Basic overflow

See basic-overflow for more details.

Entering new character using variables

Apart from the variables that can be entered normally (ABCDEFxyM, and z on some models), the symbols with codepoint 4C, 4D, 4E, 4F and 25 are considered variables too. It's possible to assign values to them with [CALC], and they're mapped to some memory area that the calculator uses for other purposes.

In particular, assigning 1.0000FD2023 to variable 4D will change the first formula in the calculation history to an (codepoint FD20).

Note: Because of the automatic rounding feature of the calculator, some values cannot be computed exactly. For example, 1.0000000000001 is rounded to 1. Always check if the value is computed correctly on the emulator, because the behavior might be unpredictable (for example, 1.1212121212F2 is rounded to 1.121212121400) (and it's faster to check on the emulator anyway)

Note that a faster method is known for getting an, see basic-overflow.

Exploits with an

an is similar to r on ES PLUS calculator that it executes some unintended piece of code. On fx-580VN X emulator, it changes the stack value depends on where the an is located on the stack.

For example: Pressing [=] or [CALC] [=] when there are 110 characters before the an, if the formula evaluates cleanly, will:

  • Clear the screen
  • Set the stack pointer such that: the copy of the formula to the undo buffer (using smart_strcpy, this happens in linear mode when [=] is pressed) will overwrite the top of the stack — in particular the first POP PC that is affected (the one inside smart_strcpy} will have SP value before POP PC at 0xd522+34. So if the formula is at least 34 bytes long the PC will be corrupted.

Note:

  • The SP value is equal to the number of characters before an plus a fixed offset.
  • Before being copied to the undo buffer, depending on the calculator model, the formula may be transformed (÷AB is transformed to ÷(AB). ÷ and ÷R are affected) which changes the formula. Note: Always double-check if any parentheses are added (for example with the emulator), because there's some corner cases where it's not easy to see (for example the formula <FE FE> ÷R 0 ) is transformed into <FE FE> ÷R ( 0 ) ) despite ÷R 0 ) are not usually transformed) Alternatively it's possible to simply fill all of the remaining spaces (total 199 bytes), no parentheses will be added in this case.

Another way to control PC:

  • get an
  • enter 12 numbers (e.g. 9s)
  • the next 2 bytes are gonna be PC in little endian
  • add 4 more numbers
  • press [=]
  • the PC should be the value you entered
  • Note: the PC must me aligned to a 2 bytes boundary or else it will raise an exception and the PC will be 0xfffd

Number format exploit

It's possible to obtain some particular invalid number values (Number format) with variables (see the section above)