Sex with Strings

Talk about programming CreatiVision (except games programming). Projects of homebrew hardware are also welcome.
@username@
Posts: 320
Joined: Tue Oct 22, 2013 6:59 pm
Location: Scotland

Sex with Strings

Post by @username@ » Sun Jan 05, 2014 9:48 pm

Today's discovery is ... Sex with strings for BASIC82/83

OK, the BASIC82/3 manual states that strings can only be 32 bytes long. This isn't actually true; you can concatenate strings up to 75 bytes for printing.

However, there's a darker, sexier side to our concatenated strings ... they don't like vector tables :)

Here's some code to demonstrate


10   REM ********************
20   REM * SEX WITH STRINGS *
30   REM ********************
40   REM
50   REM STEP 1. CREATE A$
60   A$="++++++++++++++++++++++++++++++++++++++++"
70   REM
80   REM STEP 2. CREATE B$ TWICE A$
90   B$=A$+A$
100  REM 
110  REM STEP 3. CREATE C$ TWICE B$
120  C$=B$+B$
130  REM
140  REM THE TRAP IS SET ...
150  REM
160  REM LET'S PUT SOME ASM AT $3AA
170  REM
180  DATA 32,56,254,76,22,169 
190  FORA=0TO5
200  READ B
210  POKE 938+A,B
220  NEXT
230  REM
240  REM FINALLY - LET'S RUN THE ASM!
250  PRINTLEN(C$)
260  CLS
270  PRINT
280  PRINT TAB(11);"=>?@[\]^_"
290  GOTO 280

Here we create three strings, A$, B$ and C$. By concatenating them so that each new string is twice as long, we fool BASIC 82/83 into making a string longer than 128 bytes!

Note that the character MUST be a plus sign.

This sexy exploit works by overloading the lookup for the function table at $A77A. "+" in hex is $2B - and that's the magical offset!

BASIC 82/83 does not check the bounds of X, so we tell it to happily RTS to $3AA !!!

Let the ASM in BASIC begin!

I'd appreciate someone with a real CV letting me know if this works on it - I see no reason it should not!

The DATA statement contains this asm:


03AA: jsr $FE38 ; ROM Reload Original Character Set
03AD: jmp $A916 ; BASIC Continue to next code line
Last edited by @username@ on Mon Jan 06, 2014 12:39 am, edited 2 times in total.
@username@

Re: Sex with Strings - It Sings!

Post by @username@ » Mon Jan 06, 2014 12:03 am

Attached is BASIC playing a tune you all know - using ROM play song!

The additional DATA contains this new ASM


03AA: lda #$EB
03AC: sta $04
03AE: lda #$FC
03B0: sta $05
03B2: php
03B3: sei
03B4: lda #$C4
03B6: sta $00
03B8: lda #$03
03BA: sta $01
03BC: ldy #$27
03BE: jsr $FBED ; ROM play song using our values
03C1: jmp $A916
The song data is taken straight from a commercial ROM


03C0: FB 4C 16 A9 15 D5 05 21 0B 9B 22 0B AB B9 C0 13
03D0: 00 1F 0B D3 07 13 23 13 22 0B FF 07 13 23 D5 33
03E0: 3B 9D 07 10 22 08 10 20 06 07 07 14 00 00 00 00
Last edited by @username@ on Mon Jan 06, 2014 12:35 am, edited 1 time in total.
@username@

Re: Sex with Strings

Post by @username@ » Mon Jan 06, 2014 12:08 am

To help you find more functions you can use from ordinary BASIC, I've attached my sym for DASMx.

Should save you time disassembling ROM.

DASMx download: http://myweb.tiscali.co.uk/pclare/DASMx/dasmx140.zip
@username@

Re: Sex with Strings

Post by @username@ » Mon Jan 06, 2014 1:43 am

Another useful offset found!

Change A$ to be single quote instead of plus will RTS to $286. The current command line is at $270, so be careful not to overwrite yourself. BASIC uses addresses $345-$360 - so avoid!
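
Added example (not code from any post in this thread): a small Python helper that does the bookkeeping the three posts above do by hand. It encodes the subset of 6502 instructions the two posted routines use, checks the landing pad against the $345-$360 range the post above says BASIC uses, and emits the DATA/FOR/READ/POKE/NEXT lines in the first post's style so the bytes can be typed in. The addresses ($3AA, $FE38, $A916, $FBED, $345-$360) and the song bytes are the ones quoted in the thread; the BASIC line numbers and the 16-values-per-DATA-line chunking are this example's own choices, and treating the $03C4 stored in $00/$01 as the song-data pointer is an inference from the routine storing that value and the posted dump starting there.

```python
"""6502 encoder + BASIC DATA/POKE generator for the $3AA landing pad.
Added example, not code from the thread. Addresses and song bytes are the
ones the posts quote; line numbers and DATA chunking are this example's own.
"""

# Standard 6502 encodings for the handful of instructions the thread uses.
OPCODES = {
    ("LDA", "imm"): 0xA9, ("LDY", "imm"): 0xA0, ("STA", "zp"): 0x85,
    ("JSR", "abs"): 0x20, ("JMP", "abs"): 0x4C,
    ("PHP", "impl"): 0x08, ("SEI", "impl"): 0x78,
}


def assemble(org, program):
    """Encode (mnemonic, mode, operand) tuples starting at org.
    Returns (code bytes, [address of each instruction])."""
    out, addrs = bytearray(), []
    for mnem, mode, operand in program:
        addrs.append(org + len(out))
        op = OPCODES[(mnem, mode)]
        if mode == "impl":
            out.append(op)
        elif mode in ("imm", "zp"):
            if not 0 <= operand <= 0xFF:
                raise ValueError(f"{mnem} operand {operand:#x} is not a byte")
            out += bytes([op, operand])
        else:  # abs: little-endian 16-bit target
            if not 0 <= operand <= 0xFFFF:
                raise ValueError(f"{mnem} target {operand:#x} is not 16-bit")
            out += bytes([op, operand & 0xFF, operand >> 8])
    return bytes(out), addrs


# RAM the thread says BASIC itself uses (inclusive range); don't land code here.
RESERVED = [(0x345, 0x360, "BASIC workspace $345-$360")]


def check_layout(org, length):
    """Names of reserved ranges that [org, org+length) overlaps; [] means OK."""
    end = org + length
    return [name for lo, hi, name in RESERVED if org <= hi and lo < end]


def basic_loader(org, data, first_line=180, step=10, per_line=16):
    """BASIC 82/83 lines that POKE data at org, in the first post's style.
    per_line chunking and the line numbers are this example's own choice."""
    lines, n = [], first_line
    for i in range(0, len(data), per_line):
        lines.append(f"{n} DATA " + ",".join(str(b) for b in data[i:i + per_line]))
        n += step
    for text in (f"FORA=0TO{len(data) - 1}", "READ B", f"POKE {org}+A,B", "NEXT"):
        lines.append(f"{n} {text}")
        n += step
    return lines


# First post's routine: reload the ROM character set, then resume BASIC.
RELOAD_CHARSET = [
    ("JSR", "abs", 0xFE38),   # ROM: reload original character set
    ("JMP", "abs", 0xA916),   # ROM: BASIC continue with next line
]

# Second post's routine: $04/$05 = $FCEB, $00/$01 = $03C4, Y = $27, then call
# the ROM song player. $03C4 is taken here as where the song bytes must land.
PLAY_SONG = [
    ("LDA", "imm", 0xEB), ("STA", "zp", 0x04),
    ("LDA", "imm", 0xFC), ("STA", "zp", 0x05),
    ("PHP", "impl", None), ("SEI", "impl", None),
    ("LDA", "imm", 0xC4), ("STA", "zp", 0x00),
    ("LDA", "imm", 0x03), ("STA", "zp", 0x01),
    ("LDY", "imm", 0x27),
    ("JSR", "abs", 0xFBED),   # ROM play song
    ("JMP", "abs", 0xA916),
]

# Song bytes from the second post's dump, $03C4..$03EF (the dump's first four
# bytes at $03C0 are the tail of JSR $FBED plus the JMP $A916, not song data).
SONG_DATA = bytes.fromhex(
    "15D505210B9B220BABB9C013"
    "001F0BD307132313220BFF071323D533"
    "3B9D0710220810200607071400000000"
)


def build_song_image(org=0x3AA):
    """Code followed by the song bytes. The routine stores $03C4 in $00/$01,
    so the song must start exactly there; fail loudly if an edit shifts it."""
    code, _ = assemble(org, PLAY_SONG)
    data_at = org + len(code)
    if data_at != 0x03C4:
        raise ValueError(f"song data would land at {data_at:#06x}, pointer says $03C4")
    return code + SONG_DATA


if __name__ == "__main__":
    code, addrs = assemble(0x3AA, RELOAD_CHARSET)
    for addr, (mnem, _, target) in zip(addrs, RELOAD_CHARSET):
        print(f"{addr:04X}: {mnem} ${target:04X}")
    print("\n".join(basic_loader(0x3AA, code)))
    image = build_song_image()
    print("reserved-range conflicts:", check_layout(0x3AA, len(image)) or "none")
    print("\n".join(basic_loader(0x3AA, image)))
```

Running it prints the $3AA listing, the five BASIC lines from the first post (DATA 32,56,254,76,22,169 ... POKE 938+A,B), and then the 70-byte song image as DATA lines. The check in build_song_image is the part worth keeping: add or remove one instruction in front of the song data and the $03C4 pointer the routine stores no longer matches where the bytes land, which the ROM player will happily read as a song anyway.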
Scouter3d
Posts: 646
Joined: Mon Jun 28, 2010 7:02 am
Location: Wien

Re: Sex with Strings

Post by Scouter3d » Mon Jan 06, 2014 7:55 am

Sexy! I am totally impressed! :0)
Mobsie
Posts: 708
Joined: Fri Jun 13, 2008 10:38 am
Location: Weinheim, Germany

Re: Sex with Strings

Post by Mobsie » Tue Jan 07, 2014 11:13 am

Amazing!
Today I tested "Sex with Strings" on my real CV. And yes, it all works. That's great news: now everyone can play with a little ASM without burning the modified BASIC.
Here are 2 pics showing the ASM on the real CV. I only couldn't find all the chars needed to type the complete "CREATIVISION" logo.
I forgot to write: I tested it all! And it all works fine!
Foto 1.JPG
Foto 2.JPG
@username@

Re: Sex with Strings

Post by @username@ » Wed Jan 08, 2014 1:11 am

Can't thank you enough Mobsie - superb!

Maybe it's just me, but I find it incredibly amusing to think that we've hacked a 30+ year old console :)
Mobsie

Re: Sex with Strings

Post by Mobsie » Wed Jan 08, 2014 7:18 am

No, for me it is also amusing. I showed this to some who said before that the CV is shit, BASIC is shit, the design is shit. But now they don't understand how this is possible. I can't wait to see what you find again in 30 years :lol:
@username@

Re: Sex with Strings

Post by @username@ » Sat Jun 02, 2018 1:04 am

Wow - it's been a while!

I was thinking on how to test small routines on a real CV - and I remembered the string overload in BASIC83B.

Attached is my prototype of how to load a screen shot from BASIC.

Just load and type CRUN ... and wait. The CV (emu) is loading at 600baud just over 16K of data - so a small beer could be consumed while it's loading :D

BASIC83B loads and runs the BASIC program, which has a modified CLOAD routine in CHAR statements, and the "Sex with strings" loader, which copies the CLOAD routine from VRAM to RAM and executes it. The CLOAD routine just loads a VRAM snapshot, which in this case is a converted Spectrum SCR.

If this works on a real CV - then this could be a method to test small ASM routines on real hardware.

Enjoy!
Mobsie

Re: Sex with Strings

Post by Mobsie » Sun Jun 03, 2018 10:28 am

Amazing!
I will fire on my CV to test.