SRR0

So I'm something of an ASM aficionado. And one day I was writing a C2 code. And I screwed up, a pointer wasn't loaded correctly, and my C2 code froze the game. Now, a frozen game doesn't have to require a restart. It's possible to unfreeze the game if you ~~use black magic~~ load the right pointer into the register.

So I switched to the disassembly view and edited wrong instructions to be the right instructions, and then I thought...instead of manually adjusting the register to contain the right pointer, what happens if I modify SRR0 to go a few instructions back and let the corrected C2 code try to load the register again?

And it works! But why?

SRR0 = Save and Restore Register 0. When CPU control passes to an interrupt, the current instruction's address is placed into SRR0. So what? Well, breakpoints and stepping both rely on interrupts! Coincidentally, illegal memory accesses (like my earlier example where I FUBARed a pointer) also fire an interrupt. When the interrupt has completed, the PowerPC will start execution at the value in SRR0. So if you modify SRR0, you can actually change what instruction will be executed, like branching without the branch.

This came in handy another time. I was using brkirch's blr technique for embedding data areas into the C2 code, and I messed something up and the processor started trying to execute my data. This caused another interrupt - illegal op code - which caused the game to freeze. Manually changing SRR0 once again brought the game back to life!

So, in summary, some C2 hacking tips: set a breakpoint before your C2 code's hooked instruction and step through it! If you fail to do so and your code locks up, you can make in-place modifications of the code in the disassembly tab, and you can "rewind" the execution of your code by modifying SRR0.