
How do GameShark/GameGenie codes work? - dhruvbhatia
http://gaming.stackexchange.com/questions/76858/how-do-gameshark-codes-work
======
kanzure
GameShark is how I first stumbled on to the internet. I was looking up "the
codes". I was really upset when GameShark's UBB instance went dark. Years
later, I returned to look at some favorites and found that I could easily use
all these programming skills I've developed to directly hack games.

<https://github.com/kanzure/pokecrystal>

So things like "beat the Elite Four 16,383 times" turn out to be definitely
false. Also "mash A to increase the chances of catching" is also unfortunately
wrong.

But at least you can just directly look at the WRAM file to see where actual
values are stored:

<https://github.com/kanzure/pokecrystal/blob/master/wram.asm>

These can easily be converted into the old school GB/GBC gameshark codes by
prepending 01, then a two-digit hex value, then a little endian (reverse)
two-byte address.

So if you wanted to hack level 80 with a GameShark code you would look up and
find this:

    PartyMon1Level: ; dcfe
        ds 1 ; just one byte

to come up with:

    0150FEDC

(0x50 because 0x50 == 80)

The GameShark was a really educational device. At first I didn't know what I
was looking at, but then I realized it was giving me memory dumps and
byte/address search tools. And then for some reason all of the subsequent
devices after N64/GBC were just terrible, and I couldn't get an address
searcher without a modchip?? No clue.
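An added example, not part of the post or of the pokecrystal project: an encoder and decoder for the GB/GBC GameShark code format described above (01, a one-byte value, then the 16-bit address with its bytes reversed), checked against the 0150FEDC code derived from PartyMon1Level at dcfe. The symbol table is a constructed stand-in for wram.asm holding only that one entry.

```python
"""Encode and decode Game Boy / GBC GameShark codes of the form
01 + value (1 byte, hex) + address (2 bytes, little-endian, hex).
Added example; only PartyMon1Level at 0xDCFE is taken from the thread."""


def encode_gameshark(address: int, value: int) -> str:
    """Build an 8-hex-digit GameShark code from a RAM address and a byte value."""
    if not 0 <= address <= 0xFFFF:
        raise ValueError(f"address {address:#x} is not a 16-bit address")
    if not 0 <= value <= 0xFF:
        raise ValueError(f"value {value} does not fit in one byte")
    lo, hi = address & 0xFF, address >> 8  # little-endian: low byte first
    return f"01{value:02X}{lo:02X}{hi:02X}"


def decode_gameshark(code: str) -> tuple[int, int]:
    """Reverse the encoding; returns (address, value). Rejects malformed codes."""
    code = code.strip().upper()
    if len(code) != 8 or any(c not in "0123456789ABCDEF" for c in code):
        raise ValueError(f"{code!r} is not an 8-digit hex GameShark code")
    if code[:2] != "01":
        raise ValueError(f"unsupported code type {code[:2]} (expected 01)")
    value = int(code[2:4], 16)
    # bytes 4-5 are the low address byte, bytes 6-7 the high byte
    address = (int(code[6:8], 16) << 8) | int(code[4:6], 16)
    return address, value


# Constructed symbol table standing in for wram.asm (single entry from the thread).
WRAM_SYMBOLS = {"PartyMon1Level": 0xDCFE}


def code_for_symbol(symbol: str, value: int) -> str:
    """Look a label up in the symbol table and emit the code that sets it."""
    return encode_gameshark(WRAM_SYMBOLS[symbol], value)


if __name__ == "__main__":
    code = code_for_symbol("PartyMon1Level", 80)
    print(code)                    # 0150FEDC, the code given in the post
    print(decode_gameshark(code))  # (56574, 80)
```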

~~~
sesqu
> Also "mash A to increase the chances of catching" is also unfortunately
> wrong.

I remember playing the game, thinking about this. I was wondering whether I
had heard it somewhere or come up with it myself, how unlikely it was to be
true, and how I still found myself doing it occasionally. A small existential
crisis over confirmation bias and clever design.

~~~
ceol
I still do it with the DS versions of the games. It's gotten to the point of
catharsis.

------
Jumblegreen
Wow. I was involved in the Game Genie development and you might like to know
the only reason we encrypted the codes was because we were scared of being
sued by Nintendo (rightly as it turned out) and we figured naively that it
would help if people couldn't make up their own codes. During the court case
(Nintendo did indeed sue us), ironically, the lawyers told us it was the other
way round, so we actually published hints on how to experiment making new codes
by trial and error.

~~~
mpclark
Inventor of Game Genie posts in thread and nobody notices...

------
acjohnson55
When I was in high school, I used similar techniques to hack PalmPilot
shareware. I had taught myself Z80 and 68k assembly starting as a middle
schooler to program my TI-83 (and later 89) graphing calculator.

I knew from experience that most responses to user input and state ultimately
hinged on a single comparison instruction. For most shareware, there could be
numerous checks that change the behavior of the code depending on whether it's
registered or not, but the state of registration itself usually came down to a
single flag stored someplace. Sometimes, developers would really obscure how
this state was stored, but often, the weak point is at the point of
registration. If you simply invert the comparison that determines if the
registration code is correct, you can invert the registration
approval/rejection process.

Using a disassembler, I isolated exactly where the comparison point was.
Usually, this could be done by searching for code references to the success
and failure screen or dialogs, and working backwards. Very often, it was as
simple as using an onboard hex editor to replace a "branch if equal" opcode
with a "branch if not equal". Then as long as you don't accidentally enter a
correct code, you're in!

There are far more sophisticated registration schemes used back then and
especially today, which require far more complicated methods to circumvent.

I did all this for two reasons. First was the fun/puzzle of it. Second was the
fact that PalmPilot apps were often priced for business people, and relatively
simple software would sell for $20-50; way more than my high school allowance
allowed me to afford. I never did become a contributor to the whole crackz
scene though. In the modern app world, the going price is like $2-5, making
things way more affordable.

------
davbryn
I pretty much discovered programming by messing around with my Action Replay
as a child. I was probably 12 years old and my family were poor so we didn't
have a computer. My big brother had a Dreamcast and this could be hooked up to
our phone line (56K) to get online. I was allowed to do this one hour per
week, on a Saturday if I'd behaved that week. It was terrible: it locked
up my mum's phone line so it was a strict hour, and it used to take forever to
connect, so I'd get maybe 30 mins to try and load codejunkies.com and post my
weekly discoveries to the forum. This was tricky as I had to type using the
dreamcast controller and I wrote all my codes out on pen and paper (I had a
whole book of my notes).

I remember one weekend I got to use the main TV and plugged in the dreamcast.
Found the codejunkies forum and there were a bunch of people doing things that
I had been doing. Some random names, I remember Dr Ian, FoxDie, SubDrag,
Krusha... there were a load of people with strange names doing exactly the
same things I'd been doing in the back room during the week.

I posted some of the codes I had figured out, nothing major at first: Adding a
timer to any Goldeneye level, modifying the character's head/body. I checked
back a week later and some of these 'big names' had commented on my codes! I
was ecstatic :)

I looked forward to my weekly hour online and I used all my time on Action
Replay/Gameshark sites. I even wrote a tutorial on N64 hacking (using a
Dreamcast controller, it sucked).

I got to the stage where I could look at the Memory Editor on a page of
Goldeneye and know exactly what part of code/data it was. I knew after a while
that 3F80 somehow related to a default value, and if I made it larger things
in the game would usually grow. I would change a value like this and then run
around for ages until I saw something bigger. Didn't always work, but once it
did I would look at the memory address for the 3F80 and do a search for that
address.

This (I thought at the time) would be the place that knows about the object,
so I would read the hexdump and follow anything that looked like an address in
the editor, modifying the value at that address and seeing what it would
change.

Somehow this ended up working out well (I had never used a computer for
anything but Word and Excel at this stage) and I found I could replace objects,
change their sizes, colour, physics... I could replace them with objects that
were no longer in the game (suitcases in Goldeneye etc).

It was fun!

Once I was comfortable with it I started looking for the big prizes. Things I
would see on my weekly journey to the forums that people wanted. Connery Bond
was a big one. There were rumours that you could play as the other bonds.

So I figured I would find him. I figured that since you pause the game in
Goldeneye and see the arm + watch, Connery would have a white arm. So I took
some time tracking the seconds hand on the watch and travelled up the memory
addresses until I found a value that was near a 3F80. I switched it, paused
the game and had a white suit!! Amazing!

I ended up with quite an intimate knowledge of the Goldeneye hex dumps. I
found a weird level that I could load, providing I emptied it of objects and
props. So I found a way to stop the game from loading anything other than
level data and I could briefly see a strange silver ramp level with blue
skies, but I would fall and die immediately. I later discovered that this was
the Citadel level and some other clever guys managed to make it playable :)

The thing that ended for me though, was my biggest hack ever...

I read a cheat book (I collected N64 magazine) that said Banjo and Kazooie had
many more cheats than released while lying on my bed. I figured that I knew a
couple of the codes (you entered them in a floor of a sandcastle, but it was
basically a keyboard), so if I entered a code and did a memory dump after each
letter I could home in on the counter that was checking them.

So I hit take a mem dump, hit a letter, mem dump, search for values greater
than last and repeat.

Found it.

Then I search for the memory address at that pointer and find something
pointing at it. Repeating this I find a whole bunch of crappy values with 00
between them.

Deciding that these were the codes, but encrypted (:-|) I wrote them all down
on paper, all 60ish and took them to the front room. From the codes that were
released I could figure out the majority of the letters: A was 65, E was 69
etc so I went through filling those out. I gave my mum and dad a few pages
each and (love them) they sat there and filled out the missing letters.

An hour later I had every code for that game in my lap :)

I waited a few days for internet access and used the entire hour typing them
into an email that I sent to Official Nintendo Magazine, GamesMaster and N64
magazine (my favourite).

Next week I checked online and Nintendo Magazine got back to me asking where I
found the codes. They later published a full cheat book with them (without
credit) and credited me for a really crap cheat in the main magazine. I didn't
care - they sent me WWF No Mercy for free (big deal for a poor kid) and my
name was in a magazine!

I was walking home a few weeks later and saw N64 Magazine in the newsagents.
Cover had Banjo and Kazooie on it - NEW CHEATS REVEALED: GET THE ICE KEY AND
MORE...

Holy shit!

I couldn't afford it but I ran in and flicked through the pages to look for my
name. This was epic!

Except it wasn't. Turned out some other hackers had found the codes at the
same time and they had their name in my favourite magazine. I was gutted.

Two weeks later my parents couldn't afford the phone line and my brother sold
his Dreamcast.

It was a fun time, and looking back at it now with a computer science degree I
can't help but smile.

I only wish I knew what ASCII was before me and my parents used frequency
analysis to crack it haha!

~~~
wnight
I had an Apple 2+ but did very similar things.

It got to the point where I could recognize Ultima 4 terrain in Copy2+'s
sector editor.

I guess I got started glitching - overwriting lots of things to see what died
and by narrowing my probe, discover what smaller bits did. Then editing
constants and map data, etc.

I've still got scans of notebooks where I mapped dungeons, recorded stats,
etc, and then documented the memory structures once I'd found them.

It's no real surprise that I'm now a maintenance coder / reverse-engineer /
re-implementor.

~~~
Spl3en
Hello, I love reverse engineering and programming a lot. I'd love to work as a
"maintenance coder / reverse-engineer / re-implementor", but I've still no
idea in which domain it is really needed. I do it for my own pleasure on some
games / softwares at the moment.

Could you tell me what is the best way to become a "a maintenance coder /
reverse-engineer / re-implementor" ?

Thank you.

~~~
mtrimpe
It sounds like you and tptacek might get along...

~~~
Spl3en
Thank you for your answer.

I took a look at the Matasano project. It seems terribly interesting to me
and it fits with my expectations.

Unfortunately, they require you to work in their office, and as a European (French)
guy, I can't afford to move to America: I'd like to stay not too far from my
family and friends if possible. I love programming / computer security very
much, but I think I'd suffer from not seeing them anymore.

I'm looking for a French/European job, similar to the one proposed for the
Matasano Project. AFAIK, it doesn't exist... I'd consider moving to America if
it isn't possible, but I'd like to avoid that if possible.

~~~
mtrimpe
In Europe I'd guess you'd be most at home in the Linux world. At the moment
all the activity there is in virtualisation related companies, so I'd try to
approach some of them and see if they've got something for you. I think NetApp
is hiring in your area, but I'm not sure what exactly they do there.

You can also become a Vulnerability Reward Program bounty-hunter as a hobby
for a while. If you manage to find some high-profile bugs and blog about it,
work will probably also start coming to you.

~~~
Spl3en
Thank you for all this precious advice, it means a lot to me.

I'll start blogging as soon as I've got something new and interesting.

I need to show what I can do. I'm currently studying and I feel like I haven't
a lot of opportunities to really show off my skills because the level of
requirements is not high enough, which is frustrating sometimes.

I agree that a blog could be a good solution, I also enjoy writing articles
even if my English is not the best.

I'll keep you informed if you enjoy receiving news from random internet
people.

I'll certainly think about some software I'd like to analyze during the next
few days and start working on finding bugs/vulnerabilities/interesting things.

------
sordina
The wikipedia article for GameShark is pretty lean. I'm sure someone
experienced in this subject could contribute a great deal of information.

------
hdra
ahh,,, good ol' cheating... trying to cheat in computer games was how i got
into programming. it all began with simple memory editing, then learned c++ to
write some trainers, then got into disassembler and play around more.

one of the good things about growing up without a game console i guess,,

------
quackerhacker
Cool explanation...it's like a physical mitm attack (lol).

Ahhh the good ol' days when games were physically held and you had to blow the
*ish out of them to make em' work.

------
djhworld
This is cool.

I'm currently writing an emulator for the gameboy (as an educational exercise)
and I can definitely understand how this would work

------
ohkine
I was really really into the GameShark during the PSX days. The original one
was nice, but the best thing was the GameShark Pro, which allowed you to
(amongst other things) generate your own codes via a rudimentary hex
editor/comparison tool that could be invoked by pressing a button on the
device. (You could also connect it to a Windows PC via a parallel port on the
back, which was tedious, but the accompanying software was easier to work
with.)

So to create (e.g.) an infinite-ammo code, you would reload so that you had a
full magazine of 30 rounds, and press the button. Then you'd have the
GameShark search for addresses with a value of 30. Usually it'd return a huge
amount of mostly garbage, so then you'd return to the game, shoot once or
twice to change the number of rounds, and go back and tell it to narrow the
results down by showing only the addresses that had changed to 29 or whatever.

After doing that two or three times, you'd have a working code that you could
save to the device or share with people.

Sometimes it wasn't obvious what the value of a variable was, so you'd have to
do a 'not equals' search. So to get weapon values, you would equip a knife, do
a search, change to a hand gun, do a 'not equals' search, usually repeat that
many times (because there are always going to be things changing) until you
finally end up with an address that specifies the weapon (and sometimes one or
two accompanying addresses).

Firstly, by watching the value of these addresses (you could always return to
the results screen and see what the new value was), you would find out which
values correspond to which guns. The knife might be 01, the hand gun 02, the
rocket launcher 0A, and so on. That would allow you to take the address and
create many codes for different weapons by adjusting the values.

More humorously: In some games, like Resident Evil, the address for the weapon
function would be accompanied by another address for the weapon ammo. You
could adjust the two values so that they differed from each other — for
example, set the function to 01 and the ammo to 0A — and then you would end up
with a knife that shoots rockets.

The codes that were the most challenging to create, and also probably the most
fun, were what i used to call 'abusive codes'. Abusive codes were usually more
humorous than practical — instead of giving you useful things like infinite
ammo or lives, abusive codes would screw with the game's display or physics.

One of my favourite abusive codes was roller-skate mode for Silent Hill.
Silent Hill is an extremely frightening and morbid horror game (i still can't
play it alone), and enabling roller-skate mode completely changed the dynamic.
First of all, during game-play, Harry's legs wouldn't move — he would just
scoot around like he was sliding on ice. What was funnier, though, was that
the sliding would persist into the game's cut scenes (which usually involved
the discovery of something gruesome). So for example Harry would come across
some mutilated corpse, the music would get all shrieky and he would exclaim
how terrible it was, and all the while he would be scooting all over the
screen. It turned the game from something frightening into something
hilarious.

Most of the other abusive codes that i and my friends experimented with had
similar effects on the physics. For example, in Resident Evil 2, we created a
code where, if you pressed a certain button on the controller, the character's
legs would shoot around like a helicopter and, if you held it long enough,
they would gradually 'fly' up through the ceiling and off the screen.

Other games would allow you to alter aspects of the display. You could make
the characters into giants, or make specific body parts extremely large or
small, or make all of the doors turn into different objects. This was 'after
my time', so to speak, but one of the Resident Evil games for GameCube allowed
you to adjust the main character's breast size. If you cranked the value high
enough, you could make her boobs fill the entire screen.
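An added example, not from the post: a small model of the GameShark Pro search workflow described above. Memory dumps are dicts of address to byte value; every dump here is constructed for illustration, not captured from a game. The first pass is an "equals" search for a known value (30 rounds) narrowed by the next known value (29), and the second is the "not equals" search for a variable whose encoding is unknown (knife, then hand gun, then rocket launcher). Filtering on values that stayed the same between two dumps of the same state is added as a generalisation to strip out the timers and counters that are "always going to be changing".

```python
"""Model of the GameShark Pro equals / not-equals memory search.
Added example; all dumps are constructed."""


def initial_search(dump: dict[int, int], value: int) -> set[int]:
    """First pass: every address currently holding the known value."""
    return {addr for addr, v in dump.items() if v == value}


def narrow_to_value(cands: set[int], dump: dict[int, int], value: int) -> set[int]:
    """Keep candidates that now hold the next known value (29 after one shot)."""
    return {a for a in cands if dump.get(a) == value}


def narrow_changed(cands: set[int], before: dict[int, int], after: dict[int, int]) -> set[int]:
    """'Not equals' search: keep candidates whose byte differs between dumps."""
    return {a for a in cands if before.get(a) != after.get(a)}


def narrow_unchanged(cands: set[int], before: dict[int, int], after: dict[int, int]) -> set[int]:
    """Generalisation: keep candidates that did NOT change between two dumps
    of the same game state, which removes frame counters and timers."""
    return {a for a in cands if before.get(a) == after.get(a)}


# Constructed dumps. 0x1F00 is the real ammo counter; 0x0042 is a frame counter
# that is coincidentally 30 in the first dump; 0x2A00 is a constant 30.
AMMO_FULL  = {0x0042: 30, 0x1F00: 30, 0x2A00: 30, 0x0500: 7}
AMMO_SHOT1 = {0x0042: 91, 0x1F00: 29, 0x2A00: 30, 0x0500: 7}
AMMO_SHOT2 = {0x0042: 12, 0x1F00: 28, 0x2A00: 30, 0x0500: 7}


def find_ammo_address() -> set[int]:
    cands = initial_search(AMMO_FULL, 30)           # {0x0042, 0x1F00, 0x2A00}
    cands = narrow_to_value(cands, AMMO_SHOT1, 29)  # {0x1F00}
    return narrow_to_value(cands, AMMO_SHOT2, 28)   # still {0x1F00}


# Weapon search: 0x0800 is the weapon id (knife 01, hand gun 02, rocket 0A);
# 0x0042 keeps ticking, so a 'changed' filter alone never removes it.
WEAP_KNIFE   = {0x0042: 5, 0x0800: 0x01, 0x0900: 0x01, 0x0A00: 3}
WEAP_HANDGUN = {0x0042: 9, 0x0800: 0x02, 0x0900: 0x01, 0x0A00: 3}
WEAP_ROCKET  = {0x0042: 2, 0x0800: 0x0A, 0x0900: 0x01, 0x0A00: 3}
WEAP_ROCKET2 = {0x0042: 6, 0x0800: 0x0A, 0x0900: 0x01, 0x0A00: 3}  # same weapon, later


def find_weapon_address() -> set[int]:
    cands = set(WEAP_KNIFE)                                    # value unknown: start with all
    cands = narrow_changed(cands, WEAP_KNIFE, WEAP_HANDGUN)    # {0x0042, 0x0800}
    cands = narrow_changed(cands, WEAP_HANDGUN, WEAP_ROCKET)   # still {0x0042, 0x0800}
    return narrow_unchanged(cands, WEAP_ROCKET, WEAP_ROCKET2)  # {0x0800}


if __name__ == "__main__":
    print(sorted(hex(a) for a in find_ammo_address()))    # ['0x1f00']
    print(sorted(hex(a) for a in find_weapon_address()))  # ['0x800']
```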

------
RobotCaleb
You can still do the equivalent searching of memory on PC games pretty easily
with <http://www.cheatengine.org/>

