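# Patches a PS3 EBOOT.BIN in place: the 4-byte instruction at the hook site is
# replaced with a branch, and a 180-byte routine ($newcode) is written at the
# branch target. The file is only modified when the header check and the
# hook-site check both pass and the patch offsets fit inside the file.
# A one-time backup (<path>.bak) is taken before the original is overwritten.

$path = "D:\Wherever\PS3\dev_hdd0\game\NPUA80490\USRDIR\EBOOT.BIN"

# Whole file is held in memory; RUInt32/WBytes below operate on this buffer.
$ba = [System.IO.File]::ReadAllBytes($path)

# The script derives file offsets by subtracting 0xF700 from two addresses.
# $hookjump decodes to an absolute branch to 0x4bc800, so the un-subtracted
# values are the addresses as the running program sees them.
$addrToFileDelta = 0xF700
$hookOffset      = 0x0a6e58 - $addrToFileDelta
$codeOffset      = 0x4bc800 - $addrToFileDelta

#----------------------------------------------------------------------------------
# Reads 4 bytes of $ba at $addr as an unsigned 32-bit value.
# BitConverter uses the host byte order, so the comparison constants further
# down are written byte-swapped for a little-endian host (the file bytes
# 4e 80 00 20 read back as 0x2000804e).
Function RUInt32
{
    Param ( $addr )
    [bitconverter]::ToUInt32($ba,$addr)
}
#----------------------------------------------------------------------------------
# Copies the byte array $wb into $ba starting at offset $addr.
# BlockCopy throws if the destination range does not fit inside $ba.
Function WBytes
{
    Param ( $addr, $wb )
    [System.Buffer]::BlockCopy($wb, 0, $ba, $addr, $wb.Length)
}
#----------------------------------------------------------------------------------

# Replacement for the instruction at the hook site: 0x484bc802, an absolute
# branch to 0x4bc800 (where $newcode is placed).
[byte[]] $hookjump = 0x48, 0x4b, 0xc8, 0x02

# Assembled form of the routine listed in the comment block at the end of
# this file, two instructions per row.
[byte[]] $newcode = 0x3e, 0x00, 0x00, 0x54, 0x62, 0x10, 0xce, 0x2c,
                    0x82, 0x10, 0x00, 0x00, 0x2f, 0x90, 0x00, 0x00,
                    0x41, 0x9e, 0x00, 0x90, 0x3e, 0x20, 0x00, 0x54,
                    0x62, 0x31, 0xce, 0x28, 0x3d, 0xc0, 0x00, 0x6e,
                    0x61, 0xce, 0x34, 0xd2, 0x89, 0xce, 0x00, 0x00,
                    0x71, 0xcf, 0x00, 0x04, 0x2f, 0x8f, 0x00, 0x04,
                    0x41, 0x9e, 0x00, 0x28, 0x71, 0xcf, 0x00, 0x02,
                    0x2f, 0x8f, 0x00, 0x02, 0x41, 0x9e, 0x00, 0x44,
                    0x89, 0xf1, 0x00, 0x00, 0x2f, 0x8f, 0x00, 0x00,
                    0x41, 0x9e, 0x00, 0x58, 0x39, 0xe0, 0x00, 0x00,
                    0x99, 0xf1, 0x00, 0x00, 0x48, 0x00, 0x00, 0x4c,
                    0x89, 0xf1, 0x00, 0x00, 0x2f, 0x8f, 0x00, 0x01,
                    0x41, 0x9e, 0x00, 0x40, 0x39, 0xe0, 0x00, 0x01,
                    0x99, 0xf1, 0x00, 0x00, 0x89, 0xf0, 0x00, 0x05,
                    0x71, 0xef, 0x00, 0x01, 0x69, 0xef, 0x00, 0x01,
                    0x99, 0xf0, 0x00, 0x05, 0x48, 0x00, 0x00, 0x24,
                    0x89, 0xf1, 0x00, 0x00, 0x2f, 0x8f, 0x00, 0x01,
                    0x41, 0x9e, 0x00, 0x18, 0x39, 0xe0, 0x00, 0x01,
                    0x99, 0xf1, 0x00, 0x00, 0x89, 0xf0, 0x00, 0x03,
                    0x69, 0xef, 0x00, 0x01, 0x99, 0xf0, 0x00, 0x03,
                    0x39, 0xc0, 0x00, 0x00, 0x39, 0xe0, 0x00, 0x00,
                    0x3a, 0x00, 0x00, 0x00, 0x3a, 0x20, 0x00, 0x00,
                    0x4e, 0x80, 0x00, 0x20

cls

# Header check: the first four bytes must be 53 43 45 00 ("SCE" + NUL).
# The length test keeps RUInt32 from throwing on an empty or unread buffer.
if (($ba.Length -lt 4) -or ((RUInt32 0) -ne 0x00454353))
{
    "No match, BIN still encrypted?"
    pause
}
else
{
    "First 4 bytes match"

    # Both patch ranges must lie inside the file; $codeOffset is the higher
    # of the two, so this one test covers the hook read and both writes.
    if (($codeOffset + $newcode.Length) -gt $ba.Length)
    {
        ""
        "File is too small for the patch offsets. Wrong file or version?"
        ""
        pause
    }
    # The hook site must still hold 4e 80 00 20 (the same bytes that end
    # $newcode, listed as blr in the assembly). Anything else means a
    # different build or an already-patched file, so nothing is written.
    elseif ((RUint32 $hookOffset) -eq 0x2000804e)
    {
        "Hook location found"
        try
        {
            # Keep a pristine copy before the in-place overwrite. An existing
            # .bak is left alone so a later run cannot replace it.
            $backup = $path + ".bak"
            if (-not (Test-Path -LiteralPath $backup))
            {
                [System.IO.File]::Copy($path, $backup)
            }

            WBytes $hookOffset $hookjump
            # NOTE(review): nothing checks what currently occupies the
            # destination range of $newcode; presumably unused space in this
            # build - confirm before reusing these offsets elsewhere.
            WBytes $codeOffset $newcode
            [System.IO.File]::WriteAllBytes($path, $ba)
            "Bytes written successfully"
        }
        catch
        {
            # Report a failed backup or write instead of claiming success.
            "Patch not written: $($_.Exception.Message)"
        }
        ""
        pause
    }
    else
    {
        ""
        "Hook location not as expected. Wrong version, or already patched?"
        ""
        pause
    }
}

# NOTE(review): the routine below uses r14-r17 as scratch and zeroes them on
# exit instead of saving and restoring them. Those registers are callee-saved
# under the PowerPC ELF ABI, so this relies on the hooked function's callers
# not depending on them - confirm for this build.

<#
Assembly for newcode, usable with https://shell-storm.org/online/Online-Assembler-and-Disassembler/

start:
lis 16,0x0054
ori 16,16,0xce2c
lwz 16,0x0(16)
cmpwi cr7,16,0x0
beq cr7,cleanup
camnull:
lis 17,0x0054
ori 17,17,0xce28
lis 14,0x006e
ori 14,14,0x34d2
lbz 14,0x0(14)
andi. 15,14,0x4
cmpwi cr7,15,0x4
beq cr7, rpress
rnopress:
andi. 15,14,0x2
cmpwi cr7,15,0x2
beq cr7, lpress
rlnopress:
lbz 15,0x0(17)
cmpwi cr7,15,0x0
beq cr7, cleanup
rlnopressprevone:
li 15,0x0
stb 15,0x0(17)
b cleanup
rpress:
lbz 15,0x0(17)
cmpwi cr7,15,0x1
beq cr7, cleanup
li 15,0x1
stb 15,0x0(17)
lbz 15,0x5(16)
andi. 15,15,0x1
xori 15,15,0x1
stb 15,0x5(16)
b cleanup
lpress:
lbz 15,0x0(17)
cmpwi cr7,15,0x1
beq cr7, cleanup
li 15,0x1
stb 15,0x0(17)
lbz 15,0x3(16)
xori 15,15,0x1
stb 15,0x3(16)
cleanup:
li 14, 0
li 15, 0
li 16, 0
li 17, 0
blr
#>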