Advanced Game Genie code making tips for Sega Genesis...

Written by: Tony Hedstrom
t_hedstrom@yahoo.com
http://www.angelfire.com/games2/codehut/

Version 0.4
January 6, 2005

What's new for version 0.4
---
-added info on new RAM searching program: Gens v2.10-mk1
-added section 8
-updated/corrected several odds and ends.

I'm working on a new guide that has lots of new info. Here's some of the stuff that's covered in it:

How to make codes when other methods fail
How to make master codes
How to make regional lockout bypass codes
How to find controller cheats in the ROM
Common 68000 opcodes (and their hex numbers)

I'll upload it to my web site as soon as it's finished.

=====================================================
Index
=====================================================

Section 1: Introduction (the basics)
Section 2: How to make "Start with more" type codes
Section 3: How to make "Infinite" type codes (method 1)
Section 4: How to make "Infinite" type codes (method 2)
Section 5: How to make "Pick-ups are worth more" codes
Section 6: How to use existing codes to make new codes
Section 7: How to make "Start on any level" type codes
Section 8: If all else fails
Last section: Message board post

=====================================================
Section 1: Introduction (the basics)
=====================================================

Although this doc deals with M68k assembly language, you really don't need to know about it to make Game Genie codes. M68k is the computer language that the Sega Genesis understands. If you want to learn more about Sega Genesis assembly language, then you should read the official Motorola 68000 reference manual. It's HUGE (650 pages). To get it, just do a Google search for 68kpm.zip.

Most of the info below also applies to Sega 32x games. 32x Game Genie codes won't work on a real 32x console, but they work fine with Gens ver. 2.10 (emulator).

Information on making Sega Genesis Game Genie codes is almost non-existent, therefore I'm having to learn most of this on my own. So keep in mind that while I'm doing my best to make sure the info below is correct, some of it may be wrong. If you can add any info that will help, please email it to me. You will be given full credit.

I recommend going to my web site (the address is above) and reading "How to make Genesis Game Genie codes Advanced" as it will explain how to turn a ROM address into a Game Genie code, as well as other useful info.

Here is a quick example of how to turn a ROM address into a Game Genie code. (Read my doc (mentioned above) for more detailed info.)

It's usually pretty simple, just take the ROM address you want to make a Game Genie code for (it MUST be an EVEN address), and enter it into the GG to hex conversion program (you can download the GG to hex conversion program from my web site). Then enter the new value (2 bytes) and the program will give you your Game Genie code.

Here's an example: Let's say that at ROM address 3126, I want to change the instruction there from 5338 to 6004. This is how I would enter it into the GG to hex conversion program:

003126:6004

I added 2 zeros in front of the ROM address (003126) because it must be 6 digits long. Here is the Game Genie code that the program gives us:

AT2T-AA3G

Easy enough. As I mentioned before, read my "How to make Genesis Game Genie codes (Advanced)" doc for more detailed information.

You MUST convert .smd ROMs into .bin ROMs before searching them with a hex editor. To find out how to convert .smd ROMs, go to my web site and read "How to hack GG codes into a Genesis ROM", or "How to make Genesis Game Genie codes (Advanced)".

In this doc, I mention RAM addresses, here's how to find them... You can use existing PAR codes (that begin with FF) by removing the "FF" from the beginning of the code to get the RAM address.
For example, the PAR code for infinite rings on Sonic the Hedgehog is FFFE20:00C8, so by removing the FF at the beginning of the code, we know that the RAM address for rings is FE20. One good place to find existing PAR codes is here: www.GSCentral.com. You can also use a search program like tsearch to find RAM addresses, but I haven't tried those much yet.

Another program you can use for finding PAR codes (RAM addresses) is called SuGAR. SuGAR is made specifically for finding PAR codes using Genecyst or DGen. If you can't find an existing PAR code, then this program is a good choice if you want to make the PAR code yourself. Directions are included with the program.

If you have a slow computer (like me), SuGAR may take a long time to find codes if DGen or Genecyst is running in the background. I got around this problem by making all of my RAM dumps, and writing down what was in each RAM dump, then shutting down DGen (or Genecyst) and starting up SuGAR and searching each dump. SuGAR was then able to search the dumps very quickly. Make sure you rename each dump before you make a new one, or else it will get overwritten. You can download SuGAR from www.GSCentral.com (I think it's in the "Hacking" section.)

UPDATE: There is now a program available that is better than SuGAR for finding RAM addresses (PAR codes). It's built into Gens v2.10-mk1. Here's one place you can get it:

http://shedevr.org.ru/utils/Files/Gens210-mk1-bin.zip

I'll probably add it to my web site in the near future.

Also, if your PAR code has an odd numbered address, and you don't find any good matches in the ROM, try subtracting 1 from it and search again (eg. if F421 doesn't get any good matches, try F420).

IMPORTANT: Remember, you can NOT convert a PAR code that begins with "FF" into a working Game Genie code. You can only use a PAR code to help you find the right ROM address, which can then be turned into a Game Genie code.

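The hex code to Game Genie code conversion described above, written out as an added example (this is not the author's conversion program). The symbol alphabet and bit layout are the commonly documented Genesis Game Genie scheme, which this guide does not spell out; they reproduce the codes quoted in this guide, and the function names are my own.

```python
"""Sega Genesis Game Genie code <-> "AAAAAA:VVVV" hex code (added example)."""

# The 32 symbols a Genesis Game Genie code may use; each one carries 5 bits.
ALPHABET = "ABCDEFGHJKLMNPRSTVWXYZ0123456789"

# Where each of the 40 code bits comes from, first symbol's top bit first.
# Upper case A..X = address bits 23..0, lower case a..p = value bits 15..0.
LAYOUT = "ijklmnopIJKLMNOPABCDEFGHdefghabcQRSTUVWX"


def _source_bit(ch):
    """Map a LAYOUT letter to (is_address, bit index within that field)."""
    if ch.isupper():
        return True, 23 - (ord(ch) - ord("A"))
    return False, 15 - (ord(ch) - ord("a"))


def encode(hex_code):
    """'003126:6004' -> 'AT2T-AA3G'. Enforces the guide's two address rules."""
    addr_text, value_text = hex_code.split(":")
    if len(addr_text) != 6 or len(value_text) != 4:
        raise ValueError("expected 6 address digits and 4 value digits")
    addr, value = int(addr_text, 16), int(value_text, 16)
    if addr & 1:
        raise ValueError("ROM address must be even")
    if addr >= 0xFF0000:
        raise ValueError("FFxxxx is RAM (a PAR code), not a ROM address")
    bits = 0
    for ch in LAYOUT:
        is_addr, index = _source_bit(ch)
        bits = (bits << 1) | (((addr if is_addr else value) >> index) & 1)
    symbols = [ALPHABET[(bits >> shift) & 0x1F] for shift in range(35, -1, -5)]
    return "".join(symbols[:4]) + "-" + "".join(symbols[4:])


def decode(code):
    """'AT2T-AA3G' -> '003126:6004'."""
    symbols = code.replace("-", "").upper()
    if len(symbols) != 8 or any(s not in ALPHABET for s in symbols):
        raise ValueError("a code is 8 symbols from " + ALPHABET)
    bits = 0
    for s in symbols:
        bits = (bits << 5) | ALPHABET.index(s)
    addr = value = 0
    for position, ch in enumerate(LAYOUT):
        bit = (bits >> (39 - position)) & 1
        is_addr, index = _source_bit(ch)
        if is_addr:
            addr |= bit << index
        else:
            value |= bit << index
    return f"{addr:06X}:{value:04X}"


if __name__ == "__main__":
    # Hex codes and Game Genie codes quoted in this guide.
    for sample in ("003126:6004", "00AA82:600A", "046BA4:6004"):
        print(sample, "=", encode(sample))
    for sample in ("AA2A-ACC8", "AE2A-ACC8"):
        print(sample, "=", decode(sample))
```

Decoding an existing code this way gives the ROM address it patches, which is a quick way to see which instruction or value a published code changes.
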
NOTE: If you're having trouble getting Genecyst to run on your PC (Win XP?), there are lots of other emulators and utilities that can do RAM dumps or convert .smd ROMs into .bin ROMs. One good place to find them is at www.zophar.net. (DGen can do RAM dumps.)

Below, when I say "search ROM", use a hex editor and DON'T include any spaces. I've included spaces to make it easier to read. Also, when you're searching a ROM, keep in mind that an instruction (opcode) will always start at an EVEN address.

There are many different ways to program games, so the code making methods described below may not work for your particular game. If I get enough feedback on this doc, I'll add to it in the future.

One last item before we continue the tutorial... Below, I use a game called "Hard Wired" in a couple of examples. Hard Wired is a public domain ROM, which means it's OK to download it and have it on your PC. As far as I know, there were never any Game Genie codes made for it, so I thought it would be a good game to make codes for. You can get the ROM from here: www.zophar.net

======================================================
Section 2: How to make "Start with more" type codes
======================================================

To make a "start with more lives" code (or any type of start with more code), find the RAM address for lives (or whatever), then search ROM for:

11FC 00 nn aaaa

nn = number you start with of whatever (usually in hex).
aaaa = RAM address.

Example: Sonic 1 (or Sonic 3)...
You start with 3 lives, and the RAM address for lives is FE12, so ROM search would be: 11FC 0003 FE12. Change the "03" to a higher value to start with more lives.

This method seems to work with many games. If it doesn't work, try searching ROM for: 00 nn aaaa or: FC 00 nn aaaa.

The number of items (ammo, etc) in the ROM is usually in hex, but not always. So if you don't get any matches using hex, try using decimal.
Also note that this method probably won't work with some RPG type games, because they use a different way to load info into RAM.

"11FC" is a MOVE instruction (1 byte), so it probably only works on items that can have 255 or less.

------------------------------------------------------

If the item you want to make a code for can have 256 or more, then search for:

33FC nnnn 00FF aaaa

nnnn = number you start with of whatever (usually hex).
aaaa = RAM address.

Example... Hard Wired: (you can get this ROM from www.zophar.net)
You start with 9999 cannon bullets, and RAM address for bullets is 01A4. (9999 = 270F in hex.) So ROM search would be: 33FC 270F 00FF 01A4. Change "270F" to a higher or lower number to let you start with more or less bullets.

33FC is a MOVE instruction (2 bytes), so it is used on items that have amounts from 0 to 65,535.

Some games (ie. Desert Strike) will use the 33FC instruction on items that have very low numbers. In the Desert Strike ROM, the coding that loads the number of lives (03) looks like this: 33FC 0003 00FF 100E. So keep that in mind if you can't find a match using the "11FC" method above.

This method seems to work with many games. If it doesn't work, try searching ROM for: FC nnnn 00FF aaaa.

-----------------------------------------------------

If the amount of the item can be over 65,535 then try this method: search ROM for:

23FC nnnn nnnn 00FF aaaa

nnnn nnnn = number of item you start with.
aaaa = RAM address.

-----------------------------------------------------

If you don't know the RAM address (or PAR code), you can try a search for: 11FC 00 nn, where nn is the number you start with of that item. Or if the amount can be over 255, then search for 33FC nnnn 00FF, where nnnn is the amount of the item you start with (usually in hex).

You'll usually need to change the number of lives, bullets, etc into hex numbers for your search, but not always. If you don't get any matches with hex, try using decimal instead.
And don't forget to remove any spaces when you enter in your search string into the hex editor. For example, above I said to search the ROM for this: 33FC 270F 00FF 01A4, but you would actually type it into the hex editor like this: 33FC270F00FF01A4. I add spaces to make it easier to read.

=======================================================
Section 3: How to make "Infinite" type codes (method 1)
=======================================================

Infinite Lives, or things that are subtracted by one at a time (inf ammo, etc). For things that are subtracted by MORE than one at a time (energy, gold, etc), see section 4 below.

Find the RAM address for lives (or whatever), then search ROM for:

5338 aaaa

aaaa = RAM address.

Then change the 5338 to 60xx for infinite amount.

UPDATE.... 60xx is a branch instruction (opcode). Which branch instruction you use for your Game Genie code depends on how the game is programmed. Branch opcodes are one of the most common replacement instructions used in Game Genie codes, so it's a good idea to get familiar with them. Here's some more info on branch instructions:

Simply put, a branch instruction makes the program skip ahead a little. The amount it skips ahead is determined by the 2nd byte of the branch instruction. So if the branch instruction is 6002, it will skip ahead 2 bytes, if it's 6004, it will skip ahead 4 bytes, and so on.

NOTE: This is one part of this doc that would be much easier to explain using a disassembler, but one purpose of this doc is to show you how to make Game Genie codes WITHOUT using a disassembler, so I'll explain this the best I can.

The branch instruction you use for your Game Genie code must skip ahead to the right place, or else it may cause the game to crash. In the sample below, this is part of the game program:

53 79 00 FF 01 A4

When you use the Game Genie code I made it looks like this:

60 04 00 FF 01 A4

The 6004 makes the game skip ahead 4 bytes, which would be right after the "A4".
This will give you infinite ammo because instead of subtracting from your ammo (which is what the original 5379 instruction did), the game will just skip past that part. The "00 FF 01 A4" is the RAM address, and it is 4 bytes long, so that's why I tried 6004 as my replacement instruction for my Game Genie code. 6004 makes the game skip to the END of the RAM address.

Other branch instructions may work, but you shouldn't use one that "splits up" a RAM address or goes to the beginning of a RAM address, because the game won't know what to do once it gets there. In other words, you should have your branch instruction skip ahead to another instruction. As I said before, a disassembler would help you figure out where the next instruction is, so if you want to use one, go ahead. To find a Genesis disassembler, just do a Google search for: Sega-asm.zip.

If all of this stuff seems like too much trouble, just start out by using 6002. If that doesn't work, try 6004 and so on until you get a code that works. You'll find that 6002 or 6004 are the most common branch opcodes used in Game Genie codes. Branch opcodes will always be an even number.

If you use Genecyst when you test your codes and the game crashes, just press the space bar and it will tell you why the game stopped. You can use this info to help you find the right branch instruction. If it says "invalid op code ???? PC = xxxxx", xxxxx is the ROM address where the problem occurred, and ???? is the op code that it didn't understand.

Example: Batman Returns...
RAM address for lives is FE32, so ROM search would be 5338 FE32. Change the 5338 to 600A.
Hex code is 00AA82:600A
Game Genie code is BLZA-AA6C = infinite lives. (I made this code.)

Another example: Infinite lives for Sonic 1...
RAM address for lives is FE12. So ROM search would be: 5338 FE12. Change the 5338 to 6032 for inf lives.

5338 is a SUB (subtract) instruction.
60?? is a BRA (branch) instruction.

-------------------------------------------------------

If the amount of the item you want an infinite code for can be over 255, then try this... Search ROM for:

5379 00FF aaaa

aaaa = RAM address.

Change the 5379 to 60xx.

Example... Hard Wired: (you can get this ROM from www.zophar.net)
RAM address for cannon ammo is 01A4, so ROM search would be: 5379 00FF 01A4. I changed the "5379" to 6004 and got infinite ammo! Here's the hex code and Game Genie code:

046BA4:6004 = AVZT-JA7E Infinite cannon ammo. (I made this code.)

Also try this method if the "5338" method doesn't work.

=======================================================
Section 4: How to make "Infinite" type codes (method 2)
=======================================================

This section applies to things that are subtracted by one, or MORE than one at a time (ie. energy, gold, etc). For things that are subtracted by one at a time (lives, ammo, etc), see section 3 above. Also, read the "UPDATE" in section 3 above to help you figure out which branch instruction to use in your Game Genie code. And read the "message board post" towards the end of this doc for more info.

There are so many different ways for games to be programmed to subtract from your energy (or gold, or whatever), that this section may not work for your particular game. I will try and add to this section in the future.

Use this method if the amount of whatever you're trying to make a code for is 255 or less. Usually, most infinite energy type codes use this method.

Find the RAM address for whatever you're trying to make the code for (energy, gold, etc). Then search ROM for:

9138 aaaa

aaaa = RAM address

Then change "9138" to 60xx for infinite amount. (see section 3 for info on picking the right 60xx).

Example: Batman Returns...
RAM address for energy is FE31, so ROM search would be: 9138 FE31. Change the "9138" to 600A for infinite energy.

------------------------------------------------------

Use this method if the amount of whatever you're trying to make the code for can be over 255 (from 0 to 65,535). Usually, most infinite gold (or don't get charged in shops) type codes use this method.

Find the RAM address for whatever you're trying to make the code for (energy, gold, etc). Then search ROM for:

9179 00FF aaaa

aaaa = RAM address

Then change "9179" to 60xx for infinite amount. (see section 3 for info on picking the right 60xx).

Example: Land Stalker...
I wanted to make a "don't get charged in shops" type code. RAM address for gold is 120E, so ROM search would be: 9179 00FF 120E. I searched the ROM for 00FF 120E, and on the 8th match I found this: 9179 00FF 120E. I changed the "9179" to 6004 (a branch instruction) and the code worked! Here's the Game Genie code I made for Land Stalker:

0177D6:6004 = AV5T-CA80 Items in shops are free! (as long as you have enough gold.) Also works at Inns. I've only tested it in a few shops so far.

-------------------------------------------------------

If those methods don't work, try searching ROM for:

9xxx ?? ?? aaaa

?? ?? = 00 FF (may or may not be there)
aaaa = RAM address

Basically, start searching the ROM for the RAM address, and every time you get a match, see if there is a 9xxx, or 9xxx 00FF right before it.

As I said before, I will try and add to this section in the future, because there are many methods that I didn't cover here.

=======================================================
Section 5: How to make "Pick-ups are worth more" codes
=======================================================

Things are worth more on pick-up...

On Sonic 1, the codes that make rings worth more look like this in the ROM... (RAM address for rings is FE20)

without code: 5278 FE20 (rings worth 1)
with code:    5478 FE20 (rings worth 2)
with code:    5678 FE20 (rings worth 3)
with code:    5078 FE20 (rings worth 8)

(ie. GG (hex) code for rings worth 3 = xxxxxx:5678)

So if item is worth 1 on pick-up, ROM search would be:

5278 aaaa

aaaa = RAM address.

Then change the "5278" to xx78 (see above) to get more of that item on pick-up.

=======================================================
Section 6: How to use existing codes to make new codes
=======================================================

This section kinda shows you how you can use existing codes (PAR or Game Genie) to make new codes.

I have a "Game Master" book (by Jeff Rovin) that had an interesting PAR code in it for Sonic the Hedgehog: FFFFFA:0001 which lets you access the game's "Debugger". I decided to try and make a Game Genie code that did the same thing.

The RAM address is FFFA, so I used my hex editor, and searched the ROM for FFFA. On the 11th match, this is what I found: 11FC 0000 FFFA. What this is doing, is it's telling the game to have the "Debugger" OFF. By changing the 0000 to 0001, you are telling the game to turn the Debugger ON.

Here's the Game Genie code I made for Sonic 1: (hex code and Game Genie code)...

00310A:0001 = AE2T-AAAL Enable Debugger! Press the A, B, or C buttons for all kinds of cool effects! You can design your own level by placing items anywhere on the screen. While the code is on, you will have infinite time, and be invincible!

You can combine the "Enable Debugger" code above with the "Start on level" codes I made below to let you use the Debugger on any level you want. Instructions for how I made these "start on any level" codes are in section 7 (below).

AA2A-ACC8 Start on level 2 (Labyrinth Zone).
AE2A-ACC8 Start on level 2, Act 2 (Labyrinth Zone, Act 2).
AA2A-AEC8 Start on level 3 (Marble Zone).
AA2A-AGC8 Start on level 4 (Star Light Zone).

If you're going to try these codes, don't forget to use the master code (ATBT-AA32).

NOTE: I know that there are "controller button" type codes for the Sonic games that let you access the level select screen, and the debugger, but I wanted to include these codes in my tutorial so that you could see how to achieve the same thing with Game Genie codes.

-------------------------------------------------------

I used the exact same method described above to make an "Enable Debugger" Game Genie code for Sonic 3. I searched the ROM for 11FC 0000 FFFA. There was only one match.

Sonic the Hedgehog 3 (hex code and Game Genie code)...

00362A:0001 = AE5A-AABL Enable debugger. (If you're using an emulator, "reset" the game after you enter the GG code.)

NOTE: I haven't tried this method on Sonic 2 yet, but I'm pretty sure it will work.

-------------------------------------------------------

Galoob code for Sonic 1: Don't lose rings when hit

AWRT-AA5W = 009D72:6004

This is what it looks like in the ROM: 31FC 0000 FE20. FE20 is the RAM address for rings. The Galoob code changes the 31FC to 6004, thus preventing the game from setting your rings to 0000 when you're hit. By making a Game Genie code to change the "0000", you can get as many rings as you want after getting hit (see example code I made below).

In short, the code above does this: 31FC loads 0000 into RAM address FE20 (rings you have) when you're hit.

Here's a sample code I made for Sonic 1...

GLRT-AADY = 009D74:0032 Ring count goes to 50 after getting hit.

Change the 32 in the hex code to whatever number of rings you want after you get hit.

=======================================================
Section 7: How to make "Start on any level" type codes
=======================================================

Making a "start on any level" code can be surprisingly easy. To make the Game Genie code, you first need to find the RAM address for the level you're on. If you can find a PAR code, great, but if not, you'll have to make one.
To make a PAR code (which will tell you the RAM address), start on level 1, then do a RAM dump. Get to level 2 and do another RAM dump. Get to level 3 and do another RAM dump, etc... Then use a program like SuGAR (from www.GSCentral.com) to search the RAM dumps. Make sure you rename each RAM dump before you do the next one, or else it will get overwritten.

Try searching the first dump for 1, search the second dump for 2, etc. If that doesn't work, try searching the first dump for 0, search the second dump for 1, etc. If none of those work, try searching for "greater than" or "not equal to".

Once you have your RAM address for levels, search ROM for:

FC xxxx aaaa

xxxx = level you start the game on
aaaa = RAM address

Usually, xxxx will be either 0000, or 0001, so try searching for FC 0000 aaaa, or FC 0001 aaaa. Change 0000 (or 0001) to whatever level you want to start on. But remember that some games don't always start on level 00, or 01. For example, Sonic & Knuckles starts on "Mushroom Hill Zone" which is actually level 07, so in that case you would search for: FC 0007 FE10. (FE10 is the RAM address for levels).

Some games (like Sonic 1, 2, 3, and Sonic & Knuckles) use both bytes for deciding which level (and act) to start with.

Example: Sonic 1...
RAM address for level is: FE10, so ROM search would be: FC 0000 FE10. By changing the 0000, you can start on any level (or any act) you want.

Here are some codes I made for Sonic the Hedgehog...

AA2A-ACC8 Start on level 2 (Labyrinth Zone).
AE2A-ACC8 Start on level 2, Act 2 (Labyrinth Zone, Act 2).
AA2A-AEC8 Start on level 3 (Marble Zone).
AA2A-AGC8 Start on level 4 (Star Light Zone).

NOTE: You can modify the codes above to start on any level (or any act) you want. If you want to change the level you start on, alter the 6th digit. If you want to change the act you start at (ie. level 2, act 2) then alter the 2nd digit.

If you're going to try these codes, don't forget to use the master code (ATBT-AA32).

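The hex-editor searches from sections 2 through 6 can be run in one pass over a converted .bin ROM. The scanner below is an added example, not a tool from this guide: it checks every opcode pattern the guide lists against one RAM address, keeps only matches that start at an even offset, and prints a first hex code to try. The ROM bytes and the function names are constructed for the demonstration.

```python
"""Scan a .bin Genesis ROM for the opcode patterns this guide searches for.
Added example; the sample ROM is constructed, not taken from any game."""

# opcode -> (description, immediate bytes before the address, address form)
# "short" = aaaa, "long" = 00FF aaaa. All opcodes come from this guide.
OPCODES = {
    0x11FC: ("load byte", 2, "short"),
    0x31FC: ("load word", 2, "short"),
    0x33FC: ("load word", 2, "long"),
    0x23FC: ("load long", 4, "long"),
    0x5338: ("subtract 1", 0, "short"),
    0x5379: ("subtract 1", 0, "long"),
    0x9138: ("subtract", 0, "short"),
    0x9179: ("subtract", 0, "long"),
    0x5278: ("add 1", 0, "short"),
}


def _suggest(rom, start, desc, imm_len, addr_len):
    """Return the first hex code (AAAAAA:VVVV) worth trying for a match."""
    if desc.startswith("subtract"):
        # Branch over the RAM address operand: 6002 or 6004. Some games
        # need a longer branch (section 3), so treat this as a first try.
        return f"{start:06X}:60{addr_len:02X}"
    if desc == "add 1":
        return f"{start:06X}:5478"  # pick-up worth 2 (section 5)
    # Load instructions: show the current starting amount at its own
    # address; raise the value part to start with more.
    current = int.from_bytes(rom[start + imm_len:start + imm_len + 2], "big")
    return f"{start + imm_len:06X}:{current:04X}"


def find_candidates(rom, ram_addr):
    """List (offset, opcode, description, hex code) for one RAM address."""
    hits = []
    for opcode, (desc, imm_len, form) in OPCODES.items():
        addr_bytes = ram_addr.to_bytes(2, "big")
        if form == "long":
            addr_bytes = b"\x00\xFF" + addr_bytes
        head = opcode.to_bytes(2, "big")
        start = rom.find(head)
        while start != -1:
            operand_at = start + 2 + imm_len
            operand = rom[operand_at:operand_at + len(addr_bytes)]
            # Instructions always start at an even address (section 1).
            if start % 2 == 0 and operand == addr_bytes:
                code = _suggest(rom, start, desc, imm_len, len(addr_bytes))
                hits.append((start, f"{opcode:04X}", desc, code))
            start = rom.find(head, start + 1)
    return sorted(hits)


def build_sample_rom():
    """Constructed 64-byte image holding patterns of the kind shown above."""
    rom = bytearray(0x40)
    rom[0x08:0x0E] = bytes.fromhex("11FC0003FE12")      # start with 3 lives
    rom[0x10:0x14] = bytes.fromhex("5338FE12")          # lose one life
    rom[0x21:0x25] = bytes.fromhex("5338FE12")          # odd offset: data
    rom[0x30:0x38] = bytes.fromhex("33FC270F00FF01A4")  # start with 9999
    return bytes(rom)


if __name__ == "__main__":
    sample = build_sample_rom()
    for ram in (0xFE12, 0x01A4):
        for offset, opcode, desc, code in find_candidates(sample, ram):
            print(f"RAM {ram:04X}: {opcode} ({desc}) at {offset:06X} -> {code}")
```

The match at the odd offset 0x21 is dropped, which is the same filtering you do by eye when a hex editor shows a hit that cannot be the start of an instruction.
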
=======================================================
Section 8: If all else fails
=======================================================

If you can't find any good ROM matches using the methods above, try searching the ROM for the RAM address by itself. Look carefully at each match and see if any of them resemble any of the methods described above.

=======================================================
Last section: Message board post
=======================================================

This is a post I made at the GSCentral.com message boards. It has to do with the Sega Genesis game: Batman Returns. I'm including it in this doc because there's some good info in it.

Tony Hedstrom wrote:

Doc, when you get the ROM, you'll need to convert it into a different format (from .smd to .bin) before you make Game Genie codes with it. For instructions on how to do that (it's very simple) read my doc called "How to make Sega Genesis Game Genie codes (advanced)" or "How to hack Game Genie codes into a Sega Genesis ROM". You can get those from here at GSCentral.com (in the "Hacking" section) or from my web site.

Here is a very quick explanation of how the BLYT-AA4R invincibility Galoob code is made, and how it works. This may help you figure out how to make the code you're looking for.

Just as with NES and SNES, we can use a PAR code to help us find a Game Genie code. Remember that a Genesis PAR code that begins with "FF" is modifying a RAM address, but a Game Genie can only modify ROM addresses.

In an earlier post, Phil the Hammer posted some PAR codes. Here's the one for infinite energy:

FFFE31002C> Infinite Energy

By looking at this PAR code, we know that the RAM address for Batman's energy is: FE31. Some games will stretch that out to 00FFFE31 when addressing it in the ROM, but not in this case.

So all we need to do to make a Game Genie code for infinite energy is find the part of the ROM that subtracts from Batman's energy when he's hit.
If there was a debugger for a Genesis emulator, this would be fairly easy, but no one has made one yet, so we have to find it the old fashioned way, with a hex editor and a little Motorola 68000 (M68K) assembly knowledge. If you'd like, you can use a disassembler instead of a hex editor. Either way will work.

If you open up your converted Batman Returns ROM with a hex editor, then do a search for FE31 (the RAM address for Batman's energy) we know that one of the matches is the right area of the ROM to make our code from. The only problem is that there are LOTS of matches. Here's how to narrow down the number of matches...

We know that the game subtracts from the value in RAM (FE31) whenever Batman is hit, so we should look in the ROM for SUB (subtract) instructions right before the RAM address. The type of SUB (subtract) instruction we're looking for is 4 digits (2 bytes) long, and it begins with 9. So we would search the ROM for this: 9??? FE31.

If you look at the 11th match of FE31, at address $00A950, the 2 bytes right before it are: 9138. 9138 is a SUB (subtract) instruction, so this may be it.

All we need to do now is make a Game Genie code to prevent the game from subtracting from FE31 (Batman's energy). There is more than one way to do that, but in the Galoob code, they replaced the 9138 instruction with a 600A instruction (which is a BRA (branch) instruction). In short, this prevents the subtraction from taking place, thus giving you infinite energy.

Here's a little trick you can use if you think you've found the right address, but you're not sure which M68K instruction to use for the Game Genie code... use 4E71 as the replacement instruction. 4E71 simply tells the game to do nothing (NOP). The code may work with this instruction, or the game may do something weird when the code should be working (ie. crashing, etc), but at least you'll know you probably have the right address. Then it's just a matter of figuring out the right instruction.
If the code does absolutely nothing when using 4E71, then you probably have the wrong address. This trick doesn't always work, but it's worth a try.

Well, I'm hoping that will help you to figure out how to make your code. As I mentioned before, I'm still learning this stuff, so if anyone out there knows about Genesis asm (M68K), and can add to this (or point out any mistakes I may have made), please do so. Information on this subject (and how it's used with the Game Genie) is almost non-existent. I'm having to learn this stuff mostly by trial and error.

Tony Hedstrom.

=======================================================

Well, that's it for now. If you have any questions, you can email me at:

Tony Hedstrom
t_hedstrom@yahoo.com

My web site has LOTS of codes, and LOTS of info on how to make them. Here's the address:

http://www.angelfire.com/games2/codehut/

To be continued??...

I'm working on a huge addition to this guide. It'll be a separate doc. Here are a few of the items covered:

How to make codes when other methods fail
How to make Master codes
How to make regional lockout bypass codes
How to find controller cheats in the ROM
Common 68000 opcodes (and their hex numbers)