0x1500 control code arbitrary code execution: Difference between revisions

m (Fixed the link to the forum archives.)
No edit summary


==Effects of the 0x15 control character==
The 0x15 control character signifies a "[[mobile script]]" in Crystal. When the text engine reads the byte 0x15, it treats the bytes that follow as indices into a jump table of specific functions ("mobile functions"). The valid jump table indices are 0x01 to 0x0f (i.e. 1 to 15); a byte >= 0x10 ends the mobile script interpretation instead of being used as an index. Note that some mobile functions "take parameters" by consuming the bytes that follow them in the text stream, so those bytes are not themselves read as indices.


However, the byte 0x00 is not excluded by that check, which only tests the upper bound. It is treated as jump table index 256, well outside the 15 defined entries, and the pointer read from there is $CD52, a WRAM address used by some mobile functions. WRAM is writable, so what sits at $CD52 at the moment of the jump depends on game state that the player can influence. Therefore, whenever the text engine sees the byte combination "0x15 0x00", it jumps to $CD52 and executes whatever is there, which is the basis of the ACE exploits.
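The following C program is an added model of the dispatch described above, not code from the game or from this wiki. It reproduces the page's index check (only >= 0x10 ends the script) beside a hardened check that also rejects 0x00, and walks constructed text streams through both. The per-function parameter counts, the sample streams, and the assumption that the terminating byte is consumed are all hypothetical; the arithmetic by which the game turns 0x00 into index 256 and reaches $CD52 is not modelled, the model only records that 0x00 reached dispatch. It also shows why a naive scan for the adjacent pair "0x15 0x00" is not enough: a 0x00 that follows a parameterless mobile function is still read as an index, while a 0x00 consumed as a parameter is not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MS_MOBILE_CMD    0x15  /* text control code that starts a mobile script */
#define MS_END_THRESHOLD 0x10  /* an index byte >= this ends the script */

/* Parameter bytes consumed by each mobile function index. The page only says
 * that some functions take parameters; these counts are ASSUMED for the model
 * and are not the game's. Index 0x00 has no table entry at all. */
static const uint8_t ms_param_count[MS_END_THRESHOLD] = {
    [0x02] = 1, [0x05] = 2,
};

struct ms_trace {
    int dispatched;    /* calls to defined entries 0x01..0x0f */
    int out_of_table;  /* index 0x00 passed the check (the bug) */
    size_t end_pos;    /* offset of the first byte after the script */
};

/* Interpret one mobile script whose first index byte is text[pos].
 * hardened=false reproduces the original check, hardened=true adds the
 * missing lower bound. */
static struct ms_trace interpret_mobile_script(const uint8_t *text, size_t len,
                                               size_t pos, bool hardened)
{
    struct ms_trace t = {0, 0, pos};
    while (pos < len) {
        uint8_t idx = text[pos++];
        bool ends = idx >= MS_END_THRESHOLD;      /* the original check */
        if (hardened) ends = ends || idx == 0;    /* hardened: reject 0x00 */
        if (ends) break;                          /* assumed: terminator consumed */
        if (idx == 0) {
            /* Original code reaches this point with an index that has no
             * entry and jumps through whatever pointer it reads. The model
             * just records the event and stops. */
            t.out_of_table++;
            break;
        }
        t.dispatched++;
        pos += ms_param_count[idx];  /* the function eats its parameters */
    }
    t.end_pos = pos;
    return t;
}

/* Walk a whole text block, treating every 0x15 as the start of a mobile
 * script. Other text control codes are not modelled. Returns how many times
 * index 0x00 reached dispatch under the chosen check. */
static int count_0x00_dispatches(const uint8_t *text, size_t len, bool hardened)
{
    int hits = 0;
    size_t pos = 0;
    while (pos < len) {
        if (text[pos++] == MS_MOBILE_CMD) {
            struct ms_trace t = interpret_mobile_script(text, len, pos, hardened);
            hits += t.out_of_table;
            pos = t.end_pos;
        }
    }
    return hits;
}

/* Naive signature check: adjacent bytes 0x15 0x00. Returns the offset of the
 * 0x15 or -1 if the pair does not occur. */
static long find_1500_pair(const uint8_t *text, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (text[i] == MS_MOBILE_CMD && text[i + 1] == 0x00) return (long)i;
    return -1;
}

/* Constructed sample streams (0x50 stands in for the end-of-text code). */
static const uint8_t sample_direct[]         = {0x80, 0x15, 0x00, 0x50};
static const uint8_t sample_after_function[] = {0x15, 0x01, 0x00, 0x50};
static const uint8_t sample_param_zero[]     = {0x15, 0x02, 0x00, 0x10, 0x50};

int main(void)
{
    printf("direct 0x15 0x00:     flawed=%d hardened=%d pair_scan=%ld\n",
           count_0x00_dispatches(sample_direct, sizeof sample_direct, false),
           count_0x00_dispatches(sample_direct, sizeof sample_direct, true),
           find_1500_pair(sample_direct, sizeof sample_direct));
    printf("0x00 after function:  flawed=%d hardened=%d pair_scan=%ld\n",
           count_0x00_dispatches(sample_after_function, sizeof sample_after_function, false),
           count_0x00_dispatches(sample_after_function, sizeof sample_after_function, true),
           find_1500_pair(sample_after_function, sizeof sample_after_function));
    printf("0x00 as parameter:    flawed=%d hardened=%d pair_scan=%ld\n",
           count_0x00_dispatches(sample_param_zero, sizeof sample_param_zero, false),
           count_0x00_dispatches(sample_param_zero, sizeof sample_param_zero, true),
           find_1500_pair(sample_param_zero, sizeof sample_param_zero));
    return 0;
}
```

The second sample is the one to notice: the pair scanner reports nothing, yet under the original check the 0x00 is still used as an index because 0x01 consumed no parameters first. Any validation of player-controlled text (mail, nicknames, box names) therefore has to follow the interpreter's parameter consumption rather than grep for the two-byte signature.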