). The valid jump table indices are 0x01 to 0x0f (i.e. 1 to 15), and an index >= 0x10 would end the mobile script interpretation procedure instead of being used as a jump table index. Notice that some mobile functions may "take parameters" by consuming them from the text stream.
+ The 0x15 control character signifies a "[[mobile script]]" in Crystal. When the text engine reads the byte 0x15, it uses the following bytes as jump table indices to a list of specific functions ("mobile functions"). The valid jump table indices are 0x01 to 0x0f (i.e. 1 to 15), and an index >= 0x10 would end the mobile script interpretation procedure instead of being used as a jump table index. Notice that some mobile functions may "take parameters" by consuming them from the text stream.
However, the byte 0x00 is not excluded by the above check. It would be interpreted as jump table index 256, and the jump target is $CD52, which is a WRAM address used in some mobile functions. Therefore, when the text engine sees the byte combination "0x15 0x00", it will jump there, leading to ACE exploits.
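As an added illustration (not from the wiki or from the game's own code), a constructed C model of the check described above: the original test only rejects index bytes >= 0x10, so 0x00 (which the game treats as index 256) slips past it, while additionally requiring the index to be at least 1 closes the hole. The table size and the 0x00-to-256 mapping follow the page; the struct, function names and the sample script are assumptions for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the 0x15 ("mobile script") dispatcher: 15 real
 * jump table entries (indices 1..15). Parameters consumed by mobile
 * functions are not modeled; every valid index just counts as a call. */
#define MOBILE_FUNC_COUNT 15
#define MOBILE_SCRIPT_END 0x10   /* any index byte >= 0x10 ends the script */

typedef struct {
    int dispatched;     /* number of in-table mobile functions "called" */
    int out_of_table;   /* set when a jump outside the table was attempted */
} mobile_result;

/* Modeled jump index: 0x01..0x0f select entries 1..15; 0x00 becomes 256,
 * mirroring the page's description of how the game treats that byte. */
static unsigned jump_index(uint8_t b) { return b == 0 ? 256u : b; }

/* Interprets the bytes that follow a 0x15 control character. With
 * hardened == 0 only the original ">= 0x10" termination test is applied;
 * with hardened != 0 a 0x00 index byte also ends the script. */
mobile_result run_mobile_script(const uint8_t *script, size_t len, int hardened)
{
    mobile_result r = {0, 0};
    for (size_t i = 0; i < len; i++) {
        uint8_t b = script[i];
        if (b >= MOBILE_SCRIPT_END) break;   /* original termination check */
        if (hardened && b == 0) break;       /* added: 0 is not a valid index */
        unsigned idx = jump_index(b);
        if (idx > MOBILE_FUNC_COUNT) {       /* jump would leave the table */
            r.out_of_table = 1;
            return r;
        }
        r.dispatched++;                      /* real engine jumps via table[idx] */
    }
    return r;
}

int main(void)
{
    /* Constructed script: two valid indices, then the 0x00 byte, then 0x50. */
    const uint8_t script[] = {0x03, 0x07, 0x00, 0x50};
    mobile_result weak = run_mobile_script(script, sizeof script, 0);
    mobile_result hard = run_mobile_script(script, sizeof script, 1);
    printf("original check: %d calls, out_of_table=%d\n", weak.dispatched, weak.out_of_table);
    printf("hardened check: %d calls, out_of_table=%d\n", hard.dispatched, hard.out_of_table);
    return 0;
}
```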