
Game Genie declassified: That summer I played 230 Game Boy games - jsnell
http://www.eurogamer.net/articles/2016-09-24-game-genie-declassified-that-summer-i-played-230-game-boy-games
======
byuu
Interesting that the article claims they encrypted the codes for legal
reasons.

I don't really buy it, though. Listing a numeric offset can't possibly be any
kind of legal risk, and anyone with a brain would understand that's how the
device worked anyway. And especially, Nintendo could easily disassemble the
BIOS and see the grade-school level cipher being used. Plus, Pro Action Replay
used raw address:value pairs and never had any issues.

I always figured the point was to make it hard for normal people to tweak the
codes, and to bloat out their code lists. You can have "Start with 3 lives; 5
lives; 9 lives", but if the last value is 03,05,09 ... then there's not much
point in offering three codes.

I got tired of the shady websites full of ads giving you Game Genie codes for
the wrong regions, so I worked with another person (mightymo) who made a list
of all known codes. Then I decoded all of them to raw address:value pairs, and
I ship all of those codes in a database with my emulator. The downside of this
is you can't input your own codes in the weird Game Genie encode format. But
so far, no one has complained.

Now moving onto the GBA era, and the devices just got disgusting. Each game
would have a "master code" you had to enter first. That was actually an RNG
seed value for all subsequent codes. So many people must have wasted so much
time hand-keying in those things for zero added value. I'm almost completely
certain the purpose of those was for the manufacturers to protect their codes
from being stolen by competitors with similar hardware devices.

~~~
derefr
> Listing a numeric offset can't possibly be any kind of legal risk

Theoretically, if the code _also_ for some reason needed to contain the
original byte-value of the address at that offset, you could be sued for
copyright-infringing reproduction ("you published one byte of the game ROM!")
Encryption would prevent this being a clear reproduction.

One could then argue, given that, that when it's trivial to deduce what the
original value _would_ have been given what the code does, you _still_ have
published a reproduction. E.g., if a code XXXXXX:YY means "give a player 0xYY
lives at the start of the game", and the game regularly starts with 0x05
lives, then it's clear that byte $XXXXXX of the ROM must be 0x05.

~~~
byuu
> Theoretically, if the code also for some reason needed to contain the
> original byte-value of the address at that offset

The NES and Game Boy devices usually needed this. Without it, bank-switching
would result in one code changing several actual ROM bytes, when you only
wanted to change one. The SNES almost never used bank switching so it wasn't
necessary there.

Still, it's not a one-way hash function here. If you were sufficiently bored,
it would be very easy to deduce the encoding for at least the :value portion
of the codes, just by comparing the codes in the book. I actually did
something similar as a kid. If a phrase (as in a sentence of text) were
illegal, using rot13 on it wouldn't make it legal. And Nintendo were chomping
at the bit to ban/outlaw/block Game Genie devices (Nintendo has a sad history
of being fiercely litigious against everyone), so I'm certain they would have
gone for this had they thought they stood a chance at winning.

That would be one hell of a jury trial, though. "They clearly reproduced the
number 5, which was in our original game! It's obviously an illegal
reproduction of our copyrighted game code!"

~~~
jandrese
Nintendo did sue Galoob/Codemasters, but they lost. I have to wonder if the
same trial was held today if the outcome would be the same. Copyright lawyers
have really gotten quite good at convincing juries about the necessity of
Copyright maximalism.

------
jeffwass
"With the Addams Family game for example, Fred just couldn't locate where the
game stores the lives or any useful value - the only thing he managed to do
was lock the jump button on, so your character was permanently and uselessly
leaping about the level. We submitted this to Codemasters QA as 'unlock pogo
stick mode', and they accepted it."

Awesome bit of marketing right there!

------
LeoPanthera
I have fond memories of a tool for Acorn RISC OS computers called "The
Hacker", later "Desktop Hacker", the website for which astonishingly still
exists:
[http://www.doggysoft.co.uk/cheat.html](http://www.doggysoft.co.uk/cheat.html)

It worked very much like the examples given in the linked article, except you
had to find the memory locations yourself, in most cases. So for example, if
you wanted to find a cheat for extra lives, you'd start the game, drop out
into the "Hacker" tool, search memory for "3", then lose a life, then search
the results for "2", and test anything that was left by modifying it. Fun
stuff.

~~~
qwertyuiop924
Not only does the website still exist, so does RISC OS. And it's free.

That's right, if you've got a Raspberry Pi or other RISC computer on your
hands, you can re-live the 90's once again, and emulate the 80's from within
it.

Have fun.

~~~
LeoPanthera
Yeah I've tinkered with it. RISC OS has some huge limitations in the 21st
century, most notably, no multithreading, so you can never use more than a
single core. On top of that 32-bit only (and 26-bit software from the 90s
crashes), no IPv6, tiny fixed-size icons... sadly, the OS is dating rapidly.

~~~
qwertyuiop924
There are some efforts to bring it into the modern era.

------
Lord_Nightmare
The Game Genie Game Boy code "encryption", if anyone cares:

Each letter is one hex digit.

GG CODE: ghi-jkl-mno

Address = lijk XOR 0xF000

Data = gh

Compare = mo ROTATED right by 2, and the result XOR by 0xBA

Mystery value = n

Codes can be 6 or 9 digits long, 6 digits if the compare value feature is not
used.

The Game Genie can only modify addresses in the 0000-7fff range, meaning it
cannot modify on-cart RAM banked in the a000-bfff area (the later Datel Action
Replay, however, can modify this and other RAM areas, using a periodic
interrupt and swapping out the interrupt vectors for its own)

Mystery value has a min of 0, never greater than 7? This was apparently, from
what I remember from the Usenet leak, intended to thwart games which would
checksum their ROMs before starting, but seems to me to have little practical
use, and I'm not even sure how it worked if it worked at all, it may have
restored the original value if it saw an access to ROM 'mystery value' bytes
away from the value being changed by the code within a certain number of
cycles, or something like that.

The compare value is so that the Game Genie can selectively patch values in
banked ROM Game Boy games which have multiple ROM pages appear at certain
addresses due to mapper chips, in which case it will only replace the value at
said address if the compare value matches.

LN
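
The layout in the comment above, written out as a decoder (an added example, not code from the thread or from any emulator). The names `Patch`, `decode` and `patched_read` and the code `091-23B-E56` are constructed for illustration; the mystery digit is carried but not interpreted, since the comment does not pin down what it does.

```python
import re
from typing import NamedTuple, Optional

class Patch(NamedTuple):          # hypothetical container for one decoded code
    address: int                  # ROM address, 0x0000-0x7FFF
    data: int                     # replacement byte ("gh")
    compare: Optional[int]        # expected original byte, None for 6-digit codes
    mystery: Optional[int]        # the "n" digit, kept as-is

def decode(code: str) -> Patch:
    """Decode ghi-jkl[-mno] into address, data, compare and mystery digit."""
    digits = code.replace("-", "").upper()
    if not re.fullmatch(r"[0-9A-F]{6}([0-9A-F]{3})?", digits):
        raise ValueError("expected 6 or 9 hex digits: %r" % code)
    g, h, i, j, k, l = (int(c, 16) for c in digits[:6])
    # Address = lijk XOR 0xF000
    address = ((l << 12) | (i << 8) | (j << 4) | k) ^ 0xF000
    if address > 0x7FFF:
        raise ValueError("address %04X is outside 0000-7FFF" % address)
    data = (g << 4) | h
    if len(digits) == 6:
        return Patch(address, data, None, None)
    m, n, o = (int(c, 16) for c in digits[6:])
    mo = (m << 4) | o
    rotated = ((mo >> 2) | (mo << 6)) & 0xFF    # 8-bit rotate right by 2
    return Patch(address, data, rotated ^ 0xBA, n)

def patched_read(patch: Patch, address: int, rom_byte: int) -> int:
    """Byte the CPU sees when reading `address` while `rom_byte` is banked in."""
    if address != patch.address:
        return rom_byte
    if patch.compare is not None and rom_byte != patch.compare:
        return rom_byte           # a different ROM bank is mapped here
    return patch.data

if __name__ == "__main__":
    p = decode("091-23B-E56")     # constructed code, not from a real code book
    print("addr=%04X data=%02X compare=%02X" % (p.address, p.data, p.compare))
    print("matching bank: %02X" % patched_read(p, 0x4123, 0x03))
    print("other bank:    %02X" % patched_read(p, 0x4123, 0x7E))
```

The compare check in `patched_read` is what keeps a code aimed at one ROM bank from altering whatever other banks the mapper places at the same address.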

~~~
RetroSpark
There is a Game Genie code decoder/encoder here:

[http://www.smspower.org/maxim/forumstuff/gamegenie.html](http://www.smspower.org/maxim/forumstuff/gamegenie.html)

(This was designed for the Sega Game Gear version, but the Game Boy algorithm
is the same.)

------
phjesusthatguy3
The one cartridge I want to know more about (that I never owned myself, but
was a _huge_ influence on me) is ISEPIC for the C64 (I always pronounced it
"I-Sep-Ick" which obviously is wrong). From what I can put together myself
after the fact, it dumped the loaded game from memory to disk and included a
fastloader to read that dump back into RAM. I had _hundreds_ of games on
floppies that my cousins mailed to me monthly. In particular, I remember Beach
Head II - the dumped game ran fine, but when I tried to duplicate the floppy
it was on, I ended up with a long message about how pirating games was wrong,
and then my computer crashed.

I never had the cartridge myself, but the cartridge wasn't necessary to play
the dumped games.

------
minimaxir
Game Genie cheat codes are what taught 8-year-old me that 0x63 = 99 and 0xFF =
255 due to the frequency of those characters in infinite life/max score codes.

~~~
deelowe
Haha. Me too. They should have included a lightweight debugger or hex dumper
with it. I would have had a blast creating my own codes.

~~~
qbrass
Codemasters tried to build a walled garden around Game Genie codes so they
could sell you updated codebooks. The codes were hashed so they had little
relation to the memory location they referred to.

What you really wanted was an Action Replay.

~~~
cpayne
LOVED my Action Replay. That was really clever - apart from infinite lives,
you could also pull out the sprites.

I feel like we live in similar times any time I see a good JavaScript game!

------
sigil
_The Game Boy wouldn't run a game unless the cart sent it the Nintendo
loading screen - a clever legal ploy that meant unofficial games were breaking
copyright laws simply by replicating the logo._

Diabolical! I wonder if Nintendo ever used this one in the courts.

~~~
phjesusthatguy3
_Sega v. Accolade_ [0] is an interesting take on the same issue.

[0] [https://en.wikipedia.org/wiki/Sega_v._Accolade](https://en.wikipedia.org/wiki/Sega_v._Accolade)

~~~
userbinator
Later, Lexmark tried the same thing with printer cartridge DRM:

[https://en.wikipedia.org/wiki/Lexmark_International,_Inc._v....](https://en.wikipedia.org/wiki/Lexmark_International,_Inc._v._Static_Control_Components,_Inc).

------
Agentlien
I had a GameShark for the N64. It persisted cheat codes you'd entered
in-between sessions and it came with a built-in debugger which was
surprisingly good.

I especially liked its variable search function. When you started the variable
search you could choose whether you knew the value of the variable you were
looking for or not. Then, at any time, you could pause the game and tell the
game either what exact value the variable should have now or simply that it
was the same, different, greater or lower than the previous value. The
GameShark itself then kept track of all memory positions which matched those
constraints. This made it really easy to find where in memory something was
stored. Playing around with this little toy taught me a few valuable lessons
in debugging.

The coolest thing I managed to pull off was playing the Single Player levels
of Perfect Dark in Multiplayer. It took a while, since the current level
wasn't stored in the same place for Single Player and Multiplayer. I seem to
remember there being some difference in the level numbering, as well.
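
The narrowing search described above, and the manual "search for 3, lose a life, search for 2" routine from the Desktop Hacker comment, sketched over constructed RAM snapshots (an added example, not GameShark or Desktop Hacker code). The class name `VariableSearch`, the snapshot contents and the counter's offset 0x0A are all assumptions made for illustration.

```python
import operator

# Relations the search offers against the previous snapshot.
RELATIONS = {"same": operator.eq, "different": operator.ne,
             "greater": operator.gt, "lower": operator.lt}

class VariableSearch:
    """Tracks which addresses still satisfy every observation made so far."""

    def __init__(self, memory, known_value=None):
        self.previous = bytes(memory)
        # Unknown start value: every address is a candidate.
        self.candidates = {addr for addr, byte in enumerate(self.previous)
                           if known_value is None or byte == known_value}

    def exact(self, memory, value):
        """Keep addresses that now hold exactly `value`."""
        return self._narrow(memory, lambda now, before: now == value)

    def relative(self, memory, relation):
        """Keep addresses that are same/different/greater/lower than before."""
        return self._narrow(memory, RELATIONS[relation])

    def _narrow(self, memory, keep):
        if len(memory) != len(self.previous):
            raise ValueError("snapshots must cover the same address range")
        self.candidates = {a for a in self.candidates
                           if keep(memory[a], self.previous[a])}
        self.previous = bytes(memory)
        return sorted(self.candidates)

# Constructed 16-byte snapshots; the lives counter sits at offset 0x0A.
SNAP_START     = bytes([3, 0, 7, 3, 9, 3, 0, 0, 5, 1, 3, 0x40, 0, 3, 2, 0])
SNAP_LOST_LIFE = bytes([3, 0, 8, 2, 9, 4, 0, 0, 5, 1, 2, 0x3F, 0, 3, 2, 0])
SNAP_LATER     = bytes([3, 0, 9, 6, 9, 4, 0, 0, 5, 1, 2, 0x3E, 0, 3, 2, 0])

def find_known():
    """Known values: 3 lives at the start, 2 after losing one, then unchanged."""
    search = VariableSearch(SNAP_START, known_value=3)
    search.exact(SNAP_LOST_LIFE, 2)
    return search.relative(SNAP_LATER, "same")

def find_unknown():
    """Unknown value: only 'went down' and then 'stayed the same' are known."""
    search = VariableSearch(SNAP_START)
    search.relative(SNAP_LOST_LIFE, "lower")
    return search.relative(SNAP_LATER, "same")

if __name__ == "__main__":
    print(find_known(), find_unknown())
```

Both searches end on the same single address; the countdown byte at offset 0x0B survives the "lower" pass and is only eliminated by the later "same" observation.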

~~~
fl0wenol
Wow, I'm sad now that I never tried to get one for my N64. I would have had so
much fun with a debug mode for the console; I didn't know it could do stuff
like that before emulators.

I think I would have been more into assembler-level stuff in CS earlier in my
education and career; enough to have made it my focus.

That would have been the thing to totally jazz me and change my thinking.

~~~
Agentlien
I understand what you mean. As a 13 year old aspiring game programmer, the
GameShark was the perfect toy to sink countless hours into.

------
deelowe
I always wondered if this was how they created the codes. Even at 10 years old
I had assumed the process was more eloquent. Amusing that I had assumed wrong.

~~~
ikeboy
Nowadays they'd use an emulator to find them, which is at the very least
faster.

~~~
gh02t
There's also Cheat Engine for PC games, which is basically a debugger
streamlined for finding memory related to cheating at games. I have to admit I
use it from time to time to give myself money or ammo in games.

[http://www.cheatengine.org/](http://www.cheatengine.org/)

------
qwertyuiop924
The Game Genie is actually a fascinating piece of hardware/software, and there
are many great tales like this one associated with it. Also of significance is
its cousin, the Game Shark, which came a bit later.

I never really got the hang of asm myself, though... I should probably give
writing some GB software a crack at some point. I might actually learn it if
there's a use.

~~~
coldpie
Game hacking is pretty fun. One useful(?) task is to search for unused stuff
in games and document it at <[http://tcrf.net](http://tcrf.net)>. For
example, I learned 6502 assembly and NES MMC3 codes to write a level map
dumper for M.C. Kids and its prototype, which led to a full comparison of how
the levels changed during the game's development process
<[https://tcrf.net/Proto:M.C._Kids#Level_Changes](https://tcrf.net/Proto:M.C._Kids#Level_Changes)>.
It was a really fun learning experience.

~~~
qwertyuiop924
It sounds fun, I just don't know where to start.

------
acheron
This is great. At the time I had no idea how a Game Genie worked or how they'd
come up with codes, though thinking about it now of course that's what they
did.

I know what Mickey Mouse game they're talking about too. "Mickey's Dangerous
Chase" I'm pretty sure. At least it had patrol dogs and fire hydrants, so it
seems likely.

------
jph98
POKE 47196, 201

~~~
Pulce
KL!

------
digi_owl
Ah Codemasters, another name from my Amiga years.

Anyways, these days you can try your hand on cheat finding on most well
developed emulators.

------
noer
It never occurred to an 8-year-old me how Game Genie worked and 25 years
later, I had sort of forgotten about it. It, like the Virtual Boy and the
camera/printer peripheral were a few Game Boy accessories that were totally
ahead of their time.

~~~
khedoros
I've still got my Game Boy Camera, along with a Game Boy Pelican Codebreaker,
with an integrated debugger and flash to backup savegames into (it was great
for transferring saves between versions of Pokemon).

I pull them out every once in a while. The Codebreaker is more interesting to
play with now than it was as a kid actually, because I can understand more of
its functions.

