.section .start,"ax"
# Patcher stub for a PowerPC target (GAS syntax, big-endian).  It is entered
# in place of a pad-read hook: it copies a 0x1000-byte loader out of a ROM
# image to 0x80004000, points a function pointer at that loader, forces a
# "save game" state, re-applies the pad spec, then tail-calls the routine
# the hook originally replaced, with the caller's LR and r3..r5 restored.
#
# Register roles: r12 = absolute address of this stub (the .long slots are
# read relative to it); r6 = saved LR; r7..r9 = saved incoming r3..r5;
# r0/r3/r4/r5 = scratch.
#
# NOTE(review): this rendering shows no label lines (begin/cpyloop/cpyend/
# exit) and no bctrl/bctr lines, although the branches and the "call"
# comments below refer to them; the intended targets are inferred from the
# branch mnemonics and the comments, not from visible labels.
#r12 contains _start abs addr
b begin #at 0x00(r12), jump to our code of course
#this will be filled in the linker file
.long PATCHER_VAL_1 #at 0x04(r12), rom pointer (loader source)
.long PATCHER_VAL_2 #at 0x08(r12), pointer to overwrite with loader entry
.long PATCHER_VAL_3 #at 0x0C(r12), game state that will be used when exiting nes
.long PATCHER_VAL_4 #at 0x10(r12), array that controls what save state we are on
.long PATCHER_VAL_5 #at 0x14(r12), PADSetSpec address to restore pointer
# Presumed body of the stub (begin: label not visible above).
# LR and the argument registers are saved here because the stub clobbers
# them and must hand the original call through unchanged at the end.
#grab padread return address
mflr %r6
#save padread args
mr %r7, %r3
mr %r8, %r4
mr %r9, %r5
#grab rom pointer
# r3 = *(PATCHER_VAL_1); a NULL ROM pointer means there is nothing to patch,
# so skip straight to the exit path (exit: label not visible here).
lwz %r3, 4(%r12)
lwz %r3, 0(%r3)
cmplwi %r3, 0
beq exit
#store exploit success for rom
# rom[0x10] = 1 (a one-byte flag; its consumer is outside this file).
li %r0, 1
stb %r0, 0x10(%r3)
#move to actual loader
# r3 = rom + 0x11: first byte of the loader image.
addi %r3, %r3, 0x11
#loader destination
# r4 = 0x80004000 (same constant is written as the new entry pointer below).
lis %r4, 0x8000
ori %r4, %r4, 0x4000
#just copy over 0x1000 bytes for the loader
# r5 = remaining byte count; loop head (cpyloop:) is expected before the cmpwi.
li %r5, 0x1000
cmpwi %r5, 0
beq cpyend
lbz %r0, 0(%r3)
stb %r0, 0(%r4)
addi %r3, %r3, 1
addi %r4, %r4, 1
subi %r5, %r5, 1
b cpyloop
# cpyend: expected here.
# NOTE(review): the bytes just stored are code that will be executed later,
# but no dcbst/sync/icbi/isync sequence follows the copy; whether the
# instruction cache is coherent with these stores depends on what runs the
# loader and on the target CPU — TODO confirm before relying on it.
#pointer we will replace
# *(PATCHER_VAL_2) = 0x80004000 (the loader copied above).
lwz %r4, 0x8(%r12)
#write in loader entry
lis %r3, 0x8000
ori %r3, %r3, 0x4000
stw %r3, 0(%r4)
#state we will replace
# *(PATCHER_VAL_3) = 0x22; per the author's comment this selects the
# save-game state.  The meaning of 0x22 is not defined in this file.
lwz %r4, 0xC(%r12)
#set state to save game
li %r3, 0x22
stw %r3, 0(%r4)
#speed up save progress
# r4 = PATCHER_VAL_4; copies the word at r4[2] into r4[0].  Per the author's
# comments, slot 2 holds the save routine and slot 0 is the one run next —
# presumably, verify against the game's save-state table.
lwz %r4, 0x10(%r12)
#get pointer to save function
lwz %r3, 8(%r4)
#execute it immediately
stw %r3, 0(%r4)
#get PADSetSpec address
# r4 = PATCHER_VAL_5.  The lha reads a signed halfword at PADSetSpec+0x5A,
# i.e. a displacement embedded in that function's own code; it is then used
# as an offset from r13 (small-data base) to fetch the originally set spec.
# This is tied to one exact build of PADSetSpec — any other build changes
# the offset and the value read.
lwz %r4, 0x14(%r12)
#grab originally set spec
lha %r3, 0x5A(%r4)
#use original spec as arg
lwzx %r3, %r3, %r13
#call PADSetSpec
# ctr = PADSetSpec; the bctrl that performs the call is not shown in this
# rendering.  r6..r9 are assumed to survive that call.
mtctr %r4
#intended function in r0 thanks
#to PADSetSpec leaving it behind
# r12 is set to the target address before the indirect branch — presumably
# so the callee sees r12 = its own entry address, as indirect-call
# conventions on this platform expect.
mr %r12, %r0
mtctr %r12
#restore padread return address
mtlr %r6
#restore padread args
mr %r3, %r7
mr %r4, %r8
mr %r5, %r9
#call intended function
# Tail transfer (bctr) to the original routine; that line is not shown here.