Rez Hacking

Discussion in 'Sega Dreamcast Development and Research' started by Blaarg, Jan 15, 2011.

  1. Woofmute

    Woofmute Site Supporter 2013-15, 17

    Joined:
    Jan 18, 2010
    Messages:
    186
    Likes Received:
    44
    Welcome back.

    Figured out a few things last month, specifically how mute numbers work (they determine which audio tracks are played at each layer), how to build a custom soundbank that the game can read, and, thanks to Pyrite from YouTube, what fpb files are for. Will write up more notes on custom mpb soundbanks once I get my test midi to work properly.

    Mpb files can be created using the DLS2TB.exe file from the Dreamcast SDK. This converts DLS Level 1 soundbanks to the mpb format. The converted mpb file will need a byte in its header changed from 01 to 02 in order to function properly.

    Midi files contain the music sequence data and meta event data, as well as the mute number data.
    Mpb files contain the audio samples.
    Fpb files are responsible for telling the game what audio effects to use on each midi channel.

    Pasting my notes on mute numbers, using Area 1 from the final game (M01.MID).

    ------------------
    Each midi file used in the game has a KMD0 section within it, at the end of the midi data. If the KMD0 section is missing, the game will activate every midi track and you won't be able to turn them off from the sound debug menu.

    This section MUST start as soon as the midi file ends. If KMD0 starts misaligned (i.e. not on a 1st, 5th, 9th or 13th byte), pad with FF AFTER the section size in the header, so the 00's after the FF's are aligned. If you do not align the KMD0 section data, the game will read incorrect bytes for the mute numbers.

    KMD0 header=
    <KMD0 (4 bytes)> + <Section size (4 bytes)> + <FF bytes if misaligned>

    6 bytes of unknown data follows the header.

    Mute Numbers=
    Each one is 12 bytes.
    eg <01 00 00 00 00 00 00 00 0f 51 04 00>

    First byte decides whether to restart the midi on a layer change.
    00 Continue playing.
    01 Restart and play.

    Last four bytes determine which tracks to play.

    Area 1-
    00... 80 00 00 00 = 7.
    00... 86 00 00 00 = 1, 2, 7.
    00... 86 00 40 00 = 1, 2, 7, 22.
    00... 8e 00 40 00 = 1, 2, 3, 7, 22.
    01... 00 03 00 00 = 8, 9.
    00... 1e 03 00 00 = 1, 2, 3, 4, 8, 9.
    00... 1e 28 40 00 = 1, 2, 3, 4, 11, 13, 22.
    00... 1f 2c 40 00 = 0, 1, 2, 3, 4, 10, 11, 13, 22.
    01... 08 11 04 00 = 3, 8, 12, 18.
    01... 0f 51 04 00 = 0, 1, 2, 3, 8, 12, 14, 18.
    00... 0f 55 04 00 = 0, 1, 2, 3, 8, 10, 12, 14, 18.

    The tracks activated are determined based on the reversed binary values of the last 4 hex bytes. Each byte is responsible for controlling 8 tracks, with a limit of 32 in total. Tracks in game start on 0 instead of 1.

    e.g.
    1f 2c 40 00
    00011111 00101100 01000000 00000000
    1st= 0 1 2 3 4 ON, 5 6 7 OFF.
    2nd= 10 11 13 ON, 8 9 12 14 15 OFF.
    3rd= 22 ON, 16 17 18 19 20 21 23 OFF.
    4th= 24 25 26 27 28 29 30 31 OFF.

    Following from this, the boss sections (if the level has a boss) are defined in the same way. These mute numbers aren't accessible from the sound debug menu, however.

    All KMD0 sections end with
    FF FF FF FF 00 00 00 00 00 00 00 00.
    This IS supposed to be included in the KMD0 section size.
    ------------------

    I hope this makes sense. Feel free to ask questions if you're confused and I'll try to help to the best of my ability.

    As far as custom music goes, I managed to get a custom kick drum sample into the game, but now I have to figure out why the game is playing the custom midi file too fast despite having the (supposedly) correct meta events set up.
     
    Esppiral, -=FamilyGuy=- and S4pph4rad like this.
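
The mute-number layout described in the post above, as an added example that is not part of the original post or of any tool from the thread: a decoder and encoder for the 12-byte records, checked against the Area 1 values listed there. It assumes the caller has already skipped the KMD0 header, any FF padding and the 6 unknown bytes, and that bytes 1-7 of each record are zero as in the post's one full sample; the function names are hypothetical.

```python
# Added example (not from the thread): decode the 12-byte mute numbers above.
ENTRY_SIZE = 12
# Record that closes every KMD0 section, per the post.
TERMINATOR = bytes.fromhex("ffffffff0000000000000000")

def decode_mute_number(entry: bytes) -> dict:
    """Return the restart flag and enabled track numbers of one record."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError(f"expected {ENTRY_SIZE} bytes, got {len(entry)}")
    if entry[0] not in (0, 1):
        raise ValueError(f"unexpected restart byte {entry[0]:#04x}")
    # Bit b of mask byte n enables track n*8 + b, which is what reading each
    # byte's binary digits right to left gives; as one little-endian 32-bit
    # integer, bit t is simply track t.
    mask = int.from_bytes(entry[8:12], "little")
    return {"restart": entry[0] == 1,
            "tracks": [t for t in range(32) if (mask >> t) & 1]}

def encode_mute_number(restart: bool, tracks) -> bytes:
    """Build a record; bytes 1-7 are zero as in the post's sample (assumed)."""
    mask = 0
    for t in tracks:
        if not 0 <= t < 32:
            raise ValueError(f"track {t} is outside 0-31")
        mask |= 1 << t
    return bytes([int(restart)]) + bytes(7) + mask.to_bytes(4, "little")

def read_mute_numbers(records: bytes) -> list:
    """Decode back-to-back records, stopping at the terminator record."""
    decoded = []
    for off in range(0, len(records) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = records[off:off + ENTRY_SIZE]
        if entry == TERMINATOR:
            return decoded
        decoded.append(decode_mute_number(entry))
    raise ValueError("no FF FF FF FF terminator record found")

# Constructed sample: three Area 1 mute numbers from the post (middle bytes
# assumed zero) followed by the terminator.
SAMPLE = (bytes.fromhex("00" + "00" * 7 + "80000000")
          + bytes.fromhex("01" + "00" * 7 + "00030000")
          + bytes.fromhex("01000000000000000f510400")
          + TERMINATOR)

if __name__ == "__main__":
    for number, info in enumerate(read_mute_numbers(SAMPLE)):
        print(number, "restart" if info["restart"] else "continue", info["tracks"])
```
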
  2. Woofmute

    Woofmute Site Supporter 2013-15, 17

    Rez Infinite was released on Steam the other day. Would post about its build info but the data seems to be stored in encrypted dat files. It has a version file that just says 1.5. The game of course has anti-debugging measures in place and quits when it detects a debugger, so I'll have to continue learning to get around those.
     
  3. NraButtons

    NraButtons Newly Registered

    Joined:
    Aug 12, 2014
    Messages:
    1
    Likes Received:
    1
    Tried poking at the .bnk files from Rez Infinite's Steam release, but I couldn't seem to find the right way to do so.

    Area X is a separate executable from the rest of the game; judging from the directories, it's the only part of R:I made in Unreal Engine.
     
    Woofmute likes this.
  4. Woofmute

    Woofmute Site Supporter 2013-15, 17

    Yeah, Area X uses the Unreal Engine, but classic Rez runs on a port of the original engine.

    The rez.dat file has listings for all the game data I'd expect from the originals inside it, but they've all got the .zip extension. I'd assume they're like the loose .zip files in the credits and howto folders, which don't seem to be standard zip files. The game uses crypt32.dll, potentially for these files. Would have to continue looking through the exes in disassemblers to try to find any encryption related stuff.

    Edit: According to Wunk on steam:
    -----------------------------

    Also, welcome!

    Custom music is at a bit of a standstill right now, despite being able to build correct midi files (fixed the timing issue) and mostly correct soundbanks. If you include multiple instrument banks (which you have to do for complex songs because the DLS Level 1 standard only allows so many per bank), the game won't use the correct soundbank for the song.

    I tried for ages to work around this but it seems whatever tool they used to generate mpb files was probably newer and different in functionality. The tool I use from the Dreamcast r11 SDK is from 1999, and doesn't make mpb files with the header flag 02, only 01. The structure of the header section is different too, and can only be made to work in game by editing that flag to 02 if there is only one instrument bank, it seems. This is despite the tool recognising and correctly assigning program numbers to multiple instrument banks.

    So I'll keep trying, but worst case scenario is it would require a custom tool to convert dls files to proper mpb files.
     
    Last edited: Aug 12, 2017
    fafadou likes this.
  5. Mrneo240

    Mrneo240 Gutsy Member

    Joined:
    Sep 15, 2017
    Messages:
    462
    Likes Received:
    571
    Can you help me to understand some stuff about Rez? I want to try and help this project.
     
  6. megavolt85

    megavolt85 Peppy Member

    Joined:
    Jan 8, 2015
    Messages:
    311
    Likes Received:
    454
    Hex patch to enable debug mode

    Code:
    find
    e8 90 0b 8c a0 34 0d 8c 00 00 01 00
    replace
    e8 90 0b 8c a0 34 0d 8c 00 C0 01 00
    
     
    Woofmute and Mrneo240 like this.
  7. Woofmute

    Woofmute Site Supporter 2013-15, 17

    I'll try to the best of my ability, though I'll be better tomorrow when I can access my notes and stuff. Feel free to message me or post here if there's something specific you're wondering about.

    If you want to explore the debug functions properly you'll need a Japanese Dreamcast keyboard, or watch the memory address for port 4 input when that's set to a keyboard in Demul, since Demul doesn't emulate all the keys, but you can force them by trying their ids with the console menu open. Use a Dreamcast mouse in port 2, or a controller which will work as a mouse.

    I have a cheat table for beta 836 for Cheat Engine and Demul which has the keyboard ids mapped in the notes, and some info on the modules which get loaded into memory after a certain address and can be manipulated quite easily. The names of these modules can be exposed in the console menu by messing with the module header too. These include the modules accessible from the modules header of the left click menu, but also several that are only loaded during gameplay like the map manager and "yuki_tool.c" (the yuki debug mode you can toggle from the left click menu).

    I can upload this tomorrow if it would help.

    On the subject of modules, something I wondered about for years was why the game becomes unstable when you press delete in (I think) the yuki debug mode. This clears all level geometry, and rarely happens without the game immediately crashing. It turns out pressing delete actually clears the yuki module from memory and I think the map manager too. I don't know why this is an available function though.
     
  8. Woofmute

    Woofmute Site Supporter 2013-15, 17

    Ok, I've attached my current cheat table for Rez beta 836 (Vibes). While the other beta and the final will have similar values in their memory, the locations will not be exactly the same. Modules might get loaded into the same area of memory however. This is made to work with Cheat Engine v6.7 and Demul v0.7. Set a keyboard to port 4 and a controller to ports 1 and 2.

    Currently it includes addresses for enabling the debug info overlay without needing to press the keyboard key which Demul doesn't emulate, and lists addresses for several modules such as MapManager, AreaChoose, SegaLogo, Options, GameFlow, Player, etc. Some of these modules have addresses of various functions documented but I haven't looked into all of the modules yet. Any stage specific ones in this cheat table should work in Area 1, though they might change location in memory when in other stages, but they should still be somewhere in the region of the addresses I added. You can edit the "HEAP" text and the console window should throw lots of errors exposing which module you edited the heap header of, which is useful for documenting other modules and checking which one you're looking at.

    I haven't added the test module or score rankings, gameover, and ending to the cheat table yet but they should get loaded into one of the two module sections I've identified when you select them from the left click modules menu in game. I'd appreciate help documenting what each module can do if anyone is available to poke around in them.

    I don't currently know how to get the game to load specific modules beyond the ones available in the modules menu and by playing the game, and I still don't know how to enable the Pass Editor if it is still possible (This would enable level editing). To access the MainFlow Editor (Enemy layouts, BPM changes, camera changes, etc.), press F3 in a level, and use the debug info overlay to see what the keys do there. Any saved MainFlow edits will be loaded instead of the files from the disc, but they can be deleted from the bios menu.

    Click the table extras button on the bottom of Cheat Engine to see my attached notes which include the keyboard key values I know of so far if you need them. Press P to make all levels available from the level select menu (Or edit the max number of available levels in the AreaChoose Module).

    If this isn't working for you feel free to post about it.

    Edit: cheat table removed since I added a new one below.
     
    Last edited: Feb 26, 2018
  9. Woofmute

    Woofmute Site Supporter 2013-15, 17

    It's not as helpful as I thought to think of the modules as being in more than one section, because it turns out it is just one section. I got confused by how much space was taken up with a play log module that stores the entire katana flash in memory. The module area begins at 0x8C900000. I found the area in memory where the console window stores its input, so you can get around not being able to use an underscore by typing your command in memory. The command heap_map displays every module currently loaded into memory, and their locations. If a module I've been documenting is not where it was when I documented it, you should be able to run this command and find its new location. I haven't gone through and added possible locations for the boss modules yet.

    I still have no idea if the PassEditor or the other boss selection menu (Not the VarEdit one) is accessible, the text strings for those exist in 1ST_READ... So surely they were to be run in-game somehow. It would probably require disassembling the game and looking for the required inputs or something, if they even still have any, but there were some level related changes made between beta 836 and 899 so...

    Anyway, here's a new cheat table with more of the modules added. You can do some interesting things by messing with modules like Sound Beat or System1 and 2, and killing the module tasks can lead to some interesting game instability.

    Also, the byte to switch between Gindows and Nindows is documented here, but this byte does not exist in beta 899 and the final. Nindows seems more or less useless in its implementation here.
     

    Attached Files:

    Last edited: Feb 26, 2018