Universal button activator/mapper/spoofer (now with shaking!)

[dcx2]

I believe this code should work for a variety of Wii games, but not all of them.  I've tested it on Wii Play and Super Mario Galaxy, and the function that reads the buttons is identical for both games.  I've attached the dump for SMG.

This code does three five things:

1) it puts a copy of the real buttons into gr10, which can then be used as a button activator by using 28001830 MMMMXXXX

2) it tests the Wiimote and Nunchuck for shaking, and sets unused buttons 0x20 and 0x40.  These can be used for "shake button activators" or just shake activators.  They can be used in combination with other buttons, so a "hold A and shake nunchuck" button activator would be 28001830 00000840

3) it can be used to customize the controller layout by mapping buttons to other buttons, mapping buttons to shakes, or mapping shakes to buttons.  For instance, pressing the Home key can instead press A and B at the same time, with no home menu.  You could also swap the left and right/up and down arrows.  You could press A to shake, or shake to press A (and then use A for something else).  You can make any button into any other button or combination of buttons, pretty much without restriction.  The remapped buttons are available via gr11 = 28001834 MMMMXXXX.

4) it can be used to spoof button presses by writing a button mask to gr12 = 04001838 0000XXXX.  So you could poke 0x00000C00 and this would hold A and B down.

5) it can be used to spoof shakes much like how it spoofs buttons, again by poking gr12 with 0x20 or 0x40 for Wiimote or Nunchuck.

You can use the button activators and spoofing together.  For instance, this is a button activator on CZA that will shake the Wiimote

28001830 00006800
04001838 00000020
E0000000 80008000

---

The vast majority of the code handles mapping the buttons.  A simpler version without mapping could be made.  It can also be made 2 lines shorter by porting it to a particular game, which would get rid of the F6 part.

Here's the standard code template, you'll need to replace each button with the remapped mask.  For instance, to map the Home key to A and B, replace the "HOME" in the code below with "0C00"


F6000001 80048100
2809FFFF 40820008
D200000C 0000001B
9421FFB0 BDC10008
3D808000 48000025
00010002 00040008 # LLLLRRRR DDDDUUUU
00100000 00000080 # ++++WWWW NNNNXXXX
01000200 04000800 # 22221111 BBBBAAAA
10002000 40008000 # ----ZZZZ CCCCHOME
39C00010 39E00001
3A000000 3A200000
7E4802A6 A27F0018
2C133FDA 41800008
51E72EB4 A27F0074
2C133FDA 41800008
51E73672 7CF37839
4182000C 7E728A2E
7E109B78 3A310002
55EF083C 35CEFFFF
40A2FFE4 828C1838
72930060 7E109B78
72130020 4182000C
3E6042C8 927F0010
72130040 4182000C
3E6042C8 927F0070
70F30060 7E109B78
90EC1830 920C1834
7E878378 B9C10008
38210050 70E09FFF
60000000 00000000
E0000000 80008000



Here's the source (updated with shaking code)

[spoiler]
# ------------------------------------------
# Initialize a stack frame, data table, etc

.set gr0, 0x1808   # gr0 is 80001808 for Gecko 1.9.1+
.set gr10, gr0+4*10   # original buttons
.set gr11, gr0+4*11   # remapped buttons
.set gr12, gr0+4*12   # spoofed buttons

stwu r1,-80(r1)   # make space for 18 registers
stmw r14,8(r1)   # push r14-r31 onto the stack

lis r12,0x8000   # load r12 with base pointer

# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001   # Left
.short 0x0002   # Right
.short 0x0004   # Down
.short 0x0008   # Up
.short 0x0010   # Plus
.short 0x0000   # Wiimote Shake (unmapped, 0x20)
.short 0x0000   # Nunchuck Shake (unmapped, 0x40)
.short 0x0080   #
.short 0x0100   # 2
.short 0x0200   # 1
.short 0x0400   # B
.short 0x0800   # A
.short 0x1000   # -
.short 0x2000   # Z
.short 0x4000   # C
.short 0x8000   # Home
_SKIP_DATA:

li r14,16   # loop 16 times

li r15,1   # sliding bitmask
li r16,0   # remapped buttons ORed into this
li r17,0   # index into button map table
mflr r18   # data table pointer

# r7 has current buttons
# r19 is a temp variable



# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons

# Wiimote shake
lhz r19,24(31)   # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26   # insert a 1 at 0x20

# Nunchuck shake
0:
lhz r19,116(31)   # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25   # insert a 1 at 0x40



# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15   # is the sliding bit set?  r19 is unused
beq- 1f      # if not, skip to the next bit
lhzx r19,r18,r17   # r19 loads remapped button mask
or r16,r16,r19   # or the table's mask into the remapped buttons
1:
addi r17,r17,2   # increment table index
slwi r15,r15,1   # shift bitmask to the left by 1 bit
subic. r14,r14,1   # decrement counter
bne- 0b      # go back to top of loop if not 0



# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake

lwz r20,gr12(r12)   # load spoof buttons
andi. r19,r20,0x60   # mask off spoof shakes
or r16,r16,r19      # insert any spoofed shakes into remap

# test the spoof-map for shakes
andi. r19,r16,0x0020   # Wiimote shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,16(r31)   # tickle the y Wiimote sensor

0:
andi. r19,r16,0x0040   # nunchuck shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,112(r31)   # tickle the y nunchuck sensor

0:



# ------------------------------------------
# Store the activators, combining spoofs as necessary

andi. r19,r7,0x60   # copy any real shakes back into the spoof-map
or r16,r16,r19      # since they are originally "unmapped"

stw r7,gr10(r12)   # store real activator
stw r16,gr11(r12)   # store remapped activator
or r7,r20,r16   # combine spoof buttons with remapped buttons

# The real buttons are now replaced with the spoof-map

lmw r14,8(r1)   # pop r14-r31 off the stack
addi r1,r1,80   # release the space

andi. r0,r7,40959   # original instruction[/spoiler]

[Nutmeg]

Very interesting.  I never thought there would be a universal line to search for (2809FFFF 40820008).

It's also interesting that you can poke gr10 and it will also write to the actual button in the game.  Does that mean that 2809FFFF 40820008 with an offset of 0xC will always go to the "master button activtor." (Sorry if you don't understand my terminology.  I'm just making up words...)

[dcx2]

Nintendo publishes an SDK to help game developers make games for the Wii.  There's probably a standard "read pad" function in this SDK.  Anyone who builds a game against their SDK will probably have that pad function.  And the line that I look for is pretty unique.

F6000001 80048100
2809FFFF 40820008
D200000C 000000NN

should always find this line

andi.   r0,r7,40959

At this point, r7 will have a valid copy of the buttons.  If you over-write r7 at this point, the game will see that new value as what buttons the player pushed.

I was trying to find a way to map shake to a button, so we could be even lazier.  Unfortunately I'm having trouble finding the right place to inject the "shake" value.

[dcx2]

Updated first post with support for shake activators and shake spoofing

[Panda On Smack]

Brilliant, will try this tomorrow.

Ta

[biolizard89]

Does this work for any player, or just P1?  Is there anything interesting necessary to run this for all 4 players at once?

[Y.S.]

Here's the modified version of the code. Not only does it store all 4 players' pad data, it stores one-shot button activators as well.
Huge thanks for the original code, dcx2 :)

Code Select Expand

F6000001 80048100
2809FFFF 40820008
D200000C 0000001E
9421FFB0 BDC10008
3D808000 618C181C
1E7B000A 7D8C9A14
48000025 00010002
00040008 00100000
00000080 01000200
04000800 10002000
40008000 39C00010
39E00001 3A000000
3A200000 7E4802A6
A2BF0006 A27F0018
2C133FDA 4180000C
51E72EB4 51F52EB4
A27F0074 2C133FDA
4180000C 51E73672
51F53672 7CF37839
4182000C 7E728A2E
7E109B78 3A310002
55EF083C 35CEFFFF
40A2FFE4 A28C0006
72930060 7E109B78
72130020 4182000C
3E6042C8 927F0010
72130040 4182000C
3E6042C8 927F0070
70F30060 7E109B78
B0EC0000 B20C0002
7E878378 B2AC0004
B9C10008 38210050
70E09FFF 00000000
E0000000 80008000

P1 buttons
80001824

P1 buttons (remapped)
80001826

P1 one-shot buttons (remapped)
80001828

P1 button spoofer
8000182A


P2 buttons
8000182C

P2 buttons (remapped)
8000182E

P2 one-shot buttons (remapped)
80001830

P2 button spoofer
80001832


P3 buttons
80001834

P3 buttons (remapped)
80001836

P3 one-shot buttons (remaped)
80001838

P3 button spoofer
8000183A


P4 buttons
8000183C

P4 buttons (remapped)
8000183E

P4 one-shot buttons (remapped)
80001840

P4 button spoofer
80001842


[spoiler]#------------------------------------------------------------

.macro  lwi   reg, value
lis   \reg, \value@h
ori   \reg, \reg, \value@l
.endm


# ------------------------------------------
# Initialize a stack frame, data table, etc


/*
original buttons
remapped buttons
remapped buttons (one shot)
spoofed buttons
*/


stwu r1,-80(r1)   # make space for 18 registers
stmw r14,8(r1)   # push r14-r31 onto the stack

lwi r12,0x80001808+4*7   # load r12 with base pointer
mulli r19,r27,2*4
add r12,r12,r19

# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001   # Left
.short 0x0002   # Right
.short 0x0004   # Down
.short 0x0008   # Up
.short 0x0010   # Plus
.short 0x0000   # Wiimote Shake (unmapped, 0x20)
.short 0x0000   # Nunchuck Shake (unmapped, 0x40)
.short 0x0080   #
.short 0x0100   # 2
.short 0x0200   # 1
.short 0x0400   # B
.short 0x0800   # A
.short 0x1000   # -
.short 0x2000   # Z
.short 0x4000   # C
.short 0x8000   # Home
_SKIP_DATA:

li r14,16   # loop 16 times

li r15,1   # sliding bitmask
li r16,0   # remapped buttons ORed into this
li r17,0   # index into button map table
mflr r18   # data table pointer

# r7 has current buttons
# r19 is a temp variable

# r21 holds one-shot button
lhz r21,6(r31)


# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons

# Wiimote shake
lhz r19,24(31)   # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26   # insert a 1 at 0x20
rlwimi r21,r15,5,26,26   # insert a 1 at 0x20

# Nunchuck shake
0:
lhz r19,116(31)   # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25   # insert a 1 at 0x40
rlwimi r21,r15,6,25,25   # insert a 1 at 0x40


# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15   # is the sliding bit set?  r19 is unused
beq- 1f      # if not, skip to the next bit
lhzx r19,r18,r17   # r19 loads remapped button mask
or r16,r16,r19   # or the table's mask into the remapped buttons
1:
addi r17,r17,2   # increment table index
slwi r15,r15,1   # shift bitmask to the left by 1 bit
subic. r14,r14,1   # decrement counter
bne- 0b      # go back to top of loop if not 0



# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake

lhz r20,6(r12)   # load spoof buttons
andi. r19,r20,0x60   # mask off spoof shakes
or r16,r16,r19      # insert any spoofed shakes into remap

# test the spoof-map for shakes
andi. r19,r16,0x0020   # Wiimote shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,16(r31)   # tickle the y Wiimote sensor

0:
andi. r19,r16,0x0040   # nunchuck shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,112(r31)   # tickle the y nunchuck sensor

0:



# ------------------------------------------
# Store the activators, combining spoofs as necessary

andi. r19,r7,0x60   # copy any real shakes back into the spoof-map
or r16,r16,r19      # since they are originally "unmapped"

sth r7,0(r12)   # store real activator
sth r16,2(r12)   # store remapped activator
or r7,r20,r16   # combine spoof buttons with remapped buttons

sth r21,4(r12)



# The real buttons are now replaced with the spoof-map

lmw r14,8(r1)   # pop r14-r31 off the stack
addi r1,r1,80   # release the space

andi. r0,r7,40959   # original instruction


#-------------------------------------------------------------[/spoiler]

[dcx2]

Nice job Y.S.   ;D  r27 tells us what player we're processing.

biolizard, I have looked at the Wiimote pointer data before.  It's two floats, -1 < x,y < 1.  The center of the screen is 0,0.  It's been this way for all Wii games that I have seen.  The Wiimote pointer data is always stored next to the "real" pad data.  Switch MemView View Mode to "Single" and aim around the screen and it jumps out at you.

I think I could do proof-of-concept.  I could add a tab to Gecko.NET, that's just a big blank box.  When you mouse over this box, it turns the mouse-over coordinates into a Wiimote pointer and spoofs the Wiimote pointer value.  A few more edits, and keyboard keys could spoof buttons.  Bam!  Mouse and keyboard for the Wii.

---

Unfortunately, I don't think this is truly "universal".  Not only has it not worked for VC (expected; the Classic Controller pad func is probably different)...it doesn't work for Super Mario Galaxy 2.  =(  This is unexpected, because it works for SMG1.  I bet Nintendo updated their SDK at some point and completely refactored the pad func.

[biolizard89]

Nice job Y.S.   ;D  r27 tells us what player we're processing.

biolizard, I have looked at the Wiimote pointer data before.  It's two floats, -1 < x,y < 1.  The center of the screen is 0,0.  It's been this way for all Wii games that I have seen.  The Wiimote pointer data is always stored next to the "real" pad data.  Switch MemView View Mode to "Single" and aim around the screen and it jumps out at you.

I think I could do proof-of-concept.  I could add a tab to Gecko.NET, that's just a big blank box.  When you mouse over this box, it turns the mouse-over coordinates into a Wiimote pointer and spoofs the Wiimote pointer value.  A few more edits, and keyboard keys could spoof buttons.  Bam!  Mouse and keyboard for the Wii.

---

Unfortunately, I don't think this is truly "universal".  Not only has it not worked for VC (expected; the Classic Controller pad func is probably different)...it doesn't work for Super Mario Galaxy 2.  =(  This is unexpected, because it works for SMG1.  I bet Nintendo updated their SDK at some point and completely refactored the pad func.

Cool, yeah, the pointer data should be easy to integrate into PadSim.  I'll play around with it once my real-life obligations quiet down a bit (finals coming up soon).

And yeah, Nintendo updates their SDK every now and then... I think GameCube has at least 4 different PadRead revisions.

[Bully@Wiiplaza]

I have an additional idea:
Can you remind of a "rapidfire button/shaking" code?
-> As long as the button is pressed, the game thinks that you push it very fast/slow (changable with a value for instance)
Mdmwii made such a code for MKWii and I know that it´s a breakpoint on the BA Adress ;D

[James0x57]

Just saw this today- freaking awesome hack!!

[toonlink444]

Nice move man.

[Y.S.]

Added turbo buttons  ;)

Code Select Expand

F6000001 80048100
2809FFFF 40820008
D200000C 00000024
9421FFB0 BDC10008
3D808000 618C1810
1E7B000C 7D8C9A14
48000025 00010002
00040008 00100000
00000080 01000200
04000800 10002000
40008000 39C00010
39E00001 3A000000
3A200000 7E4802A6
A2BF0006 8A6C000A
8A8C000B 3A940001
7C13A000 3A730001
9A6C000A 40820014
3A600000 9A6C000A
A26C0008 7CE79878
A27F0018 2C133FDA
4180000C 51E72EB4
51F52EB4 A27F0074
2C133FDA 4180000C
51E73672 51F53672
7CF37839 4182000C
7E728A2E 7E109B78
3A310002 55EF083C
35CEFFFF 40A2FFE4
A28C0006 72930060
7E109B78 72130020
4182000C 3E6042C8
927F0010 72130040
4182000C 3E6042C8
927F0070 70F30060
7E109B78 B0EC0000
B20C0002 7E878378
B2AC0004 B9C10008
38210050 70E09FFF
60000000 00000000
E0000000 80008000


P1 buttons 80001818
P1 buttons (remapped) 8000181A
P1 one-shot buttons (remapped) 8000181C
P1 button spoofer 8000181E
P1 turbo buttons 80001820
P1turbo interval 80001823
P2 buttons 80001824
P2 buttons (remapped) 80001826
P2 one-shot buttons (remapped) 80001828
P2 button spoofer 8000182A
P2 turbo buttons 8000182C
P2turbo interval 8000182F
P3 buttons 80001830
P3 buttons (remapped) 80001832
P3 one-shot buttons (remapped) 80001834
P3 button spoofer 80001836
P3 turbo buttons 80001838
P3turbo interval 8000183B
P4 buttons 8000183C
P4 buttons (remapped) 8000183E
P4 one-shot buttons (remapped) 80001840
P4 button spoofer 80001842
P4 turbo buttons 80001844
P4turbo interval 80001847

Source code
[spoiler]#------------------------------------------------------------

.macro  lwi   reg, value
lis   \reg, \value@h
ori   \reg, \reg, \value@l
.endm


# ------------------------------------------
/*
original buttons / remapped buttons
remapped buttons (one shot) / spoofed buttons
turbo buttons / turbo counters
*/

# Initialize a stack frame, data table, etc

stwu r1,-80(r1)   # make space for 18 registers
stmw r14,8(r1)   # push r14-r31 onto the stack

lwi r12,0x80001818   # load r12 with base pointer
mulli r19,r27,2*6
add r12,r12,r19

# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001   # Left
.short 0x0002   # Right
.short 0x0004   # Down
.short 0x0008   # Up
.short 0x0010   # Plus
.short 0x0000   # Wiimote Shake (unmapped, 0x20)
.short 0x0000   # Nunchuck Shake (unmapped, 0x40)
.short 0x0080   #
.short 0x0100   # 2
.short 0x0200   # 1
.short 0x0400   # B
.short 0x0800   # A
.short 0x1000   # -
.short 0x2000   # Z
.short 0x4000   # C
.short 0x8000   # Home
_SKIP_DATA:

li r14,16   # loop 16 times

li r15,1   # sliding bitmask
li r16,0   # remapped buttons ORed into this
li r17,0   # index into button map table
mflr r18   # data table pointer

# r7 has current buttons
# r19 is a temp variable



# r21 holds one-shot button
lhz r21,6(r31)

# load turbo
lbz r19,10(r12)
lbz r20,11(r12)
addi r20,r20,1
cmpw r19,r20
addi r19,r19,1
stb r19,10(r12)
bne- _Skip_turbo

li r19,0
stb r19,10(r12)
lhz r19,8(r12)
andc r7,r7,r19
_Skip_turbo:

# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons

# Wiimote shake
lhz r19,24(31)   # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26   # insert a 1 at 0x20
rlwimi r21,r15,5,26,26   # insert a 1 at 0x20

# Nunchuck shake
0:
lhz r19,116(31)   # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25   # insert a 1 at 0x40
rlwimi r21,r15,6,25,25   # insert a 1 at 0x40


# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15   # is the sliding bit set?  r19 is unused
beq- 1f      # if not, skip to the next bit
lhzx r19,r18,r17   # r19 loads remapped button mask
or r16,r16,r19   # or the table's mask into the remapped buttons
1:
addi r17,r17,2   # increment table index
slwi r15,r15,1   # shift bitmask to the left by 1 bit
subic. r14,r14,1   # decrement counter
bne- 0b      # go back to top of loop if not 0



# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake

# load spoof buttons
lhz r20,6(r12)
andi. r19,r20,0x60   # mask off spoof shakes
or r16,r16,r19      # insert any spoofed shakes into remap

# test the spoof-map for shakes
andi. r19,r16,0x0020   # Wiimote shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,16(r31)   # tickle the y Wiimote sensor

0:
andi. r19,r16,0x0040   # nunchuck shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,112(r31)   # tickle the y nunchuck sensor

0:



# ------------------------------------------
# Store the activators, combining spoofs as necessary

andi. r19,r7,0x60   # copy any real shakes back into the spoof-map
or r16,r16,r19      # since they are originally "unmapped"

sth r7,0(r12)   # store real activator
sth r16,2(r12)   # store remapped activator
or r7,r20,r16   # combine spoof buttons with remapped buttons

sth r21,4(r12)   # store real one-shot activator



# The real buttons are now replaced with the spoof-map

lmw r14,8(r1)   # pop r14-r31 off the stack
addi r1,r1,80   # release the space

andi. r0,r7,40959   # original instruction


#-------------------------------------------------------------[/spoiler]

[GMO]

I believe this code should work for all Wii games.  I've tested it on Wii Play and Super Mario Galaxy, and the function that reads the buttons is identical for both games.  I've attached the dump for SMG.

This code does three five things:

1) it puts a copy of the real buttons into gr10, which can then be used as a button activator by using 28001830 MMMMXXXX

2) it tests the Wiimote and Nunchuck for shaking, and sets unused buttons 0x20 and 0x40.  These can be used for "shake button activators" or just shake activators.  They can be used in combination with other buttons, so a "hold A and shake nunchuck" button activator would be 28001830 00000840

3) it can be used to customize the controller layout by mapping buttons to other buttons, mapping buttons to shakes, or mapping shakes to buttons.  For instance, pressing the Home key can instead press A and B at the same time, with no home menu.  You could also swap the left and right/up and down arrows.  You could press A to shake, or shake to press A (and then use A for something else).  You can make any button into any other button or combination of buttons, pretty much without restriction.  The remapped buttons are available via gr11 = 28001834 MMMMXXXX.

4) it can be used to spoof button presses by writing a button mask to gr12 = 04001838 0000XXXX.  So you could poke 0x00000C00 and this would hold A and B down.

5) it can be used to spoof shakes much like how it spoofs buttons, again by poking gr12 with 0x20 or 0x40 for Wiimote or Nunchuck.

You can use the button activators and spoofing together.  For instance, this is a button activator on CZA that will shake the Wiimote

28001830 00006800
04001838 00000020
E0000000 80008000

---

The vast majority of the code handles mapping the buttons.  A simpler version without mapping could be made.  It can also be made 2 lines shorter by porting it to a particular game, which would get rid of the F6 part.

Here's the standard code template, you'll need to replace each button with the remapped mask.  For instance, to map the Home key to A and B, replace the "HOME" in the code below with "0C00"


F6000001 80048100
2809FFFF 40820008
D200000C 0000001B
9421FFB0 BDC10008
3D808000 48000025
00010002 00040008 # LLLLRRRR DDDDUUUU
00100000 00000080 # ++++WWWW NNNNXXXX
01000200 04000800 # 22221111 BBBBAAAA
10002000 40008000 # ----ZZZZ CCCCHOME
39C00010 39E00001
3A000000 3A200000
7E4802A6 A27F0018
2C133FDA 41800008
51E72EB4 A27F0074
2C133FDA 41800008
51E73672 7CF37839
4182000C 7E728A2E
7E109B78 3A310002
55EF083C 35CEFFFF
40A2FFE4 828C1838
72930060 7E109B78
72130020 4182000C
3E6042C8 927F0010
72130040 4182000C
3E6042C8 927F0070
70F30060 7E109B78
90EC1830 920C1834
7E878378 B9C10008
38210050 70E09FFF
60000000 00000000
E0000000 80008000



Here's the source (updated with shaking code)

[spoiler]
# ------------------------------------------
# Initialize a stack frame, data table, etc

.set gr0, 0x1808   # gr0 is 80001808 for Gecko 1.9.1+
.set gr10, gr0+4*10   # original buttons
.set gr11, gr0+4*11   # remapped buttons
.set gr12, gr0+4*12   # spoofed buttons

stwu r1,-80(r1)   # make space for 18 registers
stmw r14,8(r1)   # push r14-r31 onto the stack

lis r12,0x8000   # load r12 with base pointer

# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001   # Left
.short 0x0002   # Right
.short 0x0004   # Down
.short 0x0008   # Up
.short 0x0010   # Plus
.short 0x0000   # Wiimote Shake (unmapped, 0x20)
.short 0x0000   # Nunchuck Shake (unmapped, 0x40)
.short 0x0080   #
.short 0x0100   # 2
.short 0x0200   # 1
.short 0x0400   # B
.short 0x0800   # A
.short 0x1000   # -
.short 0x2000   # Z
.short 0x4000   # C
.short 0x8000   # Home
_SKIP_DATA:

li r14,16   # loop 16 times

li r15,1   # sliding bitmask
li r16,0   # remapped buttons ORed into this
li r17,0   # index into button map table
mflr r18   # data table pointer

# r7 has current buttons
# r19 is a temp variable



# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons

# Wiimote shake
lhz r19,24(31)   # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26   # insert a 1 at 0x20

# Nunchuck shake
0:
lhz r19,116(31)   # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA   # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25   # insert a 1 at 0x40



# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15   # is the sliding bit set?  r19 is unused
beq- 1f      # if not, skip to the next bit
lhzx r19,r18,r17   # r19 loads remapped button mask
or r16,r16,r19   # or the table's mask into the remapped buttons
1:
addi r17,r17,2   # increment table index
slwi r15,r15,1   # shift bitmask to the left by 1 bit
subic. r14,r14,1   # decrement counter
bne- 0b      # go back to top of loop if not 0



# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake

lwz r20,gr12(r12)   # load spoof buttons
andi. r19,r20,0x60   # mask off spoof shakes
or r16,r16,r19      # insert any spoofed shakes into remap

# test the spoof-map for shakes
andi. r19,r16,0x0020   # Wiimote shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,16(r31)   # tickle the y Wiimote sensor

0:
andi. r19,r16,0x0040   # nunchuck shake?
beq- 0f
lis r19,0x42C8   # r19 = 100.0
stw r19,112(r31)   # tickle the y nunchuck sensor

0:



# ------------------------------------------
# Store the activators, combining spoofs as necessary

andi. r19,r7,0x60   # copy any real shakes back into the spoof-map
or r16,r16,r19      # since they are originally "unmapped"

stw r7,gr10(r12)   # store real activator
stw r16,gr11(r12)   # store remapped activator
or r7,r20,r16   # combine spoof buttons with remapped buttons

# The real buttons are now replaced with the spoof-map

lmw r14,8(r1)   # pop r14-r31 off the stack
addi r1,r1,80   # release the space

andi. r0,r7,40959   # original instruction[/spoiler]

Attachments is no longer there. Any chance for a re-up?

[dcx2]

ack wtf?

Yeah I'll try to do it again tonight.