diff --git a/src/SendCommands.cc b/src/SendCommands.cc
index 7800ff03..aa8767ca 100644
--- a/src/SendCommands.cc
+++ b/src/SendCommands.cc
@@ -854,9 +854,6 @@ static std::shared_ptr<AsyncPromise<C_ExecuteCodeResult_B3>> send_brutal_peeps_h
       return nullptr;
     }
 
-    std::string suffix;
-    suffix.append(vanilla_data, signature_size);
-
     auto append_u32l = +[](std::string& out, uint32_t v) {
       out.push_back(static_cast<char>(v & 0xFF));
       out.push_back(static_cast<char>((v >> 8) & 0xFF));
@@ -864,6 +861,13 @@ static std::shared_ptr<AsyncPromise<C_ExecuteCodeResult_B3>> send_brutal_peeps_h
       out.push_back(static_cast<char>((v >> 24) & 0xFF));
     };
 
+    std::string suffix;
+    append_u32l(suffix, scan_start);
+    append_u32l(suffix, scan_end);
+    append_u32l(suffix, signature_size);
+    append_u32l(suffix, hp_patch_bytes);
+    suffix.append(vanilla_data, signature_size);
+
     for (size_t z = 0; z < 0x60; z++) {
       const auto& hp = table->stats[ultimate_index][z].char_stats.hp;
       uint32_t hp_offset = reinterpret_cast<const char*>(&hp) - target_data.data();
@@ -885,12 +889,7 @@ static std::shared_ptr<AsyncPromise<C_ExecuteCodeResult_B3>> send_brutal_peeps_h
         c->channel,
         c->enabled_flags,
         fn,
-        {
-            {"scan_start", scan_start},
-            {"scan_end", scan_end},
-            {"signature_size", signature_size},
-            {"patch_count", hp_patch_bytes},
-        },
+        {},
         suffix.data(),
         suffix.size());
 
diff --git a/system/client-functions/PsoPeepsBrutalPeepsHPBB.s b/system/client-functions/PsoPeepsBrutalPeepsHPBB.s
index efc462c1..76cc29cc 100644
--- a/system/client-functions/PsoPeepsBrutalPeepsHPBB.s
+++ b/system/client-functions/PsoPeepsBrutalPeepsHPBB.s
@@ -18,13 +18,13 @@ start:
   jmp    get_data_ptr
 
 get_data_ptr_ret:
-  pop    ebx
+  pop    ebx                                  # ebx = suffix payload
 
-  mov    esi, [ebx + scan_start - data]       # candidate ptr
-  mov    edx, [ebx + scan_end - data]         # scan end
-  mov    ecx, [ebx + signature_size - data]   # signature size
+  mov    esi, [ebx]                           # scan_start
+  mov    edx, [ebx + 4]                       # scan_end
+  mov    ecx, [ebx + 8]                       # signature_size
   sub    edx, ecx                             # scan limit = end - sig_size
-  lea    edi, [ebx + payload - data]          # signature ptr
+  lea    edi, [ebx + 16]                      # signature ptr
 
 scan_again:
   cmp    esi, edx
@@ -49,16 +49,17 @@ next_candidate:
 
 found_table:
   # esi = BattleParamEntry_on.dat base
-  mov    ecx, [ebx + patch_count - data]
-  mov    edi, [ebx + signature_size - data]
-  lea    edi, [ebx + payload - data + edi]    # patch entry ptr after signature
+  mov    ecx, [ebx + 12]                      # patch entry count
+  mov    edi, [ebx + 8]                       # signature_size
+  add    edi, ebx
+  add    edi, 16                              # patch entries after header+signature
 
 patch_again:
   test   ecx, ecx
   jz     done
 
-  mov    edx, [edi]       # offset from table base
-  mov    al, [edi + 4]    # byte value
+  mov    edx, [edi]                           # offset from table base
+  mov    al, [edi + 4]                        # byte value
   mov    [esi + edx], al
 
   add    edi, 5
@@ -66,7 +67,7 @@ patch_again:
   jmp    patch_again
 
 done:
-  mov    eax, esi         # return found table base
+  mov    eax, esi                             # return found table base
   jmp    return
 
 not_found:
@@ -82,18 +83,12 @@ return:
 get_data_ptr:
   call   get_data_ptr_ret
 
-data:
-scan_start:
-  .data  0
-scan_end:
-  .data  0
-signature_size:
-  .data  0
-patch_count:
-  .data  0
-payload:
-  # Server suffix:
-  #   signature bytes
-  #   repeated patch entries:
-  #     uint32_t offset
-  #     uint8_t value
+# Server suffix starts here:
+#   uint32_t scan_start
+#   uint32_t scan_end
+#   uint32_t signature_size
+#   uint32_t patch_entry_count
+#   signature bytes
+#   repeated patch entries:
+#     uint32_t offset
+#     uint8_t value