Interesting that the article claims they encrypted the codes for legal reasons.
I don't really buy it, though. Listing a numeric offset can't possibly be any kind of legal risk, and anyone with a brain would understand that's how the device worked anyway. And especially, Nintendo could easily disassemble the BIOS and see the grade-school level cipher being used. Plus, Pro Action Replay used raw address:value pairs and never had any issues.
I always figured the point was to make it hard for normal people to tweak the codes, and to bloat out their code lists. You can have "Start with 3 lives; 5 lives; 9 lives", but if the last value is 03,05,09 ... then there's not much point in offering three codes.
I got tired of the shady websites full of ads giving you Game Genie codes for the wrong regions, so I worked with another person (mightymo) who made a list of all known codes. Then I decoded all of them to raw address:value pairs, and I ship all of those codes in a database with my emulator. The downside of this is you can't input your own codes in the weird Game Genie encode format. But so far, no one has complained.
Now moving onto the GBA era, and the devices just got disgusting. Each game would have a "master code" you had to enter first. That was actually an RNG seed value for all subsequent codes. So many people must have wasted so much time hand-keying in those things for zero added value. I'm almost completely certain the purpose of those was for the manufacturers to protect their codes from being stolen by competitors with similar hardware devices.
> Listing a numeric offset can't possibly be any kind of legal risk
Theoretically, if the code also for some reason needed to contain the original byte-value of the address at that offset, you could be sued for copyright-infringing reproduction ("you published one byte of the game ROM!") Encryption would prevent this being a clear reproduction.
One could then argue, given that, that when it's trivial to deduce what the original value would have been given what the code does, you still have published a reproduction. E.g., if a code XXXXXX:YY means "give a player 0xYY lives at the start of the game", and the game regularly starts with 0x05 lives, then it's clear that byte $XXXXXX of the ROM must be 0x05.
> Theoretically, if the code also for some reason needed to contain the original byte-value of the address at that offset
The NES and Game Boy devices usually needed this. Without it, bank-switching would result in one code changing several actual ROM bytes, when you only wanted to change one. The SNES almost never used bank switching so it wasn't necessary there.
Still, it's not a one-way hash function here. If you were sufficiently bored, it would be very easy to deduce the encoding for at least the :value portion of the codes, just by comparing the codes in the book. I actually did something similar as a kid. If a phrase (as in a sentence of text) were illegal, using rot13 on it wouldn't make it legal. And Nintendo were chomping at the bit to ban/outlaw/block Game Genie devices (Nintendo has a sad history of being fiercely litigious against everyone), so I'm certain they would have gone for this had they thought they stood a chance at winning.
That would be one hell of a jury trial, though. "They clearly reproduced the number 5, which was in our original game! It's obviously an illegal reproduction of our copyrighted game code!"
Nintendo did sue Galoob/Codemasters, but they lost. I have to wonder if the same trial was held today if the outcome would be the same. Copyright lawyers have really gotten quite good at convincing juries about the necessity of Copyright maximalism.
He also implemented a much faster delta patch creation algorithm (polynomial time instead of quadratic), so it's definitely the superior option at present.
Because applying rot13 to copyrighted data won't suddenly make it legal. It'll just make it slightly more annoying to read. This move couldn't possibly offer any kind of legal defense.
"With the Addams Family game for example, Fred just couldn't locate where the game stores the lives or any useful value - the only thing he managed to do was lock the jump button on, so your character was permanently and uselessly leaping about the level. We submitted this to Codemasters QA as 'unlock pogo stick mode', and they accepted it."
I have fond memories of a tool for Acorn RISC OS computers called "The Hacker", later "Desktop Hacker", the website for which astonishingly still exists: http://www.doggysoft.co.uk/cheat.html
It worked very much like the examples given in the linked article, except you had to find the memory locations yourself, in most cases. So for example, if you wanted to find a cheat for extra lives, you'd start the game, drop out into the "Hacker" tool, search memory for "3", then lose a life, then search the results for "2", and test anything that was left by modifying it. Fun stuff.
That was an amazingly capable bit of software, sold as a games cheat but the best debugger for RISC OS. I learned so much ARM assembler with it, and also how floppy disc copy protection worked :) It was like having the whole OS in a virtual machine.
Not only does the website still exist, so does RISC OS. And it's free.
That's right, if you've got a Raspberry Pi or other RISC computer on your hands, you can re-live the 90's once again, and emulate the 80's from within it.
Yeah I've tinkered with it. RISC OS has some huge limitations in the 21st century, most notably, no multithreading, so you can never use more than a single core. On top of that 32-bit only (and 26-bit software from the 90s crashes), no IPv6, tiny fixed-size icons... sadly, the OS is dating rapidly.
There's an app called scanmem (in Ubuntu repos) that does this. I used it to win at CandyCrush a few years back. Doing an `apt search` I see there's a GUI for it too. Seemingly works just as you describe.
Cheat Engine is an extremely capable tool too, has lots of reverse engineering features, including a debugger and pointer searching tools, a blue-pill style hypervisor to modify memory undetectably and a very powerful assembly level patcher. Oh, and it's all open source. Seriously nice stuff.
Thank you for this. That program is so nice I think I might even abandon more traditional tools like OllyDbg, since this seems more targeted towards what I usually do with them, anyway.
Later versions of the game genie did this too -- they had enough internal memory to make a full copy of the console's memory to do the diffing against.
The Game genie gameboy code "encryption", if anyone cares:
each letter is one hex digit.
GG CODE: ghi-jkl-mno
Address = lijk XOR 0xF000
Data = gh
Compare = mo ROTATED right by 2, and the result XOR by 0xBA
Mystery value = n
Codes can be 6 or 9 digits long, 6 digits if the compare value feature is not used.
The game genie can only modify addresses in the 0000-7fff range, meaning it cannot modify on-cart ram banked in the a000-bfff area (the later datel action replay, however, can modify this and other ram areas, using a periodic interrupt and swapping out the interrupt vectors for its own)
Mystery value has a min of 0, never greater than 7? This was apparently, from what I remember from the usenet leak, intended to thwart games which would checksum their ROMs before starting, but it seems to me to have little practical use, and I'm not even sure how it worked, if it worked at all. It may have restored the original value if it saw an access to ROM 'mystery value' bytes away from the value being changed by the code within a certain number of cycles, or something like that.
The compare value is so that the game genie can selectively patch values in banked rom gameboy games which have multiple rom pages appear at certain addresses due to mapper chips, in which case it will only replace the value at said address if the compare value matches.
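A decoder and encoder for the scheme laid out above, plus the bank-selective patch step, as an added example (not code from the thread or from any emulator). The test vector "00A-17B-3BE" is a widely circulated 9-digit code used here only as input; it decodes to replacing 0x35 (DEC (HL)) with 0x00 (NOP), the textbook shape of an infinite-lives patch. The ROM layout in apply_to_rom assumes plain 16 KiB banks with 4000-7FFF as the switchable window.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class GGCode:
    address: int             # CPU address the patch targets (0x0000-0x7FFF)
    data: int                # replacement byte
    compare: Optional[int]   # original byte expected at the address (9-digit codes only)
    mystery: Optional[int]   # the undocumented 'n' nibble, passed through unchanged

def _ror2(b: int) -> int:
    """Rotate an 8-bit value right by two bits."""
    return ((b >> 2) | (b << 6)) & 0xFF

def _rol2(b: int) -> int:
    """Rotate an 8-bit value left by two bits (inverse of _ror2)."""
    return ((b << 2) | (b >> 6)) & 0xFF

def decode(code: str) -> GGCode:
    """Decode 'ghi-jkl' or 'ghi-jkl-mno' into address, data and compare bytes."""
    hexs = code.replace("-", "").upper()
    if len(hexs) not in (6, 9) or any(c not in "0123456789ABCDEF" for c in hexs):
        raise ValueError(f"malformed Game Genie code: {code!r}")
    d = [int(c, 16) for c in hexs]                      # d[0..8] = g h i j k l m n o
    address = ((d[5] << 12) | (d[2] << 8) | (d[3] << 4) | d[4]) ^ 0xF000   # lijk ^ F000
    if address > 0x7FFF:
        raise ValueError(f"{code}: decodes outside the patchable 0000-7FFF range")
    data = (d[0] << 4) | d[1]                           # gh
    if len(d) == 6:
        return GGCode(address, data, None, None)
    compare = _ror2((d[6] << 4) | d[8]) ^ 0xBA          # ror2(mo) ^ BA
    return GGCode(address, data, compare, d[7])

def encode(address: int, data: int, compare: Optional[int] = None, mystery: int = 0) -> str:
    """Inverse of decode(): the scheme is a fixed, keyless transform, so anyone can run it."""
    if not (0 <= address <= 0x7FFF and 0 <= data <= 0xFF and 0 <= mystery <= 0xF):
        raise ValueError("address/data/mystery out of range")
    a = address ^ 0xF000
    nl, ni, nj, nk = (a >> 12) & 0xF, (a >> 8) & 0xF, (a >> 4) & 0xF, a & 0xF
    code = f"{data >> 4:X}{data & 0xF:X}{ni:X}-{nj:X}{nk:X}{nl:X}"
    if compare is None:
        return code
    mo = _rol2(compare ^ 0xBA)
    return code + f"-{mo >> 4:X}{mystery:X}{mo & 0xF:X}"

def apply_to_rom(rom: bytearray, c: GGCode) -> list:
    """Apply a code to a raw ROM image the way an emulator would. 0000-3FFF is the
    fixed bank; one CPU address in 4000-7FFF maps to the same offset in every
    switchable bank, so only bytes equal to the compare value are patched. This is
    how a single code targets one bank. Returns the ROM offsets actually patched."""
    offsets = [c.address] if c.address < 0x4000 else range(c.address, len(rom), 0x4000)
    patched = []
    for off in offsets:
        if c.compare is None or rom[off] == c.compare:
            rom[off] = c.data
            patched.append(off)
    return patched
```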
The one cartridge I want to know more about (that I never owned myself, but was a huge influence on me) is ISEPIC for the C64 (I always pronounced it "I-Sep-Ick" which obviously is wrong). From what I can put together myself after the fact, it dumped the loaded game from memory to disk and included a fastloader to read that dump back into RAM. I had hundreds of games on floppies that my cousins mailed to me monthly. In particular, I remember Beach Head II - the dumped game ran fine, but when I tried to duplicate the floppy it was on, I ended up with a long message about how pirating games was wrong, and then my computer crashed.
I never had the cartridge myself, but the cartridge wasn't necessary to play the dumped games.
Game Genie cheat codes are what taught 8-year-old me that 0x63 = 99 and 0xFF = 255 due to the frequency of those characters in infinite life/max score codes.
Codemasters tried to build a walled garden around Game Genie codes so they could sell you updated codebooks. The codes were hashed so they had little relation to the memory location they referred to.
Funny, just a couple of days ago I was thinking about my Action Replay and the fun I had with it - I must have been about 10 years old at the time - give or take a couple of years.
The Nintendo 64 Game Shark actually did. You'd set up filters for various conditions (e.g. RAM value is X, where X is number of lives, items, character position, etc) and ask the Game Shark to filter RAM addresses that meet them. Change your game state and re-filter until you're down to very few, then you could tweak the values to see if it changes what you wanted. Pretty neat, especially since you could do it right on the console in realtime.
The Game Boy wouldn't run a game unless the cart sent it the Nintendo loading screen - a clever legal ploy that meant unofficial games were breaking copyright laws simply by replicating the logo.
Diabolical! I wonder if Nintendo ever used this one in the courts.
Famously, Argonaut impressed Nintendo by circumventing this copy protection. The gameboy actually reads the contents of the ROM twice. Once to check that all the data is correct and again to display on the screen. Argonaut just used a capacitor which was set up to charge at the right rate to switch between ROMs and the logo on the screen was their company's logo. It ended up leading to them designing the FX-1 chip for the SNES.
Microsoft did the same with the Xbox 360 HDDs (at least at the birth of the console, I know later in the console's life MS removed the restriction on using USB hard drives with the console). The hard drive contained a "security sector" which contained the MS logo in PNG format (made with Macromedia Fireworks MX 2004 on the 19th of July 2005).
I'm not sure if anyone at MS ever confirmed it but we presumed MS had put it there so that if anyone was found selling unofficial hard drives then you could have been found to be breaking copyright laws because you needed to include the Microsoft logo in the hard drives you were selling for them to work on the 360.
We still rely on stuff like this. For example, just recently GNU Emacs began requiring modules to export a symbol called PLUGIN_IS_GPL_COMPATIBLE in order to enforce the GPL. Code is law, it seems. You would have to do something like modify and ship Emacs without this requirement as well as your plugin and then try to argue that the combination doesn't violate the GPL, which lawyers like Eben Moglen currently believe would not be viewed favourably by a judge.
It shows willful infringement, I think, or something like it. Exporting the variable indicates intent of GPL compatibility. It's a bit like signing "I agree". If you're nevertheless infringing on the GPL despite writing in your code that you did not, lawyers think that judges would not look favourably upon your case.
> There is a law for variables names?
It's a funny thing that programmers try to view the law as a programming language (and even sometimes try to work around it that way, such as for example by writing GPL wrappers). Judges and juries don't care so much about that kind of detail, but about what people declare and what they do in regards to the legal text. Also, it's all very subjective and slightly unpredictable.
In the original Game Genie article, you see that they were doing one kind of legal workaround that is known to work: clean-room reverse engineering. That's why one team would come up with the codes and without telling details to the other guy they would ask him to test the code.
A couple of unofficial cartridges required you to put an official cartridge into them similar to a Game Genie, which they'd use to satisfy the interlock mechanism.
It actually recently showed up on Steam for $5 for some reason. It runs on all platforms (Mac, Windows, Linux, and by extension most of the UNIXes that can emulate one of the three), and has generally good reviews, if you're interested.
They were not breaking copyright law at all. Interoperability is not a copyright violation. They were not breaking trademark either; showing a picture of a trademark is not illegal unless it causes confusion in the mind of the consumer, but that would be avoided by adding a simple disclaimer when shipping a cartridge or loading a game.
I had a GameShark for the N64. It persisted cheat codes you'd entered in-between sessions and it came with a built-in debugger which was surprisingly good.
I especially liked its variable search function. When you started the variable search you could choose whether you knew the value of the variable you were looking for or not. Then, at any time, you could pause the game and tell the game either what exact value the variable should have now or simply that it was the same, different, greater or lower than the previous value. The GameShark itself then kept track of all memory positions which matched those constraints. This made it really easy to find where in memory something was stored. Playing around with this little toy taught me a few valuable lessons in debugging.
The coolest thing I managed to pull off was playing the Single Player levels of Perfect Dark in Multiplayer. It took a while, since the current level wasn't stored in the same place for Single Player and Multiplayer. I seem to remember there being some difference in the level numbering, as well.
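The narrowing search described above (and the "search for 3, lose a life, search for 2" routine from the Desktop Hacker comment earlier), as an added example that is not the GameShark's code or the poster's. The 256-byte "RAM", the lives counter at 0x40 and the decoy bytes are constructed for the walkthrough.

```python
from typing import Optional

class ValueSearch:
    """Keeps the set of addresses still consistent with every observation so far,
    using the same relations the GameShark offered: known value, same, different,
    greater or lower than the previous snapshot."""

    def __init__(self, snapshot: bytes) -> None:
        self.prev = bytes(snapshot)
        self.candidates = set(range(len(snapshot)))   # start value unknown: keep all

    def refine(self, snapshot: bytes, relation: str, exact: Optional[int] = None) -> set:
        tests = {
            "exact":     lambda new, old: new == exact,
            "same":      lambda new, old: new == old,
            "different": lambda new, old: new != old,
            "greater":   lambda new, old: new > old,
            "lower":     lambda new, old: new < old,
        }
        test = tests[relation]
        self.candidates = {a for a in self.candidates if test(snapshot[a], self.prev[a])}
        self.prev = bytes(snapshot)                    # next relation is judged against this
        return set(self.candidates)

def find_lives_counter() -> list:
    """Constructed walkthrough: the real lives counter lives at 0x40, while 0x10, 0x90
    and 0xC0 also start at 3. Returns the sorted candidate list after each step."""
    ram = bytearray(256)
    for a in (0x10, 0x40, 0x90, 0xC0):
        ram[a] = 3
    search = ValueSearch(ram)
    steps = []
    # Step 1: we can see we have 3 lives, so filter on the exact value.
    steps.append(sorted(search.refine(ram, "exact", 3)))
    # Step 2: lose a life. A score-like byte at 0x90 goes up; a timer at 0xC0
    # happens to go down too, so "lower" alone cannot separate it from 0x40.
    ram[0x40], ram[0x90], ram[0xC0] = 2, 4, 2
    steps.append(sorted(search.refine(ram, "lower")))
    # Step 3: pause again without dying. Only the timer moved, so "same" removes it.
    ram[0xC0] = 7
    steps.append(sorted(search.refine(ram, "same")))
    return steps
```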
I remember a friend of mine and I did co-op in Turok 2: Seeds of Evil with the help of a Gameshark. The only problem was that the portals in the game that teleported you to different areas would cause the player's screen who used it to freeze. The exciting part though was being able to go straight to the last boss in co-op mode and have that work without any issue.
Wow, I'm sad now that I never tried to get one for my N64. I would have had so much fun with a debug mode for the console; I didn't know it could do stuff like that before emulators.
I think I would have been more into assembler-level stuff in CS earlier in my education and career; enough to have made it my focus.
That would have been the thing to totally jazz me and change my thinking.
I always wondered if this was how they created the codes. Even at 10 years old I had assumed the process was more eloquent. Amusing that I had assumed wrong.
There's also Cheat Engine for PC games, which is basically a debugger streamlined for finding memory related to cheating at games. I have to admit I use it from time to time to give myself money or ammo in games.
The Game Genie is actually a fascinating piece of hardware/software, and there are many great tales like this one associated with it. Also of significance is its cousin, the Game Shark, which came a bit later.
I never really got the hang of asm myself, though... I should probably give writing some GB software a crack at some point. I might actually learn it if there's a use.
Game hacking is pretty fun. One useful(?) task is to search for unused stuff in games and document it at <http://tcrf.net>. For example, I learned 6502 assembly and NES MMC3 codes to write a level map dumper for M.C. Kids and its prototype, which led to a full comparison of how the levels changed during the game's development process <https://tcrf.net/Proto:M.C._Kids#Level_Changes>. It was a really fun learning experience.
This is great. At the time I had no idea how a Game Genie worked or how they'd come up with codes, though thinking about it now of course that's what they did.
I know what Mickey Mouse game they're talking about too. "Mickey's Dangerous Chase" I'm pretty sure. At least it had patrol dogs and fire hydrants, so it seems likely.
It never occurred to 8-year-old me how the Game Genie worked, and 25 years later I had sort of forgotten about it.
It, like the Virtual Boy and the camera/printer peripheral, was one of a few Game Boy accessories that were totally ahead of their time.
I've still got my Game Boy Camera, along with a Game Boy Pelican Codebreaker, with an integrated debugger and flash to backup savegames into (it was great for transferring saves between versions of Pokemon).
I pull them out every once in a while. The Codebreaker is more interesting to play with now than it was as a kid actually, because I can understand more of its functions.