I've made a GDB-like ROP debugger to simplify finding bugs in ROP hackstrings. Not sure if anybody here needs such tools, but the code is here: https://drive.google...iew?usp=sharing
FX-82/-83GT/-115/-991ES PLUS Hacking
#361
Posted 15 January 2019 - 08:47 PM
#362
Posted 16 January 2019 - 02:15 AM
[...]
It would be easier for you to create a git repo.
For convenience, I keep the changes you made in github branches and sometimes merge them into master.
I also implemented some basic functionality for debugging ROP hackstrings:
https://github.com/u...common.lua#L120
#363
Posted 16 January 2019 - 10:17 AM
See https://community.ca...ge-8#entry61348 .
Then capture a video of the screen, process it to get the ROM.
What does the character '$' stand for (in a hackstring)? And how do I make some characters like "xor" and "conjg"?
#364
Posted 17 January 2019 - 02:55 AM
What does the character '$' stand for (in a hackstring)?
'$' can be any character.
And how do I make some characters like "xor" and "conjg"?
Using the "unstable character". See http://www.microsoft...om/p/3114375974
(the translated Chinese is hard to understand)
Edited by user202729, 17 January 2019 - 02:56 AM.
#365
Posted 17 January 2019 - 03:53 PM
Using the "unstable character". See http://www.microsoft...om/p/3114375974
(the translated Chinese is hard to understand)
Yeah, it seems very hard to understand the "unstable character" part. Do you know how to do this?
#366
Posted 18 January 2019 - 11:21 AM
Yeah, it seems very hard to understand the "unstable character" part. Do you know how to do this?
See also http://casiocalc.wik...ter-unsupported, which should be easier to understand.
#367
Posted 22 January 2019 - 06:04 PM
@user202729, I thought of forking your repository and sending PRs instead of these zips, but your repository has some commits that I'd have to merge. I think that creating a new repository from scratch wouldn't give me any advantages, since I would still have to manually create zips with patches.
Sorry for double-posting, I didn't notice that the 10th page appeared, so I thought that my first post was deleted for some reason.
Edited by sleirsgoevy, 24 January 2019 - 02:07 PM.
#368
Posted 23 January 2019 - 04:52 AM
@user202729, I thought of forking your repository and sending PRs instead of these zips, but your repository has some commits that I'd have to merge. I think that creating a new repository from scratch wouldn't give me any advantages, since I would still have to manually create zips with patches.
Sorry for double-posting, I didn't notice that the 10th page had appeared, so I thought that my first post was deleted for some reason.
If you don't want to resolve merge conflicts, you can just branch off the older commit(s), and somebody interested would merge them later. Personally I find doing git fetch and git mergetool etc. is easier than downloading a zip and manually applying the changes.
#369
Posted 09 February 2019 - 04:47 PM
Update: It's done, but I fixed some bits manually and don't know if it's correct.
Edited by user202729, 02 March 2019 - 04:17 AM.
#371
Posted 07 March 2019 - 07:10 PM
#372
Posted 08 March 2019 - 01:21 PM
I'm looking for ways to make it do other things without success.
#373
Posted 09 March 2019 - 04:13 PM
So I managed to get an FX-991es Plus VerE GY455X and also managed to successfully execute the demo-program hackstring with the scrolling text on the screen, so if you want me to try anything on my calculator just ask.
#374
Posted 09 March 2019 - 06:19 PM
I don't really understand this, but is it possible to hack a Casio FX-85 GT PLUS?
#375
Posted 10 March 2019 - 01:03 PM
Sorry, but not as of yet. Unless someone else says otherwise, I am quite sure you cannot yet hack an FX-85 GT PLUS.
#376
Posted 10 March 2019 - 01:20 PM
Hey guys how do I dump the rom of my 991ES plus to use with the emulator?
Also when I try to use compiler.py I get this:
Traceback (most recent call last):
  File "C:\Users\joela\Desktop\fxesplus2\fxesplus-master\compiler.py", line 6, in <module>
    from lib_570esp import *
  File "C:\Users\joela\Desktop\fxesplus2\fxesplus-master\lib_570esp.py", line 25, in <module>
    font = get_font()
  File "C:\Users\joela\Desktop\fxesplus2\fxesplus-master\lib_570esp.py", line 4, in get_font
    file = open(filename, 'r')
FileNotFoundError: [Errno 2] No such file or directory: 'font'
EDIT: I got compiler.py working by creating a virtual machine running Ubuntu. Still not sure how one dumps a ROM though. I understand that you run a hackstring, but what I don't get is what one does from there. However, I found the fx-570ES PLUS ROM I think, so I might be good.
Edited by TheAwesomer, 10 March 2019 - 02:29 PM.
#377
Posted 10 March 2019 - 04:45 PM
...
Currently there's no fully automated way to get a ROM. Also, you only need to do it once.
You can just use the existing 570es+ rom.
/////
That sounds like a lot of work (I never tried running any VM on my machine, and the image is just too large) just to run the Python file. That having been said, I didn't take portability into consideration while writing the scripts, so they can be incompatible with Windows. Some of them are easier to fix than others if you know Python.
Edited by user202729, 10 March 2019 - 04:59 PM.
#378
Posted 10 March 2019 - 07:09 PM
Well I'm perfectly okay with using this method as I have used Ubuntu plenty of times. I've also managed to compile the makefile in casioemu/emulator
Quick question though: how do I use the old_loader hackstring? I type it in and I see a tiny graphical glitch (a couple of pixels on one line) and the calculator hangs. I know there is the new_loader hackstring, but that requires you to utilize the unstable byte to enter any character, which I haven't quite gotten the hang of completely yet, and I would rather just use the old_loader anyway, seeing as it's easier to type out and also quicker. I did compile the hackstring, but it just doesn't seem to want to work. I've managed to get the scrolling text demo hackstring working (and even change the text to something completely different). And no, I'm not mistyping anything; I've checked over it a few times and verified it too.
#379
Posted 11 March 2019 - 06:22 AM
...
Well actually I've never used the loader (programs I write usually fit in 100 bytes) and originally I wrote the loader without the compiler.
The loader assembly files were written by sleirsgoevy (I think so).
#380
Posted 11 March 2019 - 06:32 AM
#381
Posted 11 March 2019 - 10:59 AM
oh do you mean https://github.com/s...305a/loader.txt
What does he mean by stuff like XX, TT, ZZ, etc.? I first thought he meant variables, but it only goes A-F and X, Y, M, so I'm not sure how that works.
Still gonna try it
Unless he means using the unstable byte.
Edited by TheAwesomer, 11 March 2019 - 11:03 AM.
#382
Posted 11 March 2019 - 01:37 PM
inject
function in some Lua file, which takes a hex string (which the compiler outputs if it gets passed the command line flag `-f hex`) and modifies the input area of the calculator.
That way it's easier: you can be sure that you don't make any misstroke, and you can test the method before doing it on the real calculator.
Edited by user202729, 11 March 2019 - 01:40 PM.
#383
Posted 11 March 2019 - 03:39 PM
That's a nice feature. But do you know what he means by ZZ and TT, for example? I don't see these on the symbol table anywhere.
#384
Posted 11 March 2019 - 03:56 PM
(output location, etc.?)
I also don't remember what the parameters in my methods are, so take a look.
#385
Posted 11 March 2019 - 07:21 PM
How do I hack an fx-83GT PLUS then? Can I use an emulator?
Edited by orla, 11 March 2019 - 07:23 PM.
#386
Posted 12 March 2019 - 11:31 AM
There is no real way (other than memory hacking with cheat engine for example) currently known to hack the GT PLUS series of CASIO Calculators. Sorry.
#387
Posted 12 March 2019 - 02:25 PM
Answering @TheAwesomer about loader.txt.
XX is the address to start writing.
TT is the address of XX, minus 200.
ZZ and YY are addresses passed to strcpy (_start-117, _start-217).
All values are in little endian.
I think it's better to just compile new_loader.asm (it shouldn't require using unstable character).
This program was fully written by @user202729, I just changed its base address.
EDIT: @user202729 probably means this: https://github.com/s...ain/bitcode.asm
Edited by sleirsgoevy, 12 March 2019 - 02:27 PM.
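To make the address rules in this reply concrete, here is an added Python example; it is not code from loader.txt or from either poster. The byte layout of loader.txt is not given on this page, so the template below is a constructed stand-in with 2-byte little-endian slots (assumed width), and the write address, the address the typed loader lands at, and _start are all parameters you supply; the decode routine reads the slots back so a compiled loader can be checked against the stated rules before it is typed in.

```python
import struct

# Constructed stand-in for loader.txt: literal bytes plus the four placeholder
# slots named in the post. The real file's layout is NOT on the page.
LOADER_TEMPLATE = [0xA1, "XX", 0xB2, 0xB3, "TT", "ZZ", 0xC4, "YY"]

SLOT_WIDTH = 2  # assumption: every placeholder is a 16-bit address


def le(value):
    """Encode one 16-bit value little-endian ("all values are in little endian")."""
    return struct.pack("<H", value & 0xFFFF)


def fill_loader(template, write_addr, template_base, start):
    """Return the loader bytes with XX/TT/ZZ/YY filled in.

    write_addr    -- XX: the address to start writing
    template_base -- address at which template[0] sits once typed in; needed
                     because TT is "the address of XX, minus 200"
    start         -- _start of the payload; ZZ = _start-117, YY = _start-217
    """
    offset_of_xx = 0  # locate the XX slot so TT can point at it
    for item in template:
        if item == "XX":
            break
        offset_of_xx += SLOT_WIDTH if isinstance(item, str) else 1
    values = {
        "XX": write_addr,
        "TT": template_base + offset_of_xx - 200,
        "ZZ": start - 117,
        "YY": start - 217,
    }
    out = bytearray()
    for item in template:
        out += le(values[item]) if isinstance(item, str) else bytes([item])
    return bytes(out)


def decode_slots(template, blob):
    """Read the placeholder values back out of a filled loader for checking."""
    slots, pos = {}, 0
    for item in template:
        if isinstance(item, str):
            slots[item] = struct.unpack_from("<H", blob, pos)[0]
            pos += SLOT_WIDTH
        else:
            pos += 1
    return slots
```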
#388
Posted 12 March 2019 - 02:26 PM
Methods in http://tieba.baidu.c...140#50924223140 may work with 85GT PLUS.
There are emulators for both models, however they're not very close to the real calculator and they're not free.
Edited by user202729, 12 March 2019 - 02:28 PM.
#389
Posted 12 March 2019 - 03:47 PM
Also, when I try the hard 119 hackstring I compiled from the asm file, it just freezes, but doesn't shut itself down and also resets itself.
#390
Posted 12 March 2019 - 04:20 PM
Also, when I try the hard 119 hackstring I compiled from the asm file, it just freezes, but doesn't shut itself down and also resets itself.
That's weird.
1. How are you invoking the compiler? What's the output you see?
2. Are you sure that you're using the correct calculator model? Check if the checksum is correct.
#391
Posted 12 March 2019 - 07:58 PM
1. I just typed this in terminal:
../compiler.py < ../asm_ropchain/hard119.asm
I get a hackstring back from it with no errors. I would tell you the output, but I have to go in 6 minutes so I can't boot up my VM. I'm not sure if the path is exactly the same here, but when I compiled it there were no errors and a hackstring was generated.
2. In diagnostic mode I get:
GY455X VerE SUM 8928 OK Pd- Read OK Press AC
It is an fx-991ES PLUS and is genuine.
EDIT: the hackstring was the same result as what you posted at http://tieba.baidu.com/p/6055959163
Edited by TheAwesomer, 12 March 2019 - 08:06 PM.
#392
Posted 13 March 2019 - 05:50 PM
#393
Posted 13 March 2019 - 06:47 PM
I have a Casio fx-350ES PLUS which I think is very similar to (or even the same as) the fx-82ES PLUS. Is there any way to dump the ROM and run it on the emulator? What is already known about this model?
edit: I have arduino and rpi if it helps with dumping rom
Edited by TheBigBuzz, 13 March 2019 - 07:39 PM.
#394
Posted 14 March 2019 - 10:50 AM
I don't think there's much you can do with that model at the moment, except maybe
I also don't think people have figured out a non-destructive way of dumping the ROM of that model yet. Correct me if I am wrong here.
EDIT: Check this https://community.ca...ge-9#entry61762
Edited by TheAwesomer, 14 March 2019 - 10:53 AM.
#395
Posted 14 March 2019 - 07:11 PM
So there is a destructive way to dump rom?
btw.
Does anybody here know chinese so he can translate some stuff from baidu forum? I've found a lot of things I could do with my calculator if only I knew chinese.
#396
Posted 15 March 2019 - 04:47 AM
So there is a destructive way to dump rom?
Dissolving the chip in acid and taking a photograph or something like that might work, but I don't have any information about the hardware.
Does anybody here know chinese
Just use some automatic translator and spend some effort understanding them. Also note that technical contents (unmatched parentheses, etc.) may be translated incorrectly or shuffled around in the translated text, so always cross-check with the original Chinese.
Also read the wikidot wiki page; some of the methods/technical terms may already be listed there.
If you are stuck even after spending some effort you can ask me (show the original text, translated text, how you understand it and what's wrong, in this topic or via PM). I don't know Chinese but I'm pretty used to reading translated Chinese.
There are some Chinese users on the forum but I think they are not very active recently.
Edited by user202729, 15 March 2019 - 01:39 PM.
#397
Posted 18 March 2019 - 10:56 AM
MAGIC OF CALC | Noise hackstring?
So many of you may have seen this video:
Well, I may have found a hackstring that causes one of the "Noise" glitches by typing in random stuff.
So the hackstring goes like this:
press log(, then keep repeating these keys until you reach the unstable byte/end of hackstring:
√( √( log( √( log(
When you have done that, press AC and Left as you would normally with a hackstring, and then press equals. The M indicator will light up, but nothing else will seem to happen. Keep pressing AC, Left, = until you get some dots on the bottom of the screen. (This usually happens after doing it about 10-20 times or so.) Do be patient, and when you get the dots, STOP. Now go into MathIO and the glitch looks like it has stopped. It hasn't. This appears to be the same effect as shown in the Magic Of Calc video. The video makes it out as if there may be several different variations of this "Noise" glitch, however.
Edited by TheAwesomer, 18 March 2019 - 11:03 AM.
#398
Posted 19 March 2019 - 09:36 PM
Hi everyone.
#399
Posted 20 March 2019 - 03:09 PM
but currently only the ES PLUS calculator models have much discovery on.
Edited by user202729, 20 March 2019 - 03:09 PM.
#400
Posted 25 March 2019 - 08:32 PM
I have been testing some things out on my fx-83GT PLUS, and I have found a few interesting exploits. I'm not exactly sure how they work, but I'll detail the most interesting:
Glitched String: In STAT submode 0, enter 'ᴀᴀ+x̂' (small A (SHIFT 1 5 1), small A, plus, x hat (SHIFT 1 5 4)), then press equals. This should throw a math error. Use the arrow buttons to exit out of the error, then delete the two 'ᴀ's and the plus, and input a number before the x hat (I use 3, but others work; I'm not sure of the requirements). It should look like this: '3x̂'. Then press equals. Nothing should appear to happen, but press an arrow button and a glitched string appears!
I think this puts you into a glitched error state, but as I say, I'm not sure.