#MIT License #Copyright (c) 2010-2017 Nuke, brkirch, Y.S, Kenobi, gamemasterplc #Permission is hereby granted, free of charge, to any person obtaining a copy #of this software and associated documentation files (the "Software"), to deal #in the Software without restriction, including without limitation the rights #to use, copy, modify, merge, publish, distribute, sublicense, and/or sell #copies of the Software, and to permit persons to whom the Software is #furnished to do so, subject to the following conditions: #The above copyright notice and this permission notice shall be included in all #copies or substantial portions of the Software. #THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR #IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE #AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER #LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, #OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE #SOFTWARE. # Based off of codehandleronly.s from Gecko OS source code. # Example command to build: # powerpc-elf-gcc -mpowerpc -mpaired -mbig codehandler.s -nostartfiles -nodefaultlibs -nostdlib -T codehandler.ld -o codehandler.bin .text #Register Defines .set r0,0; .set r1,1; .set r2,2; .set r3,3; .set r4,4 .set r5,5; .set r6,6; .set r7,7; .set r8,8; .set r9,9 .set r10,10; .set r11,11; .set r12,12; .set r13,13; .set r14,14 .set r15,15; .set r16,16; .set r17,17; .set r18,18; .set r19,19 .set r20,20; .set r21,21; .set r22,22; .set r23,23; .set r24,24 .set r25,25; .set r26,26; .set r27,27; .set r28,28; .set r29,29 .set r30,30; .set r31,31; .set f0,0; .set f2,2; .set f3,3 .globl _start gameid: .long 0,0 cheatdata: .long frozenvalue .space 39*4 # Warning, _strip_and_align expects cheat codes to start on 0x0 or 0x8. # Properly compiling it will add a nop if needed. _start: stwu r1,-172(r1) # stores sp stw r0,8(r1) # stores r0 mflr r0 stw r0,176(r1) # stores lr mfcr r0 stw r0,12(r1) # stores cr mfctr r0 stw r0,16(r1) # stores ctr mfxer r0 stw r0,20(r1) # stores xer stmw r3,24(r1) # saves r3-r31 mfmsr r25 stw r25,168(r1) # save msr ori r26,r25,0x2000 #enable floating point ? andi. r26,r26,0xF9FF mtmsr r26 stfd f2,152(r1) # stores f2 stfd f3,160(r1) # stores f3 lis r31,cheatdata@h #0x8000 lis r20, 0xCC00 lhz r28, 0x4010(r20) ori r21, r28, 0xFF sth r21, 0x4010(r20) # disable MP3 memory protection lis r15, codelist@h ori r15, r15, codelist@l ori r7, r31, cheatdata@l # set pointer for storing data (before the codelist) lis r6,0x8000 # default base address = 0x80000000 (code handler) mr r16,r6 # default pointer =0x80000000 (code handler) li r8,0 # code execution status set to true (code handler) lis r3,0x00D0 ori r3,r3,0xC0DE lwz r4,0(r15) cmpw r3,r4 bne- _exitcodehandler lwz r4,4(r15) cmpw r3,r4 bne- _exitcodehandler # lf no code list skip code handler addi r15,r15,8 b _readcodes _exitcodehandler: sth r28,0x4010(r20) # restore memory protection value lfd f2,152(r1) # loads f2 lfd f3,160(r1) # loads f3 lwz r25,168(r1) mtmsr r25 lwz r0,176(r1) mtlr r0 # restores lr lwz r0,12(r1) mtcr r0 # restores cr lwz r0,16(r1) mtctr r0 # restores ctr lwz r0,20(r1) mtxer r0 # restores xer lmw r3,24(r1) # restores r3-r31 lwz r0,8(r1) # loads r0 addi r1,r1,172 isync blr # return back to game _readcodes: lwz r3,0(r15) #load code address lwz r4,4(r15) #load code value addi r15,r15,8 #r15 points to next code andi. r9,r8,1 cmpwi cr7,r9,0 #check code execution status in cr7. eq = true, ne = false li r9,0 #Clears r9 rlwinm r10,r3,3,29,31 #r10 = extract code type, 3 bits rlwinm r5,r3,7,29,31 #r5 = extract sub code type 3 bits andis. r11,r3,0x1000 #test pointer rlwinm r3,r3,0,7,31 #r3 = extract address in r3 (code type 0/1/2) #0x01FFFFFF bne +12 #jump lf the pointer is used rlwinm r12,r6,0,0,6 #lf pointer is not used, address = base address b +8 mr r12,r16 #lf pointer is used, address = pointer cmpwi cr4,r5,0 #compares sub code type with 0 in cr4 cmpwi r10,1 blt+ _write #code type 0 : write beq+ _conditional #code type 1 : conditional cmpwi r10,3 blt+ _ba_pointer #Code type 2 : base address operation beq- _repeat_goto #Code type 3 : Repeat & goto cmpwi r10,5 blt- _operation_rN #Code type 4 : rN Operation beq+ _compare16_NM_counter #Code type 5 : compare [rN] with [rM] cmpwi r10,7 blt+ _hook_execute #Code type 6 : hook, execute code b _terminator_onoff_ #code type 7 : End of code list _Write_32: lwz r18, 0(r12) #Load data from registry that will be written to cmpw r18, r5 #Is data to be written equal to the data in memory beq+ +72 #Skip if yes stw r5, 0(r12) #store opcode li r9, 0 #safe, check r9 if more write_32's are linked. b +48 _Write_08x: lbzx r18, r9, r12 rlwinm r0, r4, 0, 24,31 #Clears any other data with r4's byte, for compare cmpw r0, r18 beq+ +44 stbx r4,r9,r12 b +24 _Write_16x: lhzx r18, r9, r12 rlwinm r0, r4, 0, 16,31 #Makes sure r4 is just a halfword for compare cmpw r0, r18 beq+ +20 sthx r4,r9,r12 icbi r9, r12 #branch target. Clears cache. Need dcbf? sync isync blr #CT0============================================================================= #write 8bits (0): 00XXXXXX YYYY00ZZ #write 16bits (1): 02XXXXXX YYYYZZZZ #write 32bits (2): 04XXXXXX ZZZZZZZZ #string code (3): 06XXXXXX YYYYYYYY, d1d1d1d1 d2d2d2d2, d3d3d3d3 .... #Serial Code (4): 08XXXXXX YYYYYYYY TNNNZZZZ VVVVVVVV _write: add r12,r12,r3 #address = (ba/po)+(XXXXXX) cmpwi r5,3 beq- _write_string #r5 == 3, goto string code bgt- _write_serial #r5 >= 4, goto serial code bne- cr7,_readcodes #lf code execution set to false skip code cmpwi cr4,r5,1 #compares sub code type and 1 in cr4 bgt- cr4,_write32 #lf sub code type == 2, goto write32 #lf sub code type = 0 or 1 (8/16bits) rlwinm r10,r4,16,16,31 #r10 = extract number of times to write (16bits value) _write816: beq cr4,+16 #lf r5 = 1 then 16 bits write bl _Write_08x addi r9,r9,1 b +12 bl _Write_16x addi r9, r9, 2 subic. r10,r10,1 #number of times to write -1 bge- _write816 b _readcodes _write32: rlwinm r12,r12,0,0,29 #32bits align adress mr r5, r4 bl _Write_32 b _readcodes _write_string: #endianess ? mr r9,r4 mr r22, r4 bne- cr7,_skip_and_align #lf code execution is false, skip string code data _stb: subic. r9,r9,1 #r9 -= 1 (and compares r9 with 0) blt- _skip_and_align #lf r9 < 0 then exit lbzx r5,r9,r15 mr r4, r5 bl _Write_08x #loop until all the data has been written mr r4, r22 b _stb _write_serial: addi r15,r15,8 #r15 points to the code after the serial code bne- cr7,_readcodes #lf code execution is false, skip serial code lwz r5,-8(r15) #load TNNNZZZZ lwz r11,-4(r15) #r11 = load VVVVVVVV rlwinm r17,r5,0,16,31 #r17 = ZZZZ rlwinm r10,r5,16,20,31 #r10 = NNN (# of times to write -1) rlwinm r5,r5,4,28,31 #r5 = T (0:8bits/1:16bits/2:32bits) _loop_serial: cmpwi cr5,r5,1 beq- cr5,+16 #lf 16bits bgt+ cr5,+20 #lf 32bits bl _Write_08x b +40 bl _Write_16x #write serial halfword (CT04,T=1) b +32 lwzx r18, r9, r12 cmpw r4, r18 beq+ +20 stwx r4,r9,r12 #write serial word (CT04,T>=2) icbi r9, r12 #Invalidate Icache around real memory offset sync isync add r4,r4,r11 #value +=VVVVVVVV add r9,r9,r17 #address +=ZZZZ subic. r10,r10,1 bge+ _loop_serial #loop until all the data has been written b _readcodes #CT1============================================================================= #32bits conditional (0,1,2,3): 20XXXXXX YYYYYYYY #16bits conditional (4,5,6,7): 28XXXXXX ZZZZYYYY #PS : 31 bit of address = endlf. _conditional: rlwinm. r9,r3,0,31,31 #r10 = (bit31 & 1) (endlf enabled?) beq +16 #jump lf endlf is not enabled rlwinm r8,r8,31,1,31 #Endlf (r8>>1) andi. r9,r8,1 #r9=code execution status cmpwi cr7,r9,0 #check code execution status in cr7 cmpwi cr5,r5,4 #compares sub code type and 4 in cr5 cmpwi cr3,r10,5 #compares code type and 5 in cr3 rlwimi r8,r8,1,0,30 #r8<<1 and current execution status = old execution status bne- cr7,_true_end #lf code execution is set to false -> exit bgt cr3,_addresscheck2 #lf code type==6 -> address check add r12,r12,r3 #address = (ba/po)+(XXXXXX) blt cr3,+12 #jump lf code type <5 (==1) blt cr5,_condition_sub #compare [rN][rM] b _conditional16_2 #counter compare bge cr5,_conditional16 #lf sub code type>=4 -> 16 bits conditional _conditional32: rlwinm r12,r12,0,0,29 #32bits align lwz r11,0(r12) b _condition_sub _conditional16: rlwinm r12,r12,0,0,30 #16bits align lhz r11,0(r12) _conditional16_2: nor r9,r4,r4 rlwinm r9,r9,16,16,31 #r9 = extract mask and r11,r11,r9 #r11 &= r9 rlwinm r4,r4,0,16,31 #r4 = extract data to check against _condition_sub: cmpl cr6,r11,r4 #Unsigned compare. r11=data at address, r4=YYYYYYYY andi. r9,r5,3 beq _skip_NE #lf sub code (type & 3) == 0 cmpwi r9,2 beq _skip_LE #lf sub code (type & 3) == 2 bgt _skip_GE #lf sub code (type & 3) == 3 _skip_EQ:#1 bne- cr6,_true_end #CT21, CT25, CT29 or CT2D (lf !=) b _skip _skip_NE:#0 beq- cr6,_true_end #CT20, CT24, CT28 or CT2C (lf==) b _skip _skip_LE:#2 bgt- cr6,_true_end #CT22, CT26, CT2A or CT2E (lf r4>[]) b _skip _skip_GE:#3 blt- cr6,_true_end #CT23, CT27, CT2B or CT2F (lf r4<r4) _skip: ori r8,r8,1 #r8|=1 (execution status set to false) _true_end: bne+ cr3,_readcodes #lf code type <> 5 blt cr5,_readcodes lwz r11,-8(r15) #load counter bne cr7,_clearcounter #lf previous code execution false clear counter andi. r12,r3,0x8 #else lf clear counter bit not set increase counter beq _increase_counter andi. r12,r8,0x1 #else lf.. code result true clear counter beq _clearcounter _increase_counter: addi r12,r11,0x10 #else increase the counter rlwimi r11,r12,0,12,27 #update counter b _savecounter _clearcounter: rlwinm r11,r11,0,28,11 #clear the counter _savecounter: stw r11,-8(r15) #save counter b _readcodes #CT2============================================================================ #load base address (0): 40TYZ00N XXXXXXXX = (load/add:T) ba from [(ba/po:Y)+XXXXXXXX(+rN:Z)] #set base address (1): 42TYZ00N XXXXXXXX = (set/add:T) ba to (ba/po:Y)+XXXXXXXX(+rN:Z) #store base address (2): 440Y0000 XXXXXXXX = store base address to [(ba/po)+XXXXXXXX] #set base address to (3): 4600XXXX 00000000 = set base address to code address+XXXXXXXX #load pointer (4): 48TYZ00N XXXXXXXX = (load/add:T) po from [(ba/po:Y)+XXXXXXXX(+rN:Z)] #set pointer (5): 4ATYZ00N XXXXXXXX = (set/add:T) po to (ba/po:Y)+XXXXXXXX(+rN:Y) #store pointer (6): 4C0Y0000 XXXXXXXX = store pointer to [(ba/po)+XXXXXXXX] #set pointer to (7): 4E00XXXX 00000000 = set pointer to code address+XXXXXXXX _ba_pointer: bne- cr7,_readcodes rlwinm r9,r3,2,26,29 #r9 = extract N, makes N*4 rlwinm r14,r3,16,31,31 #r3 = add ba/po flag bit (Y) cmpwi cr3,r14,0 cmpwi cr4,r5,4 #cr4 = compare sub code type with 4 (ba/po) andi. r14,r5,3 #r14 = sub code type and 3 cmpwi cr5,r14,2 #compares sub code type and 2 blt- cr5,_p01 beq- cr5,_p2 #sub code type 2 _p3: extsh r4,r3 add r4,r4,r15 #r4=XXXXXXXX+r15 (code location in memory) b _pend _p01: rlwinm. r5,r3,20,31,31 #r3 = rN use bit (Z) beq +12 #flag is not set(=0), address = XXXXXXXX lwzx r9,r7,r9 #r9 = load register N add r4,r4,r9 #flag is set (=1), address = XXXXXXXX+rN beq cr3,+8 #(Y) flag is not set(=0), address = XXXXXXXX (+rN) add r4,r12,r4 #address = XXXXXXXX (+rN) + (ba/po) cmpwi cr5,r14,1 beq cr5,+8 #address = (ba/po)+XXXXXXXX(+rN) lwz r4,0(r4) #address = [(ba/po)+XXXXXXXX(+rN)] rlwinm. r3,r3,12,31,31 #r5 = add/replace flag (T) beq _pend #flag is not set (=0), (ba/po)= XXXXXXXX (+rN) + (ba/po) bge cr4,+12 add r4,r4,r6 #ba += XXXXXXXX (+rN) + (ba/po) b _pend add r4,r4,r16 #po += XXXXXXXX (+rN) + (ba/po) b _pend _p2: rlwinm. r5,r3,20,31,31 #r3 = rN use bit (Z) beq +12 #flag is not set(=0), address = XXXXXXXX lwzx r9,r7,r9 #r9 = load register N add r4,r4,r9 #flag is set (=1), address = XXXXXXXX+rN bge cr4,+12 stwx r6,r12,r4 #[(ba/po)+XXXXXXXX] = base address b _readcodes stwx r16,r12,r4 #[(ba/po)+XXXXXXXX] = pointer b _readcodes _pend: bge cr4,+12 mr r6,r4 #store result to base address b _readcodes mr r16,r4 #store result to pointer b _readcodes #CT3============================================================================ #set repeat (0): 6000ZZZZ 0000000P = set repeat #execute repeat (1): 62000000 0000000P = execute repeat #return (2): 64S00000 0000000P = return (lf true/false/always) #goto (3): 66S0XXXX 00000000 = goto (lf true/false/always) #gosub (4): 68S0XXXX 0000000P = gosub (lf true/false/always) _repeat_goto: rlwinm r9,r4,3,25,28 #r9 = extract P, makes P*8 addi r9,r9,0x40 #offset that points to block P's cmpwi r5,2 #compares sub code type with 2 blt- _repeat rlwinm. r11,r3,10,0,1 #extract (S&3) beq +20 #S=0, skip lf true, don't skip lf false bgt +8 b _b_bl_blr_nocheck #S=2/3, always skip (code exec status turned to true) beq- cr7,_readcodes #S=1, skip lf false, don't skip lf true b _b_bl_blr_nocheck _b_bl_blr: bne- cr7,_readcodes #lf code execution set to false skip code _b_bl_blr_nocheck: cmpwi r5,3 bgt- _bl #sub code type >=4, bl beq+ _b #sub code type ==3, b _blr: lwzx r15,r7,r9 #loads the next code address b _readcodes _bl: stwx r15,r7,r9 #stores the next code address in block P's address _b: extsh r4,r3 #XXXX becomes signed rlwinm r4,r4,3,9,28 add r15,r15,r4 #next code address +/-=line XXXX b _readcodes _repeat: bne- cr7,_readcodes #lf code execution set to false skip code add r5,r7,r9 #r5 points to P address bne- cr4,_execute_repeat #branch lf sub code type == 1 _set_repeat: rlwinm r4,r3,0,16,31 #r4 = extract NNNNN stw r15,0(r5) #store current code address to [bP's address] stw r4,4(r5) #store NNNN to [bP's address+4] b _readcodes _execute_repeat: lwz r9,4(r5) #load NNNN from [M+4] cmpwi r9,0 beq- _readcodes subi r9,r9,1 stw r9,4(r5) #saves (NNNN-1) to [bP's address+4] lwz r15,0(r5) #load next code address from [bP's address] b _readcodes #CT4============================================================================ #set/add to rN(0) : 80SY000N XXXXXXXX = rN = (ba/po) + XXXXXXXX #load rN (1) : 82UY000N XXXXXXXX = rN = [XXXXXXXX] (offset support) (U:8/16/32) #store rN (2) : 84UYZZZN XXXXXXXX = store rN in [XXXXXXXX] (offset support) (8/16/32) #operation 1 (3) : 86TY000N XXXXXXXX = operation rN?XXXXXXXX ([rN]?XXXXXXXX) #operation 2 (4) : 88TY000N 0000000M = operation rN?rM ([rN]?rM, rN?[rM], [rN]?[rM]) #copy1 (5) : 8AYYYYNM XXXXXXXX = copy YYYY bytes from [rN] to ([rM]+)XXXXXXXX #copy2 (6) : 8CYYYYNM XXXXXXXX = copy YYYY bytes from ([rN]+)XXXXXX to [rM] #for copy1/copy2, lf register == 0xF, base address is used. #of course, sub codes types 0/1, 2/3 and 4/5 can be put together lf we need more subtypes. _operation_rN: bne- cr7,_readcodes rlwinm r11,r3,2,26,29 #r11 = extract N, makes N*4 add r26,r7,r11 #1st value address = rN's address lwz r9,0(r26) #r9 = rN rlwinm r14,r3,12,30,31 #extracts S, U, T (3bits) beq- cr4,_op0 #lf sub code type = 0 cmpwi cr4,r5,5 bge- cr4,_op56 #lf sub code type = 5/6 cmpwi cr4,r5,3 bge- cr4,_op34 #lf sub code type = 3/4 cmpwi cr4,r5,1 _op12: #load/store rlwinm. r5,r3,16,31,31 #+(ba/po) flag : Y beq +8 #address = XXXXXXXX add r4,r12,r4 cmpwi cr6,r14,1 bne- cr4,_store _load: bgt+ cr6,+24 beq- cr6,+12 lbz r4,0(r4) #load byte at address b _store_reg lhz r4,0(r4) #load halfword at address b _store_reg lwz r4,0(r4) #load word at address b _store_reg _store: rlwinm r19,r3,28,20,31 #r9=r3 ror 12 (N84UYZZZ) mr r12, r4 mr r4, r9 mr r5, r9 li r9, 0 _storeloop: bgt+ cr6,+32 beq- cr6,+16 bl _Write_08x #store byte at address addi r12,r12,1 b _storeloopend bl _Write_16x #store byte at address addi r12,r12,2 b _storeloopend bl _Write_32 addi r12,r12,4 _storeloopend: subic. r19,r19,1 bge _storeloop b _readcodes _op0: rlwinm. r5,r3,16,31,31 #+(ba/po) flag : Y beq +8 #value = XXXXXXXX add r4,r4,r12 #value = XXXXXXXX+(ba/po) andi. r5,r14,1 #add flag : S beq _store_reg #add flag not set (=0), rN=value add r4,r4,r9 #add flag set (=1), rN=rN+value b _store_reg _op34: #operation 1 & 2 rlwinm r10,r3,16,30,31 #extracts Y rlwinm r14,r4,2,26,29 #r14 = extract M (in r4), makes M*=4 add r19,r7,r14 #2nd value address = rM's address bne cr4,+8 subi r19,r15,4 #lf CT3, 2nd value address = XXXXXXXX's address lwz r4,0(r26) #1st value = rN lwz r9,0(r19) #2nd value = rM/XXXXXXXX andi. r11,r10,1 #lf [] for 1st value beq +8 mr r26,r4 andi. r11,r10,2 #lf [] for 2nd value beq +16 mr r19,r9 bne+ cr4,+8 add r19,r12,r19 #lf CT3, 2nd value address = XXXXXXXX+(ba/op) rlwinm. r5,r3,12,28,31 #operation # flag : T cmpwi r5,9 bge _op_float _operation_bl: bl _operation_bl_return _op450: add r4,r9,r4 #N + M b _store_reg _op451: mullw r4,r9,r4 #N * M b _store_reg _op452: or r4,r9,r4 #N | M b _store_reg _op453: and r4,r9,r4 #N & M b _store_reg _op454: xor r4,r9,r4 #N ^ M b _store_reg _op455: slw r4,r9,r4 #N << M b _store_reg _op456: srw r4,r9,r4 #N >> M b _store_reg _op457: rlwnm r4,r9,r4,0,31 #N rol M b _store_reg _op458: sraw r4,r9,r4 #N asr M _store_reg: stw r4,0(r26) #Store result in rN/[rN] b _readcodes _op_float: cmpwi r5,0xA bgt _readcodes lfs f2,0(r26) #f2 = load 1st value lfs f3,0(r19) #f3 = load 2nd value beq- _op45A _op459: fadds f2,f3,f2 #N = N + M (float) b _store_float _op45A: fmuls f2,f3,f2 #N = N * M (float) _store_float: stfs f2,0(r26) #Store result in rN/[rN] b _readcodes _operation_bl_return: mflr r10 rlwinm r5,r5,3,25,28 #r5 = T*8 add r10,r10,r5 #jumps to _op5: + r5 lwz r4,0(r26) #load [rN] lwz r9,0(r19) #2nd value address = rM/XXXXXXXX mtlr r10 blr #copy1 (5) : 8AYYYYNM XXXXXXXX = copy YYYY bytes from [rN] to ([rM]+)XXXXXXXX #copy2 (6) : 8CYYYYNM XXXXXXXX = copy YYYY bytes from ([rN]+)XXXXXX to [rM] _op56: bne- cr7,_readcodes #lf code execution set to false skip code rlwinm r9,r3,24,0,31 #r9=r3 ror 8 (NM8AYYYY, NM8CYYYY) mr r14,r12 #r14=(ba/po) bl _load_NM beq- cr4,+12 add r17,r17,r4 #lf sub code type==0 then source+=XXXXXXXX b +8 add r9,r9,r4 #lf sub code type==1 then destination+=XXXXXXXX rlwinm. r4,r3,24,16,31 #Extracts YYYY, compares it with 0 li r5,0 _copy_loop: beq _readcodes #Loop until all bytes have been copied. lbzx r10,r5,r17 stbx r10,r5,r9 addi r5,r5,1 cmpw r5,r4 b _copy_loop #=============================================================================== #This is a routine called by _memory_copy and _compare_NM_16 _load_NM: cmpwi cr5,r10,4 #compare code type and 4(rn Operations) in cr5 rlwinm r17,r9,6,26,29 #Extracts N*4 cmpwi r17,0x3C lwzx r17,r7,r17 #Loads rN value in r17 bne +8 mr r17,r14 #lf N==0xF then source address=(ba/po)(+XXXXXXXX, CT5) beq cr5,+8 lhz r17,0(r17) #...and lf CT5 then N = 16 bits at [XXXXXX+base address] rlwinm r9,r9,10,26,29 #Extracts M*4 cmpwi r9,0x3C lwzx r9,r7,r9 #Loads rM value in r9 bne +8 mr r9,r14 #lf M==0xF then dest address=(ba/po)(+XXXXXXXX, CT5) beq cr5,+8 lhz r9,0(r9) #...and lf CT5 then M = 16 bits at [XXXXXX+base address] blr #CT5============================================================================ #16bits conditional (0,1,2,3): A0XXXXXX NM00YYYY (unknown values) #16bits conditional (4,5,6,7): A8XXXXXX ZZZZYYYY (counter) #sub codes types 0,1,2,3 compare [rN] with [rM] (both 16bits values) #lf register == 0xF, the value at [base address+XXXXXXXX] is used. _compare16_NM_counter: cmpwi r5,4 bge _compare16_counter _compare16_NM: mr r9,r4 #r9=NM00YYYY add r14,r3,r12 #r14 = XXXXXXXX+(ba/po) rlwinm r14,r14,0,0,30 #16bits align (base address+XXXXXXXX) bl _load_NM #r17 = N's value, r9 = M's value nor r4,r4,r4 #r4=!r4 rlwinm r4,r4,0,16,31 #Extracts !YYYY and r11,r9,r4 #r3 = (M AND !YYYY) and r4,r17,r4 #r4 = (N AND !YYYY) b _conditional _compare16_counter: rlwinm r11,r3,28,16,31 #extract counter value from r3 in r11 b _conditional #=============================================================================== #execute (0) : C0000000 NNNNNNNN = execute. End with 4E800020 00000000. #hook1 (2) : C4XXXXXX NNNNNNNN = insert instructions at XXXXXX. Same as C2. #hook2 (3) : C6XXXXXX YYYYYYYY = branch from XXXXXX to YYYYYY #on/off (6) : CC000000 00000000 = on/off switch #range check (7) : CE000000 XXXXYYYY = is ba/po in XXXX0000-YYYY0000 _hook_execute: mr r26,r4 #r26 = 0YYYYYYY rlwinm r4,r4,3,0,28 #r4 = NNNNNNNN*8 = number of lines (and not number of bytes) bne- cr4,_hook_addresscheck #lf sub code type != 0 bne- cr7,_skip_and_align _execute: mtlr r15 blrl _skip_and_align: add r15,r4,r15 addi r15,r15,7 rlwinm r15,r15,0,0,28 #align 64-bit b _readcodes _hook_addresscheck: cmpwi cr4,r5,3 bgt- cr4,_addresscheck1 #lf sub code type ==6 or 7 lis r5,0x4800 add r12,r3,r12 rlwinm r12,r12,0,0,29 #align address bne- cr4,_hook1 #lf sub code type ==2 _hook2: bne- cr7,_readcodes rlwinm r4,r26,0,0,29 #address &=0x01FFFFFC sub r4,r4,r12 #r4 = to-from rlwimi r5,r4,0,6,29 #r5 = (r4 AND 0x03FFFFFC) OR 0x48000000 rlwimi r5,r3,0,31,31 #restore lr bit bl _Write_32 b _readcodes _hook1: bne- cr7,_skip_and_align sub r9,r15,r12 #r9 = to-from rlwimi r5,r9,0,6,29 #r5 = (r9 AND 0x03FFFFFC) OR 0x48000000 bl _Write_32 addi r12,r12,4 add r11,r15,r4 subi r11,r11,4 #r11 = address of the last word of the hook1 code sub r9,r12,r11 rlwimi r5,r9,0,6,29 #r5 = (r9 AND 0x03FFFFFC) OR 0x48000000 mr r12, r11 bl _Write_32 b _skip_and_align _addresscheck1: cmpwi cr4,r5,6 beq cr4,_onoff b _conditional _addresscheck2: rlwinm r12,r12,16,16,31 rlwinm r4,r26,16,16,31 rlwinm r26,r26,0,16,31 cmpw r12,r4 blt _skip cmpw r12,r26 bge _skip b _readcodes _onoff: rlwinm r5,r26,31,31,31 #extracts old exec status (x b a) xori r5,r5,1 andi. r3,r8,1 #extracts current exec status cmpw r5,r3 beq _onoff_end rlwimi r26,r8,1,30,30 xori r26,r26,2 rlwinm. r5,r26,31,31,31 #extracts b beq +8 xori r26,r26,1 stw r26,-4(r15) #updates the code value in the code list _onoff_end: rlwimi r8,r26,0,31,31 #current execution status = a b _readcodes #=============================================================================== #Full terminator (0) = E0000000 XXXXXXXX = full terminator #Endlfs/Else (1) = E2T000VV XXXXXXXX = endlfs (+else) #End code handler = F0000000 00000000 _terminator_onoff_: cmpwi r11,0 #lf code type = 0xF beq _notTerminator cmpwi r5,1 beq _asmTypeba cmpwi r5,2 beq _asmTypepo cmpwi r5,3 beq _patchType b _exitcodehandler _asmTypeba: rlwinm r12,r6,0,0,6 # use base address _asmTypepo: rlwinm r23,r4,8,24,31 # extract number of half words to XOR rlwinm r24,r4,24,16,31 # extract XOR checksum rlwinm r4,r4,0,24,31 # set code value to number of ASM lines only bne cr7,_goBackToHandler #skip code if code execution is set to false rlwinm. r25,r23,0,24,24 # check for negative number of half words mr r26,r12 # copy ba/po address add r26,r3,r26 # add code offset to ba/po code address rlwinm r26,r26,0,0,29 # clear last two bits to align address to 32-bit beq _positiveOffset # if number of half words is negative, extra setup needs to be done extsb r23,r23 neg r23,r23 mulli r25,r23,2 addi r25,r25,4 subf r26,r25,r26 _positiveOffset: cmpwi r23,0 beq _endXORLoop li r25,0 mtctr r23 _XORLoop: lhz r27,4(r26) xor r25,r27,r25 addi r26,r26,2 bdnz _XORLoop _endXORLoop: cmpw r24,r25 bne _goBackToHandler b _hook_execute _patchType: rlwimi r8,r8,1,0,30 #r8<<1 and current execution status = old execution status bne cr7,_exitpatch #lf code execution is set to false -> exit rlwinm. r23,r3,22,0,1 bgt _patchfail blt _copytopo _runpatch: rlwinm r30,r3,0,24,31 mulli r30,r30,2 rlwinm r23,r4,0,0,15 xoris r24,r23,0x8000 cmpwi r24,0 bne- _notincodehandler ori r23,r23,0x3000 _notincodehandler: rlwinm r24,r4,16,0,15 mulli r25,r30,4 subf r24,r25,r24 _patchloop: li r25,0 _patchloopnext: mulli r26,r25,4 lwzx r27,r15,r26 lwzx r26,r23,r26 addi r25,r25,1 cmplw r23,r24 bgt _failpatchloop cmpw r25,r30 bgt _foundaddress cmpw r26,r27 beq _patchloopnext addi r23,r23,4 b _patchloop _foundaddress: lwz r3,-8(r15) ori r3,r3,0x300 stw r3,-8(r15) stw r23,-4(r15) mr r16,r23 b _exitpatch _failpatchloop: lwz r3,-8(r15) ori r3,r3,0x100 stw r3,-8(r15) _patchfail: ori r8,r8,1 #r8|=1 (execution status set to false) b _exitpatch _copytopo: mr r16,r4 _exitpatch: rlwinm r4,r3,0,24,31 # set code to number of lines only _goBackToHandler: mulli r4,r4,8 add r15,r4,r15 # skip the lines of the code b _readcodes _notTerminator: _terminator: bne cr4,+12 #check lf sub code type == 0 li r8,0 #clear whole code execution status lf T=0 b +20 rlwinm. r9,r3,0,27,31 #extract VV # bne +8 #lf VV!=0 # bne- cr7,+16 rlwinm r5,r3,12,31,31 #extract "else" bit srw r8,r8,r9 #r8>>VV, meaning endlf VV lfs rlwinm. r23,r8,31,31,31 bne +8 # execution is false if code execution >>, so don't invert code status xor r8,r8,r5 #lf 'else' is set then invert current code status _load_baseaddress: rlwinm. r5,r4,0,0,15 beq +8 mr r6,r5 #base address = r4 rlwinm. r5,r4,16,0,15 beq +8 mr r16,r5 #pointer = r4 b _readcodes #=============================================================================== frozenvalue: #frozen value, then LR .long 0,0 dwordbuffer: .long 0,0 rem: .long 0 bpbuffer: .long 0 #int address to bp on .long 0 #data address to bp on .long 0 #alignement check .long 0 #counter for alignement regbuffer: .space 72*4 .align 3 codelist: .space 2*4 .end