------------------------------------------------------------------------------- | How to Make Gameboy Game Genie Codes with a Debugger | Version 1.0 (Friday, May 6, 2005) | by John Ratliff | Copyright (C) 2005 emuWorks (http://games.technoplaza.net/) | Licensed under the Free Documentation License | See http://www.gnu.org/licenses/fdl.html for more information. ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- | Table of Contents ------------------------------------------------------------------------------- 1.0 Introduction 2.0 Tools 3.0 Making Codes with the Debugger 3.1 Common Debugger Questions 3.2 The Process 3.3 Finding the RAM Address using a Gameshark Code 3.4 Finding the RAM Address using the Cheat Searcher 3.5 Using the RAM Address with the Debugger 3.6 Problems & Solutions 4.0 Common / Useful Opcodes 5.0 Conclusions ------------------------------------------------------------------------------- | 1.0 Introduction ------------------------------------------------------------------------------- Welcome to the not so exciting world of making game genie codes for Gameboy and possibly Gameboy Color. In this guide, you'll learn how to use free tools to create game genie codes to impress your friends and score with chicks. Having never done either of those things, I'm still confident this guide will help you do that, unless you don't want to, in which case it won't. Let's start with some of the most basic questions you might have. Q: Why would anyone want to make game genie codes? A: I don't know. I do it because I'm bored as hell and have nothing better to do. Your reasons may be more or less impressive. Q: Who are you, and what are you doing here? A: I'm some loser who was inspired by a game genie god named Tony Hedstrom to make codes. I started out by modifying codes other people had made, making nearly a hundred based on codes by Tony Hedstrom whom I later came to worship as a deity. Tony wrote some guides describing the use of debuggers for creating game genie codes for the NES, which is also largely applicable to the SNES and applicable (but not as largely) to other systems. Using the techniques he described, I was able to make many game genie codes for varying games on the Nintendo, Super Nintendo, and even the Gameboy. I'm here to teach you what I've learned as it applies to the gameboy. Q: Do you need a Gameboy or Gameboy Color to make game genie codes? A: I don't know. I've never owned a Gameboy game genie. So I have no idea if anything I'm doing works on a real Gameboy. That being said, my techniques work remarkably well on emulators, so I'm going to assume that they work on the real thing, too. Q: Wait a minute. The game genie didn't work on the Gameboy Color. A: I have no idea if the game genie worked on the real Gameboy Color, having never owned an actual game genie. I've heard stories that it works, doesn't work, that it works for some games but not others, or that it can work if you do certain tricks. The important thing is, who has a real gameboy anymore? Not counting GB Advance or DS. So, all my work is geared strictly towards emulation. If it doesn't work on the real thing, well, sorry. Q: Why are you writing this? A: As a tribute to my mentor, Tony Hedstrom. Without him I would never have been able to write this or make cool codes and waste hours finding them. I was also inspired to write some programs based on our conversations. Second, and probably just as important, I'm still bored as hell. Q: Does the game genie work on the Gameboy Advance or DS? A: As far as I know, no. Remember, never owned one. They have no support in the GB Advance emulators I've used. Q: If Tony Hedstrom wrote a guide about using debuggers to find game genie codes, what's the point of this one? A: His guide is geared towards the NES. It covers the NES tools, the example is for an NES game, and the opcodes are for the NES (65c02). It works pretty well for the SNES, and if you're smart, just fine for Gameboy or any other system with the right kind of debugging emulator. This guide is geared towards the Gameboy (and Gameboy Color, maybe). It will help with more specific Gameboy information than the guide written by Tony Hedstrom. ------------------------------------------------------------------------------- | 2.0 Tools ------------------------------------------------------------------------------- To make game genie codes with a debugger, you will need several things. 1) A Gameboy emulator with a debugger 2) A Gameboy ROM (no, I won't help you find them -- don't ask) 3) Paper You might not need that last thing, but I find it useful. I have tons of paper with scribblings all over it. Since I won't help you find the second thing, and I'll assume you have the third one, let's focus on the first one. There are a number of Gameboy emulators. They all have one thing in common: they all suck. I don't know why, but every single one seems to be crappy for one reason or another. But let's not dwell on that. Let's just focus on one we can use for our purposes: BGB. I don't know what it stands for, but it's the only one I've found that is usable for our purposes. Why BGB? It's the only one I've found with a memory access breakpoint debugger, or MABD (okay, no one uses that acronym, but I like acronyms). And this is the most important tool in our trade. It also has a cheat searcher that I'm less impressed with, but anyways... You can download the latest version of BGB from http://bgb.bircd.org. It should also be available on http://www.zophar.net. Be aware it only runs on Windows. Now that you have your tools, it's time to use them to make some codes. ------------------------------------------------------------------------------- | 3.0 Making Codes with the Debugger ------------------------------------------------------------------------------- Okay, we've covered the basics, and now we're ready to do what I said you would learn here. Let's answer some questions about the debugger and game genie codes. ------------------------------------------------------------------------------- | 3.1 Common Debugger Questions ------------------------------------------------------------------------------- Q: What is a debugger? A: Well, it's a program that allows us to inspect other programs while they're running. In our case, it will allow us to look at the program for a Gameboy game while it's running. Q: Why is this useful for making game genie codes? A: Well, because what game genie codes actually do is change the Gameboy game program. But, to know what to change, we will need to examine the program. Q: Can't we do that with a hex editor? A: Yes, but there are many problems with using a hex editor. First, it can be incredibly difficult to know what the code is doing when you can't see it run. The code will be in machine language, and will all run together. Numbers may represent code, arguments to functions, or data, and they are practically indistinguishable from each other. In addition, Gameboy games are bank switched. Simply put, this means different parts of the program are used at different times, and others cannot be seen by the Gameboy. The consequence of this is that one address may be used for many different pieces of code. Without a good understanding of how the ROM is put together, it is very difficult to know which address you are changing. The debugger solves (or helps) with both of these problems. You will be able to see the code in the debugger as assembly, as well as machine code, and it won't be all run together. Each instruction will be on it's own line, and you will be able to see the result of the instruction as it affects the registers and flags. In addition, since the program will be running, you will know with absolute certainty which code corresponds with what address. ------------------------------------------------------------------------------- | 3.2 The Process ------------------------------------------------------------------------------- Okay, now that we have most of the questions answered, let's go over the technique. Start up BGB and load your ROM. For this example, I'm going to use the Crystalis ROM which was a remake of Crystalis for Color Gameboy. We're going to make an infinite HP code. ------------------------------------------------------------------------------- | 3.3 Finding the RAM Address using a Gameshark Code ------------------------------------------------------------------------------- Now, to use the debugger, we need to have a RAM address that corresponds to the hero's HP. There are a couple of ways to get an address. One way that works pretty well is to find a Gameshark code. We can extract the address from the Gameshark code. You can find Gameshark codes for Gameboy at http://www.gscentral.com/. There is an infinite HP Gameshark code for Crystalis: 01FFC8C2. Gameshark codes have 8 hex digits. The last four are the address in little endian configuration. This means you need to put the last two numbers first. So, we just take C8C2 and make it C2C8. And this is our address. ------------------------------------------------------------------------------- | 3.4 Finding the RAM Address Using the Cheat Searcher ------------------------------------------------------------------------------- Another way to find the address is to use a cheat searcher. BGB's cheat searcher is one of the things that makes it suck. However, it does work, so I'll show you how to use it now. Right click the menu, select Other, then cheat searcher. This will bring up a dialog. If your value is between 0 and 255, click 8 bits and Start. For values between 256 and 65,535, click 16 bits, then Start. We can't use BGB's cheat searcher for numbers larger than this. After pressing start and waiting a few seconds, it will display a bunch of addresses. This is our pool of addresses. Now we can start searching. Let's say the hero's current HP is 48. Click "this value", and enter 30. Why 30? Well, because BGB only searches hex values in the same little endian order as the processor uses. 30 hex = 48 decimal. If you don't know how to convert, use the Windows calculator. Now click search. The number of addresses displayed above should decrease. Keep changing the number you're searching for (i.e. for HP, go get hit and search for the new value) until you only have one address left. Sometimes, you can only get down to two or three. That's okay, you can always try one at a time until you find the right one. In this case, we find the address C2C8, which is the same as the Gameshark address we had earlier. Note that if you're searching for a 16-bit value, you need to reverse the bytes. So, if you were searching for 28,038 for instance, which is 6D86 hex, then you should search for 866D with the cheat searcher. ------------------------------------------------------------------------------- | 3.5 Using the RAM Address with the Debugger ------------------------------------------------------------------------------- Now that we have an address, we can start using the debugger. In BGB, right click to open the menu, select other, then debugger. Another dialog will show up. Click the debug menu, and choose access breakpoints. Where it says "addr range", put your address (and no, it doesn't have to be backwards this time). Then click add. This will setup a write breakpoint on this address. In other words, the program will stop anytime something is written to this address and the debugger will come up. Now that we have a breakpoint, click back on the game window and go get hit. When you do, the debugger should come back up highlighting the current instruction which is about to write to our address. In this case, we get RO7E:49F0 EA C8 C2 ld (c2c8),a There is also a lot of other information. Here is one opportunity to make an infinite HP code. This instruction says, load the value of the a register into the address C2C8. Since we know the address C2C8 corresponds to our hero's HP, we know that the hero's HP will become whatever value is in the a register after this instruction is run. Since we don't want the hero's HP to change, here is an opportunity to change the program and make a game genie code. One way we might change this is that instead of loading the a register into the address C2C8, we might load the value of address C2C8 into the a register. To do that, we need to change the machine opcode. The opcode is the first (and often only) of those numbers following the ROxx:aaaa. I will use ROxx to refer to the first four letters there. The xx can be many things, and it tells us which ROM bank is currently loaded. This is generally useless information to us. The number after the colon, the aaaa is the address of the program. This is different from our hero's HP address. This is the address of the code we are going to change. Our address here is 49F0. The next number, EA is the machine opcode. This is the opcode for ld (aaaa),a. The final two numbers are what tell the machine that aaaa should be the address C2C8 (note that it's backwards because that's how the machine uses numbers). If instead of loading a into C2C8, we want to load C2C8 into a, we can change EA to FA. How did I get this? Well, I just happen to know that one, but we'll cover some useful changes in a minute. Now to use our information to make a code. Here's the important stuff. We need the address (49F0), the opcode we are replacing it with (FA), and the opcode it currently uses (EA). Now we can make a code. Right click to open the menu, and select Cheat. Choose Add, and fill in the values. Address if 49F0. New value is FA. Old value is EA. You can add a comment if you want, but leave code blank. Now click okay. At the top of the cheat list is your new code, which BGB has already converted to a Game Genie code for you. The new game genie code is FA9-FOB-4C1. If you click on the code and push the enable button, you can see if it works. If you can walk into monsters and not get hurt, then you have a good code. ------------------------------------------------------------------------------- | 3.6 Problems & Solutions ------------------------------------------------------------------------------- But there is a small problem with this code. It doesn't prevent you from dying. Everything is fine if the hit from the monster wouldn't have killed you anyway, but if it would have, you still die. Maybe we can make a better code. Disable the code in the cheat dialog if you have it enabled and let's go get hit again. The debugger comes back up to RO7E:49F0 EA C8 C2 ld (c2c8),a But instead of looking at this instruction, we are going to look back at some of the instructions that preceeded it. R07E:49E6 FA C8 C2 ld a,(c2c8) RO7E:49E9 90 sub b RO7E:49EA DA B9 2F jp c,2fb9 RO7E:49ED CA B9 2F jp z,2fb9 RO7E:49F0 EA C8 C2 ld (c2c8),a If you have a little knowledge of z80 assembly (or are willing to learn), we can see some very useful code here. 1. First, it loads the value of C2C8 (the hero's current HP) into the a register. [ld a, (c2c8)] 2. It subtracts the value of the b register from the a register. [sub b] 3. If the carry bit is set, the program jumps to address 2FB9. [jp c,2fb9] 4. If the zero bit is set, the program jumps to address 2FB9. [jp z,2fb9] 5. Load the a register's value into C2C8. [ld (c2c8),a] 1, 2, and 5 are easy to understand. 3 and 4 are more complicated, but only at first. Simply put, if the carry bit is set, it means the result of the subtraction was negative. In other words, the hit caused more damage than the hero's HP. The hero should die here. If the zero bit is set, then the hit caused exactly as much damage as the hero's HP. The hero should die here also. Since we want to prevent the hero from dying, why not stop the subtraction? We can do that by replacing address 49E9, which currently has opcode 90, with opcode 00. Opcode 00 is called a NOP (no operation). In other words, the machine will just do nothing. If there wasn't a subtraction, then neither the zero flag nor the carry flag will be set, and we won't take the hit from the monster, and thus we won't die. So our new code uses address 49E9, new value 00, and old value 90. The game genie code is 009-E9B-A28. When we try this code out, we see that now even strong monsters hits can't kill us. ------------------------------------------------------------------------------- | 4.0 Common / Useful Opcodes ------------------------------------------------------------------------------- So, now you have seen a couple of examples of using the debugger to find codes. You know how to find an address to search for, and you know how to use the debugger to help locate that address during writes. Will they always be just like the examples? No, but there are some simple rules you can try. Most z80 opcodes are one byte. In other words, instead of FA C8 C2 = ld a,(c2c8), we usually have just one byte. This was the case with when we replaced the subtraction, which was simply opcode 90. Often times, you can simply replace opcodes with a NOP (00) to get the results you want. Sometimes you need more than one code, especially if the value you are changing is 16 bits (or more). Gold codes often fall into this range. Remember that addresses are sequential, so if you have an address that is 16-bits, and that address is C2EC, you might also need to search for writes to C2ED. Another useful, but more difficult opcode is the RET (C9) opcode. RET means return from subroutine. Often times, the code you are looking at is contained in a subroutine which the program CALLed. If nothing important happens before the subroutine was going to use RET anyway, we might be able to call it earlier and skip a bunch of code. This can be handy for turning multiple game genie codes into a single game genie code. I used this to make an infinite gold code for Dragon Warrior III (Gameboy Color). C98-76E-2AF This is much harder to create rules for, though, so it's probably better if you have some assembly knowledge if you want to try using RET codes. If you use a Z80 programming reference to help you with the assembly, keep in mind that the Gameboy did not use an actual Z80, but rather a Z80 clone which has some minor (but important) differences. The list of changed opcodes can be found at http://fms.komkon.org/GameBoy/Tech/Software.html. ------------------------------------------------------------------------------- | 5.0 Conclusions ------------------------------------------------------------------------------- This is what I know about making Gameboy Game Genie codes. I hope it has been useful for you. If you have questions or comments, please contact me at webmaster [AT] technoplaza.net. I also have an online feedback form at http://www.technoplaza.net/feedback.php If you are using another Gameboy emulator with memory access breakpoints and you need a Game Genie encoder, I have written one in Java at emuWorks. http://games.technoplaza.net/