This might work... (btw your example F6 would technically be incorrect, you need to do the search in mem80)
Here's the gist of my idea (man this is really hacky, hopefully somebody can chime in on this issue lol)
We will use a C0 Code to constantly search for that 'unique string', similar to how F6 Codetypes work, but we will use a crude checksumming system for verification instead of doing some odd string comparison.
The C0 code will always keep checking even when the instruction's address has been found, That way updates are always preformed if the address changes. However, this constantly running C0 code might lag your game.
The found (always updated) address will be stored to a unused space in memory (called the EVA). The found address is also sent to what is called the Instruction Address Breakpoint Register (IABR).
---
There will be a 06 Codetype string write injected at 0x80001300. At 0x80001300 is the exception routine for the IABR. Basically if your instruction address gets executed, the CPU will on purposely take this exception. The 06 Code will overwrite part of this Exception with some custom instructions. The custom instructions will basically do this...
Check Instruction of Address of EVA vs what triggered IABR
If they are a match, we can modify the Health. If not, do not modify anything
End exception.
---
What I need from you are two things:
---
Here's a prelim source to give you some technical detail. In before there's something huge that I am missing and this obviously would never work.
C0 source:
06 Source:
Here's the gist of my idea (man this is really hacky, hopefully somebody can chime in on this issue lol)
We will use a C0 Code to constantly search for that 'unique string', similar to how F6 Codetypes work, but we will use a crude checksumming system for verification instead of doing some odd string comparison.
The C0 code will always keep checking even when the instruction's address has been found, That way updates are always preformed if the address changes. However, this constantly running C0 code might lag your game.
The found (always updated) address will be stored to a unused space in memory (called the EVA). The found address is also sent to what is called the Instruction Address Breakpoint Register (IABR).
---
There will be a 06 Codetype string write injected at 0x80001300. At 0x80001300 is the exception routine for the IABR. Basically if your instruction address gets executed, the CPU will on purposely take this exception. The 06 Code will overwrite part of this Exception with some custom instructions. The custom instructions will basically do this...
Check Instruction of Address of EVA vs what triggered IABR
If they are a match, we can modify the Health. If not, do not modify anything
End exception.
---
What I need from you are two things:
- The address start and end parameters (what range of addresses the search will be preformed in). Try to get this range small to reduce the chance of game lag.
- A unique hex string that includes the default instruction. Try to keep it word aligned (string byte size divisible by 4).
---
Here's a prelim source to give you some technical detail. In before there's something huge that I am missing and this obviously would never work.
C0 source:
Code:
#IABR compiler statement
.set IABR, 1010
#Set First Loop Load Address (minus 4)
lis r3, 0x80E9
#Set amount of times to search
li r0, 0x7FFF
mtctr r0
#Set the crude checksum
lis r5, 0xXXXX
ori r5, r5, 0xXXXX
#Backup a few GVR's
stmw r29, -0xC (sp)
#Loop
loop:
lmw r29, 0x4 (r3)
xor r10, r29, r30 #Crude checksumming, idk what im doing tbh
xor r10, r10, r31
cmpw r5, r10 #Verify checksums
beq- found
#not yet found, keep trying
addi r3, r3, 4
bdnz+ loop
#found
found:
lmw r29, -0xC (sp) #Restore GVRs
lis r5, 0x8000
stw r3, 0x1500 (r5)
#Flip bits of 30 and 31 high, this is needed for IABR (BE and TE)
ori r3, r3, 0x0003
mtspr IABR, r0
blr06 Source:
Code:
#IABR #String Write at 0x80001300
#NOTE ABOUT IABR: The Instruction that triggered the IABR is not invoked til after the exception itself has completed operation
#I've never messed with the IABR before, so please don't laugh :(
#Load Current Found Instruction Address; r0 treated as literal zero. FYI we are in physical memory
lwz r12, 0x1500 (r0)
#Load Last Executed Instruction Address
mfspr r11, srr0 #Broadway manual says address that triggered IABR is placed into srr0 when exception occurred
#Compare Them; if not equal, the Instruction's Address has changed! Don't mess with the health
cmpw r11, r12
bne- end_exception
#We are a GO! Set the Health. Default Instruction will be carried at on its own after exception has ended
li r3, 0xC8
#End IABR Exception
#Store the Health (physically)
#Update srr0 by 4 or else the IABR will insta trigger right after we end the exception, thus we end up in an infinite loop
end_exception:
clrlwi r12, r29, 1
stw r3, 0x0014 (r12)
addi r11, r11, 4
mtsrr0 r11
rfi