Author Topic: Hacked Lists!  (Read 3800 times)

0 Members and 1 Guest are viewing this topic.

Offline Xeda112358

  • they/them
  • Moderator
  • LV12 Extreme Poster (Next: 5000)
  • ************
  • Posts: 4704
  • Rating: +719/-6
  • Calc-u-lator, do doo doo do do do.
    • View Profile
Hacked Lists!
« on: November 04, 2018, 10:56:56 am »
So, fun fact: floating point numbers can be changed to a variable reference instead, kind of like a shortcut on your computer, and the OS doesn't verify it.

In assembly, when you are looking for a variable, you put a name in OP1 and use FindSym or ChkFindSym. Those names are 9 bytes, which is also the size of a float (not a coincidence-- it's part of why names are limited to 8 bytes).
You can actually change the contents of a Real variable to such a name, and when you try to read it's value, it will instead return the value of the variable it points to.
For example, change the bytes of the Real variable, A, from 008000000000000000 (the number 0) to 015D01000000000000 and when you read A, it will return the contents of L2.

Or, since lists are just stored as a bunch of Real (or Complex) numbers, you can modify elements of the list to be pointers. In this way, you could read Str1, Str2, Str3,..., Str0 by reading an element of L1, which could be useful, occasionally :P

Some things to note:
You can't modify the contents of the original variable in this way. If A points to Str2, then "33"+A→A does not modify Str2. However, "33"+A will work like "33"+Str2.
Storing the names of programs and appvars and whatnot isn't useful.


Attached is a program that turns L1 into a 4-element list {L2,[A],Str1,L1}. Here is the source. You need to delete L1 first, my code wasn't reliably deleting it.
Code: [Select]
#define bcall(x) rst 28h \ .dw x
rMOV9TOOP1  = 20h
_ChkFindSym = 42F1h
_CreateRList= 4315h
.db $BB,$6D
.org $9D95
  ld hl,name
  rst rMOV9TOOP1
  bcall(_ChkFindSym)
  ret c
  ld hl,name
  rst rMOV9TOOP1
  ld hl,4
  bcall(_CreateRList)
  inc de
  inc de
  ld hl,data
  ld bc,31
  ldir
  ret
data:
  .db 1,$5D,1,0,0,0,0,0,0
  .db 2,$5C,0,0,0,0,0,0,0
  .db 4,$AA,0,0,0,0,0,0,0
name:
  .db 1,$5D,0,0

Offline TIfanx1999

  • ಠ_ಠ ( ͡° ͜ʖ ͡°)
  • CoT Emeritus
  • LV13 Extreme Addict (Next: 9001)
  • *
  • Posts: 6173
  • Rating: +191/-9
    • View Profile
Re: Hacked Lists!
« Reply #1 on: November 04, 2018, 12:35:16 pm »
Very neat little discovery!