My understanding of the Function Copier.
Somethings you should know:
In this tut im using digits as numbers and letters.
Please dont pm or post asking about anything in this tut.
I'am providing as much info as I know so this is everything I know about the copier.
If you post things asking about this tut. I will more then likely update it, rather then reply.
Also, somethings may not be explain the right way I may have mixed some stuff up so give me a break, so if someone sees something wrong let me know.
I'm explaining things as simplified as I can so people can understand.
**Important tip the EE emulator in ps2dis will help you greatly on this.**
Commands you might want to understand (since hardly anybody really understands them):
Lui-
Lui loads the first four digits to any register and zeros the last four digits of the register.
Example: If you have an address and its value is 0x3f800000 then you would just use Lui t0, $3f80.
What this does is it loads a value of 3f800000 into the t0 register. It overwrites the last four digits with zeros.
Thats why an lui is before an ori or addiu. So if you had a value of 3f800001 and put the lui after an ori or addiu
it would zero out the 0001
Setup:
Lui is setup as follows, Lui would be the command, the t0 is telling in what register to load it to.
Ori-
Ori loads the last four digits to any register and doesn't mess with the first four. 7fff rule doesn't apply to this.
Example: Say you have an lui t0, $03e0 into it and you want to load more so you would do this ori t0, t0 $0008
What this does is load 00000008 into t0 making it 03e00008.
Setup:
Ori is setup as follows, Ori would be the command, the first to t0 is refering where to load it to, while the second t0
gets the first 4 digits of the register (in this case 03e0) and adds only the value once no matter how many times its processed.
Branch Commands-
Branch commands compare to registers and branch to the address specified depending on which branch you use.
BEQ- Branch on eqaul Meaning:Branch if one register matches the other ex: beq t0, t1 $[address] //this brances to the specifed address is register t0 is the same as t1.
BNE- Branch on Not equale Meaning: Branch if one register dosn't match the other. ex:bne t0, t1 $[address] //this branches to the specified address if t0, doesn't equal to t1.
There are more branch commands, but I wont get into that for now.
Addiu-
Addiu loads and adds the last four digits to any register. 7fff rule applies to this
Exaplantion: addiu is just like ori but instead of just adding it once no matter how many times its processed it add continusly as long as its processed.
Example: say you have an lui t0, $0001 and you use addiu t0, t0 $0004 well it will increase the register that many times as longs as its processed. So if you just have this
lui t0, $0001
addiu t0, t0 $0004
jr ra
it would only increase it once since it ends and restarts over, but if you looped it like this
lui t0, $0001
addiu t0, t0 $0004
[some commands]
branch zero, zero $[to addiu t0, t0]
nop
jr ra
it will continue to add that amount as long as the routine is running.
Setup is just like ori.
Sw & Lw
Some people seem to get this confused, so Im going to explain it. The 7fff rule applies to this.
Lw- loads the full 8 digits (value) of an address to a register.
Sw- Saves the full 8 digits (value) of a register to an address.
Examples:
Lw t0, $[last four digits of address] (t0)
this loads the value of the address in to t0.
Setup: Lw is the command, t0 is what register to load the value to (register),
Sw t0, $[last four digits of address] (t0)
Setup: Sw is the command, t0 is what register to save the value from, and the second t0 is where to save the value to (address).
Well, thats it for the commands, but I may have missed or didn't explain the right way so check back later on for updates.
Function Copier:
Things:
I modded this copier so you can change the address to where it copies its not much changed other then that.
/(#) = if you want to change, you can,
/* = you dont need to worry about changing.
#Copier
0x00000098 0x0a200400 /1Hook Jumps to 08801000
0x00001000 0x3c0f03e0 /*Loads a value of 0x03e00000 to t7
0x00001004 0x35ef0008 /*Adds 0x----0008 to 0x03e00000 and makes t7 have the value of 0x03e00008 or a jr ra
0x00001008 0x3c0a099f /2Loads 0x099f0000 to t2
0x0000100c 0x3c090880 /3Loads 0x08800000 t0 t1
0x00001010 0x25291090 /4Loads 0x000001090 to t1 making it have 0x08801090 in t1 <<That is the real addressing the fake address is 0x00001090 which is the start of the stack.
0x00001014 0x354afd94 /5Loads 0x0000fd94 to t2 making it have 0x099ffd94 in t2 <<That is the real addressing the fake address is 0x011ffd94 which is where we're copying the functions to.
0x00001018 0x8d2d0000 /*This loads the value of t1 into t5, since t1 is the start of the stack it loads the address of the start of the function you want to copy.
0x0000101c 0x8dae0000 /*This loads the value of the address of t5 in t6, or loads the value of the start of the address of the function you want to copy.
0x00001020 0x11cf0006 /*This brances to 0x08801040 if it loads a jr ra
0x00001028 0xad4e0000 /*This saves the value of t5 into the address in t2
0x0000102c 0x254a0004 /*This increases the address of the copy region.(by 1 address)
0x00001030 0x25ad0004 /*This increases the address of the function your copying.(by 1 address)
0x00001034 0x1000fff9 /*Branches back up to 0x0880101c, which the command there loads the value of the address of the second line in the functions after the second it loads the third line and so and so forth.
0x00001040 0xad4e0000 /*Before it branches here it loads the value of the jr ra and after it branches it saves the jr ra
0x00001044 0x254a0004 /*Increases the address of the copy region.(by 1 address)
0x00001048 0x25ad0004 /*Increases the address of the function your copying.(by 1 address)
0x0000104c 0x8dae0000 /*Loads the value of the address after the jr ra
0x00001050 0xad4e0000 /*Saves the value of the address after the jr ra and saves to the copied region.
0x00001054 0x25290004 /*Increases the address of the stack.(by 1 address)
0x00001058 0x8d380000 /*Loads the value of the of the second line in the stack into t8
0x0000105c 0x1700ffee /*branches back to 0x08801018
0x00001060 0x254a0004 /*This increases the address of the copy region before it branches. So it can start after the last copied function
0x00001064 0x3c18099f /*Loads 0x099f0000 into t8 (dont really know if its needed.)
0x00001068 0x03e00008 /*Ends the routine
Ok, that explains the copier onto the activation and other things, but for now I'm going to explain the lines you can change.
/1 - Is the hook can change it to whatever hook works best for you. Just remember some hooks are jump or jump and link.
/2 - Is the first part of the copy region (address) So change it to the first numbers of the area you want your code's copied to.
/3 - The first part of the stack you don't really have to change it, but you can if you want.
/4 - The Second part of the stack
/5 - Is the second part of the copy region (address) change to correspond with the first part. Remember the 7fff rule doesn't apply to this.
How to fix up ps2dis and the stack:
Some things to know:
When putting address in the stack they have to be in real addressing so remember add 08800000 to it.
When making the stack keep track of the fuctions you have. (write them down or type em down.)
This is where the EE emulator will come in handy. First thing you have to do is load the ram dump leave load from:00000000 and make address from: 08800000 and press ok.
Once that is done, invoke the dump, and go to the address that the copier is at and copy all the values right. This is setup for use later on.
Ok, how to start making a function safe. First, get the code you want safe and trace it back to a pointer. To trace it get the address of the code and add 08800000 to it and goto that address. Then hit ctrl+up, which will take you to the first line of the function.
Once your there find all the refers ,jal's or jumps are the most common one's, for this I'm going to use uncensored text for ftb1.
So, the address for it is 0010f47c adding 08800000 makes it 0890f47c. Then I got to the address hit ctrl+up and get all the refers for it. For uncensored text it should have two refers.
089106d8 -first refer
08910b58 -second refer
To test them I have to do something that has something to do with the original code. So first I nop both codes and add them to my archive, I then go online and turn on one at a time and try to text, one of them should have an effect on text which should be.
08910b58 -second refer
Now you do the same thing with this function, but this one dosn't have any refers. So, what you do now is in ps2dis hit ctrl+f and check the box As hex string, and just like porting you enter the address backwards like this 58 0b 91 08 = 08910b58. Hit enter and you should get this pointer.
08c31720 -Pointer for spam chat and uncensored text.
So now you do this, you get the original address that the pointer is going to which is
0x00001090 0x08910b50 ((this is the line in that would be put in the stack)) add it to the stack (in ps2dis) and get the address that the second refer is going to (Uncensored text function) and add that on the second line of the copier.
So far the stack would look like this
;Stack
0x00001090 0x08910b50
0x00001094 0x0890f2ec
so once that is added to the stack in ps2dis goto ee emulator (Ctrl+Shift+R) and goto the top line of the function copier (not the hook) and hit run wait for it to copy.
Now, goto the copy region which in this case it's 099ffd94, and you'll see a lot of black lines that say word in it will dont worry about that just hold the U button until you hit the bottom of it and you'll see a mirror image of the function in your area.
How to get the Activation (Poor you, you may actually have to think here):
Now for the activation your simply redirecting the pointer and functions.
To redirect the pointers you just have to change the address that is in it, to the new area.
Ok the first line of the first copied function is the address you have to change the pointer to which would be.
099ffd94
So the activation is
#Activation
0x00431720 0x099ffd94
Now you can edit the first function with out worrying about being banned, but the second function won't do anything so. Heres what you have to do.
First the second refer is a jal that goes to the second function you have to find that line is in the copied area and change it to go to the function under the first one.
example
First function (made up function)
0x011ffd94 0x27bdffd0
0x011ffd98 0x3c100880
0x011ffd9c 0x0e243cbb //real value of the refer which is what we need to redirect the function to the copied one.
0x011ffda0 0x00000000
0x011ffda4 0x03e00008
0x011ffda8 0x27bdff20
Second function follows the first (also made up)
0x011ffdac 0x27bdff20
[other stuff follows]
So what you have to do is change it
0x011ffd9c 0x0e23ff6b //goes to 0x011ffdac and that line would be in your copier.
So the activation to make both copied functions safe is like this.
#Activation
0x00431720 0x099ffd94
0x011ffd9c 0x0e23ff6b //fake line, but you get the concept
Now finding the codes:
So spam chat and uncensored text use the same pointer, its two birds with one stone. to find the codes is basiclly like porting you just find the same value in an exact same area and use it.
No more need to explain it. All you have to do now is get the address of the codes copy'em and copy the stack, activation
That pretty much ends it for this tut So good bye and leave me alone about it, cause now you know as much as me if your not confused.
I may still update it to make it more easier, but dont get your hopes up.
Reply With Quote
![My Understanding of the Function Copier. [Part1]](https://www.consolediscussions.com/forum/staff/Coder.png)
!![My Understanding of the Function Copier. [Part1]](https://www.consolediscussions.com/forum/staff/Member.png)
Originally Posted by 1st-Hokage
Bookmarks