fx-es(ms) forum (Baidu Tieba) Followers: 11,643 Posts: 255,100
About Classwiz hacks

  • user202729
  • 991EX
    8
@461065836
Although there is no Classwiz in my country I think I can investigate it through emulator.
I have trouble understanding the Classwiz hacks, is that correct?
[1] [+] [1] lbf*in^2->kPa [x] [0] [+] [2] [=] [AC] [Up]
will show 1+1=3 on screen.
Note: The problem lies mainly in the translators. It often translates "Up" to "on", "fraction" to "score", etc. and cannot translate correctly some sentences without quotes, for example "6 multiply 5 multiply multiply 5 multiply multiply".
And:
<25 open-parentheses> 6 / 1 ( 2 + 1
(where "/" is division sign)
causes error because of new auto-wrapping function of calculator.
Also, the current Classwiz calculator supports 199 characters, how can you find unstable character at #170 or #180?


I use emulator and find out character converter bar is (FE ??) for some ??. Bold F is 3F, conversion prefix is FE and constant prefix is FD.


  • user202729
  • 991EX
    8
EDIT: Classwiz is very rare.
Can you help me make ascii and characters table by emulator?


  • -27315º
  • JP900
    9
@461065836
There should be a space behind the name you mentioned


  • user202729
  • 991EX
    8
Emulator crack method
000de170:
00 84 c0 74 2c 68 d0 12 00 -> 00 84 c0 90 90 68 d0 12 00
cheat table
https://cheatengine.org/tables/moreinfo.php?tid=2179


  • jyx8151
  • Junior moderator
    14
Re 2#:
It's extended character table, with possibly 65535 characters.
ASCII character table can be found out by modifying memory of ERROR screen.
I also recommend you to use fx-530AZ emulator to achieve this, because it supports few East Asian Character. And there's no fx-82/350/95/991CN X/ʃP500/700/900 emulator available.


  • jyx8151
  • Junior moderator
    14
Yes, it works if you modified that.
And what about ActivationFx.dll? Any idea to remove activation prompt?


  • 461065836
  • Junior moderator
    13
I get it. But I am at school now. I will try to do this when I have vacation.


  • user202729
  • 991EX
    8
@jyx8151 If first byte is F0 - FF then compound for both ASCII and character. Only EF-01+1 + (FF-F0+1)(FF-01+1)=10DF characters. Most are garbled.
Variable length ASCII.
"it supports few East Asian Character" - which?
FE A5 = 尺→m also on 570EX. So 570EX have some Chinese characters.

Can you try this and say if that works
Choose linear input mode
X=Sigma(X,1,1x10^9
[Calc] [=] [ac] [left] [del] [del] [calc] [=] [left]
(usual method for basic overflow)
Enter 210 characters, press [left] 207 times, [del] 5 times
Now there should be more than 200 characters on calculator screen. Pressing [=] may cause an error (character spill)


  • user202729
  • 991EX
    8
Character table 991ex
text: pastebin.com/hmzzcxnM


  • user202729
  • 991EX
    8
** If you copy those contents to other places you should copy the text. I had enough pain OCR Chinese. **
Text: pastebin.com/KM15i0hz


  • user202729
  • 991EX
    8
Quick way to get bold F (emulator):
1. Get an empty box (character 19) on the screen
2. When cursor in box,
memory ---------- press
(|) 19 00 00 ----- [Right]
19 00 (|) 00 00 ----- [Shift] [7] [3] [x^-1] (or "C")
19 00 FD 3F (|) 00 ----- [Left]
19 00 (|) FD 3F 00 ----- [1]
19 00 31 (|) 3F 00 ----- [Left]
19 00 (|) 31 3F 00 ----- [Del]
19 (|) 31 3F 00
3. Delete remaining


  • user202729
  • 991EX
    8
I have some questions:
What is "比号"? Is that the colon " : "?
In the "6.线性伪拼字,拼图" (link below) what is the option name (or corresponding option in 570EX) of the "1.在普通计算模式下,shif,菜单,1,3,shift,两次下,4,2" ?


Edit f/21 post above:
FB prefix -> FD prefix
Ran# = FD 18 (constant prefix)
Is the above table all characters that can be got by normal method? (the calculator support)


Some older posts about Classwiz hack:
https://tieba.baidu.com/p/3738423022
https://tieba.baidu.com/p/3810670052


The bar "imp <>≤≠≥M+M", which is called "A-type converter", has FE prefix (I don't know what the second byte is yet, we can discover that)
You mentioned a method that converts one character converter to two corresponding characters:
FE FE (I) .......... [1]
FE FE 31 (I) ..... [Left]
FE (I) FE 31 ..... [1]
FE 31 (I) FE 31
Now you have two compound characters on the screen, so all "character converter" are compound characters of two F? bytes. In the above example, start from FE FE you have FE 31 FE 31, which later you can determine the original converter. Can you find out the original code of all types of character converter (You said that there are 4 types of character converter ABCD, which convert one (the same) character to different characters)?
FE 31 = l.y.⏵m
FD 31 = m_n (constant)
FA 31 = 町⏵反
FB 21 = MatB


"Not all characters can be converted" They are the compound characters, and the character converter can be used to extract the second byte, in fact.


  • user202729
  • 991EX
    8
It seems that each constant character (FD prefix) links to a procedure to determine that. So the Sigma x^2, Sigma x, Ran#, ... also have FD prefix. I will post full FD prefix table later.


  • fx_911cnx
  • TI-84+
    11
1."比号" is ":"(ALPHA+∫)
2.The steps of "6.线性伪拼字,拼图"(570EX):



  • user202729
  • 991EX
    8
Note: Translators are often irreversible. I use the words "brush", "unstable character", "basic overflow", "abnormality", ... because the translator translates it that way, but when those words are translated back to Chinese it may not have original meaning.


The source of the linearize (stack overflow?) bug


You all know that, when enter wes.casio.com/math/index.php?q=I-234B+U-000000000000+M-C10000AD00+S-001410100000100E1010B000BB10+R-0100000000000000010000000000000000000000+E-31A931606031741A741A741A741A741A741A741A741A741A741A741A741A311B1B1B1B1B1B1B1B1B1B1B1B
and then press [CALC] the display becomes linearized. However that is not all, some other overflow characters also appear after the first Null.
Explanation:
31 A9 31 60 60 31 .... 1B 1B 1B 00 07 00 00 07 00 00 07 00 00 ...
where:
31 A9 31 60 60 31 .... 1B 1B 1B is the formula 1÷(1((1√(√(√(√(√(...√(1)...)))))
00 is the first null
07 00 00 07 00 00 ... is the overflow part, that I want to say.


In method 7 in https://tieba.baidu.com/p/3810670052, without using any compound character, that compound character appears. So, it must be of this overflow part. If we know exactly what will be generated in what condition, we may get access to "impossible bytes" (that we cannot type directly in calculator) without unstable character.


Casio fx-570VN PLUS also has that bug.


Because I can't be sure if that is different between calculator and emulator (if that is overflow from the stack only), so I must find some way to read those characters on real calculator.


On ES PLUS series that is simpler, but on Classwiz calculators it is very difficult, because of compound characters and some special characters that can't be displayed.


Note: If someone can debug the disassembled (that is, the reverse of assemble, as in "x86 assembly") code of those calculators and work out the method (for example, which procedure writes those characters, and where those characters come from), we will be done.


  • user202729
  • 991EX
    8
Perfect emulator crack method:
0DE11B : 0F 84 C0 00 00 00 -> 90 90 90 90 90 90
0DE136: 0F 84 A5 00 00 00 -> 90 90 90 90 90 90
0DE160: 74 3F -> EB 13
No activation dialog. Can run multiple emulators at once.


  • user202729
  • 991EX
    8
The Classwiz calculators have 4 segments of program/code memory, double that of ES PLUS series. The model string of fx 991ex emulator is "CY-234B S9". (Most) large-font characters of the calculator are 12 pixels high and 10 pixels wide. (which you may already know, but is hard to determine on emulator)


  • user202729
  • 991EX
    8
I currently can only find position of 5x7 font on calculator. It is at address 16A in segment 0, takes 3D4 bytes. You can use my program to view the content of the font.
The font:
www.mediafire.com/file/b83a9ybs3566x12/Casio_Classwiz_fx_991ex_NOTE.txt
Those are download links for calculator "program/code memory" (technical term for nX/U8-100 microcontroller) (4 segments) and the corresponding disassembled code.
www.mediafire.com/file/weoplv9o9k04rdj/fx-570EX_991EX_Emulator_ROM_pieces.DMP
www.mediafire.com/file/fpz620xclyndd8d/disas_fx_570EX.txt
Note that not all parts of the disassembled code are actually code, code often starts with "PUSH LR" and ends with "POP PC", and that I don't have code analyzer to find what is code and what is data.


  • user202729
  • 991EX
    8
It is surprising that the calculator can calculate unsupported functions like GCD, LCM, Int, Intg, RndFix, etc. (991ex does not support those right?)
https://tieba.baidu.com/p/4996790572
FE (conversion) prefix
1:Length
01 02 03 04 05 06 07 08 09 0A 11 12
2:Area
0B 0C
3:Volume
0D 0E 0F 10
4:Mass
15 16 17 18
1:Velocity
14 13
2:Pressure
19 1A 1B 1C 1F 20 23 24
3:Energy
21 22 28 27
4:Power
1D 1E
1:Temperature
26 25
It seems that weird linearize overflow needs to be used in that case. Have to find the source of the bug.


  • user202729
  • 991EX
    8
1. I remember having seen a post that says about stack manipulation in ES PLUS series. Is that detailed enough to predict content of the stack just by looking at the expression? For example 1+√5̅.
2. It seems that, and I hope that, Classwiz calculators are equivalent (one calculator can be hacked into others). I also notice that fx 991EX has PreAns (4A) working.
3. You have succeeded in finding out how to get an invalid variable right? (The variable M such that M⁰+√□̅ = ERROR even if the later part should be Syntax ERROR) So you can get internal representation of an expression by:
a. Enter M⁰+expression
b. Press [=], [Shift], [QR]
c. Scan the QR code by anything
d. Look at the URL. The hexadecimal values after the "+E-" in the URL is the internal representation of the expression.
Using that you can verify my character table above (if you feel that is necessary) and find out internal representations of other things such as "imp <>≤≠≥M+M" (I think that is FE FE)
4. Did you notice the "Q", "R", "white down arrow", "minute", "second" in the FB prefix part? On ES PLUS series, the character table for display result is different from that of input (so "r=1,θ=90" becomes "r=1,ɸ₀=0", note the θ and ɸ₀). On Classwiz they are identical. That is the reason why there must be those new characters, they all appear in display result. That leads to a funny part in calculator: M⁰, instead of ERROR, becomes Dd/dx(d/dx(@d/dx(.


  • user202729
  • 991EX
    8
F3 00 00 00 00 00 00 00 00 00 is displayed correctly as ERROR in Table mode.
FB prefix (continue)
01 -> 09: Σx² Σx n Σy² Σy Σxy Σx³ Σx²y Σx⁴
0A -> 0F: min(x) max(x) min(y) max(y) x̅ y̅
10 -> 19: a b c r σx sx σy sy Ran# Q1
1A -> 1F: Q3 med σ²x s²x σ²y s²y
20 -> 21: an n
22 -> 2E: @
2F: AtWt (sadly AtWt does not work, it returns the input value)
The character "F? 00" can be used as a fake null value, allowing seeing contents of basic overflow. Its usage is quite limited unfortunately.
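Added example (not part of the original posts): a small Python parser for the QR URL quoted earlier in the thread, which extracts the hexadecimal "+E-" field and groups its bytes into characters using the F0 to FF two-byte rule and the "F? 00" pair described in the posts above. Treating a 00 inside such a pair as non-terminating is an assumption drawn from these posts; the function names and the constructed memory image are hypothetical.

```python
import re

# URL quoted in the thread (QR output of the fx-991EX emulator).
QR_URL = ("wes.casio.com/math/index.php?q=I-234B+U-000000000000+M-C10000AD00"
          "+S-001410100000100E1010B000BB10"
          "+R-0100000000000000010000000000000000000000"
          "+E-31A931606031741A741A741A741A741A741A741A741A741A741A741A741A311B1B1B1B1B1B1B1B1B1B1B1B")

def parse_qr_url(url):
    """Split the q= parameter into its 'X-value' fields (I, U, M, S, R, E)."""
    query = url.split("?q=", 1)[1]
    fields = {}
    for part in re.split(r"[+ ]", query):   # '+' may arrive decoded as a space
        key, _, value = part.partition("-")
        fields[key] = value
    return fields

def tokenize(data):
    """Group bytes into characters: F0..FF starts a two-byte compound character."""
    tokens, i = [], 0
    while i < len(data):
        width = 2 if data[i] >= 0xF0 and i + 1 < len(data) else 1
        tokens.append(data[i:i + width])
        i += width
    return tokens

def split_at_null(data):
    """Return (expression tokens, bytes after the first stand-alone 00).

    Assumption: a 00 that is the second byte of an F? pair is not a terminator.
    """
    expr, offset = [], 0
    for tok in tokenize(data):
        if tok == b"\x00":
            return expr, data[offset + 1:]
        expr.append(tok)
        offset += len(tok)
    return expr, b""

if __name__ == "__main__":
    expr = bytes.fromhex(parse_qr_url(QR_URL)["E"])
    print([t.hex().upper() for t in tokenize(expr)])
    # Constructed memory image: FE 31, F3 00, '1', null, then overflow bytes.
    dump = bytes.fromhex("FE31F3003100070000070000")
    tokens, overflow = split_at_null(dump)
    print([t.hex().upper() for t in tokens], overflow.hex().upper())
```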


  • user202729
  • 991EX
    8
The next part is unstable character, as it is called. It is #209 - #210 on ES PLUS series, and it is #409 - #410 on EX series.
You have been correct on saying that because 409 > 256 there is no way to make the cursor go that far, even with basic overflow. However there is another way to brush unstable character, without moving the cursor there.
Details in next post.


The variables lie right next to unstable character so the method can also change (invalidate) content of variables.


  • user202729
  • 991EX
    8
ERROR value found.
-- Method --
M : M = ∫( 1 , x10 8 5 - x10 9 9 , 9 x10 9 9
[CALC] [=] [=]
Screen show Syntax ERROR. The "x10" is one character.
Trying CMPLX overflow.


  • user202729
  • 991EX
    8
Is it possible to predict content of the stack just by looking at the input expression?




--- Linearize overflow ---
(on 570vn plus. On Classwiz this should be similar)
1. Both when you press [Calc] or [=] the content of the input is copied from the stack, but at different locations. When you press [Calc] address [81A5] gets its value from [8D33] while when you press [=] that address gets its value from [8D61].
Note that (hex) 8D61 - 81A5 = (dec) 68 - 22.
2. Apart from about 3 to 5 bytes whose contents are repeatedly updated (to the same value), the contents copied to the screen are unchanged. In other words, it is quite deep inside the stack.
3. When you press (most) buttons on the calculator (left, right, up, number, operand, etc.) those values are changed.
4. Comparing between real calculator and emulator, most of the bytes are identical, except some. When you press [=] there are more identical bytes. I note the bytes at #65 and #66, which are C3FA on real calculator and CD5C on emulator; their difference is 962, which suggests that they are content of LR register being pushed on the stack.


  • 461065836
  • Junior moderator
    13
I have not found the unstable character in the machine....


  • 461065836
  • Junior moderator
    13
I'm going to school tomorrow, maybe I have no time to see the post. I found some of our predecessors' research of the ES emulator, hoping it can help you.




  • user202729
  • 991EX
    8
@461065836
Because the emulator's cursor can't get past position 204, I can't get the unstable character on the emulator. On real calculator the cursor can get to position 255.
So the basic principle is:
(I am talking about where that can't be displayed on the screen, but the normal input also has those properties)
1. If you place the cursor before a number, and the character before the cursor is +, -, :, or similar characters, and press [shift] [fraction], the number after the cursor will be moved to the denominator of the mixed fraction.
The basic overflow position also has this property so you can use this to push characters towards the right, without the need to move the cursor to position 408, to get unstable character.
However that only works if the resulting mixed fraction's size does not exceed 199 bytes.
Apart from mixed fraction, fraction, square root or n-th root also have this property - push characters forward.
2. You can take advantage of cache area which is at character 201 to 400.
If you can't understand perhaps I will make a video.
------------
Can anyone explain post 11 of https://tieba.baidu.com/p/5016044715 the part "M bright up"?


  • user202729
  • 991EX
    8
It seems that Cheat Engine official site no longer keeps CT files.


fx-570EX_991EX Emulator.CT: pastebin.com/DGfi5h6U
Casio fx570vn plus.CT: pastebin.com/1PnX6in3


  • user202729
  • 991EX
    8
Probably Classwiz calculator can execute arbitrary code in assembly! Segment 4 is editable.
But first you try to get "basic overflow": Press [=] when there are at least 200 characters on the screen. Most of the time the calculator should freeze (just like basic overflow on ES PLUS series)


  • user202729
  • 991EX
    8
Although unrelated to the calculator, modifying the key mapping of the keyboard to the emulator will help trying some hacks on the emulator faster, which is what I'm doing now. Has anyone done this before?


Also, what do you think about creating a perfect emulator for 991ES PLUS, that is, using the exact same ROM? It is quite difficult, but (at least) does not involve reading every byte from real calculator (we can use information of emulator's ROM), and if we succeed, we would be able to know the cause of each error, from that we can reproduce them in a stable way.


For example what is the cause of the first "abnormal mode" on 991es plus (6楼 https://tieba.baidu.com/p/1949542063)? I guess it is Fix/Sci/Norm flag, or something like that. Also notice that pressing Σ about 6 times (MthIO mode) clears calculation history so the stack is out of place.


I have extracted some information from 570vn+ rom, which is the reason why I could find the bugs on that series. (see community.casiocalc.org/topic/7583-fx-82-83gt-115-991es-hacking/page-6 , #219 for the information I extracted)

