Basic overflow is a state of the calculator, when the position of the cursor is larger than the length (in bytes) of the formula in the input area.

Method

For calculators with Σ and [CALC]

Π or or d/dx (the commands which takes a formula as input) will also work.

First, find a formula consisting of a Σ, without closing parentheses, contains a variable. For example Σ(X,1,1. Call this ƒ.

Do the following steps:

  • Go to LineIO mode.
  • Enter a formula at least 4 bytes longer than ƒ. For example X=Σ(X,1,123.
  • Press [=] ([EXE] on some calculator models) or [CALC].
  • Enter X=ƒ. Using ther variables instead of X is fine. (note that in this step, it's possible to reuse the previous step, for example by pressing [◀])
  • Press [CALC] [=]. A Syntax ERROR (or equivalent in other languages) should appear.
  • Press [▶].

For calculators without Σ but with parentheses automatically added on ambiguous division

Try evaluating 1÷3(4). If the calculator changes it to 1÷(3(4)) then that calculator has the feature.

Follow this tutorial on tiplanet.org.

For calculators which can enter mode 68

Do the following steps:

  • Enter mode 68.
  • Choose LineIO input method. (or equivalent)
  • Enter 2^(2, press [=].
  • Press [Shift] [9] [1] [=] [AC] (menu Clear → option Setup → select Yes)
  • Press [▲]. Screen should display 2^(2 now.
  • Press [▶] [▶] [DEL]. Screen should display |⎕^(2.
  • Press [◀] [DEL] [DEL] [◀] to delete ^(2. Screen should display |⎕.
  • Press [▶].

Entering unsupported symbols using the unstable byte

Normally, only some particular symbols can be entered in a particular mode. For example, in COMP/LineIO mode, ∫( can be entered, but the imaginary symbol 𝐢 cannot. Using this method, it is possible to enter any symbol (except the null symbol).

Method:

  • Invoke basic overflow.
  • Put the cursor at index 208. The cursor is before index 208 right after basic overflow is executed, therefore it's possible to repeatedly type characters to advance the cursor.
  • Enter any symbol. This should overwrite the existing token to the right of the cursor.
  • Do nothing, wait for the cursor to flash.
  • Use [◀] or [▶] to move the cursor. The symbol entered will be advanced according to the symbol table.
  • After having obtained the correct character, it's possible to press [DEL] when the cursor is before the character to shift the character back.

Entering unsupported symbols using multibyte characters

Only works on CLASSWIZ calculators with multibyte characters.

In insert mode (change to/from replace mode by pressing [SHIFT] [DEL]), when a X-byte character is inserted on a CLASSWIZ calculator, the following (or equivalent) happens:

  • Compute the length of the formula (strlen) = L (modulo 256) to get the location of the NUL byte. Note that if the length is >= 256 then the character at that location will not be NUL.
  • Copy the bytes from the cursor location to location L forward by X bytes. If the cursor location > L, only the NUL byte is copied.
  • Insert the character at the cursor location.

Therefore:

  • If the cursor location is > L and before a 2-byte character XY, entering a 1-byte character will overwrite the byte X and leave Y intact.
  • If there's a 2-byte character XY at L+1 and a 2-byte character is entered, the byte Y is overwritten with the NUL byte (if the byte at L is NUL)

Which can be used to:

  • Extract the second byte from a 2-byte character.
  • Get a character X0 from XY.
  • Get character XZ provided that XY and Z can be entered:
    When a character X0 is at the end of the formula and [↓] is pressed (or [=] [AC] [←] in math mode) then the cursor will be placed before the null byte. After that, entering a byte Z will modify the 2-byte character to XZ.
  • Get character XZ provided that XY and TZ can be entered:
    • First get X0.
    • Put TZ after X, so we get XTZ.
    • Position the cursor before the block and press [→] (after that, the cursor will be after T)
    • Enter [0] [DEL] [→].
  • Get character XZ provided that XY and TZ can be entered (when length >= 256):
    • Put cursor at position L
    • Then enter XY, TZ and a 2-byte character. The X will be copied to the original location of T.

Pressing [=] when there are more than 99 characters on the screen

Note: For more information about the registers pc, lr, csr, lcsr, see page 1-8 to 1-10 (18-20), nX-U8/100 Core Instruction Manual.

This only apply for the ES-plus calculators. EX calculators have 200 bytes of memory for the input and last formula area.

Normally, the input area (100-byte char array starting from 0x8154) is copied to the cache (last formula) area (100-byte char array starting from 0x81B8, right after the input area) using an implementation of `strcpy` that looks like this:

char* strcpy(char* dest, char* src){
  char* olddest=dest;
  char tmp;
  do{
    tmp=*src;*dest=tmp;
    ++src;++dest;
  }while(tmp!=0);
  return olddest;
}

As you can see, when length of input area is more than 99 bytes and strcpy(0x81B8, 0x8154) is executed, the first 100 bytes will be repeated over and over…

However, the memory from address 0x8E00 to 0xEFFF is not writable, and reading from them always give 0, therefore strcpy would stop when it hits that area.

After that, the part of the calculator RAM after 0x8154 (input area), which includes the calculator stack, is filled with repeated copies of 100 bytes in 0x8154 - 0x81B8.

Because the stack is corrupted, when pop pc is executed, it is possible to execute code at a chosen location. See rop-chain-explanation for more details.