For example, on Lion 10.7.3 AICPUPM flAked's patcher will give you:
Searching for wrmsr #0: a11a
Searching for wrmsr #1: a1e2
Searching for wrmsr #2: a260
Searching for wrmsr #3: a2a9
Searching for wrmsr #4: ab64
Searching for wrmsr #5: ac16
a11a, a1e2 .. are addresses that are patched.
You can open AICPUPM.kext/Contents/MacOS/AICPUPM in MAchOView and then select
Fat Binary/Kernel Extension (X86_64)/Section64 (__TEXT,__text)/Assembly
and check what's in there.
Open the original one and patched one in the same way and compare them at addresses that are patched. Make sure RAW option is checked - MachOView will give you positions/offsets of instructions inside the file.
You are looking for something like:
B9E2000000 movl $0x000000e2, %ecx
(possible instructions in between)
You can also open each file in some hex editor and check each patch address in there in parallel with MachOView.
That's good to do to get the feeling of what flAked is doing.
For patching, MachOView will not be enough. Saving and searching disassembled code does not work. But you can use otool:
otool -tV -arch x86_64 AICPUPM.kext/Contents/MacOS/AICPUPM > tmp.asm
and then search through tmp.asm in text editor.
One note: addresses here are, hm ... do not know how to say it simply and still be correct ... maybe it's easiest to compare them with MachOView offsets - so just add some constant to them (in above example for 10.7.3 it is hex 0x1000) to get positions of each instruction in the file.
Once you know what wrmsr you want to patch, you just need to open the file in hex editor and replace your 0F30 (wrmsr) with 9090 (2 nops).
But before patching, it would probably be good to go through all above with some other version of AIPCUPM (getting addresses from flAked's patcher, comparing original with patched AICPUMP on each address).
And, probably, double check every wrmsr (around 50 of them) if %ecx register is set to 0xe2 (just 10 of them in 10.7.3).
This saved me a lot of time researching. I can easily see now each of the places that need to be patched and verified against the 10.7.3 patched version. Shouldn't be too difficult to manually do this when a new version is released. However, coming up with a dynamic method is a different story.