brad-lin / FreePSXBoot

Exploit to allow loading arbitrary code on the PSX using only a memory card (no game needed)
MIT License
574 stars, 44 forks

Change injection point for bios 2.0 slot 1 so that a card isn't required to be present in slot 2 #104

Closed. xyzz closed this 4 months ago.

xyzz commented 1 year ago

This changes the corruption point for bios 2.0 for SCPH-1001 and SCPH-1002.

Bios 55847d8c


Now it's corrupting the argument $t1 in the "toupper" function at address 0x6A38. It is changed from 0x25 to 0x1cd0 so that the calculated address for the function pointer through the 0xA0 table is 0x200 + 0x1cd0 * 4 = 0x7540. It just so happens that the card_read function stores the buffer pointer (i.e. 0xA000BE48) at that location.

With this implementation, the first "next" field is 0x1B5E, and the second "next" field is read from address 0x80042650, that stores value "01 00" and so the exploit should be 100% reliable:


Bios 9bb87c4b


Similar idea, but now injecting at 0x6AA8 in "strcmp". "next" is pointing to 0x800429d0 which stores "08 00":


Testing

I've tested both on pcsx-redux patched to memset() RAM with 0x80 rather than the default of zeroing it out. I've tried both with just card 1 inserted and with both cards inserted, and it's successful every time. However, I've not tested on actual hardware yet.

nicolasnoble commented 4 months ago

Confirmed working on both 55847d8c and 9bb87c4b.