When a hackstring is executed, the stack is overwritten with the hackstring, which allows for return-oriented programming.
However, to write return-oriented programming chains, it's necessary to know the addresses of functions, which involves reading the calculator ROM.
I have the ROM of the emulator and its disassembly; however, the position of the code is likely to be different from the position of the code in the real calculator.
The render function on the emulator is at 0x8A8C. I think on the real calculator it's around 0x8700 - 0x8A00 (which corresponds to RanInt#, PGCD, PPCM, Arond), so the hackstring would be 100 pairs of
B should be one of the above (most significant byte in the word) while A should be divisible by 4. (example: 8 x × ⌟)
I put most of my work on this in a GitHub repository named fxesplus (but the repository contains some possibly copyrighted content, such as some calculator or emulator ROM, so I won't link it here).