Creating The Defiance PC Trainer
Ben has said many times that it would be almost impossible for any of the debug menu codes he had created to converted for PC and until this July I had agreed with him.
The PS2 codes are created using a programming language called MIPS. Although complicated, MIPS is still relatively simple compared to the assembly language used by the PC versions of the games, called x86. I considered looking into the idea of learning x86 and had found no way of learning it without taking a course and spending years learning it. There were a lot of details I thought I had to understand before having a clue where to start. After reading all the complaints about Defiance's camera from PC players and after trying out Ben's PS2 camera code I decided to have another look so that I could show the PC players exactly what he meant when he said the SR2 camera made Defiance unplayable.
Finally, I found someone who could help me. A user on Nosgothic Realm called Wumpchild (AKA CubanRaul) had written a less buggy version XP patch for BO1, so I convinced him to help me search for the Defiance camera code.
The first thing I needed to do was show him where to look. I had to find a program that could understand what the code meant and display it in a way that I could search through it and make comments to I could keep track of my progress and show him what I meant. Eventually I found a device called the Borg disassembler that could do what I needed.
As there were no labels in the coding for PC version of the game I had to use a string to locate the function. There is a string "Cameraunit" referred to in a function near to the one I needed. From there I was able to count the number of calls away from the string and say something like "If the function I need is the third one used after 'Cameraunit' gets used in the PS2 version, then it might also be the third one used after 'Cameraunit' in the PC version a well."
It turned out that it was similar to that example, and after CubanRaul explained what some of the commands in the function meant and I'd looked at the numbers used, I was soon able to point out which part of the function read the camera mode and I got it to write to the camera mode instead. Since that had overwritten the part that checks whether to skip some other code, I had to make it act like it had read it as the SR2 camera mode. Once I'd made the change it was going to be in SR2 mode and wouldn't need to do the check anyway.
I only had the one file that was needed to find the codes and not the ones needed to actually play the game, so I had to ask CubanRaul to change the exe file in a hex editor to test out the code. (If you want to try that yourself, for goodness sake back up the file!) This was another problem because we didn't know how to convert the commands we changed into hex. Hex is a number system that computers often show binary code as, so that means we had to figure out what numbers represent the commands we used. That involved a lot of searching for examples and testing them out with a calculator.
At the time we hadn't discovered the use of trainer programs so we couldn't write to the address for the camera mode itself so we had to alter the code that reads/writes to it. CubanRaul used his patch making program to create the Defiance camera patch and then we were able to distribute it to the LOK community. We found out that it didn't work for version 1.1, so we followed the same procedures as the 1.0 version and CubanRaul was able to include that in the camera patch.
At roughly the same time we had been looking into using trainer programs. I didn't know what they were before then but I did know that they were mentioned a lot when I had looked up cheating in PC games. What I didn't know was how powerful they were or what implications they held for this project. Trainer programs are small programs (Daemons, how apt for LOK :D) that run along side the games program and can "poke" stored values onto specific memory locations in the games memory. Not only that, but they can do it at the touch of a button and even listen for certain keys being pressed while the trainer is minimised and the game is being played. This adds controls for the cheats into the game.
We eventually found something called Trainer Maker Kit. (I can't remember where, but I found a better one since so I'll post the link later.) After a frustrating evening of trying to figure out how to use it when I didn't actually have the game, I then showed CubanRaul what I'd found out and he managed to figure out anything that I hadn't his self and create a trainer so that the camera could be more easily controlled and switched between the Defiance cinematic camera and SR2 type camera.
Once we had discovered the trainer maker then the real fun could begin! I had been wondering if we could do what had until then been considered impossible: Convert the Defiance debug menu for PC. This was possibly the most difficult of both the debug menus to activate as the controls for it had been almost completely dismantled.
One weird thing that happened was that the cursor seemed to scroll randomly through the menus. The fix later seemed to be very similar to what was done on the PS2 cheat device code but the bugs caused beforehand just seemed strangely different. If you've seen Ben's original PS2 version, there's a frightening 30+ lines in total and CMX's shorter version required a huge about of knowledge about the games code since he'd used all his specialised hardware to get it as short as he did [ CMX's code is also shorter because he modified the menu logic to move the cursor downwards one option no matter which button you press on the D-Pad. Part of the reason my original code is so long is that I wrote routines in MIPS assembly that restore the full up/down functionality. -Ben ].
I had to completely map every single function the code came into contact with. That was a huge task. So I'd already found the reference to "Cameraunit" and that was close to a lot of references to debug menu functions but at that point I had little to go on to recognise which ones were the ones I needed. So what I did then is I found the array used to generate the menus. The debug options are a structure that goes something like this:
Each menu option has something one of those structures to it. For example the Give Health Up option in Defiance version 1.1 goes like this:
|0054C230||06000000||00000006||The 06 means it's going to use a function|
|0054C234||00000000||00000000||The zeros do nothing|
|0054C238||00000000||00000000||Same again, they do nothing|
|0054C23C||381f5400||00541F38||If you go to address 00541F38 you'll find the words Give Health Up are actually stored there|
|0054C240||70bE4100||0041bE70||If you go to address 0041bE70 you'll find the function that fills up the health meter|
I don't know why the values are stored backwards like that but the debuggers I use fix that.
Another example, the Health Level (number of upgrades) option goes like this:
|0054BA08||01000000||00000001||The 01 means it's a numeric value|
|0054BA0C||00000000||00000000||The zeros do nothing|
|0054BA10||04000000||00000004||The 04 is the maximum value it will allow|
|0054BA14||B01A5400||00541AB0||If you go to address 00541AB0 you'll find the words Give Health Up are actually stored there.|
|0054BA18||A0B15400||0054B1A0||The address 0054B1A0 stores the health level|
|0054BA1C||E0BC4100||0041BCE0||If you go to address 0041BCE0 you'll find the function that lets the rest of the game know about the update|
What I've found out so far about the types of options that can be created for the debug menus is:
All of the structures like this are all in one big list and there is one for every menu option so it would make sense that the functions that draw the debug menu have references to this.
A lot of this info I had to work out by studying the PS2 version. The option type was of particular use because understanding that lead me to many of the functions the PS2 codes were used to modify. There's a function for each type of menu option and there's yet another list of those functions. The list just so happened to be, "the best song in the woorrrld!" (Not really, I just wrote that so many times that the song popped into my head. LOL) It happened to be right near some of the variables used by the option list. The option type simply specifies the position of the function in the list of the ones that decide how to handle the other stuff in a menu option and has a lot to do with the controls that needed fixing.
I had seen the debug menu functions on PS2 version, but I had no idea what they would look like in the PC version. However the data structures I have described work almost exactly the same way on the PC version as the PC version, so they were easy to locate. After I found them I just ran a search for references to the option list and that found me the functions I needed. My knowledge of x86 was improving by then and it turned out that the functions were doing a lot of the same things that the PS2 ones were doing, so then I could recognise them, name them and use them to find others nearby.
It also happened to be that one of the functions referred to in the debug menu was right next to one of the ones I needed to activate it. After that I just used the same methods as I used to find the camera code. I tried to work out how to do it with Blinc's original code but it turned out that the adjustments in CMX's version was still a lot simpler to find. Even though he needed to use special hardware get it that short it was still easier to do it that way because it meant less searching for all the different functions. It was really lucky that the changes that CMX had made were still applicable in the PC version because there I don't think there would have been any other way I could have reattached all the controls that had been altered/removed before the game was released.
I worked on version 1.0 of Defiance while CubanRaul tested everything out, followed my steps for version 1.1 and worked out some difficulties we had with the trainer makers. Anyway after weeks of searching and bashing my head against the screen we had accomplished the impossible and brought the Defiance Debug Menu to the PC.
One other thing I did before releasing the trainer was I added in a little bonus that I thought would be cool. I used my knowledge of the menu options to add in a function to let you shift to the spectral realm as Kain. There was an option that didn't do anything (it used to bring up a blank menu) so I just replaced that with the shift function and gave it an appropriate name. The option is in the Raziel Menu and it's called PlaneShift or something obvious like that. I'll have to get around to checking on my old codes. (Yes that does mean there's more. **Does impression of that guy from Scream** zjeazgmoar!!)
There are plenty other things the debug menu can do as well. My favourite has to be the option on one of the menus that lets you switch between Kain and Raziel at any time. Apart from the Tube Reaver and Toon characters it can give you any cheat that was allowed in version 1.1 even if you only have version 1.0. I'm planning on adding those in as well as soon as I get chance. The "Give Health Up" option on the main menu is used to restore your health, the "Give All Slams" means you get all the available moves and the "Give All Ups" option should give you all telekinesis upgrades and possibly all health upgrades, I can't remember. If it doesn't, there's a Health System menu that can be reached from the Raziel Menu. Go into that and you can set the number of upgrades Kain/Raziel has.
There's other stuff like hurting Raziel or Kain that can also be done from there. There's also stuff for Raziel in his menu such as the "Toggle TKAquire Ability" which is the gift he gets from Turel that lets him lift enemies with his telekinesis and a "Shift Any Time" option that makes him not need a corpse or a body to shift.
The debug menu lets you use any Reaver at any point in the game but a minor but is that having Kain's Spirit Reaver causes all doors to be locked so you'll have to switch to a different one from the menu. To select a Reaver, go to the Raziel menu and then to the Switch Reaver menu from there. Don't try to use the other characters Reaver's cause that causes the game to crash. For Kain you can't charge up the Blood Reaver or change to a different one until you've found the 1st piece of the Balance Emblem or you have used the "Toggle Charge Move Ability" option in the Raziel menu.
I don't know why they still call it the "Raziel Menu" because all of Kain's stuff is in there as well. CD/Eidos probably didn't spend too much time perfecting the menu since we weren't supposed to be able to use it anyway. Part of the reason for this is that Defiance was built by reusing much of the code made for SR2 then adding in the new levels and abilities and stuff. Just like SR2 reused much of SR1s code.
Thanks again to CubanRaul for the all the help I mentioned above, thanks to Ben for hosting these articles on this awesome site and for making the original PS2 code, to CMX for improving said code and to everyone who even made those codes possible. I could go on but this is starting to sound like an Oscar speech so I'll get on with showing the screenshots and the links.
**Note**: There has been some confusion with getting this to work, so I'll explain here:
More to come,
Andrew (aka Vampmaster)