Editing ROM Instructions/ Creating Game Genie Codes?

Are you new to 6502, NES, or even programming in general? Post any of your questions here. Remember - the only dumb question is the question that remains unasked.

Moderator: Moderators

User avatar
Spindaboy
Posts: 9
Joined: Sat Jul 14, 2018 5:34 pm
Location: Lexington, KY

Re: How to find RAM addresses/ How to make Game Genie Codes?

Post by Spindaboy » Sat Jul 14, 2018 7:52 pm

dougeff wrote:But, to answer your question...
(I used to make game genie codes as a hobby.)

Basically, when the CPU reads a byte from a specific location in the ROM, instead of getting that byte, you can force it to see another byte.

like if the game code says...
Load the #5 and store it at the "lives left" RAM address, you can tell it to load a 6, or 7, or whatever.

So, step 1 is to figure out which RAM address you want to change, then to locate some code which modifies that RAM address. For me, I like to use a debugger, and set a breakpoint for writes to that address.

Then use a game genie encoder (FCEUX has one), and write a new value to be loaded to that address.

Other things you can do, are changing "conditional branches" to always skip some code, or always do some code.

You could change code to $ea to erase it. ea means NOP, no operation (ie, do nothing).

Lots of options.
Yes! I think this is more what I'm looking for. If you don't mind, could you link a good tutorial for using a debugger in FCEUX/ how to use breakpoints?

User avatar
dougeff
Posts: 2826
Joined: Fri May 08, 2015 7:17 pm
Location: DIGDUG
Contact:

Re: How to find RAM addresses/ How to make Game Genie Codes?

Post by dougeff » Sat Jul 14, 2018 8:04 pm

I discussed it in this video

https://youtu.be/d2XkJQFs0OQ

between 14 and 19 minutes. And I make a game genie code, but I don't explain how the code works, or how I know it will work. Sorry.
nesdoug.com -- blog/tutorial on programming for the NES

User avatar
tokumaru
Posts: 12003
Joined: Sat Feb 12, 2005 9:43 pm
Location: Rio de Janeiro - Brazil

Re: How to find RAM addresses/ How to make Game Genie Codes?

Post by tokumaru » Sat Jul 14, 2018 8:45 pm

Just to make it clear: nothing permanently overwrites the ROM, the ROM will only appear different to the console as long as the Game Genie sits between the console and the cartridge and the codes are active.

Every time the CPU needs to read from the cartridge (which is hundreds of thousands of times per second), it tells the cartridge which address it needs to read, and the cartridge responds with the value. When the Game Genie is between the console and the cartridge, every time it received and address, it checks whether there are any cheat codes enabled for that address, and then decides whether to let the original value go through or respond with the value specified in the cheat code.

User avatar
Spindaboy
Posts: 9
Joined: Sat Jul 14, 2018 5:34 pm
Location: Lexington, KY

Re: How to find RAM addresses/ How to make Game Genie Codes?

Post by Spindaboy » Sat Jul 14, 2018 9:46 pm

So after doing a bit of messing around in the debugger and I've found some offsets and values that I'm looking for, but that's about the extent to which I can use the debugger right now. I still don't understand how to use breakpoints, the (assembly?) code in the following column, or pretty much anything else in the debug menu. But based on what people have been saying I can edit any ROM address which writes to that RAM offset and still get my desired result? I just really need a thorough explanation of how to find the offsets for the instructions I need to edit ><

For example, in FF II Firion starts the game with 10 Strength. Thanks to this guide I know that the RAM address for this value is at 6120. So I open up the debugger, go to that address, and sure enough the value there is 0A in hex which is of course 10 in decimal. But now I'm at in-pass because I don't know which instructions right to that value. In this example if I knew where the code was which told the game to start Firion with 10 Strength then I could modify it to my desired value and translate it into a Game Genie code.

Thank you for the help so far though! I'm sure this process will become a lot easier once I learn more about it.

User avatar
MottZilla
Posts: 2835
Joined: Wed Dec 06, 2006 8:18 pm

Re: Editing ROM Instructions/ Creating Game Genie Codes?

Post by MottZilla » Mon Jul 30, 2018 12:37 pm

Put a write breakpoint on the address you say is $6120. Start your new game and watch for $0A to be written to the address. The breakpoint will stop execution whenever $6120 is written which it might be written to more than just once. You'll want to see when it has the value you want to replace being written. Then you'll need to scroll up in the disassembly window to see where it go your $0A value from. It's either in an instruction or data fetched from ROM. Once you find where the value came from you can create a Game Genie code to replace that value with whatever you choose.

I ran the Japanese rom and it reads and then writes here:

00:9C71:BD 80 8F LDA $8F80,X @ $8FA0 = #$0A
>00:9C74:9D 00 61 STA $6100,X @ $6120 = #$00

Which is part of a bigger sort of copying of data from ROM to PRG-RAM:

00:9C6F:A2 3F LDX #$3F
00:9C71:BD 80 8F LDA $8F80,X @ $8FA0 = #$0A
>00:9C74:9D 00 61 STA $6100,X @ $6120 = #$0A
00:9C77:BD 00 90 LDA $9000,X @ $9020 = #$05
00:9C7A:9D 40 61 STA $6140,X @ $6160 = #$05
00:9C7D:BD 80 90 LDA $9080,X @ $90A0 = #$0F
00:9C80:9D 80 61 STA $6180,X @ $61A0 = #$0F
00:9C83:BD 80 8F LDA $8F80,X @ $8FA0 = #$0A
00:9C86:9D C0 61 STA $61C0,X @ $61E0 = #$0A
00:9C89:BD C0 8F LDA $8FC0,X @ $8FE0 = #$00
00:9C8C:9D 00 62 STA $6200,X @ $6220 = #$00
00:9C8F:BD 40 90 LDA $9040,X @ $9060 = #$00
00:9C92:9D 40 62 STA $6240,X @ $6260 = #$00
00:9C95:BD C0 90 LDA $90C0,X @ $90E0 = #$00
00:9C98:9D 80 62 STA $6280,X @ $62A0 = #$00
00:9C9B:BD C0 8F LDA $8FC0,X @ $8FE0 = #$00
00:9C9E:9D C0 62 STA $62C0,X @ $62E0 = #$00
00:9CA1:CA DEX
00:9CA2:10 CD BPL $9C71

However modifying that $0A seems to get replaced by something that happens in the first battle. I think it comes from $6110. Which comes from $8F90 in ROM. So you need to use a Game Genie code like: AKOAENZA [ 0F90 40 0A ]

I hope this helps. In theory you should be able to alter any starting game stat in ROM.

User avatar
Spindaboy
Posts: 9
Joined: Sat Jul 14, 2018 5:34 pm
Location: Lexington, KY

Re: Editing ROM Instructions/ Creating Game Genie Codes?

Post by Spindaboy » Tue Jul 31, 2018 12:38 am

MottZilla wrote: I ran the Japanese rom and it reads and then writes here:

00:9C71:BD 80 8F LDA $8F80,X @ $8FA0 = #$0A
>00:9C74:9D 00 61 STA $6100,X @ $6120 = #$00

Which is part of a bigger sort of copying of data from ROM to PRG-RAM:

00:9C6F:A2 3F LDX #$3F
00:9C71:BD 80 8F LDA $8F80,X @ $8FA0 = #$0A
>00:9C74:9D 00 61 STA $6100,X @ $6120 = #$0A
00:9C77:BD 00 90 LDA $9000,X @ $9020 = #$05
00:9C7A:9D 40 61 STA $6140,X @ $6160 = #$05
00:9C7D:BD 80 90 LDA $9080,X @ $90A0 = #$0F
00:9C80:9D 80 61 STA $6180,X @ $61A0 = #$0F
00:9C83:BD 80 8F LDA $8F80,X @ $8FA0 = #$0A
00:9C86:9D C0 61 STA $61C0,X @ $61E0 = #$0A
00:9C89:BD C0 8F LDA $8FC0,X @ $8FE0 = #$00
00:9C8C:9D 00 62 STA $6200,X @ $6220 = #$00
00:9C8F:BD 40 90 LDA $9040,X @ $9060 = #$00
00:9C92:9D 40 62 STA $6240,X @ $6260 = #$00
00:9C95:BD C0 90 LDA $90C0,X @ $90E0 = #$00
00:9C98:9D 80 62 STA $6280,X @ $62A0 = #$00
00:9C9B:BD C0 8F LDA $8FC0,X @ $8FE0 = #$00
00:9C9E:9D C0 62 STA $62C0,X @ $62E0 = #$00
00:9CA1:CA DEX
00:9CA2:10 CD BPL $9C71

However modifying that $0A seems to get replaced by something that happens in the first battle. I think it comes from $6110. Which comes from $8F90 in ROM. So you need to use a Game Genie code like: AKOAENZA [ 0F90 40 0A ]

I hope this helps. In theory you should be able to alter any starting game stat in ROM.
Thank you for taking the time to write all this out! :D

I think I have a good grasp on how to use breakpoints now, but I don't understand any of the 6502 instructions. For example you said that the game reads and writes to >00:9C74:9D 00 61 STA $6100,X @ $6120 = #$00 but I can only give an educated guess as to what all that means. When I tested this myself I also noticed the value is written to again when the first battle starts. You said it (the value?) comes from $6110 (the instruction?) which comes from $8F90, how do you know this?

Also did you mean for the Game Genie code to write to address $0F90 or was that a typo? The list you provided definitely seems to load all Firion's starting stats and weapon levels, but I'm not sure how you knew those were all part of the same list. If I want to use a code to change each and every single stat at the start of the game will the GG even be able to deal with that many codes at once? Finally, for values that I don't know the offsets for (that have yet to be documented), how can I locate them on my own?

I apologize in advance for asking so many questions ^^,

User avatar
MottZilla
Posts: 2835
Joined: Wed Dec 06, 2006 8:18 pm

Re: Editing ROM Instructions/ Creating Game Genie Codes?

Post by MottZilla » Tue Jul 31, 2018 1:20 pm

LDA is the instruction Load Accumulator. It is the primary register on the 6502 cpu family. STA is Store Accumulator.

X and Y are Index registers which can be used to access a memory location plus the value of the index. This way you can access a string or array of values by adding the index to the start of the data. That's why it is doing LDA $8F80,X.

The big block of addresses and instructions is just copied from FCEUX. So it tells you the ROM bank, Address, instruction bytes, the disassembled instruction, and then the effective address and what value is located there.

So the reason I knew where that value came from is I assigned an execution breakpoint further up in code execution so I could see where the value that was being written came from. So When it trips the write breakpoint for $6120 during the first battle I just scrolled up to see where I should put my code execution breakpoint so I could watch what was happening. By doing so you can see that the value eventually written to $6120 came from $6110.

If you look at the big block I posted you can clearly see where it's loading values from in ROM and where it is writing them into RAM. That's how you can use Game Genie to alter the values.

The address having a 0 in the first section was due to the online Game Genie code encoder I used. I did not test the code but merely provided it for you to try. The address as you know is supposed to be 8F90, with 40 being a replacement value, and 0A being the "compare" value. The Game Genie code letters should be correct for this. Hopefully you can learn from this. Maybe try making some codes for other games to learn more. Basic assembly code knowledge will help a great deal. You don't have to know very much for basic cheats.

Post Reply