Re: Sex with Strings

Posted: Mon Feb 27, 2023 9:58 am
by @username@
Here's how this buffer overflow works - and the available addresses.

A63F: lda $a8
A641: beq $a646
A643: jsr $a76b
A76B: tax
A76C: dex
A76D: lda $a77a, x
A770: pha
A771: lda $a78b, x
A774: pha
A775: lda #$00
A777: sta $e0
A779: rts
By making the string too long for BASIC, it tries to copy to RAM. Once $A8 has been populated - the function above is called, and uses the ASCII character as the X register offset to tables at $A77A and $A78B.

The '+' symbol (ASCII $2B) pushes $03 and $A9 to the stack and the subsequent RTS increments to give $3AA.

27 ['] : 0286
2B [+] : 03AA
2F [/] : 0021
3D [=] : 01AD
5F [_] : 0181
90 [É] : 01A9
AA [¬] : 0086
CB [╦] : 0203
D3 [Ë] : 0201
DC [▄] : 0221
E2 [Ô] : 024D
E4 [õ] : 00B4
FC [³] : 02CA
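
The dispatch routine at $A76B described above, modelled in Python as an added example (not code from the original post or from the ROM): it replays TAX/DEX, the two indexed loads, the two pushes and the RTS +1 adjustment so you can see how a character code becomes the address in the table. The 64 KiB memory image is constructed, with only the two '+' bytes the post mentions filled in; every other byte is zero.

```python
# Added example: model the $A76B character dispatch on a 6502.
# The memory image is constructed for illustration; only the two bytes
# behind the '+' entry quoted in the post ($03 / $A9) are populated.

HI_TABLE = 0xA77A   # lda $a77a,x -> pushed first  (becomes the high byte)
LO_TABLE = 0xA78B   # lda $a78b,x -> pushed second (becomes the low byte)


def make_memory():
    """Constructed 64 KiB image with just the '+' ($2B) entry from the post."""
    mem = bytearray(0x10000)
    x = (0x2B - 1) & 0xFF               # index after TAX, DEX
    mem[HI_TABLE + x] = 0x03
    mem[LO_TABLE + x] = 0xA9
    return mem


def dispatch_target(mem, char):
    """Return the address that RTS lands on for character code `char`.

    Steps mirror the listing: TAX, DEX (8-bit wrap, so $00 -> $FF),
    LDA $A77A,X / PHA, LDA $A78B,X / PHA, RTS.
    """
    x = (char - 1) & 0xFF
    stack = []
    stack.append(mem[(HI_TABLE + x) & 0xFFFF])   # first PHA
    stack.append(mem[(LO_TABLE + x) & 0xFFFF])   # second PHA
    lo = stack.pop()                             # RTS pulls low byte first
    hi = stack.pop()                             # then high byte
    return (((hi << 8) | lo) + 1) & 0xFFFF       # RTS resumes at address + 1


def all_targets(mem):
    """Map every possible character code (0..255) to its RTS target."""
    return {c: dispatch_target(mem, c) for c in range(256)}


if __name__ == "__main__":
    mem = make_memory()
    print(f"'+' ($2B) -> ${dispatch_target(mem, 0x2B):04X}")   # $03AA
```

Because the X index runs over the full 0..255 range while the two tables are only 17 bytes apart, most characters read ROM bytes well past the intended tables, which is why the post's list of addresses looks arbitrary.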

Re: Sex with Strings

Posted: Mon Feb 27, 2023 8:33 pm
by Mobsie
Very Interesting 👍