Sex with Strings

[@username@]

Today's discovery is ... Sex with strings for BASIC82/83

OK, the BASIC82/3 manual states that strings can only be 32 bytes long. This isn't actually true, you can concatenate strings up to 75 bytes for printing.

However, there's a darker, sexier side to our concatenated strings ... they don't like vector tables

Here's some code to demonstrate

Code: Select all

10   REM ********************
20   REM * SEX WITH STRINGS *
30   REM ********************
40   REM
50   REM STEP 1. CREATE A$
60   A$="++++++++++++++++++++++++++++++++++++++++"
70   REM
80   REM STEP 2. CREATE B$ TWICE A$
90   B$=A$+A$
100  REM 
110  REM STEP 3. CREATE C$ TWICE B$
120  C$=B$+B$
130  REM
140  REM THE TRAP IS SET ...
150  REM
160  REM LET'S PUT SOME ASM AT $3AA
170  REM
180  DATA 32,56,254,76,22,169 
190  FORA=0TO5
200  READ B
210  POKE 938+A,B
220  NEXT
230  REM
240  REM FINALLY - LET'S RUN THE ASM!
250  PRINTLEN(C$)
260  CLS
270  PRINT
280  PRINT TAB(11);"=>?@[\]^_"
290  GOTO 280

Here we create three strings, A$, B$ and C$. By concatenating them so that each new string is twice as long - we fool BASIC 82/83 into making a string longer than 128 bytes!

Note that the character MUST be a plus sign.

This sexy exploit works by overloading the lookup for the function table at $A77A. "+" in hex is $2B - and that's the magical offset!

BASIC 82/83 does not check the bounds of X, so we tell it to happily RTS to $3AA !!!

Let the ASM in BASIC begin!

I'd appreciate someone with a real CV letting me know if this works on it - I see no reason it should not!

The DATA statement contains this asm:

Code: Select all

03AA: jsr $FE38 ; ROM Reload Original Character Set
03AD: jmp $A916 ; BASIC Continue to next code line

[@username@]

Attached is BASIC playing a tune you all know - using ROM play song!

The additional DATA contains this new ASM

Code: Select all

03AA: lda #$EB
03AC: sta $04
03AE: lda #$FC
03B0: sta $05
03B2: php
03B3: sei
03B4: lda #$C4
03B6: sta $00
03B8: lda #$03
03BA: sta $01
03BC: ldy #$27
03BE: jsr $FBED ; ROM play song using our values
03C1: jmp $A916

The song data is taken straight from a commercial ROM

Code: Select all

03C0: FB 4C 16 A9 15 D5 05 21 0B 9B 22 0B AB B9 C0 13
03D0: 00 1F 0B D3 07 13 23 13 22 0B FF 07 13 23 D5 33
03E0: 3B 9D 07 10 22 08 10 20 06 07 07 14 00 00 00 00

[@username@]

To help you find more functions you can use from ordinary BASIC, I've attached my sym for DASMx.

Should save you time disassembling ROM.

DASMx Download -http://myweb.tiscali.co.uk/pclare/DASMx/dasmx140.zip

[@username@]

Another useful offset found!

Change A$ to be single quote instead of plus will RTS to $286. The current command line is at $270, so be careful not to overwrite yourself. BASIC uses addresses $345-$360 - so avoid!

[Scouter3d]

Sexy! I am totally impressed! :0)

[Mobsie]

Amazing!
Today i test the "Sex with Strings" on my real CV. And yes all works. Thats great news, can all people play no with a little asm without burn the modified basic.
Here 2 pic`s show the ASM on the real CV. I only don`t find all the needed chars to type the complete "CREATIVISION" logo.
I forget to write, i test all! And all works fine!

Foto 1.JPG

Foto 2.JPG

[@username@]

Can't thank you enough Mobsie - superb!

Maybe it's just me, but I find it incredibly amusing to think that we've hacked a 30+ year old console

[Mobsie]

No, for me is also amusing. I show this some who said before CV shit basic shit design. But now they don`t understand how this is possible. I cannot wait`t to see what you found in 30 years again

[@username@]

Wow - it's been a while!

I was thinking on how to test small routines on a real CV - and I remembered the string overload in BASIC83B.

Attached is my prototype of how to load a screen shot from BASIC.

Just load and type CRUN ... and wait. The CV (emu) is loading at 600baud just over 16K of data - so a small beer could be consumed while it's loading

BASIC83B loads and runs the BASIC program, which has a modified CLOAD routine in CHAR statements, and the "Sex with strings" loader, which copies the CLOAD routine from VRAM to RAM and executes it. The CLOAD routine just loads a VRAM snapshot, which in this case is a converted Spectrum SCR.

If this works on a real CV - then this could be a method to test small ASM routines on real hardware.

Enjoy!

[Mobsie]

Amazing!
I will fire on my CV to test.