# Basic overflow

See basic-overflow for more details.

# Entering new character using variables

Apart from the variables that can be entered normally (`ABCDEFxyM`, and `z` on some models), the symbols with codepoint 4C, 4D, 4E, 4F and 25 are considered variables too. It's possible to assign values to them with `[CALC]`, and they're mapped to some memory area that the calculator uses for other purposes.

In particular, assigning `1.0000FD2023` to variable 4D will change the first formula in the calculation history to `an` (codepoint `FD20`).

**Note**: Because of the automatic rounding feature of the calculator, some values cannot be computed exactly. For example, `1.0000000000001` is rounded to `1`. Always check if the value is computed correctly on the emulator, because the behavior might be unpredictable (for example, 1.1212121212F2 is rounded to 1.121212121400) (and it's faster to check on the emulator anyway)

Note that a faster method is known for getting `an`, see basic-overflow.

# Exploits with `an`

`an` is similar to `r` on ES PLUS calculator that it executes some unintended piece of code. On fx-580VN X emulator, it changes the stack value depends on where the `an` is located on the stack.

For example: Pressing [=] or [CALC] [=] when there are 110 characters before the `an`, if the formula evaluates cleanly, will:

- Clear the screen
- Set the stack pointer such that: the copy of the formula to the undo buffer (using
`smart_strcpy`, this happens in linear mode when [=] is pressed) will overwrite the top of the stack — in particular the first POP PC that is affected (the one inside`smart_strcpy}`will have SP value before POP PC at`0xd522+34`. So if the formula is at least 34 bytes long the PC will be corrupted.

Note:

- The SP value is equal to the number of characters before
`an`plus a fixed offset. - Before being copied to the undo buffer, depending on the calculator model, the formula may be transformed (
`÷AB`is transformed to`÷(AB)`. ÷ and ÷R are affected) which changes the formula.**Note**: Always double-check if any parentheses are added (for example with the emulator), because there's some corner cases where it's not easy to see (for example the formula`<FE FE> ÷R 0 )`is transformed into`<FE FE> ÷R ( 0 ) )`despite`÷R 0 )`are not usually transformed) Alternatively it's possible to simply fill all of the remaining spaces (total 199 bytes), no parentheses will be added in this case.

Another way to control PC:

- get
`an` - enter 12 numbers (e.g. 9s)
- the next 2 bytes are gonna be PC in little endian
- add 4 more numbers
- press [=]
- the PC should be the value you entered

# Number format exploit

It's possible to obtain some particular invalid number values (Number format) with variables (see the section above)