Basic overflow is a state of the calculator, when the position of the cursor is larger than the length (in bytes) of the formula in the input area.

Method

For calculators with Σ and [CALC]

Π or or d/dx (the commands which takes a formula as input) will also work.

First, find a formula consisting of a Σ, without closing parentheses, contains a variable. For example Σ(X,1,1. Call this ƒ.

Do the following steps:

  • Go to LineIO mode.
  • Enter a formula at least 4 bytes longer than ƒ. For example X=Σ(X,1,123.
  • Press [=] ([EXE] on some calculator models) or [CALC].
  • Enter X=ƒ. Using other variables instead of X is fine. (note that in this step, it's possible to reuse the previous step, for example by pressing [◀])
  • Press [CALC] [=]. A Syntax ERROR (or equivalent in other languages) should appear.
  • Press [▶].

For calculators without Σ but with parentheses automatically added on ambiguous division

Try evaluating 1÷3(4). If the calculator changes it to 1÷(3(4)) then that calculator has the feature.

Follow this tutorial on tiplanet.org.

For calculators which can enter mode 68

Do the following steps:

  • Enter mode 68.
  • Choose LineIO input method. (or equivalent)
  • Enter 2^(2, press [=].
  • Press [Shift] [9] [1] [=] [AC] (menu Clear → option Setup → select Yes)
  • Press [▲]. Screen should display 2^(2 now.
  • Press [▶] [▶] [DEL]. Screen should display |⎕^(2.
  • Press [◀] [DEL] [DEL] [◀] to delete ^(2. Screen should display |⎕.
  • Press [▶].

Entering unsupported symbols using the unstable byte

Normally, only some particular symbols can be entered in a particular mode. For example, in COMP/LineIO mode, ∫( can be entered, but the imaginary symbol 𝐢 cannot. Using this method, it is possible to enter any symbol (except the null symbol).

Method:

  • Invoke basic overflow.
  • Put the cursor at index 208. The cursor is before index 208 right after basic overflow is executed, therefore it's possible to repeatedly type characters to advance the cursor.
  • Enter any symbol. This should overwrite the existing token to the right of the cursor.
  • Do nothing, wait for the cursor to flash.
  • Use [◀] or [▶] to move the cursor. The symbol entered will be advanced according to the symbol table.
  • After having obtained the correct character, it's possible to press [DEL] when the cursor is before the character to shift the character back.

Entering unsupported symbols using multibyte characters

Only works on CLASSWIZ calculators with multibyte characters.

In insert mode (change to/from replace mode by pressing [SHIFT] [DEL]), when a X-byte character is inserted on a CLASSWIZ calculator, the following (or equivalent) happens:

  • Compute the length of the formula (strlen) = L (modulo 256) to get the location of the NUL byte. Note that if the length is >= 256 then the character at that location will not be NUL.
  • Copy the bytes from the cursor location to location L forward by X bytes. If the cursor location > L, only the NUL byte is copied.
  • Insert the character at the cursor location.

Therefore:

  • If the cursor location is > L and before a 2-byte character XY, entering a 1-byte character will overwrite the byte X and leave Y intact.
  • If there's a 2-byte character XY at L+1 and a 2-byte character is entered, the byte Y is overwritten with the NUL byte (if the byte at L is NUL)

Which can be used to:

  • Extract the second byte from a 2-byte character.
  • Get a character X0 from XY.
  • Get character XZ provided that XY and Z can be entered:
    When a character X0 is at the end of the formula and [↓] is pressed (or [=] [AC] [←] in math mode) then the cursor will be placed before the null byte. After that, entering a byte Z will modify the 2-byte character to XZ.
  • Get character XZ provided that XY and TZ can be entered:
    • First get X0.
    • Put TZ after X, so we get XTZ.
    • Position the cursor before the block and press [→] (after that, the cursor will be after T)
    • Enter [0] [DEL] [→].
  • Get character XZ provided that XY and TZ can be entered (when length >= 256):
    • Put cursor at position L
    • Then enter XY, TZ and a 2-byte character. The X will be copied to the original location of T.

Interleave characters obtained from multibyte extraction and characters entered using variables/number format

See Exploits of Classwiz calculator model for details on how to enter characters using variables.

The limitation of that method is that only a very limited number of characters can be entered. It's possible to combine multibyte extraction with that method by creating a box after the other characters (byte 0x19), then enter basic overflow by pressing [>] when the cursor is before the box.

The method mentioned above cannot be used to interleave the two types — the characters generated by the number format method always come before the characters generated by the multibyte extraction — so, for example to generate (D2 03 03 D2) it's necessary to generate all those 4 bytes with the number format method. However there's a way to workaround the issue:

  • Use the number format method to generate the bytes D2 D2 19.
  • Edit the formula, so the byte representation becomes D2 FE 03 FE 03 D2 19.
  • Press [=]. The content is copied to the cache area (which is the formula shown when [AC] [<] is pressed)
  • Edit the formula again, so there are exactly 197 bytes before the box (after entering one more byte, it's not possible to enter any more). Note that the characters FE03 are 2 bytes each.
  • Put the cursor to the left of the box (position 197).
  • Press [>] [0]. Now the cursor is at position 200, and is in the "basic overflow" state.
  • Edit the cache area to extract the required bytes. In this particular case, the 03 bytes should be separated from the FE bytes, by pressing [>] [1] [>] [1].
  • Press [AC] [>] to copy the cache area to the input area. The content now should be D2 31 03 31 03 D2 19.
  • Modify the formula as necessary.

Pressing [=] when there are more than 99 characters on the screen

Note: For more information about the registers pc, lr, csr, lcsr, see page 1-8 to 1-10 (18-20), nX-U8/100 Core Instruction Manual.

This only apply for the ES-plus calculators. EX calculators have 200 bytes of memory for the input and last formula area.

Normally, the input area (100-byte char array starting from 0x8154) is copied to the cache (last formula) area (100-byte char array starting from 0x81B8, right after the input area) using an implementation of `strcpy` that looks like this:

char* strcpy(char* dest, char* src){
  char* olddest=dest;
  char tmp;
  do{
    tmp=*src;*dest=tmp;
    ++src;++dest;
  }while(tmp!=0);
  return olddest;
}

As you can see, when length of input area is more than 99 bytes and strcpy(0x81B8, 0x8154) is executed, the first 100 bytes will be repeated over and over…

However, the memory from address 0x8E00 to 0xEFFF is not writable, and reading from them always give 0, therefore strcpy would stop when it hits that area.

After that, the part of the calculator RAM after 0x8154 (input area), which includes the calculator stack, is filled with repeated copies of 100 bytes in 0x8154 - 0x81B8.

Because the stack is corrupted, when pop pc is executed, it is possible to execute code at a chosen location. See rop-chain-explanation for more details.