kuntz
/
Gamehacking-Archive
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Gamehacking-Archive/The Secrets of Professional...

12462 lines
539 KiB
HTML
Executable File
Raw Blame History

<!-- saved from url=(0048)https://macrox.gshi.org/The%20Hacking%20Text.htm -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>The Secrets of Professional GameShark(tm) Hacking</title>
<meta content="MSHTML 6.00.2800.1170" name="GENERATOR"><!-- base href="http://gshi.org/faqs/hackv500c.html" --></head><body font="COURIER NEW" alink="#ff0000" link="#0000ff" vlink="#880000">
<pre> ____ ______ ______ THE ______ ______ ____
/ \ | ___| | | _____ | ___| |_ _| / \
| |__| | |__ | |__| | \ | |__ | | | |__|
\ \ | __| | | | | | | __| | | \ \
_\ \ | | | |__ | / | | | | _\ \
| | | | |___ | | | | | \ | |___ | | | | |
\____/ |______| |______| |___|__\ |______| |__| \____/
Of Professional Gameshark(tm) Hacking
_____ 0001110101001110010110100011
..~` a`~~.. 110100000100001000100000101000001
..~` }100000111000110001110001100011111110
-----` /\/\/\/10100011100110000111001100001110011000
`. \\\ | 00010001001111110010011111100100111111100
; \/\/\100100111001100001110011000011101100010
.` ___/01000111000110001110001100011100110010
; ..~~~~```` 11011000100100100101010100100110101001
.` ..``
; ..``
; .`
.-` .`
.-` ,` "The most elaborate, in-depth hacking guide
/ .. . for Game Cheat Devices, ANYWHERE!"
|.-`` `. \
`.|
[Originally By: Kong K Rool* and Macrox]
with additions by [Tolos, DGenerateKane,
HyperHacker, Viper187, and Kenobi]
-----------------------------------------------
<b><i><font size="+1">Table Of Contents</font></i></b>
-----------------------------------------------
<b> Section 1 : <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#section_1">Foreword</a></b><p>
<b>I <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#this_version">This Version</a></b>
<b>II <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whats_new">What's New</a></b>
<b>III <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#coming_soon">Coming Soon</a></b>
<b>IV <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#dedication">Dedication</a></b>
<b>V <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#preface">Preface</a></b>
<b>VI <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#Acknowledgments">Acknowledgments</a></b>
<b> Section 2 : <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#section_2">Hacking</a></b>
<b>VII <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#introduction">Introduction</a></b>
<b>VIII <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hacking_basics">Hacking Basics - Theory</a></b>
</p><ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#know_the_code">Know The Code</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#systems_of_counting">Systems Of Counting Or Number Base</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#offsets">Offsets</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#decimal">Decimal</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#binary">Binary</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#bitwisemath">Bitwise Operations</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hexadecimal">Hexadecimal</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#octal">Octal</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#ascii">ASCII</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#floatingpoints">Floating Points</a>
</li></ul></li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#about_most_gameshark_hackers">About Most GameShark Hackers</a></li>
</ul><b>IX. <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#how_to_guide">How-to Guide - Getting Started</a></b>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#what_do_i_need">What do I need?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#what_do_i_need_to_know">What do I need to know?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#learn_your_shark">Learn Your Shark - Code Types, Buttons and all. </a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_code_types">Nintendo 64 Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#playstation_code_types">Playstation Gameshark Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#psx_xp_code_types">Playstation Xploder/Xplorer Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#ps2_code_types">Playstation 2 Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#dc_code_types">Sega Dreamcast Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#ssaturn_code_types">Sega Saturn Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gameboy_code_types">Gameboy/Gameboy Color Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gsa_code_types">Gameboy Advance Gameshark V1/V2 Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#cba_code_types">Gameboy Advance Codebreaker Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#AR_V3_Code_Types">Action Replay V3 Code Types</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#button_activators">Button Activators - Info &amp; Digits</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#patch_codes">Patch Codes</a>
</li></ul></li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#encryption">Encryption</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#ps2_encryption">Playstation 2 Gameshark Encryption</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#dc_encryption">Sega Dreamcast Encryption</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gba_encryption">Gameboy Advance Encryption</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#xp64_encryption">Xploder/Xplorer N64 &amp; PSX Encryption</a>
</li></ul></li></ul><b>X. <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#the_hacking_begins">How-to Guide - The Hacking Begins</a></b>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#one_small_step_for_man">One Small Step For Man...</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#the_methods">The Methods</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#using_game_trainers">Using Game Trainers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hacking_with_gameshark_pro">Hacking With GameShark Pro - Step by step</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#easy_gspro">Hacking The Easy Stuff</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#int_gspro">Hacking The Intermediate Stuff</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hard_gspro">Hacking The Harder Stuff</a>
</li></ul></li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_enablers">Finding N64 Enable Codes</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_mtc0">Hacking MTC0 Enablers</a>
<a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_mtc02">MTC0 Enablers An Easier Way</a>
<a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_nonmtc0">Hacking Non-MTC0 Enablers</a>
<a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_ffenablers">Finding 'FF' Enablers</a>
</li></ul></li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_emu">N64 Emulator Based Hacking</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_asm">N64 Assembly ("ASM") Hacking</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hacking_gs33">Hack Your Shark!?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hacking_ps2_codes">Hacking Playstation 2 Codes</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hacking_dc_codes">Hacking Sega Dreamcast Codes</a>
</li></ul></li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#code_porter">The online Code Porter</a>
</li></ul><b>XI. <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#the_hacking_begins">How-to Guide - Gameboy Hacking</a></b>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hacking_with_vba">Hacking Gameboy Advance Codes With Visualboy Advance</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gba_size">Gameboy Advance Size Modifiers How-To</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hacking_gameboy_advance_enabler_codes">Finding Gameboy Advance Enable Codes</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#ar3_with_arcrypt">Creating AR V3 Codes Using AR Crypt Beta8c</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gba_non_standard_master">Hacking Non-Standard Master Codes</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gba_asm">Gameboy Advance ASM Tutorial</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gameboy_30_hacking">GameBoy 3.0 Hacking - by Curly9od</a>
<ul><b> Section 3 : <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#section_3">Reference</a> </b></ul>
</li></ul>
<b>XIII. <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#downloads">Downloads</a></b>
<b>XIV. <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gameshark_gameshark_pro_faq">GameShark / GameShark Pro FAQ</a></b>
<b>XV. <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#psx_xplorer_infO">Playstation Xplorer/xploder Information</a></b>
<ul>
<ul><b> Section 4 : <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#section_4">Legal</a> </b></ul>
</ul>
<hr width="800">
<center><b><font size="+1"><a name="section_1">Section 1 : Foreword</a></font></b></center>
<hr width="800">
-----------------------------------------------
<b><i><font size="+1"><a name="this_version">I) This Version</a></font></i></b>
-----------------------------------------------
Version Number: 5.00c
Release Date: 03-25-2003
Edited by Tolos, Viper and macrox
* = aka Parasyte
-----------------------------------------------
<b><i><font size="+1"><a name="whats_new">II) What's New</a></font></i></b>
-----------------------------------------------
<u>03-02-04</u>
minor update:
-Hacking "unhackable" GBA master codes
-Bitwise Operations info
-A little basic info on using COP1 instructions (N64 ASM)
-IcyGuy revamped his Image Mods and GBA Size Mods info
-MAX Crypt, GCN Crypt, and GCN Code Type Helper downloads added
<u>06-27-03</u>
"Secrets..." goes solely HTML!
-XPloder 7K decryption algorithm
-New AR Crypt info added
-Added PS2 encryptor program (javascript)
-Added Z64 and V64 info in the GameShark FAQ
-Added N64 Emulator Based Hacking guide
-Updated N64 ASM Hacking
-Updated the Downloads section
-More Downloads Added
-Image Modifiers
<u>05-31-03</u>
Tons of new info added:
-codetypes updated/added for all systems
-new N64 enabler information
-More complete Button Activator/Joker info
-New method of hacking N64 Button Activators
-Hacking Timer codes
-Quickstart/Skip Into codes
-CPU &lt;&gt; P2 Control Modifier Codes
-New Moon Jump Method
-X/Y/Z Coordinate Modifiers
-Floating Points info
-Encryption information PS2
-AR Crypt for GBA: Program, V3 code types and guide.
-PS2 hacking
-Info on DC hacking
-Huge N64 ASM Guide
-GBA ASM Hacking tutorial
-GBA Size Mods
-Brought the GS FAQ up-to-date
-Greatly expanded the TOC
-Added a few mini-TOCs in places they'll be useful
<u>05-21-03</u>
Tolos finally manages to pull an update together.
-Added PS2 code type info
-GSA and CBA info
-Added N64 control stick activator info.
-Added links in the Table of Contents for easy refernce (HTML version).
<u>01-01-03</u>
Macrox fixed the errata of missing code types for GS and CB GBA.
<u>05-20-02</u>
Tolos assigned new acting editor by macrox.
-Hacking GameBoy Advance enabler codes
-GameBoy Advance code types
-Added a tidbit on hacking debug codes
-Added a section on hacking GameBoy Advance codes.
<u>11-27-01</u>
Interact Accessories affiliation in legal section removed. Reference to
Gameshark removed from work title. The reader is to Infer the term
gameshark, codebreaker and xplorer to mean cheat device where it occurs
in this work. See legal section for proper credit.
<u>04-21-01</u>
-Revised section on N64 and XP code types
-DC code types and buttons.
-Comparison of GameBoy hacking devices
-Reflashing a GameBoy Shark.
-More on hacking enabler codes and forcing high and low mode res
-DC code types: CodeBreaker, Xplorer and Gameshark.
-How to Hack Speed modifiers.
-Update on Keycodes list
-Revised FAQ section.
<u>11-11-00</u>
-Reflashing a corrupted GameShark
-Info on Pelican's new hack device for Game Boy, "Code Breaker"
-Gameboy hacking info courtesy of Curly9od
<u>05-06-00</u>
-How to hack specific codes section appended
-Using the memory editor has been appended
-How to install the pc hacking utilities, hooking the GameShark
to a PC and upgrading (flashing) the GameShark Rom added.
-How to hack enabler codes
-Hacking walk through walls (WTW) codes
-Link to online code porter (when text viewed online).
<u>07-22-99</u>
-New chapter added - Chapter 4 - GameShark / GameShark Pro FAQ.
-New "How-to" added, for the Big Time Hackers.
-Decimal/Hexadecimal conversion formula added.
-"This Version", "What's New" and "Coming Soon" sections added.
-Many new code type prefixes added.
-----------------------------------------------
<b><i><font size="+1"><a name="coming_soon">III) Coming Soon</a></font></i></b>
-----------------------------------------------
Gamecube Hacking
Caetla Code Types
XP64 Code Types
Saturn Emulator Hacking
CodeBreaker2 Code Types
TBA - To be announced topics.
-----------------------------------------------
<b><i><font size="+1"><a name="dedication">IV) Dedication - by Kong K. Rool</a></font></i></b>
-----------------------------------------------
This document, in all its entirety is dedicated to my dad. A very
brilliant man in the computer/science fields. He passed away July 9th of
1999 at the age of 36. May he rest in peace.
- Kong K. Rool (aka Parasyte)
-----------------------------------------------
<b><i><font size="+1"><a name="preface">V) Preface</a></font></i></b>
-----------------------------------------------
First off I want to say, Macrox has semi-retired from the
hacking scene. That left no one to tend this marvelous document. Then Interact
suddenly stopped hosting GSCentral when they learned that their GameBoy Advance
encryption code had been cracked, and the people at GSCentral were creating
codes that worked with the GameBoy Advance GameShark. After GSCentral came
back, we learned we could not use the word GameShark (TM), or have the Hacking
Text displayed.
So I volunteered to host this document. I hope I can do a
good job; as well as Macrox and Parasyte: that is my aim. I also want to thank
macrox, HyperHacker, and DgenerateKane for helping me along.
Happy hacking,
Tolos (Assigned Editor in Chief)
P.S. The Hacking Text has been re-instated on GSCentral. A mirror copy
of this document will be kept on Tolos<6F> web sites. These are the only officially
endorsed sites by macrox on the most up to date versions of the text.<p></p>
- macrox 1-1-2003 (Editor - retired)
-----------------------------------------------
<b><i><font size="+1"><a name="Acknowledgments">VI) Acknowledgments</a></font></i></b>
-----------------------------------------------
Many talented people have contributed to this work over time either directly or indirectly.
To those people we say thank you for all your contributions to the world of video games and
for hacking codes and sharing ideas on how to hack codes.
People whom have shared ideas and contributed information for this
document:
Kong K. Rool (aka Parasyte)
Macrox <a href="mailto:macrox_the_sage@yahoo.com">macrox_the_sage@yahoo.com</a>
Tolos <a href="mailto:tolos_magician@yahoo.com">tolos_magician@yahoo.com</a>
HyperHacker
DGenerateKane
ShadowKnight
Jim Reinhart (GSCentral Founder)
Code Master
Kamek
Freeza
Subdrag
Viper666(187) <a href="mailto:viper@gscentral.com">viper@gscentral.com</a>
Sutaz
james007
Gold64007
Stinky613
Crocc
Zap2
CodeBoy
Savior
Charizard
Dr. Ian
Curly9od
Bleeding Gums Murphy
Kola
FoxDie
ARHQ - our AR PRO replay affiliates.
Kenobi
Icy Guy
Goldenboy
This list goes on and on, we apologize for any omissions of people who gave of
their time to advance the art. The authors want to thank everyone at GSCentral,
Game Shark Zone, Game Shark (Software) Code Creators Club, Gamasutra, Dextrose,
Interact, MadCatz, and Datel for fruitful discussions.
<hr width="800">
<center><b><font size="+1"><a name="section_2">Section 2 : Hacking</a></font></b></center>
<hr width="800">
-----------------------------------------------
<b><i><font size="+1"><a name="introduction">VII) Introduction</a></font></i></b>
-----------------------------------------------
Welcome to the GameShark World. In this document, you will learn several
different ways to hack your own codes. These methods range in degree of
difficulty from easy to difficult and yield various results. As you read
you are encouraged to practice the methods that are described in this
document. This way, you will learn by your activities.
There is more than one way to hack codes. This ranges from guessing, to
a secret hacking system, which not everyone will understand. Again, as you
read, try the ideas mentioned. It has been proven that people learn easier
and faster when they are active in a project.
It is the authors wish that the material presented here meets the
anticipated needs of the reader's wishes to learn to hack GameShark codes.
You might even come up with another variation of these methods to hack
codes. If you do, let us know and we will consider including it in future
versions of this document.
-----------------------------------------------
<b><i><font size="+1"><a name="hacking_basics">VIII) Hacking Basics</a></font></i></b>
-----------------------------------------------
<b><u><i><a name="know_the_code">A) Know the Code</a></i></u></b>
<b><u><i><a name="offsets">Offsets</a></i></u></b>
Offsets(or RAM addresses) are typically found by examination of the game
memory by using advanced hacking equipment such as a GS Pro, Shark Link or
hex viewer on a ROM. Basically, an offset is a "memory holder" in which
it (usually) holds a byte of memory(a two digit hexadecimal code).
If you find an offset that holds the health digits when using a ROM and
hex viewer, you can be certain that it isn't the GS code(if you find the
health at offset "012203" the GS code usually won't be "80012203 FFFF".)
There is less than a 1% chance of finding an offset and it actually being
the code. The reason the offset and the offset digits in a GS code are not
the same is this - There are MANY, MANY offsets which are used to tell the
platform what type of game it is(size, language, title, checksum values,
etc.), and other operation codes which will assign all the offsets to do
what they are meant to do. There are offsets that hold the hex values that
make up the pictures you see in the game, the coordination's of the character
you control, mathematical operations... The list goes on and on... The
header(tells the machine what type of game you're are booting) might take up
all offsets past "012203" itself!
There is a block of info that tells where the quantifier-offsets(the
byte of memory which you change through GS codes begin and which are usually things
such as number of an item you have or level of health you have). This block is
called RAM(Random Access Memory), which does exactly what it says. RAM is
memory that will be changed all throughout its processing. Score and health
are good examples of RAM, the values for both will be changed while you're
game is running. So think of GameShark as a RAM Editor.
More information about offsets is beyond the scope of this document and
will not be included in future editions of this text.
<b><u><i><a name="systems_of_counting">B) Systems of counting or number base</a></i></u></b>
<b><u><i><a name="decimal">B-1) Decimal</a></i></u></b>
Decimal Notation, based on ten digits, is something you already know.
Count to 50 like you normally count. You can count using decimal notation.
<b><u><i><a name="binary">B-2) Binary</a></i></u></b>
Binary, or dual counting, is based on two digits. It's really easy to
understand and use. You'll need to know the following -
There are two characters used in binary - 0,1
(Think of it as a switch).
A "1" means the switch is turned ON.
A "0" means the switch is turned OFF.
That's what binary is, a bunch of switches. I won't go into any more
detail about switches now, but will return to this topic later in the
document.
A four-digit string of code written in binary is called a "word".(this
is also the same in hex[1-digit])
Four Binary Digits(bits - 'BInary digiTS') equals 1 digit hex.
Three bits equals 1 digit octal.
Now that you know that, hex and octal should seem easier to learn. In
this document, we will refer to any and all hex values with "-h" and decimal
values with "-d". So value "100" decimal will read like this - "100-d" and
"64-h". How do you convert from bits to hex and back? Look at this chart -
Hex Binary Hex Binary
0 - 0000 8 - 1000
1 - 0001 9 - 1001
2 - 0010 A - 1010
3 - 0011 B - 1011
4 - 0100 C - 1100
5 - 0101 D - 1101
6 - 0110 E - 1110
7 - 0111 F - 1111
If you notice, there are no more 4-digit combinations of "0,1" left. Now
for the conversion part. Look at the 4 bits, each of the numbers have a
value assigned to them. We will call these values, "Bit Values".
Number in Hex 6
Number in Binary 0110
Bit Value 8421
(The Bit Value will ALWAYS be this! So remember it!)
You are going to learn to convert by using multiplication. Math is a
great tool to use when working with the GameShark.
You can represent the binary word by letting "0110"(8421) = "IJKL" and
thus you get "1xL + 2xK + 4xJ + 8xI" = "L+2K+4J+8I"(in algebraic terms). Now
substitute the binary back in, you would get "1x0 + 2x1 + 4x1 + 8x0" =
"0+2+4+0" which adds up to six. Six is what the hex value was in the
beginning.
To convert back to binary, use the formula "L+2K+4J+8K", find the
numbers, which add up to six. In this case, "4 and 2". Remember, "IJKL" = the
bit value. Then substitute the binary back in - "1x0 + 2x1 + 4x1 + 8x0" =
"0110".
Why do that when there's an easier way? Because there is no use in
converting when you don't understand why it is done in that way. You will
learn an easier way soon, in fact, make one up!
Octal conversions are the same as hex-to-bit. Only, octal goes up to
"7". So the bit value looks like this -
Octal 3
Binary 011
Bit value 421
The Bit Value will NEVER change. The bit value is actually the value
assigned for each bit. If you have an 8-bit value, the bit value would look
like this -
(128)(64)(32)(16)(8)(4)(2)(1)
Notice that every time a new bit is added(to the beginning, no doubt),
the last bits' value will double. Further explanation is beyond the scope of
this text.
To convert between hex and decimal, use this formula -
yz = 2-digit value hex
(when) z = "A-hex", A = "10-dec"
(when) z = "B-hex", B = "11-dec"
(when) z = "C-hex", C = "12-dec"
(when) z = "D-hex", D = "13-dec"
(when) z = "E-hex", E = "14-dec"
(when) z = "F-hex", F = "15-dec"
(if) z = #, skip next step
z-hex = z-dec, z-dec = q
(if) y = #, skip next step
y-hex = y-dec, y-dec = r
y*6 = s
yz+s = yz-dec
This looks confusing, I know, but I'll explain it as if I were talk to a
10-year-old child.
First, "yz" represents a 2-digit hex value. Our value will be
"64"(y=6, z=4). When "z" is an "A", A equals "10-d". Understand that so far?
If "z"(in the 'yz' hex value) is a number, skip the next step(4 is a number,
so we skip this next step). Transfer "z" to decimal(look at the "when's").
If "y" is a number, skip the next step(6 is also a number, we skip the next
step). Transfer "y" to decimal(look at the "when's"). Multiply value "y"
by 6, the factor is "s". 6*6 = 36, s=36. Add value yz and value s.
64+36 = 100 64-h = 100-d.
Now let's do it short-hand -
"yz" = C8
C = 12, yz = (12)8
12*6 = 72
(12)8 + 72 [7]2 -- 72-d
+(12)8 -- C8-h
------
[20]0 -- 200-d
C8 = 200
If this doesn't make sense, I didn't explain it well enough. It is
important to understand how to do the number base conversions before
continuing. If you do not understand, the reader is encouraged to review the
material already presented.
<b><i><u><a name="bitwisemath">B-3) Bitwise Operations</a></u></i></b>
You may hear about "Bitwise Operators" and wonder what some of them
actually do. They're used for doing binary math, for lack of a better
explanation.
<i><u>&amp; (AND)</u></i>
The AND operation can best be understood like addition.. only there's no
adding or carrying involved... really the only similarity is that you work
with each digit the same as you do with addition...
Like this:
1000
+0001
------
1001
Just add each digit downward. Well, AND requires you to work with each digit
downward as well. Here are the rules:
1 &amp; 1 = 1
1 &amp; 0 = 0
0 &amp; 1 = 0
0 &amp; 0 = 0
That means the result will be a 1 ONLY if both comparing digits are 1
Think of it as true and false.. if TRUE &amp; TRUE, then TRUE.
1100
&amp;1010
------
1000
Starting from the left-most digits, 0 &amp; 0 = 0, 0 &amp; 1 = 0, 1 &amp; 0 = 0,
1 &amp; 1 = 1.... and there's your result.
You can use bitwise AND for a technique called MASKING. Masking allows you to
strip certain bits, while saving others. Say you wanted to strip the upper
nybble of a byte, and save only the lower nybble... Well, you AND that byte
with 00001111b. When you do that, the upper 4 bits will be completely stripped,
because 0 &amp; anything is always equal to 0 and the lower four bits will copied
over directly, because 1 &amp; anything = bits that were set. This can be useful
when dealing with hex numbers as well. Say you have AC1B02FF and you want the
lower four bits for some reason. AC1B32ED AND 0000FFFF = 000032ED
<i><u>| (OR)</u></i>
When using OR, TRUE or anything = TRUE
The rules:
1 OR 1 = 1
1 OR 0 = 1
0 OR 1 = 1
0 OR 0 = 0
OR is used to set bits... whereas AND is used to clear. So, if you wanted to
set the least significant bit, your could do "BYTE OR 00000001"
<i><u>XOR</u></i>
XOR means EXCLUSIVE OR. it's purpose is to inverse bits.
The rules:
1 XOR 1 = 0
1 XOR 0 = 1
0 XOR 1 = 1
0 XOR 0 = 0
Pretty simple here... it works just like OR, with the exception that
1 XOR 1 = 0. Say you have a flag, and you want to toggle it on and off. You
can do "VAR XOR 00000001" and it will inverse it; it will turn it on if it's
off, or it will turn it off if it's on. That's much easier than doing "if VAR =
0 then VAR = 1, else if VAR = 1 then VAR = 0." Just a simple XOR operation and
you're done. Much faster.
<i><u>NOT</u></i>
NOT works EXACTLY like XOR with the mask completely filled with 1's NOT will
inverse the variable completely. All 1's are changed to 0 in the result, and
all 0's are changed to 1 in the result
10101010 XOR 11111111 = 01010101
NOT 10101010 = 01010101
What's the difference?
As you can see, NOT does not have a mask... so you just say "NOT VAR" and you
know it's the same as "VAR XOR 11111111"
The difference could be speed. Especially in assembly, where you might have
to load 0xFFFFFFFF into a register to perform the XOR; you could just do a
simple NOT instead.
Inversing is great because you can negate numbers with it NOT VAR + 1 = -VAR
Take for example...
NOT 00000001 = 11111110
11111110 + 1 = 11111111
and of course, 11111111 = FF, FF is -1
<i><u>&lt;&lt; (Left Shift)</u></i>
Shifting left works like multiplication when you shift left, all right-most
bits get shifted over to the left, and 0's get shifted into the blank spaces.
Here are some examples:
00111111 &lt;&lt; 2 = 11111100
00000001 &lt;&lt; 3 = 00001000
10000000 &lt;&lt; 1 = 00000000
Just shifting digit places. So, shift left by 1 is the same as multiplying by
2, left shift by 2 is the same as multiplying by 4. shift left by 3 is the
same as multiplying by 8, etc. Left shit works best as a means to multiply by
a power of 2. 2^1 = 2, 2^2 = 4, 2^3 = 8, etc. Shift left x is the same as
multiply by 2^x.
<i><u>&gt;&gt; (Right Shift)</u></i>
Right shift works the same, only opposite, so it's like dividing. When right
shifting, bits shifted off of the right side are completely lost, and bits
shifted in from the left come in as 0. Well, they usually shift in as 0 when
right shifting. In MIPS, you may have noticed "Shift Right Arithmetic (SRA)"
and "Shift Right Logical (SRL)." Shifting right logical will ALWAYS shift 0's
into the new spaces. Shifting right arithmetic will shift the MSB (most
signifigant bit) into the new spaces. The MSB is treated as a sign bit with
arithmetic right shift. That's a way to preserve the sign when you divide a
negative number.
Here are some examples...
SRA = Shift Right Arithmetic, SRL = Shift Right Logical:
10000000,00000000,00000000,00000000 SRA 4 =
11111000,00000000,00000000,00000000
10000000,00000000,00000000,00000000 SRL 4 =
00001000,00000000,00000000,00000000
<b><i><u><a name="hexadecimal">B-4) Hexadecimal</a></u></i></b>
Hexadecimal is a programming 'language' you must know in order to hack
GameShark codes. So, what is it? Hex is what your GameShark codes are
written in. There are sixteen characters used in a GS code. The characters
are as follows -
0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F
Let's learn to count in hex. If you look above, you'll see how to count
to fifteen in hex. What's sixteen? "10-h" is sixteen. By the way, don't say
"ten," say, "one, zero" for '10-h'. Let's see what you've learned.
What comes after 19?
What comes after 3F?
If you said, "1A" for question #1, that is correct.
If you said, "40" for question #2, you should know how to count in hex!
<b><u><i><a name="octal">B-5) Octal</a></i></u></b>
Octal is just another way to write binary(like hex), but octal
words are longer than hex words. What you've already read is enough to know
about octal. You do not need to know octal to hack GS codes.
<b><u><i><a name="ascii">B-6) ASCII</a></i></u></b>
ASCII is what you are looking at right now. ANYTHING that can be typed
on the keyboard is ASCII. ASCII is useful to know when hacking in my secret
way. It is also useful for using the text editor search option in hacking
devices such as the GameShark PRO. You don't need to know the assignments for
ASCII characters(although you might need to know them when hacking text editing
codes).
<b><u><i><a name="floatingpoints">B-7) Floating Points</a></i></u></b>
Floating Points are a hexidecimal representation of "real numbers", usually
following the IEEE-754 standard. This could be considered an advanced topic, if
nothing else, because even some long time hackers I've mentioned it to have
never heard of them. However, even those who haven't heard of them, have
most likely dealt with them in one game or another. To put it in the simplest
terms possible: Floating Points are numbers with decimal points. 100.0 and 100
are common values used by games to represent your max health. The difference is
100 is 64 in hex; 100.0 is 42C80000 in hex.
In hacking terms, Floating Points can make it difficult to find some things,
if you're only using 8-Bit comparisons. I'm not saying 32-Bit comparisons are
required though. Most things that use Floating Points are still found by 16-bit
searches.
So how can you convert those hex values like 42C80000 to their decimal form?
This is a question I've been asking for a while now. I'm told it involves advanced
math functions like Shifts and XORs. Don't get worried though. As with most things
that require much thinking, somebody wrote a program to do the conversions for us.
You can get FloatConvert <a href="http://www.gscentral.com/lib/downloads/FloatConvert.zip">here</a>. Nobody really knows who wrote this, but I thank that
person whoever they are.
It's not required you know anything about Floating Points to hack most codes,
but they are a major part of games and certain, more advanced, code types can be
harder to find if don't have a little understanding of this.
<b><u><i><a name="about_most_gameshark_hackers">C) About Most GameShark Hackers</a></i></u></b>
Most hackers use more than one way to hack. Most know programming
languages such as binary/hex/octal, HTML and Perl, scripting languages, R300
Instruction sets, etc. HTML and Perl is included here because many hackers
want to use this language to create a website that has all their codes displayed.
You don't need to learn many of the things other than binary and hexadecimal
to "hack better than the Pros."
Here are some ways you can hack(1 star[*] by the name is easy,
2 is harder, etc.) -
Guessing****
This isn't easy, because you don't always find a code this way.
It's not only troublesome, but risky at some times. Some guessed
codes can corrupt game data and corrupt hacking devices.
Modifying Codes*
One of the easiest things to do. Change a number on an existing
code, you make a new code. (Only works when you have a basis[base
code] to work with.) This technique was and still is widely used.
Looking At The Source[Code]***
Hard, but most effective. Worth a shot. This technique requires the
reader to have a working knowledge of dissembler programs and is
currently beyond the scope of this work.
Using Hacking Equipment* - ***(Code Generators; i.e. GS PRO)
Another way to get codes. It might not be very easy, but it
doesn't take much time. Plus, it's the second most effective way
to hack. Can be used to get easy to hard code types.
Porting**
Porting is taking a code from one version of a game, and making it
work on another version of that same game. This does not always
work. The reason is the same reason that they make more than one
version. Possibly to fix a minor bug. So the offsets will be in a
higher or lower position, or even moved to a totally different
location. You can use the "GS Code Porter"(available at GameShark
Central) to port any code for you. Hence you can make a code
before anyone else gets the chance! See FAQ section.
Combination Hacking* - ***
All you need to do is hack using two or more methods at once, for a
greater chance of finding a code.
(!!!!!There is a slight risk of loosing saved data on your GS
when turning the system on and off while guessing or modifying
codes.)
-----------------------------------------------
<b><i><font size="+1"><a name="how_to_guide">IX) How-to Guide - Getting Started</a></font></i></b>
-----------------------------------------------
<b><u><i><a name="what_do_i_need">A) What do I need?</a></i></u></b>
You need a Game Platform(N64, PSX, Dreamcast, Game Boy, etc.), you need a
game to hack, and you need a GameShark,GameShark PRO or GameShark CDX and/or
other hacking devices such as the Blaze Xplorer/Xploder or Pelican CodeBreaker.
You will also need other things to hack in other ways such as a hex editor and
calculator can do hex math or perhaps an emulator that can capture memory dumps
or can do game saves all of which can be analyzed later by some hex editor
program. A will to learn, basic math skills, patience, endurance, practice and
this using this document are the things you need.
<b><u><i><a name="what_do_I_need_to_know">B) What do I need to Know?</a></i></u></b>
If you've managed to read everything above, then you know about basis of
everything you'll need to know about hacking. The remainder is learning
to use hacking equipment and the software for it and to master the basics as
presented here and then from there to be resolved to try as best you can to
hack the harder code types.
<b><u><i><a name="learn_your_shark">C) Learn Your "Shark" and code types</a></i></u></b>
There are a few things you'll need to know about your GameShark before
we begin hacking. You'll discover how the GameShark codes work.
This is the layout of all N64/PSX 'Shark codes -
XXYYYYYY ZZZZ
This is the layout of all GB 'Shark codes -
XXZZYY-YY This format is called endian. Most Memory ram dumps are
in this format. The GB Gameshark rewrites the code to reversed endian
format as XXZZYYY. The Pelican CodeBreaker uses unencrypted endian format.
The Xploder uses both encrypted and decoded reverse endian formats.
"X" digits is the 'prefix', used to tell the GS what kind of code
you are using.
"Y" digits are the 'Offset Digits', used to locate the offset digits
you want to change.
"Z" digits are the 'Quantity Digits', used to change the quantity of
the chosen offset.
The reason there is a hyphen between the Y's in the GB code layout is
because the Y's are actually set up backwards. The first two Y's should be
behind the second two. Of course, you only need to know this if you are
going to use my hacking method... You ARE going to try it, right?
<b><u>Note:</u></b>
GameShark and Action Replay code types are the same.
<table border="1" cellpadding="7" cellspacing="2" width="700"><tbody><tr><td style="text-align: center;" colspan="3"><nobr><b><i><a name="#n64_code_types">Nintendo 64 Code Types</a></i></b></nobr></td>
<td><nobr>Compatibility</nobr> </td></tr><tr><td><nobr><i>8-bit Constant Write</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Constantly writes the value specified by YY to address XXXXXX.
This and its 16-Bit counterpart below are the most used code types on N64. You'll probably be making
most of your new codes with them. &nbsp;<br>&nbsp;
</td><td rowspan="2">GS/XP64</td></tr><tr><td><nobr>80XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr></nobr></td></tr><tr><td><nobr><i>16-bit Constant Write</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>
Constantly writes the 16-Bit value specified by YYYY to address XXXXXX. &nbsp;<br>&nbsp;
</td><td rowspan="2">GS/XP64</td></tr><tr>
<td><nobr>81XXXXXX YYYY </nobr></td></tr><tr><td><nobr></nobr></td></tr><tr>
<td><nobr><i>8-bit Uncached Write</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Constantly writes the value specified by YY to the uncached address XXXXXX. &nbsp;<br>&nbsp;
</td><td rowspan="2">GS/XP64</td></tr><tr>
<td><nobr>A0XXXXXX 00YY </nobr></td></tr><tr><td><nobr></nobr></td></tr><tr>
<td><nobr><i>16-bit Uncached Write</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Constantly writes the 16-Bit value specified by YYYY to the uncached address XXXXXX. &nbsp;<br>&nbsp;</td><td rowspan="2">GS/XP64</td></tr><tr>
<td><nobr>A1XXXXXX YYYY </nobr></td></tr><tr><td><nobr></nobr></td></tr><tr>
<td><nobr><i>8-bit GS Button</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Writes the value YY to address XXXXXX ONLY when the GS Button is pressed. &nbsp;<br>&nbsp;</td><td rowspan="2">GS/XP64</td></tr><tr>
<td><nobr>88XXXXXX 00YY </nobr></td></tr><tr><td><nobr></nobr></td></tr><tr>
<td><nobr><i>16-bit GS Button</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>16bit version of the above. Writes the value YYYY to address XXXXXX ONLY when the GS Button is pressed. &nbsp;<br>&nbsp;</td><td rowspan="2">GS/XP64</td></tr><tr>
<td><nobr>89XXXXXX YYYY </nobr></td></tr><tr><td><nobr></nobr></td></tr><tr>
<td><nobr><i>8-Bit Equal To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is equal to YY. &nbsp;<br>&nbsp;</td><td rowspan="2">GS/XP64</td></tr><tr>
<td><nobr>D0XXXXXX 00YY<br>ZZZZZZZZ ZZZZ<br></nobr></td></tr><tr>
<td><nobr><i>16-Bit Equal To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Same as above, only it reads a 16bit value. GS Pro 3.0+ ONLY! &nbsp;<br>&nbsp;</td><td rowspan="2">GS/XP64</td></tr><tr>
<td><nobr>D1XXXXXX YYYY<br>ZZZZZZZZ ZZZZ<br></nobr></td></tr><tr>
<td><nobr><i>8-Bit Different To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is NOT equal to YY. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 3.0+</td></tr><tr>
<td><nobr>D2XXXXXX 00YY<br>ZZZZZZZZ ZZZZ<br></nobr></td></tr><tr>
<td><nobr><i>16-Bit Different To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Same as above, only it reads a 16bit value. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 3.0+</td></tr><tr><td><nobr>D3XXXXXX YYYY<br>ZZZZZZZZ ZZZZ<br></nobr></td></tr><tr>
<td><nobr><i>Disable Expansion Pack</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Keeps the game from using the expansion pack if it is present.
Also used on some older non-expansion pack games to increase compatibility with the code generator. &nbsp;<br>&nbsp;</td><td rowspan="2">GS Pro 3.2+</td></tr><tr>
<td><nobr>EE000000 0000<br></nobr></td></tr><tr>
<td><nobr><i>Disable Expansion Pack</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Disabled the expansion pack (if present) using a secondary method. &nbsp;<br>&nbsp;</td><td rowspan="2">GS Pro 3.2+</td></tr><tr>
<td><nobr>DD000000 0000<br></nobr></td></tr><tr>
<td><nobr><i>Disable Expansion Pack</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Disabled the expansion pack (if present) using a 3rd method. &nbsp;<br>&nbsp;</td><td rowspan="2">GS Pro 3.2+</td></tr><tr>
<td><nobr>CC000000 0000<br></nobr></td></tr><tr>
<td><nobr><i>Enable Code</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Tells the GameShark where the value "3C0880" is in the RAM. This type of code does not write a value to the given address. It sets the entry point which the GS will use to start the game. Games which require that code have a specific protection chip which will set the entry point upon booting the N64. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 1.08+</td></tr><tr>
<td><nobr>DEXXXXXX 0000<br></nobr></td></tr><tr>
<td><nobr><i>Enable Code / 8-Bit Write Once</i>
</nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Tells the GameShark what address is causing malfunction with it, and writes the supplied value to that address.
Writes the value YY to the address XXXXXX once on boot. F0\F1 codes write to RAM before starting the game. This way, the codes take effect before the code handler is executed. &nbsp;<br>&nbsp;</td><td rowspan="2">GS Pro 3.0+ / XP64</td></tr><tr>
<td><nobr>F0XXXXXX 00YY<br></nobr></td></tr><tr>
<td><nobr><i>Enable Code / 16-Bit Write Once</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>16-Bit version of the above. &nbsp;<br>&nbsp;</td><td rowspan="2">GS Pro 3.0+ / XP64</td></tr><tr>
<td><nobr>F1XXXXXX YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Set Store Location For Active Codes</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Sets the location in RAM where active codes are stored. Usually only used on games that utilize the expansion pack. &nbsp;<br>&nbsp;</td><td rowspan="2">GS Pro 3.3+</td></tr><tr>
<td><nobr>FFXXXXXX 0000<br></nobr></td></tr><tr>
<td><nobr><i>Enable Code - Xploder64</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>The same as an F1 enabler on GS Pro. &nbsp;<br>&nbsp;
</td><td rowspan="2">XP64</td></tr><tr>
<td><nobr>2AXXXXXX YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Enable Code - Xploder64</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>The exact use of this code type
is unknown as of now. &nbsp;<br>&nbsp;</td><td rowspan="2">XP64</td></tr><tr>
<td><nobr>3CXXXXXX YYYY<br></nobr></td></tr><tr><td><nobr><i>Patch Code</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>
Patch codes, aka Serial Repeaters, are used to make a code string shorter. EG, You have five codes put together to give you "all weapons." Use the patch to shorten it to two codes.
XX is the number of addresses to write; YY is the amount (offset) to add to each address; ZZ is the amount to add to each value. &nbsp;<br>&nbsp;</td><td rowspan="2">GS Pro 3.3+</td></tr><tr>
<td><nobr>5000XXYY 00ZZ<br>TTTTTTTT VVVV<br></nobr></td></tr></tbody></table>
<table border="1" cellpadding="7" cellspacing="2" width="700"><tbody><tr><td style="text-align: center;" colspan="3"><nobr><b><i><font size="+1"><a name="playstation_code_types">Playstation Code Types</a></font></i></b></nobr> </td><td><nobr>Compatibility</nobr> </td></tr><tr><td colspan="4"><font size="+1"><div align="center">GameShark</div></font></td></tr><tr>
<td><nobr><i>8-bit Constant Write</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Constantly writes the value specified by YY to address XXXXXX. This and its 16-bit counterpart below are the most used code types on PSX. You'll probably be making most of your new codes with them. &nbsp;<br>&nbsp;</td><td rowspan="2">GS x.x</td></tr><tr>
<td><nobr>30XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>16-bit Constant Write</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Constantly writes the value specified by YY to address XXXXXX. This and its 16-bit counterpart below are the most used code types on PSX. You'll probably be making most of your new codes with them. &nbsp;<br>&nbsp;</td><td rowspan="2">GS x.x</td></tr><tr>
<td><nobr>80XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>8-bit Equal To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is equal to the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>E0XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>8-bit Different To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is different to the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>E1XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>8-bit Less Than Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is less than the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>E2XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>8-bit Greater Than Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is greater than the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>E3XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>16-bit Equal To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is equal to the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS x.x</td></tr><tr>
<td><nobr>D0XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>16-bit Different To Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is different to the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>D1XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>16-bit Less Than Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is less than the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>D2XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>16-bit Greater Than Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When the value for the given address is greater than the supplied value, activate the following code. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>D3XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>16-bit Universal Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Same as D0 except not RAM dependent. More easily used as a button activator. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.41+</td></tr><tr>
<td><nobr>D4000000 YYYY </nobr></td></tr><tr>
<td><nobr><i>16-bit All-code Button Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When buttons pressed equal YYYY then activate all codes. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.41+</td></tr><tr>
<td><nobr>D5000000 YYYY </nobr></td></tr><tr>
<td><nobr><i>16-bit Universal De-Activator</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>When buttons pressed equal YYYY then de-activate all codes. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.41+</td></tr><tr>
<td><nobr>D6000000 YYYY </nobr></td></tr><tr>
<td><nobr><i>16-bit Increment Value</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Add value(16-bit) code. Use with D/E activators. Example -<br>(adds value "1007" to address "001221" when address "110012" equals value "5")<br>D0110012 0005<br>10001221 1007 &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>10XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>16-bit Decrement Value</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Subtract value(16-bit) code. Use only with D/E activators. Example -<br>(subtracts value "102" from address "001221" when address "110012" equals value "6")<br>D0110012 0006<br>11001221 0102 &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>11XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>8-bit Increment Value</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Add value(8-bit) code. Use with D/E activators. Example -<br>(adds value "7" to address "001221" when address "110012" equals value "5")<br>D0110012 0005<br>20001221 0007 &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>20XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>8-bit Decrement Value</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Subtract value(8-bit) code. Use only with D/E activators. Example -<br>(subtracts value "2" from address "001221" when address "110012" equals value "6")<br>D0110012 0006<br>21001221 0002 &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>21XXXXXX 00YY </nobr></td></tr><tr>
<td><nobr><i>Patch Code</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Patch codes, aka Serial Repeaters, are used to make a code string shorter. EG, You have five codes put together to give you "all weapons." Use the patch to shorten it to two codes. XX is the number of addresses to write; YY is the amount (offset) to add to each address; ZZ is the amount to add to each value. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.41+</td></tr><tr>
<td><nobr>5000XXYY 00ZZ<br>TTTTTTTT VVVV<br></nobr></td></tr><tr>
<td><nobr><i>Activate All Codes</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Works like the D0/E0 code type, but affects ALL codes. Use as an (M) Must Be On if the game won't load with codes turned on. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.2+</td></tr><tr>
<td><nobr>C0XXXXXX YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Activate All Codes On Delay</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Works like the D0/E0 code type, but affects ALL codes. This is like a timer. A value of around 4000 or 5000 will usually give you a good 20-30 second delay before codes are activated. Use as an (M) Must Be On if the game won't load with codes turned on. &nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.41+</td></tr><tr>
<td><nobr>C1000000 YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Copy Bytes</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Copy's YYYY bytes from location XXXXXX to location ZZZZZZ. <br>Example use would be:<br>C2040450 0008<br>80040680 0000<br>That would copy 8 bytes from 40450 to 40680.<br>&nbsp;<br>&nbsp;</td><td rowspan="2">GS 2.41+</td></tr><tr>
<td><nobr>C2XXXXXX YYYY<br>80ZZZZZZ 0000 </nobr></td>
</tr><tr>
<td colspan="4"><div align="center"><font size="+1">Xplorer/Xploder</font> -- <a name="#psx_xp_code_types">see explorer FAQ for more info</a></div></td></tr><tr>
<td><nobr><i>8-bit Constant Write</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Writes value YY to address XXXXXX. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>30XX XXXX 00YY<br></nobr></td></tr><tr>
<td><nobr><i>16-bit Constant Write</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Writes value YYYY to address XXXXXX. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>80XX XXXX YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Slow Motion Code</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Delays CPU by X per cycle. Best used with activator. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>4000 0000 000X<br></nobr></td></tr><tr>
<td><nobr><i>Text Replace Code</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Writes any number of bytes ZZ to address XXXXXX. YYYY is the number of bytes to write. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>50XX XXXX YYYY<br>ZZZZ ZZZZ ZZZZ<br>ZZZZ ZZ.. ....<br></nobr></td></tr><tr>
<td><nobr><i>Do on Event Code</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>CPU breaks at address AAAAAAAA; YYYY is number of bytes used (XX's); FFFFFFFF is the break point mask; CCCC is the type of break point, which can be E180 (instruction gotton by CPU but not yet implemented), EE80 (data to be read or written), E680 (data to be read), EA80 (data to be wrtten) or EF80 (instruction). &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>6000 0000 YYYY<br>AAAA AAAA CCCC<br>FFFF FFFF XXXX<br>XXXX XXXX XXXX<br></nobr></td></tr><tr>
<td><nobr><i>Do-if-True Code</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>If address XXXXXX is equal to value YYYY execute following code. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>70XX XXXX YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Do-if-False Code</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>If address XXXXXX is not equal to value YYYY execute following code. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>90XX XXXX YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Patch Code</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>nn is the number of repetitions (plus one); AAAA is the size of the address step; BBBB is the increase in the data value per step; XXXXXX is the initial address; YYYY is the inital value. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>B0nn AAAA BBBB<br>10XX XXXX YYYY<br></nobr></td></tr><tr>
<td><nobr><i>Do-if-True Code (c-code)</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Same as 7-code, but only functions from 0010 0000 to 01FF FFFF. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr>
<td><nobr>C0XX XXXX YYYY<br></nobr></td></tr><tr><td><nobr><i>Do-if-True Code (d-code)</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Same as 7-code. but only functions from 0000 0000 to 000F FFFF. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr><td><nobr>D0XX XXXX YYYY<br></nobr>
</td></tr><tr><td><nobr><i>Auto-Activating Code</i></nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>
Automatically activates other selected codes if address XXXXXX is equal to YYYY. &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr><td><nobr>F0XX XXXX YYYY </nobr>
</td></tr><tr><td><nobr><i>32-Bit Constant Write</i></nobr> </td><td colspan="2" rowspan="2">&nbsp;<br>
32-bit constant write to XXXXXX address (0000YYYY) &nbsp;<br>&nbsp;
</td><td rowspan="2">Xplorer</td></tr><tr><td><nobr>00XX XXXX YYYY </nobr>
</td></tr><tr><td><nobr></nobr></td></tr></tbody></table>
<table border="1" cellpadding="7" cellspacing="2" width="700"><tbody><tr><td style="text-align: center;" colspan="2"><nobr><b><i><font size="+1"><a name="PS2_code_types">Playstation 2 Code Types</a> - Courtesy hellion (<a href="http://hellion00.thegfcc.com/">hellion00.thegfcc.com</a>)</font></i></b></nobr></td></tr><tr><td colspan="2"><i>Note that all the code types below are in RAW form. RAW codes must be encrypted to work on the Gameshark<72> for Playstation 2.</i></td></tr><tr><td><nobr><i>8-bit Constant Write</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command will constantly write the value <br>specified by dd to the address specified by aaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>0aaaaaaa 000000dd </nobr></td></tr><tr><td><nobr><i>16-bit Constant Write</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command will constantly write the value <br>specified by dddd to the address specified by aaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>1aaaaaaa 0000dddd </nobr></td></tr><tr><td><nobr><i>32-bit Constant Write</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command will constantly write the value <br>specified by dddddddd to the address specified by aaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>2aaaaaaa dddddddd </nobr></td></tr><tr><td style="text-align: center;" colspan="2"><b>Increment/Decrement Commands</b> </td></tr><tr><td><nobr><i>8-bit Increment</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command adds the value specified by nn to <br>the value stored at the address aaaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>301000nn aaaaaaaa </nobr></td></tr><tr><td><nobr><i>8-bit Decrement</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command subtracts the value specified by nn <br>to the value stored at the address aaaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>302000nn aaaaaaaa </nobr></td></tr><tr><td><nobr><i>16-bit Increment</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command adds the value specified by nnnn to <br>the value stored at the address aaaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>3030nnnn aaaaaaaa </nobr></td></tr><tr><td><nobr><i>16-bit Decrement</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command subtracts the value specified by nnnn <br>to the value stored at the address aaaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>3040nnnn aaaaaaaa </nobr></td></tr><tr><td><nobr><i>32-bit Increment</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command adds the value specified by nnnnnnnn <br>to the value stored at the address aaaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>30500000 aaaaaaaa<br>nnnnnnnn 00000000 </nobr></td></tr><tr><td><nobr><i>32-bit Decrement</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>This command subtracts the value specified by nnnnnnnn <br>to the value stored at the address aaaaaaaa. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>30600000 aaaaaaaa<br>nnnnnnnn 00000000 </nobr></td></tr><tr><td style="text-align: center;" colspan="2"><b>Test Commands</b> </td></tr><tr><td><nobr><i>16-bit Equal</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is equal to the value specified by dddd will the next <br>line of code be executed. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Daaaaaaa 0000dddd </nobr></td></tr><tr><td><nobr><i>16-bit Not Equal</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is not equal to the value specified by dddd will the <br>next line of code be executed. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Daaaaaaa 0010dddd </nobr></td></tr><tr><td><nobr><i>16-bit Less Than</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is less than the value specified by dddd will the next <br>line of code be executed. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Daaaaaaa 0020dddd </nobr></td></tr><tr><td><nobr><i>16-bit Greater Than</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is greater than the value specified by dddd will the <br>next line of code be executed. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Daaaaaaa 0030dddd </nobr></td></tr><tr><td><nobr><i>16-bit Equal : Multiple Skip</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is equal to the value specified by dddd will the next nnn <br>lines of code be
executed. Otherwise, they will be skipped. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Ennndddd 0aaaaaaa </nobr></td></tr><tr><td><nobr><i>16-bit Not Equal : Multiple Skip</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is not equal to the value specified by dddd will the next <br>nnn lines of code be executed. Otherwise, they will be skipped. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Ennndddd 1aaaaaaa </nobr></td></tr><tr><td><nobr><i>16-bit Less Than : Multiple Skip</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is less than the value specified by dddd will the next <br>nnn lines of code be executed. Otherwise, they will be skipped. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Ennndddd 2aaaaaaa </nobr></td></tr><tr><td><nobr><i>16-bit Greater Than : Multiple Skip</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Only when the value at the address specified by aaaaaaa <br>is greater than the value specified by dddd will the next <br>nnn lines of code be executed. Otherwise, they will be skipped. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Ennndddd 3aaaaaaa </nobr></td></tr><tr><td style="text-align: center;" colspan="3"><b>Miscellaneous Commands</b> </td></tr><tr><td><nobr><i>Copy Bytes (GS2 v2.0 or higher)</i><br></nobr></td><td rowspan="2"><br>&nbsp;<br>a = Address to copy from<br>b = Address to copy to<br>n = Number of bytes to copy <br><br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>5aaaaaaa nnnnnnnn<br>bbbbbbbb 00000000<br></nobr></td></tr><tr><td><nobr><i>32-bit Multi-Address Write</i> </nobr></td><td rowspan="2"><br>&nbsp;<br>Starting with the address specified by aaaaaaa, this code will <br>write to xxxx addresses. The next address is determined by <br>incrementing the current address by (yyyy * 4). The value <br>specified by dddddddd is written to each calculated address. Also known as a "Patch Code." <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>4aaaaaaa xxxxyyyy<br>dddddddd 00000000 </nobr><nobr></nobr></td></tr><tr><td colspan="3"><b>Untested Commands</b> </td></tr><tr><td>3000nnnn dddddddd aaaaaaaax(n-1) </td><td>32-bit Multiple Address Write? <br></td></tr><tr><td>8aaaaaaa bbbbbbbb cccccccc 00000000 </td><td>Master Command <br></td></tr><tr><td>Aaaaaaaa dddddddd </td><td>32-bit Write Once? <br></td></tr><tr><td>B0000000 nnnnnnnn </td><td>Timer Command <br></td></tr><tr><td>Caaaaaaa dddddddd </td><td>32-bit Equal? <br></td></tr><tr><td>Faaaaaaa bbbbbbbb </td><td>Master Command <br></td></tr><tr><td>DEADFACE xxxxxxxx</td><td>"DEADFACE" Master Command - changes encryption seeds<br><xmp></xmp></td></tr></tbody></table>
<!-- Begin DC code types ============================================================================== -->
<table border="1" cellpadding="7" cellspacing="1" width="700"><tbody><tr><td style="text-align: center;" colspan="3"><nobr><b><i><font size="+1"><a name="#dc_code_types">Sega Dreamcast Code Types</a></font></i></b></nobr></td></tr><tr><td colspan="3"><i>The following are what decrypted or raw code types look like. Xploder and Codebreaker use this format. Gameshark uses an encrypted format for the first line of the code (the address) while all use the second line as is (offset or quantifier). Dreamcast has 32 bit codes. These codes will require 8 digits for the offset and 8 digits for the quantifier, 2^32= FFFFFFFF in hex. Example, XXYYYYYY ZZZZZZZZ.<br><br><b><u>Note:</u></b> It is not unusual for manufacturers of cheating devices to encrypt their codes. Fire International (Blaze USA) has encrypted codes in both its N64 and Game Boy Xploder/Xplorer, while Interact has employed encryption in its DC Shark, GameBoy Advance Shark, and Playstation 2 Shark. If the code begins with a '0', then it is in decrypted format. As in any encryption there always is a crack to defeat it. Codebreaker and Xploder both have the built in ability to accept DC gameshark codes in decipher them. It is left to the reader to explore the decryption further. </i></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>Code Value</p></font></td><td valign="top" width="76%"><b><font face="Courier New" size="2"></font></b><p><b><font face="Courier New" size="2">Description</font></b></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>00xxxxxx</p><p>000000vv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Write 8bit (byte) value "vv" to memory address 8cxxxxxx. That is, 8 bit constant write.</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>01xxxxxx</p><p>0000vvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Write 16bit (2byte) value "vvvv" to memory address 8cxxxxxx. That is, 16 bit constant write.</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>02xxxxxx</p><p>vvvvvvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Write 32bit (4byte) value "vvvvvvvv" to memory address 8cxxxxxx. That is, 32 bit constant write.</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>0300nnnn</p><p>aaaaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>Group write code. nn specifies how many 32 bit values follow. aaaaaaaa is the addrsss to write to. The values following this code are written to address aaaaaaaa. E.g:</p><p>03000004 </p><p>8c012000</p><p>11111111 </p><p>22222222 </p><p>33333333 </p><p>44444444 </p><p>The effect is as follows: With a count of 00000004 codes, to address 8c012000:</p><p>8c012000 = 11111111</p><p>8c012004 = 22222222</p><p>8c012008 = 33333333</p><p>8c01200c = 44444444</p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>030100vv</p><p>aaaaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Increment code. Add the 8bit value vv to the value at address aaaaaaaa</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>030200vv</p><p>aaaaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Decrement code. Subtract the 8bit value vv from the value at address aaaaaaaa</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>0303vvvv</p><p>aaaaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Increment code. Add the 16bit value vvvv to the value at address aaaaaaaa</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>0304vvvv</p><p>aaaaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Decrement code. Subtract the 16bit value vvvv from the value at address aaaaaaaa</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>03050000</p><p>aaaaaaaa</p><p>vvvvvvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Increment code. Add the 32bit value vvvvvvvv to the value at address aaaaaaaa</font></p><p><font face="Courier New" size="2">Note that this code is 3 lines long and so will require an 0exxxxxx condition (not a 0dxxxxxx) if you're using it with a condition code.</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>03060000</p><p>aaaaaaaa</p><p>vvvvvvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Decrement code. Subtract the 32bit value vvvvvvvv from the value at address aaaaaaaa</font></p><p><font face="Courier New" size="2">Note that this code is 3 lines long and so will require an 0exxxxxx condition (not a 0dxxxxxx) if you're using it with a condition code.</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>04xxxxxx</p><p>rrrrssss </p><p>vvvvvvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>Repeat/Filler code. Writes to address 8Cxxxxxx. Writes the 32bit value vvvvvvvv. Repeats this rrrr time, each time increasing the address by ssss (actually ssss x 4). That is, 32-Bit Constant Serial Write E.g:</p><p>04007a30</p><p>00030001</p><p>12345678 </p><p>Effect: </p><p>8c007a30 = 12345678</p><p>8c007a34 = 12345678</p><p>8c007a38 = 12345678</p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">&nbsp;</font></p><p><font face="Courier New" size="2">05xxxxxx</font></p><p><font face="Courier New" size="2">dddddddd </font></p><p><font face="Courier New" size="2">nnnnnnnn </font></p></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>Copy bytes code. Copy nnnnnnnn bytes from the address 8cxxxxxx to the address dddddddd. That is, constant copy bytes</p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">071000XX </font></p></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">Change Decryption Type</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>0b0xxxxx</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>&nbsp;</p><p>Delay putting on codes for xxxxx cycles.</p><p>Default 1000 (0x3e7)</p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>0cxxxxxx</p><p>vvvvvvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">If the value at address 8Cxxxxxx is equal to vvvvvvvv, execute ALL codes; otherwise no codes are executed. Useful for waiting until game has loaded.</font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>0dxxxxxx</p><p>0000vvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>&nbsp;</p><p>If the value at address 8Cxxxxxx is equal to vvvv, execute the following code. Can be used with code types 00, 01 and 02 only. To use this type of control with other codes use an 0e code. </p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>0dxxxxxx</p><p>0001vvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>&nbsp;</p><p>If the value at address 8Cxxxxxx is different to vvvv, execute the following code. Can be used with code types 00, 01 and 02 only. To use this type of control with other codes use an 0e code. </p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>0dxxxxxx</p><p>0002vvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">If the value at address 8Cxxxxxx is less than vvvv (unsigned), execute the following code. Can be used with code types 00, 01 and 02 only. To use this type of control with other codes use an 0e code. </font></p></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>0dxxxxxx</p><p>0003vvvv</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>&nbsp;</p><p>If the value at address 8Cxxxxxx is greater than vvvv (unsigned), execute the following code. Can be used with code types 00, 01 and 02 only. To use this type of control with other codes use an 0e code. </p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>0ennvvvv</p><p>00aaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">&nbsp;</font></p><p><font face="Courier New" size="2">If the value at address 8caaaaaa is equal to vvvv, execute the following nnnn lines of codes. E.g:</font></p><p><font face="Courier New" size="2">0e04abcd</font></p><p><font face="Courier New" size="2">00012000</font></p><p><font face="Courier New" size="2">02300040</font></p><p><font face="Courier New" size="2">ffffffff</font></p><p><font face="Courier New" size="2">02300050</font></p><p><font face="Courier New" size="2">eeeeeeee</font></p><p><font face="Courier New" size="2">if address 8c012000==abcd, execute the 04 lines of codes following. The 4 lines of codes being two "02xxxxxx" codes "02300040=ffffffff" and "02300050=eeeeeeee".</font></p><font face="Courier New" size="2"></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>0ennvvvv</p><p>01aaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>&nbsp;</p><p>If the value at address 8caaaaaa is different to vvvv, execute the following nnnn lines of codes. </p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>0ennvvvv</p><p>02aaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>&nbsp;</p><p>If the value at address 8caaaaaa is less than vvvv (unsigned), execute the following nnnn lines of codes. </p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"><p>&nbsp;</p><p>0ennvvvv</p><p>03aaaaaa</p></font></td><td valign="top" width="76%"><font face="Courier New" size="2"><p>&nbsp;</p><p>If the value at address 8caaaaaa is greater than vvvv (unsigned), execute the following nnnn lines of codes. </p></font></td></tr><tr><td valign="top" width="24%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">0F-XXXXXX</font></p><p><font face="Courier New" size="2">0000YYYY </font></p></td><td valign="top" width="76%"><font face="Courier New" size="2"></font><p><font face="Courier New" size="2">16-Bit Write Once Immediately. (Activator code)</font></p></td></tr></tbody></table>
<!-- End of DC code types ============================================================================== -->
<table border="1" cellpadding="7" cellspacing="2" width="700"><tbody>
<tr><td style="text-align: center;" colspan="3"><nobr><b><i><font size="+1">
<a name="#ssaturn_code_types">Sega Saturn Code Types</a> - Courtesy Leo/<a href="http://www.agscc.com/">AGSCC</a> and <a href="http://www.cmgsccc.com/">CodeMaster</a></font></i></b>
</nobr></td></tr>
<tr><td><nobr><i>16-bit Constant Write</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Just what it implies. Continuously writes YYYY value to XXXXXXX address. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>1XXXXXXX YYYY </nobr>
</td></tr><tr><td><nobr><i>8-bit Constant Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Continuous write of YY value to address XXXXXXX. &nbsp;<br>&nbsp;
</td></tr><tr><td><nobr>3XXXXXXX 00YY </nobr></td></tr><tr><td><nobr><i>16-bit Write Once</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Writes YYYY value to XXXXXXX address once on boot up. <br> Same as F0/F1 on N64 &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>0XXXXXXX YYYY </nobr>
</td></tr><tr><td><nobr><i>16-bit Equal To Activator</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;
<br>Activates the code on the line directly beneath it ONLY when XXXXXXX address is YYYY value. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>DXXXXXXX YYYY </nobr>
</td></tr><tr><td><nobr><i>16-Bit Enable Code</i> </nobr>
</td><td colspan="2" rowspan="2">&nbsp;<br>Enable Code &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>FXXXXXXX YYYY </nobr>
</td></tr></tbody></table>
<table border="1" cellpadding="7" cellspacing="2" width="700"><tbody><tr><td style="text-align: center;" colspan="3"><nobr><b><i><font size="+1"><a name="#gameboy_code_types">Gameboy/Gameboy Color Code Types</a></font></i></b></nobr></td></tr><tr><td><nobr><i>8-bit Constant Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>The most common GS code prefix for Gameboy is "01". This means the code resides in the first bank of the address line. Codebreaker users will find that 00 and 01 are equally used code types. The "00" simply means the code resides in the zero bank and "01" as above, the first bank. There are no known other code types for gameboy as there are for N64, Playstation and Dreamcast. Z is the data bank; XXXX is the address; YY is the value. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>0ZYYXXXX </nobr></td></tr><tr><td><nobr></nobr></td></tr></tbody></table>
<table border="1" cellpadding="7" cellspacing="2" width="700"><tbody><tr><td style="text-align: center;" colspan="3"><nobr><b><i><font size="+1">
<a name="#gsa_code_types">Gameboy Advance Gameshark V1/V2 Code Types<br> - by Parasyte (Additions by DGenerateKane)</a></font></i></b></nobr></td></tr><tr><td colspan="3"><i>Note that all the code types below are in RAW form. RAW codes must be encrypted to work on the Gameshark for Gameboy Advance.</i></td></tr><tr><td><nobr><i>8-bit Constant Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Continuously writes the value xx to the RAM address aaaaaaa. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>0aaaaaaaa 000000xx </nobr></td></tr><tr><td><nobr><i>16-bit Constant Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Continuously writes the 16-Bit value xxxx to the RAM address aaaaaaa. Address must be aligned to 2 (must end with one of the following digits - 0,2,4,6,8,A,C,E). &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>1aaaaaaaa 0000xxxx </nobr></td></tr><tr><td><nobr><i>32-bit Constant Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Continuously writes the 32-Bit value xxxxxxxx to the RAM address aaaaaaa. Address must be aligned to 4 (must end with one of the following digits - 0,4,8,C). &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>2aaaaaaaa xxxxxxxx </nobr></td></tr><tr><td><nobr><i>32-bit Group Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Writes data to the following "count" (cccc) addresses. (xxxxxxxx value is also concidered an address, not really a problem, just a very stupid bug -- thanks Datel!!) Many addresses can follow. Example: 30000004 01010101 03001FF0 03001FF4 03001FF8 00000000 (write 01010101 to 3 addresses - 01010101, 03001FF0, 03001FF4, and 03001FF8. '00000000' is used for padding, to ensure the last code encrypts correctly) &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>3000cccc xxxxxxxx aaaaaaaa </nobr>
</td></tr><tr><td><nobr><i>16-bit ROM Patch</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>This type allows GSA to
intercept ROM reads and returns the value xxxx. The address is shifted to the right by 1 (divided by 2).
You can either manually shift the address left by 1, or multiply by 2 to get the real address. GSAcrypt
(Win32 version) has an option to automatically shift the address for you. <b>Note:</b> V1\V2 hardware can only have
up to 1 user-defined rom patch max. V3 can have up to 4. some enable code types can shorten the amount of user-defined rom patches available.
&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>6aaaaaaa 0000xxxx </nobr>
</td></tr><tr><td><nobr><i>16-bit ROM Patch</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>
Similar to first ROM patch code, except patch is enabled before the game starts,
instead of waiting for the code handler to enable the patch.
(address &gt;&gt; 1) &nbsp;<br>&nbsp;
</td></tr><tr><td><nobr>6aaaaaaa 1000xxxx </nobr></td></tr><tr><td><nobr><i>16-bit ROM Patch</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>16-bit ROM Patch ? (address &gt;&gt; 1) &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>6aaaaaaa 2000xxxx </nobr></td></tr><tr><td><nobr><i>8-bit GS Button Code</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>8-Bit RAM write only when the GS Button is pressed. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>8a1aaaaa 000000xx </nobr></td></tr><tr><td><nobr><i>16-bit GS Button Code</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>16-Bit RAM write only when the GS Button is pressed. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>8a2aaaaa 000000xx </nobr></td></tr><tr><td><nobr><i>Slowdown On GS Button</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Slow down on GS Button. This type will put the GBA into a loop for "xxxx" number of times, each time the code handler is run. This slows the game down. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>80F00000 0000xxxx </nobr></td></tr><tr><td><nobr><i>16-Bit 'If Equal To' Activator</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Activate the code on the next line ONLY when the value of address 'aaaaaaa' is Equal To xxxx. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Daaaaaaa 0000xxxx </nobr></td></tr><tr><td><nobr><i>16-Bit 'If Equal To' Activator (Multi-Line)</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>16-Bit activate the multi lines if-true. If the value at address is equal to xxxx, execute following 'zz' lines. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>E0zzxxxx aaaaaaaa </nobr></td></tr><tr><td><nobr><i>Hook Routine (For Enablers)</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Used to insert the GS code handler routine where it will be executed at least 20 times per second. Without this code, GSA can not write to RAM.<br><br>xxxx:<br>0001 - Executes code handler without backing up the $lr register. Must turn
GSA off before loading game.<br>0002 - Executes code handler and backs up the $lr register. Must turn GSA off before loading game. <br>0003 - Replaces a 32-bit pointer used for long-branches. Must turn GSA off before loading game. <br>0101 - Executes code handler without backing up the $lr register. <br>0102 - Executes code handler and backs up the $lr register. <br>0103 - Replaces a 32-bit pointer used for long-branches. <br>&nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Faaaaaaa 0000xxxx </nobr></td></tr><tr><td><nobr><i>ID Code (For Enablers)</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Used by GSA only for auto-detecting the inserted game. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>xxxxxxxx 001DC0DE </nobr></td></tr><tr><td><nobr><i>DEADFACE - Change Encryption Seeds</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>"Deadface" is used to change the encryption seeds. It's original intent was probably to re- encrypt codes if someone figured out the normal encryption. (Very similiar to the CBA's '9' code type.) &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>DEADFACE 0000xxxx </nobr></td></tr></tbody></table>
<table border="1" cellpadding="7" cellspacing="2" width="700"><tbody><tr><td style="text-align: center;" colspan="3"><nobr><b><i><font size="+1"><a name="#cba_code_types">Gameboy Advance Codebreaker Code Types<br> - by Parasyte (Additions by DGenerateKane)</a></font></i></b></nobr></td></tr><tr><td colspan="3"><i>Note that all the code types below are in RAW form. RAW codes must be encrypted to work on the Codebreaker for Gameboy Advance.</i></td></tr><tr><td><nobr><i>Master Code #1</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>xxxx is the CRC value (the "Game ID" converted to hex)<br><br>Flags ("yyyy"):<br>0008 - CRC Exists (CRC is used to autodetect the inserted game) <br>0002 - Disable Interupts &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>0000xxxx yyyy </nobr></td></tr><tr><td><nobr><i>Master Code #2</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>'y' is the CBA Code Handler Store Address (0-7) [address = ((d &lt;&lt; 0x16) + 0x08000100)]<br><br. (?xxx=""><br flags="">1000 - 32-bit Long-Branch Type (Thumb) <br>2000 - 32-bit Long-Branch Type (ARM) <br>3000 - 8-bit(?) Long-Branch Type (Thumb)<br>4000 - 8-bit(?) Long-Branch Type (ARM) <br>0020 - Unknown (Odd Effect) <br>&nbsp;<br>&nbsp;</br.></td></tr><tr><td><nobr>1aaaaaaa xxxy </nobr></td></tr><tr><td><nobr><i>8-Bit Constant RAM Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Continuosly writes the 8-Bit value specified by 'yy' to address aaaaaaa. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>3aaaaaaa 00yy </nobr></td></tr><tr><td><nobr><i>Slide Code</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>This is one of those two-line codes. The "yyyy" set is the data to store at the address (aaaaaaa), with xxxxxxxx being the number of addresses to store to, and iiii being the value to increment the addresses by. The codetype is usually use to fill memory with a certain value. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>4aaaaaaa yyyy<br>xxxxxxxx iiii </nobr></td></tr><tr><td><nobr><i>16-Bit Logical AND</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Performs the AND function on the address provided with the value provided. I'm not going to explain what AND does, so if you'd like to know I suggest you see the instruction manual for a graphing calculator. This is another advanced code type you'll probably never need to use. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>6aaaaaaa yyyy </nobr></td></tr><tr><td><nobr><i>16-Bit 'If Equal To' Activator</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>If the value at the specified RAM address (aaaaaaa) is equal to yyyy value, active the code on the next line. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>7aaaaaaa yyyy </nobr></td></tr><tr><td><nobr><i>16-Bit Constant RAM Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Continuosly writes yyyy values to the specified RAM address (aaaaaaa). &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>8aaaaaaa yyyy </nobr></td></tr><tr><td><nobr><i>Change Encryption Seeds<br>(When 1st Code Only!)</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Works like the DEADFACE on GSA. Changes the encryption seeds used for the rest of the codes. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>9yyyyyyy yyyy </nobr></td></tr><tr><td><nobr><i>16-Bit 'If Not Equal' Activator</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>Basicly the opposite of an 'If Equal To' Activator. Activates the code on the next line if address xxxxxxx is NOT equal to yyyy &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>Axxxxxxx yyyy </nobr></td></tr><tr><td><nobr><i>16-Bit Conditional RAM Write</i> </nobr></td><td colspan="2" rowspan="2">&nbsp;<br>No Description available at this time. &nbsp;<br>&nbsp;</td></tr><tr><td><nobr>D00000xx yyyy </nobr></td></tr><tr><td><nobr></nobr></td></tr></tbody></table>
<table border="1" cellpadding="7" cellspacing="2" width="700">
<tbody><tr><td colspan="2" style="text-align: center;"><b><i><font size="+1"><a name="AR_V3_Code_Types">AR V3 Codes Types</a></font></i><font size="+1"></font></b></td></tr>
<tr><td colspan="2" style="text-align: center;"><b>About the Code Types Numbers</b></td></tr>
<tr><td colspan="2"><pre>Let's take for exemple :
Type E3
3.0.3.1.x :
00XXXXXX : (00000130 -&gt; C7000130)
ZZZZZZZZ : Write the Word ZZZZZZZZ to the address $4XXXXXX
3.0.3.1.x :
1st number = 3 = Data size (0 to 3)
2nd number = 0 = Code Type (0 to 7)
3rd number = 3 = Cude subtype (0 to 3)
4th number = 1 = Special bit (0 to 1)
5th number : x = Unused bit (0 to 3)
3.0.3.1.0 gives these (bit speaking) = 11.000.11.1.00
reverse it : 00.1.11.000.11 = 0011100011 = E3 = The code type.
I choose to take this numbering to make it that the Ram 8bits write (Type 0),
Ram 16bits write Type 1 andRam 32bits write (Type 2) have the same type number
than for AR/GS V1/2. Moreover, If I didn't "reverse" the numbers, we've gotten
almost only even code type number, which, IMHO, sounds really strange...
</pre></td></tr>
<tr><td colspan="2" style="text-align: center;"><b>1) Normal RAM Write Codes</b></td></tr>
<tr><td>
Type 00<br>
0.0.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 00224EA4)<br>
Fill area (XXXXXXXX) to (XXXXXXXX+YYYYYY) with Byte ZZ.
</td></tr><tr><td>
XXXXXXXX<br>
YYYYYYZZ
</td></tr>
<tr><td>
Type 01<br>
1.0.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 02224EA4)<br>
Fill area (XXXXXXXX) to (XXXXXXXX+YYYY*2) with Halfword ZZZZ.
</td></tr><tr><td>
XXXXXXXX<br>
YYYYZZZZ
</td></tr>
<tr><td>
Type 02<br>
2.0.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 04224EA4)<br>
Write the Word ZZZZZZZZ to address XXXXXXXX.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>2) Pointer RAM Write Codes</b></td></tr>
<tr><td>
Type 20<br>
0.0.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 40224EA4)<br>
Writes Byte ZZ to ([the address kept in XXXXXXXX]+[YYYYYY]).
</td></tr><tr><td>
XXXXXXXX<br>
YYYYYYZZ
</td></tr>
<tr><td>
Type 21<br>
1.0.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 4224EA4)<br>
Writes Halfword ZZZZ ([the address kept in XXXXXXXX]+[YYYY*2]).
</td></tr><tr><td>
XXXXXXXX<br>
YYYYZZZZ
</td></tr>
<tr><td>
Type 22<br>
2.0.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 4424EA4)<br>
Writes the Word ZZZZZZZZ to [the address kept in XXXXXXXX].
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>3) Add Codes</b></td></tr>
<tr><td>
Type 40<br>
0.0.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 80224EA4)<br>
Add the Byte ZZ to the Byte stored in XXXXXXXX.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 41<br>
1.0.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 82224EA4)<br>
Add the Halfword ZZZZ to the Halfword stored in XXXXXXXX.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 42<br>
2.0.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 84224EA4)<br>
Add the Word ZZZZ to the Halfword stored in XXXXXXXX.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>4) Write to $4000000 (IO Registers!)</b></td></tr>
<tr><td>
Type 63<br>
3.0.3.0.x
</td><td rowspan="2">
(00000130 -&gt; C6000130)<br>
Write the Halfword ZZZZ to the address $4XXXXXX
</td></tr><tr><td>
00XXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type E3<br>
3.0.3.1.x
</td><td rowspan="2">
(00000130 -&gt; C7000130)<br>
Write the Word ZZZZZZZZ to the address $4XXXXXX
</td></tr><tr><td>
00XXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>5) If Equal Code (= Joker Code)</b></td></tr>
<tr><td>
Type 04<br>
0.1.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 08224EA4)<br>
If Byte at XXXXXXXX = ZZ then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 24<br>
0.1.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 48224EA4)<br>
If Byte at XXXXXXXX = ZZ then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 44<br>
0.1.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 88224EA4)<br>
If Byte at XXXXXXXX = ZZ execute all the codes below this one in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 64<br>
0.1.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; C8224EA4)<br>
While Byte at XXXXXXXX &lt;&gt; ZZ turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 05<br>
1.1.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 0A224EA4)<br>
If Halfword at XXXXXXXX = ZZZZ then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 05<br>
1.1.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 0A224EA4)<br>
If Halfword at XXXXXXXX = ZZZZ then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 25<br>
1.1.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 4A224EA4)<br>
If Halfword at XXXXXXXX = ZZZZ then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 45<br>
1.1.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 8A224EA4)<br>
If Halfword at XXXXXXXX = ZZZZ execute all the codes below this one in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 65<br>
1.1.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; CA224EA4)<br>
While Halfword at XXXXXXXX &lt;&gt; ZZZZ turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 06<br>
2.1.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 0C224EA4)<br>
If Word at XXXXXXXX = ZZZZZZZZ then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 26<br>
2.1.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 4C224EA4)<br>
If Word at XXXXXXXX = ZZZZZZZZ then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 46<br>
2.1.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 8C224EA4)<br>
If Word at XXXXXXXX = ZZZZZZZZ execute all the codes below this one in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 66<br>
2.1.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; CC224EA4)<br>
While Word at XXXXXXXX &lt;&gt; ZZZZZZZZ turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>6) If Different Code</b></td></tr>
<tr><td>
Type 08<br>
0.2.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 10224EA4)<br>
If Byte at XXXXXXXX &lt;&gt; ZZ then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 28<br>
0.2.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 50224EA4)<br>
If Byte at XXXXXXXX &lt;&gt; ZZ then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 48<br>
0.2.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 90224EA4)<br>
If Byte at XXXXXXXX &lt;&gt; ZZ execute all the codes below this one in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 68<br>
0.2.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; D0224EA4)<br>
While Byte at XXXXXXXX = ZZ turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 09<br>
1.2.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 12224EA4)<br>
If Halfword at XXXXXXXX &lt;&gt; ZZZZ then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 29<br>
1.2.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 52224EA4)<br>
If Halfword at XXXXXXXX &lt;&gt; ZZZZ then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 49<br>
1.2.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 92224EA4)<br>
If Halfword at XXXXXXXX &lt;&gt; ZZZZ disable all the codes below this one.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 69<br>
1.2.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; D2224EA4)<br>
While Halfword at XXXXXXXX = ZZZZ turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 0A<br>
2.2.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 14224EA4)<br>
If Word at XXXXXXXX &lt;&gt; ZZZZZZZZ then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 2A<br>
2.2.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 54224EA4)<br>
If Word at XXXXXXXX &lt;&gt; ZZZZZZZZ then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 4A<br>
2.2.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 94224EA4)<br>
If Word at XXXXXXXX &lt;&gt; ZZZZZZZZ disable all the codes below this one.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 6A<br>
2.2.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; D4224EA4)<br>
While Word at XXXXXXXX = ZZZZZZZZ turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>7) [If Byte at address XXXXXXXX is lower than ZZ] (signed) Code</b></td></tr>
<tr><td colspan="2">
Signed means :
For bytes : values go from -128 to +127.
For Halfword : values go from -32768/+32767.
For Words : values go from -2147483648 to 2147483647.
For exemple, for the Byte comparison, 7F (127) will be &gt; to FF (-1).
</td></tr><tr><td>
Type 0C<br>
0.3.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 18224EA4 or 28224EA4)<br>
If ZZ &gt; Byte at XXXXXXXX then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 2C<br>
0.3.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 58224EA4 or 68224EA4)<br>
If ZZ &gt; Byte at XXXXXXXX then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 4C<br>
0.3.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 98224EA4 or A8224EA4)<br>
If ZZ &gt; Byte at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 6C<br>
0.3.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; D8224EA4 or E8224EA4)<br>
While ZZ &lt;= Byte at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 0D<br>
1.3.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 1A224EA4 or 2A224EA4)<br>
If ZZZZ &gt; Halfword at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 2D<br>
1.3.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 5A224EA4) <br>
If ZZZZ &gt; Halfword at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 4D<br>
1.3.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 9A224EA4)<br>
If ZZZZ &gt; Halfword at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 6D <br>
1.3.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; DA224EA4)<br>
While ZZZZ &lt;= Halfword at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 0E<br>
2.3.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 1C224EA4)<br>
If ZZZZZZZZ &gt; Word at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 2E<br>
2.3.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 5C224EA4)<br>
If ZZZZZZZZ &gt; Word at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 4E<br>
2.3.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 9C224EA4)<br>
If ZZZZZZZZ &gt; HWord at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 6E<br>
2.3.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; DC224EA4)<br>
While ZZZZZZZZ &lt;= Word at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td colspan="2" style="text-align: center;"><b>8) [If Byte at address XXXXXXXX is higher than ZZ] (signed) Code</b></td></tr>
<tr><td colspan="2">
Signed means :
For bytes : values go from -128 to +127.
For Halfword : values go from -32768/+32767.
For Words : values go from -2147483648 to 2147483647.
For exemple, for the Byte comparison, 7F (127) will be &gt; to FF (-1).
</td></tr><tr><td>
Type 10<br>
0.4.0.x.x , 0.6.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 20224EA4 or 30224EA4)<br>
If ZZ &lt; Byte at XXXXXXXX then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 30<br>
0.4.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 60224EA4 or 70224EA4)<br>
If ZZ &lt; Byte at XXXXXXXX then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 50<br>
0.4.2.x.x , 0.6.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; A0224EA4 or B0224EA4)<br>
If ZZ &lt; Byte at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 70<br>
0.4.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; E0224EA4 or F0224EA4)<br>
While ZZ =&gt; Byte at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 11<br>
1.4.0.x.x, 1.6.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 22224EA4 or 32224EA4)<br>
If ZZZZ &lt; Halfword at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 31
1.4.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 62224EA4)<br>
If ZZZZ &lt; Halfword at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 51
1.4.2.x.x, 1.6.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; A2224EA4 or B2224EA4)<br>
If ZZZZ &lt; Halfword at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 71
1.4.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; E2224EA4)
While ZZZZ =&gt; Halfword at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 12
2.4.0.x.x, 2.6.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 24224EA4 or 34224EA4)
If ZZZZ &lt; Halfword at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 32
2.4.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 64224EA4)
If ZZZZ &lt; Halfword at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 52
2.4.2.x.x,2.6.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; A4224EA4 or B4224EA4)
If ZZZZ &lt; Halfword at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td>
Type 72
2.4.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; E4224EA4)
While ZZZZ =&gt; Halfword at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
0000ZZZZ
</td></tr><tr><td colspan="2" style="text-align: center;"><b>9) [If Value at adress XXXXXXXX is lower than...] (unsigned) Code </b></td></tr>
<tr><td colspan="2">
Unsigned means :
For bytes : values go from 0 to +255.
For Halfword : values go from 0 to +65535.
For Words : values go from 0 to 4294967295.
For exemple, for the Byte comparison, 7F (127) will be &lt; to FF (255).
</td></tr><tr><td>
Type 14
0.5.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 28224EA4)
If ZZZZZZZZ &gt; Byte at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 34
0.5.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 68224EA4)
If ZZZZZZZZ &gt; Byte at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 54
0.5.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; A8224EA4)
If ZZZZZZZZ &gt; Byte at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 74
0.5.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; E8224EA4)
While ZZ &lt;= Byte at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 15
1.5.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 2A224EA4)
If ZZZZZZZZ &gt; Halfword at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 35
1.5.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 6A224EA4)
If ZZZZZZZZ &gt; Halfword at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 55
1.5.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; AA224EA4)
If ZZZZZZZZ &gt; Halfword at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 75
1.5.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; EA224EA4)
While ZZZZZZZZ &lt;= Halfword at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 16
2.5.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 2C224EA4)
If ZZZZZZZZ &gt; Word at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 36
2.5.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 6C224EA4)
If ZZZZZZZZ &gt; Word at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 56
2.5.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; AC224EA4)
If ZZZZZZZZ &gt; Word at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 76
2.5.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; EC224EA4)
While ZZZZZZZZ &lt;= Word at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td colspan="2" style="text-align: center;"><b>10) [If Value at adress XXXXXXXX is higher than...] (unsigned) Code </b></td></tr>
<tr><td colspan="2">
Unsigned means
For bytes : values go from 0 to +255.
For Halfword : values go from 0 to +65535.
For Words : values go from 0 to 4294967295.
For exemple, for the Byte comparison, 7F (127) will be &lt; to FF (255).
</td></tr><tr><td>
Type 18
0.6.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 30224EA4)
If ZZZZZZZZ &lt; Byte at XXXXXXXX then execute next line..
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 38
0.6.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 70224EA4)
If ZZZZZZZZ &lt; Byte at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 58
0.6.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; B0224EA4)
If ZZZZZZZZ &lt; Byte at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 78
0.6.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; F0224EA4)
While ZZZZZZZZ =&gt; Byte at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 19
1.6.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 32224EA4)
If ZZZZZZZZ &lt; Halfword at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 39
1.6.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 72224EA4)
If ZZZZZZZZ &lt; Halfword at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 59
1.6.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; B2224EA4)
If ZZZZZZZZ &lt; Halfword at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 79
1.6.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; F2224EA4)
While ZZZZZZZZ =&gt; Halfword at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 1A
2.6.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 34224EA4)
If ZZZZZZZZ &lt; Halfword at XXXXXXXX then execute next line.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 3A
2.6.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 74224EA4)
If ZZZZZZZZ &lt; Halfword at XXXXXXXX then execute next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 5A
2.6.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; B4224EA4)
If ZZZZZZZZ &lt; Halfword at XXXXXXXX then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 7A
2.6.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; F4224EA4)
While ZZZZZZZZ =&gt; Halfword at XXXXXXXX turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td colspan="2" style="text-align: center;"><b>11) If AND Code</b></td></tr>
<tr><td>
Type 1C<br>
0.7.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 38224EA4)<br>
If ZZ AND Byte at XXXXXXXX &lt;&gt; 0 (= True) then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 3C<br>
0.7.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 78224EA4)<br>
If ZZ AND Byte at XXXXXXXX &lt;&gt; 0 (= True) then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 5C<br>
0.7.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; B8224EA4)<br>
If ZZ AND Byte at XXXXXXXX &lt;&gt; 0 (= True) then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 7C<br>
0.7.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; F8224EA4)<br>
While ZZ AND Byte at XXXXXXXX = 0 (= False) then turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type 1D<br>
1.7.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 3A224EA4)<br>
If ZZZZ AND Halfword at XXXXXXXX &lt;&gt; 0 (= True) then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 3D<br>
1.7.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 7A224EA4)<br>
If ZZZZ AND Halfword at XXXXXXXX &lt;&gt; 0 (= True) then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 5D<br>
1.7.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; BA224EA4)<br>
If ZZZZ AND Halfword at XXXXXXXX &lt;&gt; 0 (= True) then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 7D<br>
1.7.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; FA224EA4)<br>
While ZZZZ AND Halfword at XXXXXXXX = 0 (= False) then turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type 1E<br>
2.7.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 3C224EA4)<br>
If ZZZZZZZZ AND Word at XXXXXXXX &lt;&gt; 0 (= True) then execute next code.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 3E<br>
2.7.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 7C224EA4)<br>
If ZZZZZZZZ AND Word at XXXXXXXX &lt;&gt; 0 (= True) then execute next 2 codes.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 5E<br>
2.7.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; BC224EA4)<br>
If ZZZZZZZZ AND Word at XXXXXXXX &lt;&gt; 0 (= True) then execute all following codes in the same row (else execute none of the codes below).
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type 7E<br>
2.7.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; FC224EA4)<br>
While ZZZZZZZZ AND Word at XXXXXXXX = 0 (= False) then turn off all codes.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>12) "Always..." Codes</b></td></tr>
<tr><td colspan="2">
For the "Always..." codes:
-XXXXXXXX can be any authorised address BUT 00000000 (use 02000000 if you don't know what to choose).
-ZZZZZZZZ can be anything.
-The "y" in the code data must be in the [1-7] range (which means not 0).
</td></tr><tr><td>
Type 07
3.y.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 0E224EA4)
Always skip next line.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 27
3.y.1.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 4E24EA4)
Always skip next 2 lines.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 47
3.y.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 8E224EA4)
Always Stops executing all the codes below.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td>
Type 67
3.y.3.x.x
</td><td rowspan="2">
(02024EA4 -&gt; CE224EA4)
Always turn off all codes.
</td></tr><tr><td>
XXXXXXXX
ZZZZZZZZ
</td></tr><tr><td colspan="2" style="text-align: center;"><b>13) 1 Line Special Codes (= starting with "00000000")</b></td></tr>
<tr><td>
Type z00<br>
0.0.0.0.0
</td><td rowspan="2">
End of the code list (even if you put values in the 2nd line).
</td></tr><tr><td>
00000000
</td></tr>
<tr><td>
Type z04<br>
x.1.0.x.x
</td><td rowspan="2">
AR Slowdown : loops the AR XX times
</td></tr><tr><td>
0800XX00
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>14) 2 Lines Special Codes (= starting with '00000000' and padded (if needed) with "00000000")</b></td></tr>
<tr><td colspan="2" style="text-align: center;">Note: You have to add the 0es manually, after clicking the "create" button.</td></tr>
<tr><td>
Type z08<br>
0.2.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 10224EA4)<br>
Writes Byte ZZ to address XXXXXXXX when AR button is pushed.
</td></tr><tr><td>
XXXXXXXX<br>
000000ZZ
</td></tr>
<tr><td>
Type z09<br>
1.2.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 12224EA4)<br>
Writes Halfword ZZZZ to address XXXXXXXX.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type z0A<br>
2.2.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 14224EA4)<br>
Writes Word ZZZZZZZZ to address XXXXXXXX.
</td></tr><tr><td>
XXXXXXXX<br>
ZZZZZZZZ
</td></tr>
<tr><td>
Type z0C<br>
0.3.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 18224EA4)<br>
Patches ROM address (XXXXXXXX &lt;&lt; 1) with Halfword ZZZZ.
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type z0D<br>
1.3.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 1A224EA4)<br>
Patches ROM address (XXXXXXXX &lt;&lt; 1) with Halfword ZZZZ. Does not work on V1/2 upgraded to V3. Only for a real V3 Hardware?
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type z0E<br>
2.3.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 1C224EA4)<br>
Patches ROM address (XXXXXXXX &lt;&lt; 1) with Halfword ZZZZ. Does not work on V1/2 upgraded to V3. Only for a real V3 Hardware?
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type z0F<br>
3.3.0.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 1E224EA4)<br>
Patches ROM address (XXXXXXXX &lt;&lt; 1) with Halfword ZZZZ. Does not work on V1/2 upgraded to V3. Only for a real V3 Hardware?
</td></tr><tr><td>
XXXXXXXX<br>
0000ZZZZ
</td></tr>
<tr><td>
Type z20<br>
x.0.1.x.x
</td><td rowspan="2">
(00000000 -&gt; 40000000)<br>
(SP = 0) (means : stops the "then execute all following codes in the same row" and stops the "else execute none of the codes below)".
</td></tr><tr><td>
00000000<br>
00000000
</td></tr>
<tr><td>
Type z30<br>
x.4.1.x.x
</td><td rowspan="2">
(00000000 -&gt; 60000000)<br>
(If SP &lt;&gt; 2 -&gt; SP = 1) (means : start to execute all codes until end of codes or SP = 0). (bypass the number of codes to executes set by the master code).
</td></tr><tr><td>
00000000<br>
00000000
</td></tr>
<tr><td>
Type z40<br>
0.0.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 80224EA4)<br>
Writes Byte YY at address XXXXXXXX. Then makes YY = YY + Z1, XXXXXXXX = XXXXXXXX + Z3Z3, Z2 = Z2 - 1, and repeats until Z2 &lt; 0.
</td></tr><tr><td>
XXXXXXXX<br>
000000YY<br>
Z1Z2Z3Z3
</td></tr>
<tr><td>
Type z41<br>
1.0.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 82224EA4)<br>
Writes Halfword YYYY at address XXXXXXXX. Then makes YYYY = YYYY + Z1, XXXXXXXX = XXXXXXXX + Z3Z3*2,
</td></tr><tr><td>
XXXXXXXX<br>
0000YYYY<br>
Z1Z2Z3Z3
</td></tr>
<tr><td>
Type z42<br>
2.0.2.x.x
</td><td rowspan="2">
(02024EA4 -&gt; 84224EA4)<br>
Writes Word YYYYYYYY at address XXXXXXXX. Then makes YYYYYYYY = YYYYYYYY + Z1, XXXXXXXX = XXXXXXXX + Z3Z3*4, Z2 = Z2 - 1, and repeats until Z2&lt;0.
</td></tr><tr><td>
XXXXXXXX<br>
YYYYYYYY<br>
Z1Z2Z3Z3
</td></tr>
<tr><td colspan="2" style="text-align: center;">WARNING: There is a BUG on the REAL AR (v2 upgraded to v3, and maybe on real v3) with the 32Bits
Increment Slide code. You HAVE to add a code (best choice is 80000000 00000000 : add 0 to value at address 0) right after it, else the AR will
erase the 2 last 8 digits lines of the 32 Bits Inc. Slide code when you enter it !!!</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>15) Special Codes</b></td></tr>
<tr><td>
-Master Code-<br>
Type 62<br>
2.0.3.x.x
</td><td rowspan="2">
(address to patch -&gt; address to patch AND $1FFFFFE)<br>
Master Code settings.
</td></tr><tr><td>
XXXXXXXX<br>
0000YYYY
</td></tr>
<tr><td>
-ID Code-<br>
Type 62<br>
2.0.3.x.x
</td><td rowspan="2">
word at address 080000AC<br>
Must always be 001DC0DE
</td></tr><tr><td>
XXXXXXXX<br>
001DC0DE
</td></tr>
<tr><td>
-DEADFACE-
</td><td rowspan="2">
Must always be DEADFACE<br>
New Encryption seed.
</td></tr><tr><td>
DEADFACE<br>
0000XXXX
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>Final Notes</b></td></tr>
<tr><td colspan="2"><pre>SP = 0 : normal (execute n codes before giving back the hand to the game).
SP = 1 : execute all codes until SP &lt;&gt;1 (or end of codes).
SP = 2 : don't execute anymore codes.
Each time the GSA starts to execute codes (= each time "it has the hand"), SP = 0.
The 'execute all the codes below this one in the same row' makes SP = 1.
The '(else execute none of the codes below)' makes SP = 2.
The 'turn off all codes' makes an infinite loop (that can't be broken, unless
the condition becomes True).
</pre></td></tr>
</tbody></table>
<b><u><i><a name="button_activators">D) Button Activators</a></i></u></b>
<a name="button_activators"><b><i>What is a Button Activator?</i></b>
Most, if not all systems have the ability to use Button Activators.
A Button Activator is a code that will activate another code when you a
button on the controller. These codes use the D0/D1 prefix.
NOTE: Activators *usually* only activate only the code directly beneath them.
There are some special cases though. The digits and such for these codes
vary by system...
<b><i>What is a Control Stick Activator?</i></b>
A Control Stick Activator is the same as a Button Activator, but it is
unknown at this time if they can be used in the same way on the console
itself (only tested on emulator). Based on N64 testing, the reason for this
difference is the range of values that the control stick can have (e.g.
pushing the stick all the way left on the emulator makes the activator
value 82, but odds are it's slightly different on the console). I know at
the very least, these will work on the console to activate codes when the
stick is moved any direction if you change, for example, an 'Equal To
Activator' to a 'Not Equal To Activator' and use 0 for the value. This could
be useful for the THQ wrestling games where the only thing the stick does is
cause your wrestler to taunt; you could use the control stick to activate the
Always Special or Full Spirit code for your player whenever you taunt. I
invite whatever hackers we have left here to experiment with these on the
console and post their findings on the messageboards.
<b><i>What good are they?</i></b>
Activators are used when you only want to have a certain code active
at a certain time, rather than it always being active.
<b><i>Activators on Nintendo 64</i></b>
Activators on N64 come in a few varieties: 8-Bit and 16-Bit. This is also the only system to see
Control Stick Activators thus far.
</a><ul><li><a name="button_activators"><u>Button Activator 1 (8-Bit) values:</u></a></li></ul>
<a name="button_activators"> 00 - No Buttons
01 - D-Pad Right
02 - D-Pad Lefft
04 - D-Pad Down
08 - D-Pad Up
10 - Start
20 - Z
40 - B
80 - A
You can combine these for multiple buttons. I.E. D-Pad Left and
B would be 42.
</a><ul><li><a name="button_activators"><u>Button Activator 2 (8-Bit) values:</u></a></li></ul>
<a name="button_activators"> 00 - No Buttons
01 - C-Right
02 - C-Lefft
04 - C-Down
08 - C-Up
10 - R
20 - L
You can combine these for multiple buttons. I.E. C-Left and R would be 12.
</a><ul><li><a name="button_activators"><u>Dual (16-Bit) Activator values:</u></a></li></ul>
<a name="button_activators"> Dual Activators are nothing more than the above 2 Activators together.
They have 4 digits instead of 2. the first 2 digits use Activator 1 values
and the 2nd 2 use Activator 2 values. This allows for more button combos for
activating codes without having to use both Activators seperately.
I.E. L + R + Z would be 2030.
</a><ul><li><a name="button_activators"><u>Control Stick Activator 1 (8-Bit) values (Nemu 64 only):</u></a></li></ul>
<a name="button_activators">00 - Nothing/Centered
45 - 55% Right
7E - 100% Right
BB - 55% Left
82 - 100% Left
</a><ul><li><a name="button_activators"><u>Control Stick Activator 2 (8-Bit) values (Nemu 64 only):</u></a></li></ul>
<a name="button_activators">00 - Nothing/Centered 45 - 55% Up
7E - 100% Up
BB - 55% Down
82 - 100% Down
</a><ul><li><a name="button_activators"><u>Control Stick Activator 1 (8-Bit) values (Project64 only):</u></a></li></ul>
<a name="button_activators">00 - Nothing/Centered
7E - 100% Right
81 - 100% Left
50 - 100% Right on Axispad
B0 - 100% Left on Axispad
</a><ul><li><a name="button_activators"><u>Control Stick Activator 2 (8-Bit) values (Project64 only):</u></a></li></ul>
<a name="button_activators">00 - Nothing/Centered 7E - 100% Up
81 - 100% Down
50 - 100% Up on Axispad
B0 - 100% Down on Axispad
</a><ul><li><a name="button_activators"><u>Dual (16-Bit) Control Stick Activator values:</u></a></li></ul>
<a name="button_activators"> I would hope you can figure this one out. ;-)
(Same as Dual Button Activators)
<b><i>Gameboy Advance Codebreaker Activator Digits:</i></b>
START 0x0008
SELECT 0x0004
A 0x0001
B 0x0002
UP 0x0040
DOWN 0x0080
LEFT 0x0020
RIGHT 0x0010
Left Trigger 0x0200
Right Trigger 0x0100
<b><i>Playstation Joker Commands</i></b>
Button Activators on Playstation are known as "Joker Commands"; don't
ask me why. You'll see Playstation Jokers in four forms (all are 16-Bit).
The reason there are 4 forms is that, apparetly, game makers never agreed
on a common way to store values when keeping track of what buttons are
being pressed. Digits here were provided by </a><a href="http://www.cmgsccc.com/">GSCCC</a>
<ul><li><u>Normal Joker Command Digits:</u></li></ul>
0000 - No Buttons
0001 - L2 Button
0002 - R2 Button
0004 - L1 Button
0008 - R1 Button
0010 - Triangle Button
0020 - Circle Button
0040 - X Button
0080 - Square Button
0100 - Select Button
0800 - Start Button
1000 - Up Direction
2000 - Right Direction
4000 - Down Direction
8000 - Left Direction
Multi Buttons - Just combine (add) the values. i.e. Up + R1 would
be 1008.
<ul><li><u>Reverse Joker Command Digits:</u></li></ul>
0000 - No Buttons
0100 - L2 Button
0200 - R2 Button
0400 - L1 Button
0800 - R1 Button
1000 - Triangle Button
2000 - Circle Button
4000 - X Button
8000 - Square Button
0001 - Select Button
0008 - Start Button
0010 - Up Direction
0020 - Right Direction
0040 - Down Direction
0080 - Left Direction
Multi Buttons - Just combine (add) the values. i.e. Up + R1 would
be 0810.
<ul><li><u>Max Normal Joker Command Digits:</u></li></ul>
FFFF - No Buttons
FFFE - L2 Button
FFFD - R2 Button
FFFB - L1 Button
FFF7 - R1 Button
FFEF - Triangle Button
FFDF - Circle Button
FFBF - X Button
FF7F - Square Button
FEFF - Select Button
F7FF - Start Button
EFFF - Up Direction
DFFF - Right Direction
BFFF - Down Direction
7FFF - Left Direction
Multi Buttons - Combining these is a little harder. L1 + Select would be FEFB.
<ul><li><u>Max Reverse Joker Command Digits:</u></li></ul>
FFFF - No Buttons
FEFF - L2 Button
FDFF - R2 Button
FBFF - L1 Button
F7FF - R1 Button
EFFF - Triangle Button
DFFF - Circle Button
BFFF - X Button
7FFF - Square Button
FFFE - Select Button
FFF7 - Start Button
FFEF - Up Direction
FFDF - Right Direction
FFBF - Down Direction
FF7F - Left Direction
Multi Buttons - Combining these is a little harder. L1 + Select would be FBFE.
<b><i>Playstayion 2 Joker Command Digits - Courtesy hellion (<a href="http://hellion00.thegfcc.com/">hellion00.thegfcc.com</a>):</i></b>
0001 - Select
0002 - L3
0004 - R3
0008 - Start
0010 - Up
0020 - Right
0040 - Down
0080 - Left
0100 - L2
0200 - R2
0400 - L1
0800 - R1
1000 - Triangle
2000 - Circle
4000 - X
8000 - Square
Multi Buttons - Add the values. 8200 - Square + R2
<b><i>Dreamcast: Indices For DC Pad Commands - By UL1</i></b>
The 'good' thing is: for the DC there are commands available that allow you
to activate a code in the game by pressing one or more buttons on your pad.
The 'bad' thing is : It isn't as easy as it is for the PSX...
The <i>BUTTON COMMAND </i>is easy to use because you just insert the values and
that's it. You can combine different buttons - just subtract the given
values from FFFF.
With the <i>L / R COMMANDS</i> it's a bit difficult...
There are two types :
<ul><li><u>The ANALOG-L/R COMMAND</u></li></ul>
For the <i>A-L/R COMMAND </i>the values for the buttons differ depending on
how strong you push the button(s). So just the value for the default
position of the buttons can be given - you can activate the code
by saying :
Code active if button isn't moved (use '0' instead of the question
mark) or
Code active if button is moved (use '1' instead of the question
mark).
Alternatively, if you want to activate the code(s) when pressing
button(s) to the max, use FF00 for 'L', 00FF for 'R' or FFFF for both.
<ul><li><u>The DIGITAL L/R COMMAND</u></li></ul>
This one is easy to use because you use it the same way as the
<i>BUTTON COMMANDS</i>. The <i>ANALOG STICK COMMAND</i> is similar to the <i>A-L/R
COMMAND</i> but here you have two different values for the default
position of the stick : 0000 or 8080 and there is no value for a max
position. XXXXXXXX always represents the code address. Most of
times the <i>BUTTON</i> and the <i>L/R COMMAND</i> addresses are placed
consecutive in the memory, e.g. :
<i>BUTTON COMMAND</i>
01000000
0000FFFB
<i>L/R COMMAND</i>
01000002
0000FFFD
so you also could use a combination of the two commands. That would
read like this :
01000000
FFFDFFFB
<b>NOTE :</b> Because SEGA / the developers use almost all buttons for game play it's
sometimes difficult to find a combination that doesn't affect other functions in the
game. So I suggest to use the second Pad for activating codes in such cases.
<ul><li><u>BUTTON COMMAND</u></li></ul>
XXXXXXXX
0000<b>????</b>
A = FFFB
B = FFFD
X = FBFF
Y = FDFF
START = FFF7
D-UP = FFEF
D-DOWN = FFDF
D-LEFT = FFBF
D-RIGHT = FF7F
<ul><li><u>A-L/R COMMAND</u></li></ul>
XXXXXXXX
000<b>?</b>0000
0 = active when none of the two buttons is pressed
1 = active when one or both buttons are pressed
L = FF00
R = 00FF
<ul><li><u>D-L/R COMMAND</u></li></ul>
XXXXXXXX
0000<b>????</b>
L = FFFD
R = FFFE
<ul><li><u>A-STICK COMMAND</u></li></ul>
XXXXXXXX
000<b>?</b>0000
or
XXXXXXXX
000<b>?</b>8080
0 = active when A-Stick isn't moved
1 = active when A-Stick is moved
<b><u><i><a name="patch_codes">E) Patch Codes</a></i></u></b>
<a name="patch_codes"><b><i>How do Patch Codes Work?</i></b>
Patch codes are used to make a code string shorter. EG,
You have five codes put together to give you "all weapons." Use
the patch to shorten it to two codes. This is how it works -
50000A02 0000 +
80844CF0 FF5F EXAMPLE ONLY! NOT A REAL CODE!
The first code is the patch, the second is the first code of the
expanded STRING(a string is where the offsets will go up only a few
digits for each code, EG. 100000, 100002, 100004, etc). The patch
does not use an address, yet it is an instruction for the
GameShark. The seventh and eighth digit in the patch tells how many
numbers the second code will raise to get to the next code in the
string. In this case, "2" is used, meaning the next code in the
string must be "80844CF2 FF5F." Then the next code would also go up
by two. So would the next one, and so on. The fifth and sixth
digits of the patch are the digits that tell the GameShark how many
codes are in the string. "0A" is used in the example, so ten codes
are being used at once with only two codes! Also note, the codes
within the string MUST have the same quantity digits!!!! It's
possible to have as many as 255 codes used at once using this
format. Maybe even more in the future. You can also change the
quantity digits in the patch to make the values of each code in the
string raise by a certain value.
This is what the above code would look like with out a patch -
80844CF0 FF5F
80844CF2 FF5F
80844CF4 FF5F
80844CF6 FF5F
80844CF8 FF5F EXAMPLE ONLY! NOT A REAL CODE!
80844CFA FF5F
80844CFC FF5F
80844CFE FF5F
80844D00 FF5F
80844D02 FF5F
Which would you want to use?
Okay now to put a new twist on the Patch Codes. I'll use the materia
modifier for Final Fantasy 7 as an example.
slot 1: 3009CE60 FFxx
slot 2: 3009CE64 FFxx
There are 200 slots but there are only 90 different types materia so
to get them all that's how many codes you'll need. the quantity
digits for those range from 00-5A and 5A equals 90 in decimal. The
codes go up by 4 so we have:
50005A04 0000 +
3009CE60 FFxx
Is that the code to give you all the materia? NO! That code will
give you the same materia in 90 different slots. To get all the
materia we need to make the XX go up by one with each code. We do
that the same way we make the first half of the code.
So here it is:
50005A04 0001 +
3009CE60 FF00
We just did the same thing with the last four digits as we did for
the rest of the code. So which is better 2 codes or 90?
<b><u><i></i></u></b></a><b><u><i><a name="encryption">F) Encryption</a></i></u></b>
<a name="encryption"><b><i></i></b></a><b><i><a name="ps2_encryption">F-1) Playstation 2 Encryption - Courtesy hellion &amp; kpdavatar (</a><a href="http://hellion00.thegfcc.com/">hellion00.thegfcc.com</a>)</i></b>
There are 3 types of encryption that the PS2 Gameshark (and AR) V1/V2 use. The
encryption type is determined by the (M) Must Be On code for each game. You may have
noticed in looking through some codes that some games have a 1 line (M) code and some
games have a 2 line. That extra line sets different encryption seeds. After seeing
"DEADFACE" on GBA, I would've expected this extra line to have more than just 2 ways
of encrypting. I'm guessing we'll see that in the V3 shark if anyone gets around to
studying it.
The Codebreaker for PS2 only has 1 encryption type that we're aware of. No detailed
information about the encryption itself is available at this time, but kpdavatar's
encryptor/decryptor supports them.
<ul><li><u>The "1456E7A5" Encryption Scheme</u></li></ul>
This was the original encryption method -- your 1 line (M) code. You may have
seen codes like "3CA2B610 1456B00C" on some sites. The "1456E7A5" name was derived
from the fact that it's commonly used in the values on encrypted codes. 1456E7A5,
when used in that part of a code, decrypts to 00000000. The other 2 encryption types
are the same wway. Here are the equations that are used for the encryption. The
input to the encryption is denoted as a0a1a2a3 d0d1d2d3, and the output is denoted
as A0A1A2A3 D0D1D2D3. Each a0, a1, etc is a two digit hex number. In the equations
below, the '$' means that the following number is a hexidecimal number. XOR is a
binary operation that can be performed on hex numbers using Windows Calculator in
Scientific Mode. <i>Note: If you're not into equations, there's an encryptor created
by kpdavatar. :)</i>
A0 = (a0 XOR $A6) - $6A
A1 = (a1 XOR $96) - $FF
A2 = (a2 XOR $01) - $7E
A3 = (a3 XOR $82) - $5A
D0 = (d0 XOR $D9) - $C5
D1 = (d1 XOR $3B) - $E5
D2 = (d2 XOR $1B) - $34
D3 = (d3 XOR $CC) - $27
<ul><li><u>The "BCA99B83" Encryption Scheme</u></li></ul>
This encryption is used for games that have certain two-line (M) Must Be On codes.
The first line of the (M) code should be "0E3C7DF2 1853E59E". Here are the equations
that are used for the encryption. The input to the encryption is denoted as
a0a1a2a3 d0d1d2d3, and the output is denoted as A0A1A2A3 D0D1D2D3 . Each a0, a1, etc
is a two digit hex number. In the equations below, the '$' means that the following
number is a hexidecimal number. XOR is a binary operation that can be performed on hex
numbers using Windows Calculator in Scientific Mode.
A0 = (a0 - $69) XOR $69 or A0 = (a0 - $E9) XOR $E9
A1 = (a1 - $4F) XOR $4F or A1 = (a1 - $CF) XOR $CF
A2 = (a2 - $7B) XOR $7B or A2 = (a2 - $FB) XOR $FB
A3 = (a3 - $45) XOR $45 or A3 = (a3 - $C5) XOR $C5
D0 = d0 + $BC or D0 = d0 - $43
D1 = d1 + $A9 or D1 = d1 - $56
D2 = d2 + $9B or D2 = d2 - $64
D3 = d3 + $83 or D3 = d3 - $7C
<ul><li><u>The "F8FCFEFE" Encryption Scheme</u></li></ul>
This encryption is used for games that have certain two-line (M) Must Be On codes.
The first line of the (M) code should be "0E3C7DF2 1645EBB3". Here are the equations
that are used for the encryption. The input to the encryption is denoted as
a0a1a2a3 d0d1d2d3, and the output is denoted as A0A1A2A3 D0D1D2D3 . Each a0, a1, etc
is a two digit hex number. In the equations below, the '$' means that the following
number is a hexidecimal number. XOR is a binary operation that can be performed on
hex numbers using Windows Calculator in Scientific Mode.
A0 = a0 + $1C or A0 = a0 - $E3
A1 = a1 + $F7 or A1 = a1 - $08
A2 = a2 + $4E or A2 = a2 - $B1
A3 = a3 + $CF or A3 = a3 - $30
D0 = (d0 - $44) XOR $44 or D0 = (d0 - $C4) XOR $C4
D1 = (d1 - $42) XOR $42 or D1 = (d1 - $C2) XOR $C2
D2 = (d2 - $27) XOR $27 or D2 = (d2 - $A7) XOR $A7
D3 = (d3 - $09) XOR $09 or D3 = (d3 - $89) XOR $89
<ul><li><u><a name="ps2_encryptor">Playstation 2 Code Encryptor by kpdavatar</a></u></li></ul>
<a name="ps2_encryptor"> You didn't actully want to do all those equations, did you? Well if you do,
knock yourself out. Otherwise, check out kpdavatar's 1337 encryptor below :)
<noscript>
You must have scripting enabled to view the Playstation 2 encrypt program
</noscript>
<!--Begin long encryptor source-->
<script language="JavaScript">
<!--
function SymError()
{
return true;
}
window.onerror = SymError;
var SymRealWinOpen = window.open;
function SymWinOpen(url, name, attributes)
{
return (new Object());
}
window.open = SymWinOpen;
//-->
</script>
<script language="JavaScript">
<!-- start
// All Function by kpdavatar@netbroadcaster.com
// Version 5.01 03/13/2003 05:00 PM CST
// GS2 encryption based on Hellion00 Web page http://hellion00.thegfcc.com
// CB2 encryption based on Herben's Cheat Code Cryptor v2.0.4
function ConvFormGS2() {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
var d = document.ConvForm.RCodeType;
var zt = "0";
var m = "Z ";
var tc = "0";
var z = "0";
var c = document.ConvForm.RGS2Mode;
var b = 0;
// radio to GS2
d[0].checked = true;
d[1].checked = false;
d[2].checked = false;
// find what GS2 Mode
b = 0;
for (var i = 0; i < 5; i++) {
if (c[i].checked) {
b = i;
i = 5;
}
}
// set z button
if (b == 0) {
z = "1456E7A5";
m ="G1";
// color
// document.fgColor = "#0000FF";
}
if (b == 1) {
z = "BCA99B83";
m ="GB";
// color
// document.fgColor = "#0000FF";
}
if (b == 2) {
z = "F8FCFEFE";
m ="GF";
// color
// document.fgColor = "#0000FF";
}
if (b == 3) {
ct = document.ConvForm.Code.value;
zt = GS2("0000000000000000",1)
z = zt.substring(8,16);
document.ConvForm.Code.value = ct;
m = "G" + document.ConvForm.MName.value;
// color
// document.fgColor = "#800080";
}
if (b == 4) {
ct = document.ConvForm.Code.value;
zt = GS2("0000000000000000",1)
z = zt.substring(8,16);
document.ConvForm.Code.value = ct;
m = "G" + document.ConvForm.MName.value;
// color
// document.fgColor = "#800080";
}
document.ConvForm.zcode.value = z;
document.ConvForm.Mode.value = "GS2 " + m + " - " + z;
// Code type set GS2
document.ConvForm.RLastType.value = m;
}
function ConvFormHex() {
// Function by kpdavatar@netbroadcaster.com
// Version 3.01 07/03/2002 01:00 PM CST
// Code now Hex find radio
var d = document.ConvForm.RCodeType;
// set z button
document.ConvForm.zcode.value = "00000000";
// radio to Hex
d[0].checked = false;
d[1].checked = true;
d[2].checked = false;
// Code type set Hex
document.ConvForm.Mode.value = "Hex";
document.ConvForm.RLastType.value = "H";
// color
// document.fgColor = "#006000";
}
function ConvFormCB2() {
// Function by kpdavatar@netbroadcaster.com
// Version 3.01 07/03/2002 01:00 PM CST
var d = document.ConvForm.RCodeType;
var LastType = document.ConvForm.RLastType;
// Code now CB2
document.ConvForm.zcode.value = "00000000";
// radio to CB2
d[0].checked = false;
d[1].checked = false;
d[2].checked = true;
document.ConvForm.Mode.value = "CB2";
// Code type set CB2
LastType.value = "K";
// color
// document.fgColor = "#FF0000";
}
function ConvToGS2() {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
// Get where is code
var Code = document.ConvForm.Code;
// Get what type of code
var LastType = document.ConvForm.RLastType;
// Where MSG
var MSG = document.ConvForm.MSG;
// temp var's
var x = " ";
var y = " ";
var z = " ";
var l = " ";
var tc = " ";
// Get Code
x = Code.value;
l = LastType.value;
// Check what converting from
// "N"=No Type "G"=GB2 "H"=Hex "K"=CB2
if (l == "H") {
MSG.value = "Conv Hex to GS2";
y = GS2(x,1);
}
if (l == "K") {
MSG.value = "Conv CB2 to GS2";
y = CB2ToHex(x);
x = y;
y = GS2(x,1);
}
if (l.substring(0,1) == "G") {
y = MakeHexW(x);
}
if (l == "N") {
y = x;
}
// put GS2 code out
if (document.ConvForm.CenterSpace.checked) {
x = y.substring(0,8);
z = y.substring(8,16);
y = x + " " + z;
}
if (document.ConvForm.PostDesc.checked) {
y = y + "-GS2"
}
Code.value = y;
y = ConvFormGS2();
}
function ConvToHex() {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
// Get where is code
var Code = document.ConvForm.Code;
// Get what type of code
var LastType = document.ConvForm.RLastType;
// Where MSG
var MSG = document.ConvForm.MSG;
// temp var's
var x = " ";
var y = " ";
var z = " ";
var l = " ";
// Get Code
x = Code.value;
l = LastType.value;
// Check what converting from
// "N"=No Type "G"=GB2 "H"=Hex "K"=CB2
if (l.substring(0,1) == "G") {
MSG.value = "Conv GS2 to Hex";
y = GS2(x,0);
}
if (l == "K") {
MSG.value = "Conv CB2 to Hex";
y = CB2ToHex(x);
}
if (l == "H") {
y = MakeHexW(x);
}
if (l == "N") {
y = x;
}
// put Hex code out
if (document.ConvForm.CenterSpace.checked) {
x = y.substring(0,8);
z = y.substring(8,16);
y = x + " " + z;
}
if (document.ConvForm.PostDesc.checked) {
y = y + "-Hex"
}
Code.value = y;
// Code now Hex
y = ConvFormHex();
}
function ConvToCB2() {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
// Get where is code
var Code = document.ConvForm.Code;
// Get what type of code
var LastType = document.ConvForm.RLastType;
// Where MSG
var MSG = document.ConvForm.MSG;
// temp var's
var x = " ";
var y = " ";
var z = " ";
var l = " ";
// Get Code
x = Code.value;
l = LastType.value;
// Check what converting from
// "N"=No Type "G"=GB2 "H"=Hex "K"=CB2
if (l == "H") {
MSG.value = "Conv Hex to CB2";
y = HexToCB2(x);
}
if (l.substring(0,1) == "G") {
MSG.value = "Conv GS2 to CB2";
y = GS2(x,0);
x = y;
y = HexToCB2(x);
}
if (l == "K") {
y = MakeHexW(x);
}
if (l == "N") {
y = x;
}
// put CB2 code out
if (document.ConvForm.CenterSpace.checked) {
x = y.substring(0,8);
z = y.substring(8,16);
y = x + " " + z;
}
if (document.ConvForm.PostDesc.checked) {
y = y + "-CB2"
}
Code.value = y;
// Code now CB2
y = ConvFormCB2();
}
function resetconv() {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
var Code = document.ConvForm.Code;
var dummy = 0;
var x = " ";
var y = " ";
var z = " ";
// Where MSG
var MSG = document.ConvForm.MSG;
dummy = ConvToHex();
// Get Code
x = "0000000000000000";
y = x;
if (document.ConvForm.CenterSpace.checked) {
x = y.substring(0,8);
z = y.substring(8,16);
y = x + " " + z;
}
if (document.ConvForm.PostDesc.checked) {
y = y + "-Hex"
}
Code.value = y;
MSG.value = "Reset"
}
function MakeHexC(JunkIn) {
// Function by kpdavatar@netbroadcaster.com
// Version 3.00 07/26/2002 08:00 PM CST
// Convert 1 JunkChar to HexChar "0" - "F"
//
var HexOut = " ";
HexOut = "*";
if (JunkIn == "?") { HexOut = "0"; }
if (JunkIn == "0") { HexOut = "0"; }
if (JunkIn == "1") { HexOut = "1"; }
if (JunkIn == "2") { HexOut = "2"; }
if (JunkIn == "3") { HexOut = "3"; }
if (JunkIn == "4") { HexOut = "4"; }
if (JunkIn == "5") { HexOut = "5"; }
if (JunkIn == "6") { HexOut = "6"; }
if (JunkIn == "7") { HexOut = "7"; }
if (JunkIn == "8") { HexOut = "8"; }
if (JunkIn == "9") { HexOut = "9"; }
if (JunkIn == "a") { HexOut = "A"; }
if (JunkIn == "b") { HexOut = "B"; }
if (JunkIn == "c") { HexOut = "C"; }
if (JunkIn == "d") { HexOut = "D"; }
if (JunkIn == "e") { HexOut = "E"; }
if (JunkIn == "f") { HexOut = "F"; }
if (JunkIn == "A") { HexOut = "A"; }
if (JunkIn == "B") { HexOut = "B"; }
if (JunkIn == "C") { HexOut = "C"; }
if (JunkIn == "D") { HexOut = "D"; }
if (JunkIn == "E") { HexOut = "E"; }
if (JunkIn == "F") { HexOut = "F"; }
// if "*" Char is Junk give errormsg
if (HexOut == "*") {
document.ConvForm.MSG.value = "3:Input Error: " + JunkIn;
HexOut = "0";
}
return HexOut;
}
function MakeHexW(JunkIn) {
// Function by kpdavatar@netbroadcaster.com
// Version 3.00 07/26/2002 08:00 PM CST
// Take Junk Code and Make it Hex
// init vars
// vars for input & output
var mx = "0123456789abcdef";
var HexOut = "ERROR ";
// var for parsing HexInput
var CHF = "F";
var CHE = "E";
var CHD = "D";
var CHC = "C";
var CHB = "B";
var CHA = "A";
var CH9 = "9";
var CH8 = "8";
var CH7 = "7";
var CH6 = "6";
var CH5 = "5";
var CH4 = "4";
var CH3 = "3";
var CH2 = "2";
var CH1 = "1";
var CH0 = "0";
var chkspace = " ";
// Parse JunkIn and make valid hex
mx = JunkIn;
CHF = MakeHexC(mx.substring(0,1));
CHE = MakeHexC(mx.substring(1,2));
CHD = MakeHexC(mx.substring(2,3));
CHC = MakeHexC(mx.substring(3,4));
CHB = MakeHexC(mx.substring(4,5));
CHA = MakeHexC(mx.substring(5,6));
CH9 = MakeHexC(mx.substring(6,7));
CH8 = MakeHexC(mx.substring(7,8));
chkspace = mx.substring(8,9);
if (chkspace == " ") {
CH7 = MakeHexC(mx.substring(9,10));
CH6 = MakeHexC(mx.substring(10,11));
CH5 = MakeHexC(mx.substring(11,12));
CH4 = MakeHexC(mx.substring(12,13));
CH3 = MakeHexC(mx.substring(13,14));
CH2 = MakeHexC(mx.substring(14,15));
CH1 = MakeHexC(mx.substring(15,16));
CH0 = MakeHexC(mx.substring(16,17));
} else {
CH7 = MakeHexC(mx.substring(8,9));
CH6 = MakeHexC(mx.substring(9,10));
CH5 = MakeHexC(mx.substring(10,11));
CH4 = MakeHexC(mx.substring(11,12));
CH3 = MakeHexC(mx.substring(12,13));
CH2 = MakeHexC(mx.substring(13,14));
CH1 = MakeHexC(mx.substring(14,15));
CH0 = MakeHexC(mx.substring(15,16));
}
HexOut = CHF + CHE + CHD + CHC + CHB + CHA + CH9 + CH8;
HexOut += CH7 + CH6 + CH5 + CH4 + CH3 + CH2 + CH1 + CH0;
return HexOut;
}
function InvHex(Hex) {
// Function by kpdavatar@netbroadcaster.com
// Version 3.11 07/24/2002 12:30 PM CST
var IHex = "0";
if (Hex == "0") { IHex = "F"; }
if (Hex == "1") { IHex = "E"; }
if (Hex == "2") { IHex = "D"; }
if (Hex == "3") { IHex = "C"; }
if (Hex == "4") { IHex = "B"; }
if (Hex == "5") { IHex = "A"; }
if (Hex == "6") { IHex = "9"; }
if (Hex == "7") { IHex = "8"; }
if (Hex == "8") { IHex = "7"; }
if (Hex == "9") { IHex = "6"; }
if (Hex == "A") { IHex = "5"; }
if (Hex == "B") { IHex = "4"; }
if (Hex == "C") { IHex = "3"; }
if (Hex == "D") { IHex = "2"; }
if (Hex == "E") { IHex = "1"; }
if (Hex == "F") { IHex = "0"; }
if (Hex == "a") { IHex = "5"; }
if (Hex == "b") { IHex = "4"; }
if (Hex == "c") { IHex = "3"; }
if (Hex == "d") { IHex = "2"; }
if (Hex == "e") { IHex = "1"; }
if (Hex == "f") { IHex = "0"; }
return IHex;
}
function DecToHex(DecNum, Group, Sign, Dollar) {
// Function by kpdavatar@netbroadcaster.com
// Version 3.11 07/24/2002 12:30 PM CST
// DecNum = Decimal Number In
// Group = Number of digit to show
// Sign = 0 no sign / Sign = 1 show sign / Sign = 2 invert bits
// Dollar = 0 no $ / Dollar = 1 show $
// 0xFF javascript hex value
// 4294967296 dec = 0x100000000 hex too big
// 268435456 dec = 0x10000000 hex
// 16777216 dec = 0x1000000 hex
// 1048576 dec = 0x100000 hex
// 65536 dec = 0x10000 hex
// 4096 dec = 0x1000 hex
// 256 dec = 0x100 hex
// 16 dec = 0x10 hex
// 1 dec = 0x01 hex
var HexChars = "0123456789ABCDEF";
var HexOut = "00000000";
var tc = " ";
var H7 = 0;
var H6 = 0;
var H5 = 0;
var H4 = 0;
var H3 = 0;
var H2 = 0;
var H1 = 0;
var H0 = 0;
var a = 0;
var b = 0;
var g = 1;
var s = 0;
var st = 0;
var d = 0;
s = 0;
st = 0;
if (Sign == 1) { s = 1; }
if (Sign == 2) { s = 2; }
d = 0;
if (Dollar == 1) { d = 1; }
g = 1;
g = Group;
if (g < 1 || g > 8) {
document.ConvForm.MSG.value = "5:Group Error " + a;
} else {
a = DecNum;
if (a < 0) {
st = 1;
if (s == 1) {
a = a * -1;
}
if (s == 2) {
a = a * -1;
a -= 1;
}
}
if (a > 0xFFFFFFFF) {
document.ConvForm.MSG.value = "5:Dec Error " + a;
} else {
b = a % 0x10000000;
H7 = (a - b) / 0x10000000;
a = b;
b = a % 0x1000000;
H6 = (a - b) / 0x1000000;
a = b;
b = a % 0x100000;
H5 = (a - b) / 0x100000;
a = b;
b = a % 0x10000;
H4 = (a - b) / 0x10000;
a = b;
b = a % 0x1000;
H3 = (a - b) / 0x1000;
a = b;
b = a % 0x100;
H2 = (a - b) / 0x100;
a = b;
b = a % 0x10;
H1 = (a - b) / 0x10;
H0 = b;
}
}
HexOut = "";
if (s == 1 ) {
if (st == 1) {
HexOut += "-";
} else {
HexOut += "+";
}
}
if (d == 1) { HexOut += "$"; }
if (g > 7) {
tc = HexChars.charAt(H7);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
}
if (g > 6) {
tc = HexChars.charAt(H6);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
}
if (g > 5) {
tc = HexChars.charAt(H5);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
}
if (g > 4) {
tc = HexChars.charAt(H4);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
}
if (g > 3) {
tc = HexChars.charAt(H3);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
}
if (g > 2) {
tc = HexChars.charAt(H2);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
}
if (g > 1) {
tc = HexChars.charAt(H1);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
}
tc = HexChars.charAt(H0);
if (s == 2 && st == 1) { tc = InvHex(tc);}
HexOut += tc;
// output HexOut
return HexOut;
}
function HexToCB2(HexInput) {
// Function HexToCB2 by kpdavatar@netbroadcaster.com
// Version 4.00 02/20/2003 09:30 PM CST
// CB2 encryption based on Herben's Cheat Code Cryptor v2.0.4
// initialize var
// temp char for HexInput
var mx = "0123456789abcdef";
// var for parsing HexInput
// 0xFF is hex in javasrcript
var CHF = "0";
var CHE = "0x0";
var CH98DCBA = "0x000000";
var CH70 = "00000000";
// ver's for CB2Num
var NCF = 0;
var NCE = 0;
var NC98DCBA = 0;
var NC70 = 0;
var CCF = "0";
var CCE = "0";
var CC98DCBA = "000000";
var CC70 = "000000000";
var CB2Code = "012345678ABCDEF";
var x = 0;
var y = 0;
var c = 0;
var tc = "0123456789";
var eadd = "0x00000000";
var exor = "0x00000000";
var eval = "0x00000000";
var nadd = 0;
var nxor = 0;
var nval = 0;
var nxe = 0;
// store HexInput in memory X make 17 Char long + space
mx = HexInput + "00000000000000000";
mx = mx.substr(0,17);
// make sure input is hex
mx = MakeHexW(mx);
// Parse HexNum
// Make javascript hex
CHF = mx.substring(0,1);
CHE = "0x" + mx.substring(1,2);
// Note: Not in order a9a8aDaCaBaA
CH98DCBA = "0x" + mx.substring(6,8) + mx.substring(2,6);
CH70 = mx.substring(8,16);
// In JavaScript 0xFF is FF Hex
// In JavaScript ^ is Bitwise XOR
// JavaScript always returns Dec numbers
// Herben encryption
// get seeds
tc = GetCB2Seed(CHF);
// convert hex to dec
eadd = "0x" + tc.substring(0,8);
exor = "0x" + tc.substring(9,17);
eval = "0x" + tc.substring(18,26);
nadd = (eadd * 1);
nxor = (exor * 1);
nval = (eval * 1);
c = (("0x" + CHF) * 1);
x = (CH98DCBA * 1) + nadd;
if (x > 0xFFFFFF) { x -= 0x1000000; }
nxe = (CHE * 1);
tc = "0x" + CHF + DecToHex(nxe, 1) + DecToHex(x, 6);
y = (tc * 1)
y = y ^ nxor;
if (y > 0x7FFFFFFF) { y -= 0x1000000; }
if (y > 0xFFFFFFFF) { y -= 0x100000000; }
if (y < 0x0) { y += 0x100000000; }
if (c > 2) {
tc = "0x" + CH70;
NC70 = (tc * 1) + nval;
if (NC70 > 0xFFFFFFFF) { NC70 -= 0x100000000; }
if (NC70 < 0x0) { NC70 += 0x100000000; }
x = NC70 ^ y;
// messy 8 byte xor can change sign
if (x < 0x0) { x += 0x100000000; }
if (x > 0xFFFFFFFF) { x -= 0x100000000; }
CC70 = DecToHex(x, 8);
}
if (c < 3) {
CC70 = CH70;
}
CCE = DecToHex(y, 8);
// Convet Dec to HexChar;
CB2Code = CCE + CC70;
return CB2Code;
}
function GetCB2Seed(Com) {
// Function by kpdavatar@netbroadcaster.com
// Version 4.00 02/20/2003 09:30 PM CST
// CB2 encryption based on Herben's Cheat Code Cryptor v2.0.4
// jout is 'add seed/xor seed/value seed'
var jout = "00000000";
jout = "*";
if (Com == "0") { jout = "00288596/0A0B8D9B/1DD9A10A"; }
if (Com == "1") { jout = "0037DD28/0A0133F8/B95AB9B0"; }
if (Com == "2") { jout = "003BEEF1/0AF733EC/5CF5D328"; }
if (Com == "3") { jout = "000BC822/0A15C574/95FE7F10"; }
if (Com == "4") { jout = "00BC935D/0A50AC20/8E2D6303"; }
if (Com == "5") { jout = "00A139F2/0A920FB9/16BB6286"; }
if (Com == "6") { jout = "00E9BBF8/0A599F0B/E389324C"; }
if (Com == "7") { jout = "00F57F7B/0A4AA0E3/07AC6EA8"; }
if (Com == "8") { jout = "0090D704/0A21C012/AA4811D8"; }
if (Com == "9") { jout = "001814D4/0A906254/76CE4E18"; }
if (Com == "A") { jout = "00C5848E/0A31FD54/FE447516"; }
if (Com == "B") { jout = "005B83E7/0A091C0E/F9CD94D0"; }
if (Com == "C") { jout = "00108CF7/0A372B38/4C24DEDB"; }
if (Com == "D") { jout = "0046CE5A/0A6F266C/68275C4E"; }
if (Com == "E") { jout = "003A5BF4/0A61DD4A/72494382"; }
if (Com == "F") { jout = "006FAFFC/0A0DBF92/C8AA88E8"; }
return jout;
}
function CB2ToHex(CB2Input) {
// Function CB2ToHex by kpdavatar@netbroadcaster.com
// Version 4.00 02/20/2003 09:30 PM CST
// CB2 encryption based on Herben's Cheat Code Cryptor v2.0.4
// initialize var
// temp char for CB2Input
var mx = "0123456789abcdef";
// var for parsing HexInput
// 0xFF is CB2 in javasrcript
var CCF = "0";
var CCE = "0x0";
var CC98DCBA = "0x000000";
var CC70 = "00000000";
// ver's for Hex
var NHF = 0;
var NHE = 0;
var NH98DCBA = 0;
var NH70 = 0;
var CHF = "0";
var CHE = "0";
var CH98DCBA = "000000";
var CHDCBA = "0000";
var CH98 = "0000";
var CH70 = "000000000";
var HexCode = "012345678ABCDEF";
var tc = "0123456789";
var y = 0;
var x = 0;
var c = 0;
var eadd = "0x00000000";
var exor = "0x00000000";
var eval = "0x00000000";
var nadd = 0;
var nxor = 0;
var nval = 0;
var nxe = 0;
// store HexInput in memory X make 17 Char long + space
mx = CB2Input + "00000000000000000";
mx = mx.substr(0,17);
// make sure input is hex
mx = MakeHexW(mx);
// Parse CB2 Code
// Make javascript hex
CCF = mx.substring(0,1);
CCE = "0x" + mx.substring(1,2);
// Note: Not in order A9A8ADACABAA
CC98DCBA = "0x" + mx.substring(2,4) + mx.substring(4,8);
CC70 = mx.substring(8,16);
// Convert to HexCode
// In JavaScript 0xFF is FF Hex
// In JavaScript ^ is Bitwise XOR
// JavaScript always returns Dec numbers
// Herben encryption
// get seeds
tc = GetCB2Seed(CCF);
// convert hex to dec
eadd = "0x" + tc.substring(0,8);
exor = "0x" + tc.substring(9,17);
eval = "0x" + tc.substring(18,26);
nadd = (eadd * 1);
nxor = (exor * 1);
nval = (eval * 1);
c = (("0x" + CCF) * 1);
nxe = (CCE * 1);
x = (CC98DCBA * 1);
mx = "0x" + CCF + DecToHex(nxe, 1) + DecToHex(x, 6);
tc = "0x" + CC70;
if (c > 2) {
x = (tc * 1) ^ (mx * 1);
// messy 8 byte xor can change sign
if (x < 0x0) { x += 0x100000000; }
if (x > 0xFFFFFFFF) { x -= 0x100000000; }
x -= nval;
if (x < 0x0) { x += 0x100000000; }
CH70 = DecToHex(x, 8);
}
if (c < 3) {
CH70 = CC70;
}
y = (mx * 1) ^ nxor;
if (y > 0x7FFFFFFF) { y -= 0x1000000; }
if (y > 0xFFFFFFFF) { y -= 0x10000000; }
if (y < 0x0) { y += 0x100000000; }
tc = DecToHex(y, 8);
CHF = CCF;
CHE = tc.substring(1,2);
tc = "0x" + DecToHex(y, 6);
x = (tc * 1) - nadd;
if (x < 0x0) { x += 0x1000000; }
tc = DecToHex(x, 6);
CH98 = tc.substring(0,2);
CHDCBA =tc.substring(2,6);
// Convet Dec to HexChar;
HexCode = CHF + CHE + CHDCBA + CH98 + CH70;
return HexCode;
}
function MC(ClkVal) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.01 03/13/2003 05:00 PM CST
// Mouse Click Button Get Char Shift to Code
//
// Find Where InputNum is
var Code = document.ConvForm.Code;
// Where to put key hit
var MSG = document.ConvForm.MSG;
// vars for format output
var d = document.ConvForm.RCodeType;
// var for Parsing and Shifting Code
var CHF = "0";
var CHE = "0";
var CHD = "0";
var CHC = "0";
var CHB = "0";
var CHA = "0";
var CH9 = "0";
var CH8 = "0";
var Cspace = " ";
var CH7 = "0";
var CH6 = "0";
var CH5 = "0";
var CH4 = "0";
var CH3 = "0";
var CH2 = "0";
var CH1 = "0";
var CH0 = "0";
// tmp var for clicked char
var ClkIn = "0";
// tmp var for InputNum
var mx = " ";
// Get Inputs
ClkIn = ClkVal.value;
mx = Code.value;
// Out what clicked
MSG.value = ClkIn;
// Parse InputNum
CHF = mx.substring(0,1);
CHE = mx.substring(1,2);
CHD = mx.substring(2,3);
CHC = mx.substring(3,4);
CHB = mx.substring(4,5);
CHA = mx.substring(5,6);
CH9 = mx.substring(6,7);
CH8 = mx.substring(7,8);
if (document.ConvForm.CenterSpace.checked) {
Cspace = mx.substring(8,9);
CH7 = mx.substring(9,10);
CH6 = mx.substring(10,11);
CH5 = mx.substring(11,12);
CH4 = mx.substring(12,13);
CH3 = mx.substring(13,14);
CH2 = mx.substring(14,15);
CH1 = mx.substring(15,16);
CH0 = mx.substring(16,17);
} else {
CH7 = mx.substring(8,9);
CH6 = mx.substring(9,10);
CH5 = mx.substring(10,11);
CH4 = mx.substring(11,12);
CH3 = mx.substring(12,13);
CH2 = mx.substring(13,14);
CH1 = mx.substring(14,15);
CH0 = mx.substring(15,16);
}
// Shift mx
if (ClkIn == "Back") {
mx = "0" + CHF + CHE + CHD + CHC + CHB + CHA + CH9;
if (document.ConvForm.CenterSpace.checked) { mx += " "; }
mx += CH8 + CH7 + CH6 + CH5 + CH4 + CH3 + CH2 + CH1;
} else {
if (ClkIn.length == 1) {
mx = CHE + CHD + CHC + CHB + CHA + CH9 + CH8 + CH7;
if (document.ConvForm.CenterSpace.checked) { mx += " "; }
mx += CH6 + CH5 + CH4 + CH3 + CH2 + CH1 + CH0 + ClkIn;
} else {
mx = CH7 + CH6 + CH5 + CH4 + CH3 + CH2 + CH1 + CH0
if (document.ConvForm.CenterSpace.checked) { mx += " "; }
mx += ClkIn;
}
}
if (document.ConvForm.PostDesc.checked) {
if (d[0].checked) { mx += "-GS2"; }
if (d[1].checked) { mx += "-Hex"; }
if (d[2].checked) { mx += "-CB2"; }
}
// send out blank msg and new InputNum
Code.value = mx;
}
function future() {
document.ConvForm.MSG.value = "Reserved Future Use";
}
function Mem(WhatDo) {
// Function Mem by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
var Code = document.ConvForm.Code;
var MSG = document.ConvForm.MSG;
var b = 0;
var c = document.ConvForm.RMem;
var d = document.ConvForm.RCodeType;
var LastType = document.ConvForm.RLastType;
var x = " ";
var xt = " ";
var y = " ";
var z = " ";
var zt = " ";
var tc = " ";
// find what Mem slot
b = 0;
for (var i = 0; i < 16; i++) {
if (c[i].checked) {
b = i;
i = 16;
}
}
MSG.value = b;
// What to Do
if (WhatDo.value == "MC") {
MSG.value = "Clear Memory";
c[b].value = "0000000000000000N";
}
if (WhatDo.value == "MD") {
MSG.value = "Dump Memory";
newWindow = window.open("","Help","HEIGHT=400,WIDTH=600,scrollbars,resizable");
newWindow.document.write("<HTML><Body bgColor='#C0C0C0'>");
newWindow.document.write("Memory Dump<BR>");
newWindow.document.write("xxxxxxxxxxxxxxxxG? = GS2 Code<BR>");
newWindow.document.write("xxxxxxxxxxxxxxxxH = Hex Code<BR>");
newWindow.document.write("xxxxxxxxxxxxxxxxK = CB2 Code<BR>");
newWindow.document.write("xxxxxxxxxxxxxxxxN = No Code<BR>");
b = 0;
for (var i = 0; i < 16; i++) {
newWindow.document.write("<BR>Mem" + DecToHex(i) + " " + c[i].value);
}
newWindow.document.close();
newWindow.focus();
}
if (WhatDo.value == "MS") {
MSG.value = "Store Memory";
x = Code.value + "00000000000000000";
y = x.substring(0,17);
y = MakeHexW(y);
xt = LastType.value;
if(xt.substring(0,1) == "G") {
tc = MXorAdd(1,0);
xt = "G" + document.ConvForm.MXorAdd.value;
}
c[b].value = y + xt;
}
if (WhatDo.value == "MR") {
x = c[b].value;
xt = x.substring(16,17);
y = x.substring(0,16);
MSG.value = "Recall Memory";
Code.value = y;
LastType.value = xt;
if (xt == "G") {
document.ConvForm.MXorAdd.value = x.substring(17,84);
y = MXorAdd(0,0);
y = ConvToGS2();
}
if (xt == "H") {
y = ConvToHex(1);
}
if (xt == "K") {
y = ConvToCB2(1);
}
}
if (WhatDo.value == "MX") {
MSG.value = "eXchange Memory";
// save current code
x = Code.value + "00000000000000000";
z = x.substring(0,17);
z = MakeHexW(z);
zt = LastType.value;
y = MXorAdd(1,1);
// recall mem
x = c[b].value;
xt = x.substring(16,17);
y = x.substring(0,16);
Code.value = y;
LastType.value = xt;
if (xt == "G") {
document.ConvForm.MXorAdd.value = x.substring(17,84);
y = MXorAdd(0,0);
y = ConvFormGS2();
}
if (xt == "H") {
y = ConvFormHex(1);
}
if (xt == "K") {
y = ConvFormCB2(1);
}
// store saved code
if (zt.substring(0,1) == "G") {
zt = "G" + document.ConvForm.MXorAddt.value;
}
c[b].value = z + zt;
}
}
var newWindow = null
function Help() {
// Function Help by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
newWindow = window.open("","Help","HEIGHT=500,WIDTH=400,scrollbars,resizable");
newWindow.document.write("<HTML><Body bgColor='#C0C0C0'>");
newWindow.document.write("<font color='Purple'>Code Converter 'Bonus Thingy'</font> Version 5.01 03/13/2003 05:00 PM CST<BR>");
newWindow.document.write("By: kpdavatar@netbroadcaster.com<BR>");
newWindow.document.write("or find kpdavatar at <A HREF='http://boards.thegfcc.com'>http://boards.thegfcc.com</A><BR>");
newWindow.document.write("Thanks to:<BR>");
newWindow.document.write("hellion00@comcast.net for his site. ");
newWindow.document.write("<A HREF='http://www.thegfcc.com'>");
newWindow.document.write("http://www.thegfcc.com</A><BR>");
newWindow.document.write("People at InterAct and GameShark.com for making GameShark2 and codes. ");
newWindow.document.write("<A HREF='http://gameshark.com'>GameShark.com</A><BR>");
newWindow.document.write("FNG for making codes and just being FNG<BR>");
newWindow.document.write("RichMan777 for Finding Cheat Code Cryptor v2.0.4<BR>");
newWindow.document.write("Herben for Making Cheat Code Cryptor v2.0.4<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("<font color='Red'><B>WARNING!!!!!</B><BR>");
newWindow.document.write("Changing a code is very dangerous if you don't know what you are doing!<BR>");
newWindow.document.write("<B>Disclamer: </B>");
newWindow.document.write("I do not work for Interact,GameShark,CodeBreaker,Or MadCatz!<BR>");
newWindow.document.write("I am not responcible for damage(Physical or Mental) done by codes you make!<BR>");
newWindow.document.write("Ok, I am not responcible for anything. :)<BR>");
newWindow.document.write("Uses at your own risk.</font> Have a nice day. :)<BR>");
newWindow.document.write("P.S. I lost my marbles but found something better.<BR>");
newWindow.document.write("SUPERBALLS! BOING, BOINg, BOIng, BOing, Boing, boing!<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("<font color='Green'>Select GS2 encryption:</font><BR>");
newWindow.document.write("00000000 Hex = 1456E7A5 GS2 ONE line (M) codes<BR>");
newWindow.document.write("00000000 Hex = BCA99B83 GS2 TWO line (M) codes<BR>");
newWindow.document.write("00000000 Hex = F8FCFEFE GS2 TWO line (M) codes<BR>");
newWindow.document.write("OR Input first line of (M) code then click Herben<BR><BR>");
newWindow.document.write("<font color='Green'>Paste, Type, or Click on Buttons to enter code</font><BR>");
newWindow.document.write("Will accept 1 space in middle of code<BR>");
newWindow.document.write("<font color='Green'>Convert by clicking on GS2, Hex, or CB2</font><BR>");
newWindow.document.write("Works for ALL CB2 codes. Thanks to Herben. ;)<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("<font color='Blue'>Center Space</font> addes a space in center of code<BR>");
newWindow.document.write("<font color='Blue'>Post Desc</font> addes a Description after code");
newWindow.document.write("<HR>");
newWindow.document.write("16 Memory Slots for Codes 0-F<BR>");
newWindow.document.write("<font color='Blue'>MD</font> = Memory Dump<BR>");
newWindow.document.write("Click on a slot and<BR>");
newWindow.document.write("<font color='Blue'>MC</font> = Memory Slot Clear<BR>");
newWindow.document.write("<font color='Blue'>MR</font> = Memory Slot Recall<BR>");
newWindow.document.write("<font color='Blue'>MS</font> = Memory Slot Store<BR>");
newWindow.document.write("<font color='Blue'>MX</font> = Memory Slot eXchange<BR>");
newWindow.document.write("Note: Memory Slots also store Mode(GS2,Xors,Adds,Hex,or CB2)<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("<B>WARNING!!!!!</B><BR>");
newWindow.document.write("<font color='Blue'>Hex Offset</font> is very dangerous if you don't know what you are doing!<BR>");
newWindow.document.write("Will accept 1 space in middle of Offset<BR>");
newWindow.document.write("Click Add Offset to Add Offset<BR>");
newWindow.document.write("Click Sub Offset to Sub Offset<BR>");
newWindow.document.write("Offest works with 2 Double Word<BR>");
newWindow.document.write("Each DoubleWord does NOT affect the other<BR>");
newWindow.document.write("Example:<BR>");
newWindow.document.write("00000000 FFFFFFFF Hex + offset 00000000 00000001 = 00000000 00000000 Hex<BR>");
newWindow.document.write("FFFFFFFF 00000000 Hex + offset 00000001 00000000 = 00000000 00000000 Hex<BR>");
newWindow.document.write("Known Glitch: Add Overflow Glitch Caused by Browser can't overflow DoubleWords.<BR>");
newWindow.document.write("Add Overflow-Will Give Zero Result<BR>");
newWindow.document.write("F??????? F??????? Hex + offset 10A02000 10DE3000 = 00000000 00000000 Hex<BR>");
newWindow.document.write("Uses:<font color='Green'>Finding Items</font><BR>");
newWindow.document.write("GameShark.com FNG's PS2 GTA3 Have Stick,3C21D4F81456E7A6 GS2<BR>");
newWindow.document.write("3C21D4F8 1456E7A6 GS2 + offset 00000014 00000000 = 3C21D4201456E7A8 GS2<BR>");
newWindow.document.write("3C21D420 1456E7A8 GS2 + offset 00000014 00000000 = 3C21D7341456E7A1 GS2<BR>");
newWindow.document.write("Have Stick,Have Uzi,Have Shotgun are offset by 00000014 00000000 Hex<BR>");
newWindow.document.write("Other use: <font color='Green'>Converting to Pal or NTSC</font> if you know the offset.<BR>");
newWindow.document.write("Example:<BR>");
newWindow.document.write("GTAVC PAL addessses are <font color='Red'>sometimes</font> +E80-Hex from NTSC addresses<BR>");
newWindow.document.write("No Peds-PAL DEB457F6 BCA99B83<BR>");
newWindow.document.write("Click BCA99B83 for GS2 encryption for GTAVC<BR>");
newWindow.document.write("Put DEB44076 BCA99B83-GS2Pal in Code Area<BR>");
newWindow.document.write("Put 00000E80 00000000-Hex Offset in Hex Offset<BR>");
newWindow.document.write("Click Sub Offset<BR>");
newWindow.document.write("Appears in Code area DEB457F6 BCA99B83-GS2NTSC<BR>");
newWindow.document.write("No pedestrians-GS2NTSC DEB457F6 BCA99B83<BR>");
newWindow.document.write("<font color='Red'><B>WARNING!!!!!</B><BR>");
newWindow.document.write("Hex Offset is very dangerous if you don't know what you are doing!<BR>");
newWindow.document.write("I know the above line is duplicated. But it is so important I thought I'd mention it twice<BR>");
newWindow.document.write("Adding too much can change the command on a code!<BR>");
newWindow.document.write("Example:<BR>");
newWindow.document.write("0FFFFFFF 00000000 Hex + offset 00000001 00000000 = 10000000 00000000 Hex<BR>");
newWindow.document.write("The 8 Bit Write changes to 16 Bit Write<BR>");
newWindow.document.write("0??????? 000000FF Hex + offset 00000000 00000001 = 0??????? 00000100 Hex<BR>");
newWindow.document.write("The value is more than 8 Bits with an 8 Bit Write command<BR>");
newWindow.document.write("D??????? 0000FFFF Hex - offset 00000000 00010000 = D??????? FFFFFFFF Hex<BR>");
newWindow.document.write("The 16 Bit Test Equal changes to a BAD command<BR></font>");
newWindow.document.write("<HR>");
newWindow.document.write("MSG A0 ~ Formula to calculate GS2 codes A0<BR>");
newWindow.document.write("MSG D3 ~ Formula to calculate GS2 codes D3<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("<font color='Blue'>Setting GS2 encryption</font>:<BR>");
newWindow.document.write("Select Hellion00 encryptions<BR>");
newWindow.document.write("00000000 Hex = 1456E7A5 GS2 ONE line (M) codes<BR>");
newWindow.document.write("00000000 Hex = BCA99B83 GS2 TWO line (M) codes<BR>");
newWindow.document.write("00000000 Hex = F8FCFEFE GS2 TWO line (M) codes<BR>");
newWindow.document.write("or Custom (for Hellion00 breaking encryptions faster than I can program.) :)<BR>");
newWindow.document.write("OR enter the first line of (M) code and click Herben to create a custom based on Herben's encryptions.<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("For <font color='Blue'>Custom:</font> Best results first put in <font color='Green'>Hex mode</font> to prevent quarky logic codes.<BR>");
newWindow.document.write("Type In a0-d3 <font color='Green'>xor</font><BR>");
newWindow.document.write("Type In a0-d3 <font color='Green'>add</font><BR>");
newWindow.document.write("Select <font color='Green'>Formulas</font> a0-d3<BR>");
newWindow.document.write("XorAdd ~ D2 = (d2 XOR $??) + $??<BR>");
newWindow.document.write("AddXor ~ D2 = (d2 + $??) XOR $??<BR>");
newWindow.document.write("<font color='Green'>Click Custom</font><BR>");
newWindow.document.write("Type <font color='Green'>Mem Name</font>, so you can tell your custom codes apart.<BR>");
newWindow.document.write("Click on <font color='Green'>Mem slot</font><BR>");
newWindow.document.write("Click on <font color='Green'>MS</font><BR>");
newWindow.document.write("and it is stored in the slot!<BR>");
newWindow.document.write("Now you can convert with the Custom by clicking between GS2,Hex,CB2<BR>");
newWindow.document.write("Click on Mem slot, Click on MR to recall Xors and Adds and Formulas and ...<BR>");
newWindow.document.write("So, you can store up to 16 Customs. Have FUN!!!<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("<font color='Blue'>Quick Set Instructions</font><BR>");
newWindow.document.write("After you 'MS' a Custom setting to memory, a string of information is created in Quick Set.<BR>");
newWindow.document.write("Highlight and Copy(Ctrl+C) the information in Quick Set.<BR>");
newWindow.document.write("Open NoteBook(any text editor) and Paste(Ctrl+P) the information in NoteBook.<BR>");
newWindow.document.write("You can now save the NoteBook file.<BR>");
newWindow.document.write("Now, when you want those settings, rather than change all the Xors/Adds/Switches,<BR>");
newWindow.document.write("you Open the NoteBook file.<BR>");
newWindow.document.write("Then, you Highlight and Copy the information in NoteBook.<BR>");
newWindow.document.write("And then, you Paste the information to Quick Set.<BR>");
newWindow.document.write("Last, you Click the Quick Set Button, and you have set all the Xors/Adds/Switches.<BR>");
newWindow.document.write("<HR>");
newWindow.document.write("Nothing more, go play! :)<BR>");
newWindow.document.write("</BODY></HTML>");
newWindow.document.close();
newWindow.focus();
}
function aq(Which,Do,What) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
// GS2 encryption based on Hellion00 Web page http://hellion00.thegfcc.com
// Which = 0-7 ~ a0-d3
// Do = 0 What = 0 return Xor 00
// Do = 0 What = 1 return Add 00
// Do = 0 What = 2 return Sign +
// Do = 0 What = 3 return SignAdd +00
// Do = 0 What = 4 return SwapRaqXorSignAdd 0t00+00
// Do = 0 Set Xor Add Msg
var raq = document.ConvForm.Rd3;
var aqxor = document.ConvForm.d3xor;
var aqadd = document.ConvForm.d3add;
var msgq = document.ConvForm.MSGd3;
var aw = "0";
var aC = "A0";
var ab = "a0";
var ax = "00";
var aa = "00";
var as = "+";
var ar = "t";
var at = "+00";
var dummy = 0;
// get which radios xors adds and msgs
if (Which == 0) {
aw = document.ConvForm.a0Swap.value;
aC = "A0";
ab = "a0";
raq = document.ConvForm.Ra0;
aqxor = document.ConvForm.a0xor;
aqadd = document.ConvForm.a0add;
msgq = document.ConvForm.MSGa0;
}
if (Which == 1) {
aw = document.ConvForm.a1Swap.value;
aC = "A1";
ab = "a1";
raq = document.ConvForm.Ra1;
aqxor = document.ConvForm.a1xor;
aqadd = document.ConvForm.a1add;
msgq = document.ConvForm.MSGa1;
}
if (Which == 2) {
aw = document.ConvForm.a2Swap.value;
aC = "A2";
ab = "a2";
raq = document.ConvForm.Ra2;
aqxor = document.ConvForm.a2xor;
aqadd = document.ConvForm.a2add;
msgq = document.ConvForm.MSGa2;
}
if (Which == 3) {
aw = document.ConvForm.a3Swap.value;
aC = "A3";
ab = "a3";
raq = document.ConvForm.Ra3;
aqxor = document.ConvForm.a3xor;
aqadd = document.ConvForm.a3add;
msgq = document.ConvForm.MSGa3;
}
if (Which == 4) {
aw = document.ConvForm.d0Swap.value;
aC = "D0";
ab = "d0";
raq = document.ConvForm.Rd0;
aqxor = document.ConvForm.d0xor;
aqadd = document.ConvForm.d0add;
msgq = document.ConvForm.MSGd0;
}
if (Which == 5) {
aw = document.ConvForm.d1Swap.value;
aC = "D1";
ab = "d1";
raq = document.ConvForm.Rd1;
aqxor = document.ConvForm.d1xor;
aqadd = document.ConvForm.d1add;
msgq = document.ConvForm.MSGd1;
}
if (Which == 6) {
aw = document.ConvForm.d2Swap.value;
aC = "D2";
ab = "d2";
raq = document.ConvForm.Rd2;
aqxor = document.ConvForm.d2xor;
aqadd = document.ConvForm.d2add;
msgq = document.ConvForm.MSGd2;
}
if (Which == 7) {
aw = document.ConvForm.d3Swap.value;
aC = "D3";
ab = "d3";
raq = document.ConvForm.Rd3;
aqxor = document.ConvForm.d3xor;
aqadd = document.ConvForm.d3add;
msgq = document.ConvForm.MSGd3;
}
// make xors adds hex and get add sign
at = fix(aqxor.value);
ax = at.substring(1,3);
at = fix(aqadd.value);
aa = at.substring(1,3);
as = at.substring(0,1);
if (raq[0].checked) {
ar = "t";
if (aw == "0") {
msgq.value = aC + " = (" + ab + " XOR $" + ax + ") " + as + " $" + aa + " ";
} else {
if (aw == "1") {
msgq.value = aC + " = SN((" + ab + " XOR $" + ax + ") " + as + " $" + aa + ") ";
} else {
msgq.value = aC + " = (SN(" + ab + ") XOR $" + ax + ") " + as + " $" + aa + " ";
}
}
} else {
ar = "f";
if (aw == "0"){
msgq.value = aC + " = (" + ab + " " + as + " $" + aa + ") XOR $" + ax + " ";
} else {
if (aw == "1"){
msgq.value = aC + " = SN((" + ab + " " + as + " $" + aa + ") XOR $" + ax + ") ";
} else {
msgq.value = aC + " = (SN(" + ab + ") " + as + " $" + aa + ") XOR $" + ax + " ";
}
}
}
// do do
if (Do == 1) {
aqxor.value = ax;
aqadd.value = as + aa;
} else {
if (What == 0) { return ax; }
if (What == 1) { return aa; }
if (What == 2) { return as; }
if (What == 3) { ab = as + aa; return ab; }
if (What == 4) { ab = aw + ar + ax + as + aa; return ab; }
}
}
function fix(junk) {
// Function by kpdavatar@netbroadcaster.com
// Version 3.00 07/26/2002 08:00 PM CST
// take xor or add and make +hexpair
// init vars
var mx = "0";
var HexOut = "err";
// var for parsing junk
var l = 0;
var c2 = "+";
var c1 = "0";
var c0 = "0";
mx = "+00" + junk;
l = mx.length
c2 = mx.substring(l-3,l-2);
if (c2 == "-") {
c2 = "-"
} else {
c2 = "+"
}
c1 = MakeHexC(mx.substring(l-2,l-1));
c0 = MakeHexC(mx.substring(l-1,l));
HexOut = c2 + c1 + c0;
return HexOut;
}
function SetXors(What) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
var m = " ";
var dummy = 0;
// conv to hex to solve GS2? to GS2?
dummy = ConvToHex();
if (What.value == "Custom") {
document.ConvForm.MName.value = "Z";
}
if (What.value == "1456E7A5") {
m = "1 0tA6-6A 0t96-FF 0t01-7E 0t82-5A 0tD9-C5 0t3B-E5 0t1B-34 0tCC-27 0";
document.ConvForm.MXorAdd.value = m;
dummy = MXorAdd(0,0);
}
if (What.value == "BCA99B83") {
m = "B 0f69-69 0f4F-4F 0f7B-7B 0f45-45 0f00+BC 0f00+A9 0f00+9B 0f00+83 1";
document.ConvForm.MXorAdd.value = m;
dummy = MXorAdd(0,0);
}
if (What.value == "F8FCFEFE") {
m = "F 0f00+1C 0f00+F7 0f00+4E 0f00+CF 0f44-44 0f42-42 0f27-27 0f09-09 2";
document.ConvForm.MXorAdd.value = m;
dummy = MXorAdd(0,0);
}
if (What.value == "Herben") {
m = KeyCode();
m = SetM();
document.ConvForm.MXorAdd.value = m;
dummy = MXorAdd(0,0);
}
dummy = ConvToGS2();
}
function SetM() {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 12:00 PM CST
var KeyCode = document.ConvForm.FKeyCode;
var K76 = "00";
var K54 = "00";
var K32 = "00";
var K10 = "00";
var Bytes = "00000000";
var B0 = "00";
var B1 = "00";
var B2 = "00";
var B3 = "00";
var X0 = "00";
var X1 = "00";
var X2 = "00";
var X3 = "00";
var n = 0;
var Mout = " ";
Mout = "H ";
K76 = KeyCode.value.substring(0,2);
K54 = KeyCode.value.substring(2,4);
K32 = KeyCode.value.substring(4,6);
K10 = KeyCode.value.substring(6,8);
n = ("0x" + K76) * 1;
if (n < 0 || n > 7) { n =0; }
Bytes = HerbenBytes(K54);
B0 = Bytes.substring(0,2);
B1 = Bytes.substring(2,4);
B2 = Bytes.substring(4,6);
B3 = Bytes.substring(6,8);
if (K76 == "00") {
X0 = "0t" + B3 + "+00";
X1 = "0t" + B2 + "+00";
X2 = "0t" + B1 + "+00";
X3 = "0t" + B0 + "+00";
}
if (K76 == "01") {
X0 = "1t" + B0 + "+00";
X1 = "1t" + B3 + "+00";
X2 = "1t" + B1 + "+00";
X3 = "1t" + B2 + "+00";
}
if (K76 == "02") {
X0 = "0f" + "00" + "-" + B3;
X1 = "0f" + "00" + "-" + B2;
X2 = "0f" + "00" + "-" + B1;
X3 = "0f" + "00" + "-" + B0;
}
if (K76 == "03") {
X0 = "0f" + "00" + "+" + B3;
X1 = "0f" + "00" + "+" + B2;
X2 = "0f" + "00" + "+" + B1;
X3 = "0f" + "00" + "+" + B0;
}
if (K76 == "04") {
X0 = "0f" + B3 + "-" + B3;
X1 = "0f" + B0 + "-" + B0;
X2 = "0f" + B2 + "-" + B2;
X3 = "0f" + B1 + "-" + B1;
}
if (K76 == "05") {
X0 = "0t" + B3 + "+" + B2;
X1 = "0t" + B2 + "+" + B1;
X2 = "0t" + B1 + "+" + B0;
X3 = "0t" + B0 + "+" + B3;
}
if (K76 == "06") {
X0 = "1t" + "00" + B3;
X1 = "1t" + "00" + B2;
X2 = "1t" + "00" + B1;
X3 = "1t" + "00" + B0;
}
if (K76 == "07") {
X0 = "1t" + B3 + "+00";
X1 = "1t" + B1 + "+00";
X2 = "1t" + B0 + "+00";
X3 = "1t" + B2 + "+00";
}
Mout += X0 + " " + X1 + " " + X2 + " " + X3 + " ";
n = ("0x" + K32) * 1;
if (n < 0 || n > 7) { n =0; }
Bytes = HerbenBytes(K10);
B0 = Bytes.substring(0,2);
B1 = Bytes.substring(2,4);
B2 = Bytes.substring(4,6);
B3 = Bytes.substring(6,8);
if (K32 == "00") {
X0 = "0t" + B3 + "+00";
X1 = "0t" + B2 + "+00";
X2 = "0t" + B1 + "+00";
X3 = "0t" + B0 + "+00";
}
if (K32 == "01") {
X0 = "1t" + B0 + "+00";
X1 = "1t" + B3 + "+00";
X2 = "1t" + B1 + "+00";
X3 = "1t" + B2 + "+00";
}
if (K32 == "02") {
X0 = "0f" + "00" + "-" + B3;
X1 = "0f" + "00" + "-" + B2;
X2 = "0f" + "00" + "-" + B1;
X3 = "0f" + "00" + "-" + B0;
}
if (K32 == "03") {
X0 = "0f" + "00" + "+" + B3;
X1 = "0f" + "00" + "+" + B2;
X2 = "0f" + "00" + "+" + B1;
X3 = "0f" + "00" + "+" + B0;
}
if (K32 == "04") {
X0 = "0f" + B3 + "-" + B3;
X1 = "0f" + B0 + "-" + B0;
X2 = "0f" + B2 + "-" + B2;
X3 = "0f" + B1 + "-" + B1;
}
if (K32 == "05") {
X0 = "0t" + B3 + "+" + B2;
X1 = "0t" + B2 + "+" + B1;
X2 = "0t" + B1 + "+" + B0;
X3 = "0t" + B0 + "+" + B3;
}
if (K32 == "06") {
X0 = "1t" + "00" + B3;
X1 = "1t" + "00" + B2;
X2 = "1t" + "00" + B1;
X3 = "1t" + "00" + B0;
}
if (K32 == "07") {
X0 = "1t" + B3 + "+00";
X1 = "1t" + B1 + "+00";
X2 = "1t" + B0 + "+00";
X3 = "1t" + B2 + "+00";
}
Mout += X0 + " " + X1 + " " + X2 + " " + X3 + " 3";
return Mout;
}
function MXorAdds() {
// Function by kpdavatar@netbroadcaster.com
// Version 3.01 07/03/2002 01:00 PM CST
var dummy = 0;
// convert to hex to prevent quarky logic codes
dummy = ConvToHex();
dummy = MXorAdd(0,0);
dummy = ConvToGS2();
}
function MXorAdd(Do,Where) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2032 05:00 PM CST
// do = 0 reset XorsAdds to MXorAdd
// do = 1 store XorsAdds to MXorAdd
// where = 0 MXorAdd
// where = 1 MXorAddt
var MXorAdd = document.ConvForm.MXorAdd;
var MXorAddt = document.ConvForm.MXorAddt;
var MXA = "1 0tA6-6A 0t96-FF 0t01-7E 0t82-5A 0tD9-C5 0t3B-E5 0t1B-34 0tCC-27 0";
// 0123456789012345678901234567890123456789012345678901234567890123456
var ta = " ";
var tc = " ";
var dummy = " ";
var b = 0;
var c = document.ConvForm.RGS2Mode;
var b = 0;
var aw0 = document.ConvForm.a0Swap;
var ra0 = document.ConvForm.Ra0;
var a0xor = document.ConvForm.a0xor;
var a0add = document.ConvForm.a0add;
var aw1 = document.ConvForm.a1Swap;
var ra1 = document.ConvForm.Ra1;
var a1xor = document.ConvForm.a1xor;
var a1add = document.ConvForm.a1add;
var aw2 = document.ConvForm.a2Swap;
var ra2 = document.ConvForm.Ra2;
var a2xor = document.ConvForm.a2xor;
var a2add = document.ConvForm.a2add;
var aw3 = document.ConvForm.a3Swap;
var ra3 = document.ConvForm.Ra3;
var a3xor = document.ConvForm.a3xor;
var a3add = document.ConvForm.a3add;
var dw0 = document.ConvForm.d0Swap;
var rd0 = document.ConvForm.Rd0;
var d0xor = document.ConvForm.d0xor;
var d0add = document.ConvForm.d0add;
var dw1 = document.ConvForm.d1Swap;
var rd1 = document.ConvForm.Rd1;
var d1xor = document.ConvForm.d1xor;
var d1add = document.ConvForm.d1add;
var dw2 = document.ConvForm.d2Swap;
var rd2 = document.ConvForm.Rd2;
var d2xor = document.ConvForm.d2xor;
var d2add = document.ConvForm.d2add;
var dw3 = document.ConvForm.d3Swap;
var rd3 = document.ConvForm.Rd3;
var d3xor = document.ConvForm.d3xor;
var d3add = document.ConvForm.d3add;
if (Do == 0) {
if (Where == 0) { MXA = MXorAdd.value; } else { MXA = MXorAddt.value; }
// set MName
tc = MXA.substring(0,1);
document.ConvForm.MName.value = tc;
// set a0
aw0.value = MXA.substring(2,3);
tc = MXA.substring(3,4);
if (tc == "t") {
ra0[0].checked = true;
ra0[1].checked = false;
} else {
ra0[1].checked = true;
ra0[0].checked = false;
}
a0xor.value = MXA.substring(4,6);
a0add.value = MXA.substring(6,9);
tc = aq(0,1);
// set a1
aw1.value = MXA.substring(10,11);
tc = MXA.substring(11,12);
if (tc == "t") {
ra1[0].checked = true;
ra1[1].checked = false;
} else {
ra1[1].checked = true;
ra1[0].checked = false;
}
a1xor.value = MXA.substring(12,14);
a1add.value = MXA.substring(14,17);
tc = aq(1,1);
// set a2
aw2.value = MXA.substring(18,19);
tc = MXA.substring(19,20);
if (tc == "t") {
ra2[0].checked = true;
ra2[1].checked = false;
} else {
ra2[1].checked = true;
ra2[0].checked = false;
}
a2xor.value = MXA.substring(20,22);
a2add.value = MXA.substring(22,25);
tc = aq(2,1);
// set a3
aw3.value = MXA.substring(26,27);
tc = MXA.substring(27,28);
if (tc == "t") {
ra3[0].checked = true;
ra3[1].checked = false;
} else {
ra3[1].checked = true;
ra3[0].checked = false;
}
a3xor.value = MXA.substring(28,30);
a3add.value = MXA.substring(30,33);
tc = aq(3,1);
// set d0
dw0.value = MXA.substring(34,35);
tc = MXA.substring(35,36);
if (tc == "t") {
rd0[0].checked = true;
rd0[1].checked = false;
} else {
rd0[1].checked = true;
rd0[0].checked = false;
}
d0xor.value = MXA.substring(36,38);
d0add.value = MXA.substring(38,41);
tc = aq(4,1);
// set d1
dw1.value = MXA.substring(42,43);
tc = MXA.substring(43,44);
if (tc == "t") {
rd1[0].checked = true;
rd1[1].checked = false;
} else {
rd1[1].checked = true;
rd1[0].checked = false;
}
d1xor.value = MXA.substring(44,46);
d1add.value = MXA.substring(46,49);
tc = aq(5,1);
// set d2
dw2.value = MXA.substring(50,51);
tc = MXA.substring(51,52);
if (tc == "t") {
rd2[0].checked = true;
rd2[1].checked = false;
} else {
rd2[1].checked = true;
rd2[0].checked = false;
}
d2xor.value = MXA.substring(52,54);
d2add.value = MXA.substring(54,57);
tc = aq(6,1);
// set d3
dw3.value = MXA.substring(58,59);
tc = MXA.substring(59,60);
if (tc == "t") {
rd3[0].checked = true;
rd3[1].checked = false;
} else {
rd3[1].checked = true;
rd3[0].checked = false;
}
d3xor.value = MXA.substring(60,62);
d3add.value = MXA.substring(62,65);
tc = aq(7,1);
// set GS2 Mode
tc = MXA.substring(66,67);
document.ConvForm.RGS2Mode[0].checked = false;
document.ConvForm.RGS2Mode[1].checked = false;
document.ConvForm.RGS2Mode[2].checked = false;
document.ConvForm.RGS2Mode[3].checked = false;
document.ConvForm.RGS2Mode[4].checked = false;
if (tc == "0") { document.ConvForm.RGS2Mode[0].checked = true; }
if (tc == "1") { document.ConvForm.RGS2Mode[1].checked = true; }
if (tc == "2") { document.ConvForm.RGS2Mode[2].checked = true; }
if (tc == "3") { document.ConvForm.RGS2Mode[3].checked = true; }
if (tc == "4") { document.ConvForm.RGS2Mode[4].checked = true; }
} else {
// store MName
tc = "";
ta = document.ConvForm.MName.value;
tc += ta + " ";
// store a0
tc += aq(0,0,4) + " ";
// store a1
tc += aq(1,0,4) + " ";
// store a2
tc += aq(2,0,4) + " ";
// store a3
tc += aq(3,0,4) + " ";
// store d0
tc += aq(4,0,4) + " ";
// store d1
tc += aq(5,0,4) + " ";
// store d2
tc += aq(6,0,4) + " ";
// store d3
tc += aq(7,0,4) + " ";
// find what GS2 Mode
b = 0;
for (var i = 0; i < 5; i++) {
if (c[i].checked) {
b = i;
i = 5;
}
}
ta = DecToHex(b,1);
tc += ta;
if (Where == 0) { MXorAdd.value = tc; } else { MXorAddt.value = tc; }
}
}
function GS2(CI,E) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
// CI = CodeIn CO = CodeOut
// E = 0 GS2toHex Unencrypt E = 1 HexToGS2 Encrypt
// Convertion from: http://mywebpages.comcast.net/dstrobri/index.html
// hellion00@comcast.net
// temp char for CI
var mx = "0";
var c = "0";
// ver's for CO
var ca0 = "00";
var ca1 = "00";
var ca2 = "00";
var ca3 = "00";
var cd0 = "00";
var cd1 = "00";
var cd2 = "00";
var cd3 = "00";
var CO = "0";
// ver's for formulas
var a0w = document.ConvForm.a0Swap;
var ra0 = document.ConvForm.Ra0;
var a0xor = document.ConvForm.a0xor;
var a0add = document.ConvForm.a0add;
var a1w = document.ConvForm.a1Swap;
var ra1 = document.ConvForm.Ra1;
var a1xor = document.ConvForm.a1xor;
var a1add = document.ConvForm.a1add;
var a2w = document.ConvForm.a2Swap;
var ra2 = document.ConvForm.Ra2;
var a2xor = document.ConvForm.a2xor;
var a2add = document.ConvForm.a2add;
var a3w = document.ConvForm.a3Swap;
var ra3 = document.ConvForm.Ra3;
var a3xor = document.ConvForm.a3xor;
var a3add = document.ConvForm.a3add;
var d0w = document.ConvForm.d0Swap;
var rd0 = document.ConvForm.Rd0;
var d0xor = document.ConvForm.d0xor;
var d0add = document.ConvForm.d0add;
var d1w = document.ConvForm.d1Swap;
var rd1 = document.ConvForm.Rd1;
var d1xor = document.ConvForm.d1xor;
var d1add = document.ConvForm.d1add;
var d2w = document.ConvForm.d2Swap;
var rd2 = document.ConvForm.Rd2;
var d2xor = document.ConvForm.d2xor;
var d2add = document.ConvForm.d2add;
var d3w = document.ConvForm.d3Swap;
var rd3 = document.ConvForm.Rd3;
var d3xor = document.ConvForm.d3xor;
var d3add = document.ConvForm.d3add;
// store CI in memory X make 17 Char long with space
mx = CI + "00000000000000000";
mx = mx.substr(0,17);
// make sure input is hex
mx = MakeHexW(mx);
// Convert
// 0xFF is hex in javasrcript
c = mx.substring(0,2);
ca0 = EPair(c, a0xor.value, a0add.value, ra0[0].checked, E, a0w.value);
c = mx.substring(2,4);
ca1 = EPair(c, a1xor.value, a1add.value, ra1[0].checked, E, a1w.value);
c = mx.substring(4,6);
ca2 = EPair(c, a2xor.value, a2add.value, ra2[0].checked, E, a2w.value);
c = mx.substring(6,8);
ca3 = EPair(c, a3xor.value, a3add.value, ra3[0].checked, E, a3w.value);
c = mx.substring(8,10);
cd0 = EPair(c, d0xor.value, d0add.value, rd0[0].checked, E, d0w.value);
c = mx.substring(10,12);
cd1 = EPair(c, d1xor.value, d1add.value, rd1[0].checked, E, d1w.value);
c = mx.substring(12,14);
cd2 = EPair(c, d2xor.value, d2add.value, rd2[0].checked, E, d2w.value);
c = mx.substring(14,16);
cd3 = EPair(c, d3xor.value, d3add.value, rd3[0].checked, E, d3w.value);
// build code
CO = ca0 + ca1 + ca2 + ca3 + cd0 + cd1 + cd2 + cd3;
return CO;
}
function EPair(P,X,Y,F,E,W) {
// Function by kpdavatar@netbroadcaster.com
// Version 3.00 0/26/2002 08:00 PM CST
// P = Pair Char X = Xor Y = Add
// W = 0 ~ F = true ~ A? = (a? Xor X) + Y
// W = 1 ~ F = true ~ A? = SN((a? Xor X) + Y)
// W = 2 ~ F = true ~ A? = (SN(a?) Xor X) + Y
// W = 0 ~ F = false ~ A? = (a? + Y) Xor X
// W = 1 ~ F = false ~ A? = SN((a? + Y) Xor X)
// W = 2 ~ F = false ~ A? = (SN(a?) + Y) Xor X
// E = 0 ~ Decrypt
// E = 1 ~ Encrypt
// W = 0
// E = 0 ,F = True ~ A? = (a? !+ Y) Xor X :Decrypt A? = (a? Xor X) + Y
// E = 1 ,F = True ~ A? = (a? Xor X) + Y :Encrypt A? = (a? Xor X) + Y
// W = 1
// E = 0 ,F = True ~ A? = (SN(a?) !+ Y) Xor X :Decrypt A? = SN((a? Xor X) + Y)
// E = 1 ,F = True ~ A? = SN((a? Xor X) + Y) :Encrypt A? = SN((a? Xor X) + Y)
// W = 2
// E = 0 ,F = True ~ A? = SN((a? !+ Y)) Xor X) :Decrypt A? = (SN(a?) Xor X) + Y
// E = 1 ,F = True ~ A? = (SN(a?) Xor X) + Y) :Encrypt A? = (SN(a?) Xor X) + Y
// W = 0
// E = 0 ,F = False ~ A? = (a? Xor X) !+ Y :Decrypt A? = (a? + Y) Xor X
// E = 1 ,F = Flase ~ A? = (a? + Y) Xor X :Encrypt A? = (a? + Y) Xor X
// W = 1
// E = 0 ,F = False ~ A? = (SN(a?) Xor X) !+ Y :Decrypt A? = SN((a? + Y) Xor X)
// E = 1 ,F = Flase ~ A? = SN((a? + Y) Xor X) :Encrypt A? = SN((a? + Y) Xor X)
// W = 2
// E = 0 ,F = False ~ A? = SN((a? Xor X) !+ Y) :Decrypt A? = (SN(a?) + Y) Xor X
// E = 1 ,F = Flase ~ A? = (SN(a?) + Y) Xor X :Encrypt A? = (SN(a?) + Y) Xor X
var c = "+00";
var nx = 0;
var na = 0;
var np = 0;
var ne = 0;
var ce = "00";
var tc = "00";
var s = "+";
var fe = true;
// convert add to Dec
tc = Y;
s = tc.substring(0,1);
c = "0x" + tc.substring(1,3);
na = c * 1;
if (s == "-") { na *= -1; }
// convert xor to Dec
nx = ("0x" + X) * 1;
// W=1 Swap Before Decrypt or W=2 Swap Before Encrypt
if ((W == "1" && E == 0) || (W == "2" && E == 1)) {
P = SwapNibble(P);
}
// convert pair to Dec
np = ("0x" + P) * 1;
// use which formula
// E = 0 decrypt
// Subract instead of add
// Add instead of subtract
// invert formula
fe = F;
if (E == 0) {
na *= -1;
if (F) {
fe = false;
} else {
fe = true;
}
}
if (fe) {
ne = (np ^ nx) + na;
if (ne < 0) { ne += 256; }
if (ne > 255) { ne -= 256; }
} else {
ne = np + na;
if (ne < 0) { ne += 256; }
if (ne > 255) { ne -= 256; }
ne ^= nx;
}
ce = DecToHex(ne, 2);
// W=1 Swap After Encrypt or W=2 Swap After Decrypt
if ((W == "1" && E == 1) || (W == "2" && E == 0)) {
ce = SwapNibble(ce);
}
return ce;
}
function SwapNibble(bytein) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 05:00 PM CST
var tempb = "00";
var tempH = "0";
var tempL = "0";
var byteout = "0";
tempb = bytein;
tempH = tempb.substring(0,1);
tempL = tempb.substring(1,2);
byteout = tempL + tempH;
return byteout;
}
function FormatOut(WhatDo) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 05/12/2003 05:00 PM CST
var d = document.ConvForm.RCodeType;
var dummy = 0;
if (d[0].checked) {
dummy = ConvToGS2();
}
if (d[1].checked) {
dummy = ConvToHex();
}
if (d[2].checked) {
dummy = ConvToCB2();
}
}
function DoOffSet(What) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 10:30 AM CST
// What = 0 Add What = 1 Sub
var OffSet = document.ConvForm.CodeOff;
var Code = document.ConvForm.Code;
var d = document.ConvForm.RCodeType;
var b = 0;
var savemode = 0;
var dummy = 0;
// vars for code and offset
var mc = "fedcba9876543210";
var mcf = "fedcba98";
var mcb = "76543210";
var ncf = 0;
var ncb = 0;
var mo = "fedcba9876543210";
var mof = "fedcba98";
var mob = "76543210";
// find what Mode
b = 0;
for (var i = 0; i < 4; i++) {
if (d[i].checked) {
b = i;
i = 4;
}
}
savemode = b;
// convert to hex to prevent quarky logic codes
dummy = ConvToHex();
// store Code in memory X make 17 Char long + space
// mcf = Code.value;
mc = Code.value + "00000000000000000";
mc = mc.substr(0,17);
// make sure input is hex
mc = MakeHexW(mc);
// store Offset in memory X make 17 Char long + space
// mof = OffSet.value;
mo = OffSet.value + "00000000000000000";
mo = mo.substr(0,17);
// make sure input is hex
mo = MakeHexW(mo);
// cut to word size and make java hex
mcf = "0x" + mc.substr(0,8);
mcb = "0x" + mc.substr(8,16);
mof = "0x" + mo.substr(0,8);
mob = "0x" + mo.substr(8,16);
// add words java (? * 1) makes dec
if (What == 0) {
ncf = (mcf * 1) + (mof * 1);
ncb = (mcb * 1) + (mob * 1);
} else {
ncf = (mcf * 1) - (mof * 1);
ncb = (mcb * 1) - (mob * 1);
}
// put code out
Code.value = DecToHex(ncf,8,2) + DecToHex(ncb,8,2);
// set mode back
if (savemode == 0) {
dummy = ConvToGS2();
}
if (savemode == 1) {
dummy = ConvToHex();
}
if (savemode == 2) {
dummy = ConvToCB2();
}
if (What == 0) {
document.ConvForm.MSG.value = "Add Hex Offset";
} else {
document.ConvForm.MSG.value = "Sub Hex Offset";
}
}
function KeyCode() {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 12:00 PM CST
var MCode = document.ConvForm.MCode;
var KeyCode = document.ConvForm.FKeyCode;
var mx = "0000000000000000";
// var for Parsing and Shifting Code
var CMFE = "0E";
var CMFEDCBA98 = "0E3C7DF2";
var CM76 = "17";
var CM54 = "46";
var CM32 = "EA";
var CM10 = "AD";
var CH76 = "XX";
var CH54 = "XX";
var CH32 = "XX";
var CH10 = "XX";
var n76 = 0;
var n54 = 0;
var n32 = 0;
var n10 = 0;
var x = " ";
var y = " ";
var z = " ";
var n = 0;
var KeyHex = "00000000";
// store (M) in memory X make 17 Char long with space
mx = MCode.value + "00000000000000000";
mx = mx.substr(0,17);
// make sure input is hex
mx = MakeHexW(mx);
CMFE = mx.substring(0,1);
if (CMFE == "E") {
// one line (M) code
KeyCode.value = "05100518";
} else {
// DEADFACE (M) code
CM76 = "0x" + mx.substring(8,10);
CM54 = "0x" + mx.substring(10,12);
CM32 = "0x" + mx.substring(12,14);
CM10 = "0x" + mx.substring(14,16);
n76 = (CM76 * 1) - 0X3B;
if (n76 < 0) { n76 += 0x100; }
n76 ^= 0xD9;
if (n76 < 0 || n76 > 7) { n76 = 0; }
CH76 = DecToHex(n76, 2);
n54 = (CM54 * 1) - 0X1B;
if (n54 < 0) { n54 += 0x100; }
n54 ^= 0x3B;
if (n54 < 0 || n54 > 31) { n54 = 0; }
CH54 = DecToHex(n54, 2);
n32 = (CM32 * 1) - 0XCC;
if (n32 < 0) { n32 += 0x100; }
n32 ^= 0x1B;
if (n32 < 0 || n32 > 7) { n32 = 0; }
CH32 = DecToHex(n32, 2);
n10 = (CM10 * 1) - 0XD9;
if (n10 < 0) { n10 += 0x100; }
n10 ^= 0xCC;
if (n10 < 0 || n10 > 31) { n10 = 0; }
CH10 = DecToHex(n10, 2);
KeyCode.value = CH76 + CH54 + CH32 + CH10;
}
z = mx;
if (document.ConvForm.CenterSpace.checked) {
x = mx.substring(0,8);
y = mx.substring(8,16);
z = x + " " + y;
}
z = z + "-GS2";
MCode.value = z;
return KeyHex;
}
function HerbenBytes(HexBase) {
// Function by kpdavatar@netbroadcaster.com
// Version 5.00 03/12/2003 04:00 PM CST
// function to get Herben's GS2 Data
var OffSet = 0;
var BytesOut = "00000000";
var HData = " ";
var y = 0;
// 0 1 2 3 4 5 6 7 8 9 A B C D E F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
HData = "0000000025E3AE1F6DA2F39B4F457B69C54012A5CAE0C98004098390931858623A42A9D77D6557440D1C50ECF1C1087543EB043B05B081627169020C661421A3820196A631B209E4218E0F1FD8FB904CFEFAC3054D8662E4C2092744C895216ECC1B3BD90961225BA0144E34060E88E64999F508D521C531F1EC75914603EEAE";
OffSet = ("0x" + HexBase) * 8;
if (OffSet < 0) { OffSet = 0; }
if (OffSet > 248) { OffSet = 0; }
y = OffSet + 8;
BytesOut= HData.substring(OffSet, y);
return BytesOut;
}
// end -->
</script>
<font face="Verdana" size="1">
</font></a><form name="ConvForm" bgcolor="#d0d0d0">
<table style="height: 316px; width: 300px;" bgcolor="#c0c0c0" border="1" bordercolor="black" cellpadding="3" cellspacing="0" cols="6" width="600">
<tbody>
<tr bgcolor="#c0c0c0">
<td><center>Code: <input name="Code" size="21" value="00000000 00000000" maxlength="21">
</center></td>
<td><center>Mode: <input name="Mode" size="21" value="Hex " maxlength="21">
</center></td></tr>
<tr bgcolor="#c0c0c0">
<td width="250">
<center>
<input name="RLastType" value="H" type="hidden">
<input name="RCodeType" onclick="ConvToGS2()" value="GS2" type="radio"> GS2&nbsp;&nbsp;
<input name="RCodeType" onclick="ConvToHex()" value="Hex" checked="checked" type="radio"> Hex&nbsp;&nbsp;
<input name="RCodeType" onclick="ConvToCB2()" value="CB2" type="radio"> CB2&nbsp;&nbsp;
</center>
</td>
<td><center>MSG : <input name="MSG" size="21" value=" " maxlength="21">
</center></td>
</tr><tr bgcolor="#c0c0c0">
<td><center>Hex Offset: <input name="CodeOff" size="21" value="00000000 00000000" maxlength="21">
</center></td>
<td align="center"><input onclick="Help()" value=" HELP!!! " type="button">
</td></tr>
<tr align="center" bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="DoOffSet(0)" value="Add Offset" type="button">&nbsp;
&nbsp;<input onclick="DoOffSet(1)" value="Sub Offset" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="Mem(this)" value="MD" type="button">&nbsp;</td>
</tr>
<tr bgcolor="#c0c0c0">
<td align="center" valign="center">
<center>
<table id="TABLE1" bgcolor="#c0c0c0" border="1" bordercolor="black" cellpadding="3" cellspacing="0" cols="6" width="200">
<tbody>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="MC(this)" value="C" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="D" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="E" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="F" type="button">&nbsp;</td>
<td><input onclick="resetconv()" value="Reset" type="button"></td></tr>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="MC(this)" value="8" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="9" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="A" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="B" type="button">&nbsp;</td>
<td><input onclick="MC(this)" value="Back" type="button"></td></tr>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="MC(this)" value="4" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="5" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="6" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="7" type="button">&nbsp;</td>
<td><input name="zcode" onclick="MC(this)" value="00000000" type="button"></td></tr>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="MC(this)" value="0" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="1" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="2" type="button">&nbsp;</td>
<td align="center">&nbsp;<input onclick="MC(this)" value="3" type="button">&nbsp;</td>
<td> &nbsp;</td>
</tr><tr bgcolor="#c0c0c0">
<td colspan="5" align="center">
<table id="TABLE1" bgcolor="#c0c0c0" border="1" bordercolor="black" cellpadding="3" cellspacing="0" cols="1" width="200">
<tbody>
<tr bgcolor="#c0c0c0">
<td align="center">Output Format</td>
</tr>
<tr bgcolor="#c0c0c0">
<td align="center">Center Space&nbsp;<input name="CenterSpace" onclick="FormatOut(this)" value="0" checked="checked" type="checkbox">&nbsp;
Post Desc.&nbsp;<input name="PostDesc" onclick="FormatOut(this)" value="1" type="checkbox">&nbsp;</td>
</tr>
</tbody></table>
</td></tr>
</tbody></table></center>
</td>
<td align="center" valign="center">
<table style="height: 32px; width: 70px;" bgcolor="#c0c0c0" border="1" bordercolor="black" cellpadding="3" cellspacing="0" cols="2" width="30">
<tbody>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="Mem(this)" value="MC" type="button">&nbsp;</td>
<td align="center">Mem0<input name="RMem" value="0000000000000000N" checked="checked" type="radio"></td>
<td align="center">Mem1<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">Mem2<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">Mem3<input name="RMem" value="0000000000000000N" type="radio"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="Mem(this)" value="MR" type="button">&nbsp;</td>
<td align="center">Mem4<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">Mem5<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">Mem6<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">Mem7<input name="RMem" value="0000000000000000N" type="radio"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="Mem(this)" value="MS" type="button">&nbsp;</td>
<td align="center">Mem8<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">Mem9<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">MemA<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">MemB<input name="RMem" value="0000000000000000N" type="radio"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td align="center">&nbsp;<input onclick="Mem(this)" value="MX" type="button">&nbsp;</td>
<td align="center">MemC<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">MemD<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">MemE<input name="RMem" value="0000000000000000N" type="radio"></td>
<td align="center">MemF<input name="RMem" value="0000000000000000N" type="radio"></td>
</tr>
</tbody></table>
</td></tr>
<tr bgcolor="#c0c0c0">
<td colspan="2">
<table style="height: 32px; width: 520px;" bgcolor="#c0c0c0" border="1" bordercolor="black" cellpadding="3" cellspacing="0" cols="5" width="520">
<tbody>
<tr bgcolor="#c0c0c0">
<td colspan="5" align="center">
<table style="height: 32px; width: 520px;" bgcolor="#c0c0c0" border="1" bordercolor="black" cellpadding="3" cellspacing="0" cols="5" width="520">
<tbody>
<tr bgcolor="#c0c0c0">
<td colspan="4" align="center"><b>GS2 Encryption</b></td>
</tr>
<tr bgcolor="#c0c0c0">
<td><input name="RGS2Mode" onclick="SetXors(this)" value="1456E7A5" checked="checked" type="radio"> 1456E7A5&nbsp;&nbsp;</td>
<td><input name="RGS2Mode" onclick="SetXors(this)" value="BCA99B83" type="radio"> BCA99B83&nbsp;&nbsp;</td>
<td><input name="RGS2Mode" onclick="SetXors(this)" value="F8FCFEFE" type="radio"> F8FCFEFE&nbsp;&nbsp;</td>
<td align="right"><input name="RGS2Mode" onclick="SetXors(this)" value="Custom" type="radio"> Custom&nbsp;&nbsp;</td>
<td><input name="MName" size="1" value="1" maxlenght="1">Mem Name</td>
</tr>
<tr bgcolor="#c0c0c0">
<td colspan="4" align="left">
<input name="RGS2Mode" onclick="SetXors(this)" value="Herben" type="radio"> Herben&nbsp;&nbsp;
First Line of <b>(M)</b>: <input name="MCode" size="21" value="0E3C7DF2 1746EAAD-GS2" maxlength="21">
<input name="FKeyCode" value="00100018" type="hidden">
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr bgcolor="#c0c0c0">
<td colspan="5" align="right">
<input onclick="MXorAdds(0,0)" value="Quick Set" type="button">&nbsp;
<input name="MXorAdd" size="67" maxlength="67" value="1 0tA6-6A 0t96-FF 0t01-7E 0t82-5A 0tD9-C5 0t3B-E5 0t1B-34 0tCC-27 0">
<input name="MXorAddt" value="Y 0tA6-6A 0t96-FF 0t01-7E 0t82-5A 0tD9-C5 0t3B-E5 0t1B-34 0tCC-27 0" type="hidden">
</td>
</tr>
<tr bgcolor="#c0c0c0">
<td>a0<input name="a0Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Ra0" value="0" onclick="aq(0,1)" checked="checked" type="radio">
AddXor<input name="Ra0" value="1" onclick="aq(0,1)" type="radio"></td>
<td align="center">ADD:<input name="a0add" size="3" value="-6A" maxlength="3"></td>
<td align="center">XOR:<input name="a0xor" size="2" value="A6" maxlength="2"></td>
<td>MSG:<input name="MSGa0" size="30" value="A0 = (a0 XOR $A6) - $6A " maxlength="30"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td>a1<input name="a1Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Ra1" value="0" onclick="aq(1,1)" checked="checked" type="radio">
AddXor<input name="Ra1" value="1" onclick="aq(1,1)" type="radio"></td>
<td align="center">ADD:<input name="a1add" size="3" value="-FF" maxlength="3"></td>
<td align="center">XOR:<input name="a1xor" size="2" value="96" maxlength="2"></td>
<td>MSG:<input name="MSGa1" size="30" value="A1 = (a1 XOR $96) - $FF " maxlength="30"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td>a2<input name="a2Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Ra2" value="0" onclick="aq(2,1)" checked="checked" type="radio">
AddXor<input name="Ra2" value="1" onclick="aq(2,1)" type="radio"></td>
<td align="center">ADD:<input name="a2add" size="3" value="-7E" maxlength="3"></td>
<td align="center">XOR:<input name="a2xor" size="2" value="01" maxlength="2"></td>
<td>MSG:<input name="MSGa2" size="30" value="A2 = (a2 XOR $01) - $7E " maxlength="30"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td>a3<input name="a3Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Ra3" value="0" onclick="aq(3,1)" checked="checked" type="radio">
AddXor<input name="Ra3" value="1" onclick="aq(3,1)" type="radio"></td>
<td align="center">ADD:<input name="a3add" size="3" value="-5A" maxlength="3"></td>
<td align="center">XOR:<input name="a3xor" size="2" value="82" maxlength="2"></td>
<td>MSG:<input name="MSGa3" size="30" value="A3 = (a3 XOR $82) - $5A " maxlength="30"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td>d0<input name="d0Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Rd0" value="0" onclick="aq(4,1)" checked="checked" type="radio">
AddXor<input name="Rd0" value="1" onclick="aq(4,1)" type="radio"></td>
<td align="center">ADD:<input name="d0add" size="3" value="-C5" maxlength="3"></td>
<td align="center">XOR:<input name="d0xor" size="2" value="D9" maxlength="2"></td>
<td>MSG:<input name="MSGd0" size="30" value="D0 = (d0 XOR $D9) - $C5 " maxlength="30"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td>d1<input name="d1Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Rd1" value="0" onclick="aq(5,1)" checked="checked" type="radio">
AddXor<input name="Rd1" value="1" onclick="aq(5,1)" type="radio"></td>
<td align="center">ADD:<input name="d1add" size="3" value="-E5" maxlength="3"></td>
<td align="center">XOR:<input name="d1xor" size="2" value="3B" maxlength="2"></td>
<td>MSG:<input name="MSGd1" size="30" value="D1 = (d1 XOR $3B) - $E5 " maxlength="30"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td>d2<input name="d2Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Rd2" value="0" onclick="aq(6,1)" checked="checked" type="radio">
AddXor<input name="Rd2" value="1" onclick="aq(6,1)" type="radio"></td>
<td align="center">ADD:<input name="d2add" size="3" value="-34" maxlength="3"></td>
<td align="center">XOR:<input name="d2xor" size="2" value="1B" maxlength="2"></td>
<td>MSG:<input name="MSGd2" size="30" value="D2 = (d2 XOR $1B) - $34 " maxlength="30"></td>
</tr>
<tr bgcolor="#c0c0c0">
<td>d3<input name="d3Swap" value="0" size="1" maxlength="1" type="hidden"></td>
<td>
XorAdd<input name="Rd3" value="0" onclick="aq(7,1)" checked="checked" type="radio">
AddXor<input name="Rd3" value="1" onclick="aq(7,1)" type="radio"></td>
<td align="center">ADD:<input name="d3add" size="3" value="-27" maxlength="3"></td>
<td align="center">XOR:<input name="d3xor" size="2" value="CC" maxlength="2"></td>
<td>MSG:<input name="MSGd3" size="30" value="D3 = (d3 XOR $CC) - $27 " maxlength="30"></td>
</tr>
</tbody>
</table>
</td></tr>
</tbody>
</table>
</form>
<!--end long encryptor source-->
<a name="ps2_encryptor"><b><i></i></b></a><b><i><a name="dc_encryption">F-2) Sega Dreamcast Encryption</a></i><a name="dc_encryption"></a></b>
<a name="dc_encryption"> The Gameshark for Sega Dreamcast only accepts codes in their encypted form.
However, Xploder and Codebreaker DC accept both RAW (decrypted) codes and Gameshark
(encrypted) codes. If you have a DC shark and want to encrypt codes for use on it,
then use </a><a href="http://www.gscentral.com/lib/downloads/DCCrypt.zip">DCCrypt</a>. There's also a CD image of the Gameshark
floating around that's been modded to accept RAW codes.
<b><i><a name="gba_encryption">F-3) Converting between GSA and CBA - by DGenerateKane</a></i></b>
Well, I've seen many people asking how, and I'm sure we will get more n00b's who
will ask. So I whipped up this guide on how to. I did it in about 5 minutes, there
may be some mistakes and typos, correct them if you please. And I don't mind feedback
or questions.
GBA Code Conversion Guide Version 1.1
By DGenerateKane
Last Updated: 03-03-03
Code Type List originally by Parasyte, edited by DGenerateKane
CBACrypt and GSACrypt by Parasyte
<b>Table Of Contents</b>
1. GameShark to CodeBreaker
2. CodeBreaker to GameShark
3. Tools
4. Info
5. GSA Code Type List
6. CBA Code Type List
7. What's Next
<b>GameShark to CodeBreaker</b>
1. Get a GS code you want converted. Example: Breath of Fire II Infinite Zenny
4C051DA2 3F3075BB
2. Put it in the left panel of GSACrypt, making sure to seperate the first and
second 8 digits with a space.
3. Press Decrypt. The new code in the right panel is the same code now in RAW
format. The example code: 12006870 0000FFFF
4. Now, refer to the code types to see what the name of the code type is, then
check for the same code type for CB, and change the first digit
accordingly. If there is no matching code type, the code cannot be
converted. Example: 82006870 0000FFFF
5. Now, go to www.cmgsccc.com/gba (I think) for gsccc's CB codes, find the game
that you are converting codes for, and copy the first line of the (M)
code, it starts with a 9. If it doesn't have one, you don't need to
convert it any further, you're done. The BoF II Seed code is:
9171AA80 F67E
6. Paste the 9 code into the left panel of CBACrypt.
7. Paste the RAW code you decrypted into CBACrypt UNDER the 9 code. Delete the
first 4 digits from the second line of 8 digits. EXAMPLE: XXXXXXXX
YYYYXXXX: Delete the four digits in the Y positions. Remember to
seperate the first 8 digits and the last 4 digits with a space. The
example code is: 82006870 FFFF
8. Press Encrypt. The new code in the right panel is the code now in CB
encrypted format. (Ignore the first line, its the 9 code) Example Code:
0AD6BC51 CF46
9. Fine! (End)
<b>CodeBreaker to GameShark</b>
1. First, look at the codes for the game at GSCCC and check if it has a 9 code
in the (M) code. If not, the code is already in RAW format, skip to
step 5 Example: Breath of Fire II Infinite Zenny 0AD6BC51 CF46
2. Take the 9 code from the (M) and paste it into the left panel of CBACrypt.
9 Code is 9171AA80 F67E
3. Paste the CB code you want converted under the 9 code.
4. Press Decrypt. The new code in the right panel is the same code now in
RAW format. (Ignore the first line, its the 9 code) Example Code:
82006870 FFFF
5. Now, refer to the code types to see what the name of the code type is, then
check for the same code type for GS, and change the first digit
accordingly. If there is no matching code type, the code cannot be
converted. Example Code: 12006870 FFFF
6. Paste the RAW code you decrypted into GSACrypt's left panel. Add 4 0's to
the begining of the second line of 8 digits. EXAMPLE: XXXXXXXX YYYY: Add
four 0's in the Y positions. Remember to seperate the first 8 digits and
the last 8 digits with a space. Excample Code: 12006870 0000FFFF
7. Press Encrypt. The new code in the right panel is the code now in GS
encrypted format. Example Code: 4C051DA2 3F3075BB
8. Fine! (End)
<b>Tools</b>
Location of GSACrypt: <a href="http://www.gscentral.com/lib/downloads/ARCrypt%20Final%202_2.rar">ARCrypt Final 2_2</a>
Location of CBACrypt: <a href="http://www.gscentral.com/lib/downloads/CBAcrypt.exe">http://www.gscentral.com/lib/downloads/CBAcrypt.exe</a>
Note for ARCrypt: You must have a program that will extract .rar files, such as
WinRAR.
<b>Info</b>
Unconvertable Codes:
Codes that have a code type in one format but not the other.
(M) Codes. (Different Format)
ID Codes. (Different Format)
GSA 32bit codes. (CB only supports 8 and 16)
GSA GS Button Codes. (The CB for some reason doesn't have one this time around.)
Encryption Seed Code. (Different encryption obviously)
Since I know you are lazy, I have pasted below all the known GS and CB code types.
(see above section - Tolos)
<b><i><a name="xp64_encryption">F-4) Xploder/Xplorer N64 &amp; PSX Encryption</a>
-by Parasyte &amp; Misfire</i></b>
Some Xploder/Xplorer codes are encrypted, and some aren't. We're guessing
that maybe only the "official" ones are encrypted. Perhaps we'll find out more
about this later, but at least we can encrypt/decrypt them. :)
<table border="1" cellpadding="7" cellspacing="2" width="700">
<tbody><tr><td style="text-align: center;"><b>Encryption</b></td><td style="text-align: center;"><b>Decryption</b></td></tr>
<tr><td>A0A1A2A3 D0D1</td><td>a0a1a2a3 d0d1</td></tr>
<tr><td>
A0 = (a0 XOR $06) on PSX<br>
A0 = (a0 XOR $68) on N64<br>
A1 = (a1 XOR $81) - $2B<br>
A2 = (a2 XOR $82) - $2B<br>
A3 = (a3 XOR $83) - $2B<br>
D0 = (d0 XOR $84) - $2B<br>
D1 = (d1 XOR $85) - $2B<br><br>
Alternate:<br><br>
A0 = (a0 XOR $06) on PSX<br>
A0 = (a0 XOR $68) on N64<br>
A1 = (a1 XOR $01) - $AB<br>
A2 = (a2 XOR $02) - $AB<br>
A3 = (a3 XOR $03) - $AB<br>
D0 = (d0 XOR $04) - $AB<br>
D1 = (d1 XOR $05) - $AB
</td><td>
a0 = (A0 XOR $06) on PSX<br>
a0 = (A0 XOR $68) on N64<br>
a1 = (A1 + $2B) XOR $81<br>
a2 = (A2 + $2B) XOR $82<br>
a3 = (A3 + $2B) XOR $83<br>
d0 = (D0 + $2B) XOR $84<br>
d1 = (D1 + $2B) XOR $85<br><br>
Alternate:<br><br>
a0 = (A0 XOR $06) on PSX<br>
a0 = (A0 XOR $68) on N64<br>
a1 = (A1 + $AB) XOR $01<br>
a2 = (A2 + $AB) XOR $02<br>
a3 = (A3 + $AB) XOR $03<br>
d0 = (D0 + $AB) XOR $04<br>
d1 = (D1 + $AB) XOR $05<br>
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>Newer PSX 7K Encryption (PSX Only)</b></td></tr><tr><td colspan="2">A0A1A2A3 D0D1</td></tr>
<tr><td colspan="2">
A0 = (a0 XOR $07)<br>
A1 = (a1 - (a2 AND $73)) + ((a3 XOR $90) - $F5) - d0 - d1<br>
A2 = (a2 - (a3 AND $73)) + ((d0 XOR $90) - $16) - d1<br>
A3 = (a3 - (d0 AND $73)) + ((d1 XOR $90) - $5A)<br>
D0 = (d0 - (d1 AND $73)) + $35<br>
D1 = (d1 + $35)
</td></tr>
<tr><td colspan="2" style="text-align: center;"><b>Newer PSX 7K Decryption (PSX Only)</b></td></tr><tr><td colspan="2">a0a1a2a3 d0d1</td></tr>
<tr><td colspan="2">
d1 = (D1 - $35)<br>
d0 = (D0 + (D1 AND $73)) - $35<br>
a3 = (A3 + (D0 AND $73)) - ((D1 XOR $90) - $5A)<br>
a2 = (A2 + (A3 AND $73)) - ((D0 XOR $90) - $16) + D1<br>
a1 = (A1 + (A2 AND $73)) - ((A3 XOR $90) - $F5) + D0 + D1<br>
a0 = (A0 XOR $07)<br>
</td></tr></tbody></table>
-----------------------------------------------
<b><i><font size="+1"><a name="the_hacking_begins">X) How-to Guide - The Hacking Begins</a></font></i></b>
-----------------------------------------------
Are you ready to start hacking? Of course you are. If you have skipped
directly to this section hoping you can read just this part and think you
can be a GameShark code hacker, think again. It is HIGHLY recommended,
indeed required that you read everything that has already been presented in
this document. If you do not, you won't understand what most of the following
states, and you will most likely not be successful in being able
to hack GameShark codes.
This is the untouched, unchanged GB Hacking Guide written by DaRfUs.
We include it here to honor a hacker who first desired to teach
others his trade.
==========================
<b><u><i>GB Hacking guide Written by DaRfUs</i></u></b>
First you start off by choosing what you want the code to do (start with
something simple like an unlimited life code). Now go to "Game Trainer" in
the GS menu. It will start the game. Walk around for a little bit WITHOUT
getting hit. Now press the little button at the top of the GameShark. It
will take you to the GS menu once more. Again go to Game Trainer. Now walk
around this time I want you to get hit. Press the GS button as soon as the
life goes down. You will be taken back to the menu once again. Go to the
trainer, and select "Continue Trainer" there will be 4 boxes now here is the
most important part... What happened to your life the 2nd time (the time you
got hit? it went down right?) so you would pick the down arrow, because your
life went down! Wasn't that simple! Now it will search for some possible
codes(if you get a big # of possible codes then keep repeating step 2)
==========================
What this says is "compare and contrast", which is what the guys like
CodeBoy and CodeMaster do when hacking! They use the same method the GB GS
trainer uses. In the text above, DaRfUs explains that you choose the "down
arrow". This is not only because your life went down, but so the trainer
will compare the two RAM Dumps(which were taken when you pushed the little
button on top), and display only the codes that had the values lowered in
the second dump. From what I understand, the GameShark Pros' trainer will
work similar to the one on the standard GB 'Shark and the
SharkLink/Comms Links.
With all this information, you should be cutting the edges in your mind.
You should be gathering ideas right now. Thinking of what these trainers
actually do. Discovering for yourself what you want to know about GS
hacking.
<b><i><u>A) <a name="one_small_step_for_man">One Small Step For Man...</a></u></i><u></u></b>
<b><u><i>Nintendo 64</i></u></b> -
This part discusses important information about things like key codes,
and "Enable Codes". A key code is a code which is used to bypass the lock-out
code set into the games header. When a key code is activated in the 'Shark,
it will use that key code as a default for a one-time shot. There are
currently four different key codes available. Check GameShark Central
(www.gscentral.com) for the key codes or check the FAQ section of this
document.
Most "locked" games need the use of an "Enable Code". There are also
many games that use enablers that do not require Key codes. They simply
allow codes to function and the code generator which is the software
newer Game Sharks have function. This code is a code that is placed
in with the others(usually named, "MUST BE ON" or "M" code).
The Enable code used the most is "DE000400 0000" but there are others.
Most recently, Donkey Kong 64 had a multi line enabler code in the 3.2
version to allow codes to work with the Game shark. The 3.3 Game shark
now uses only one line of code. Enablers also allow the gamer to use what
is called hi resolution codes which in order for a game to run would normally
use the memory expansion pack and thus render the GameShark Code Generator unable
to run since it requires this same memory expansion pack.
Any code beginning with "DE" in GS versions 1.08 to 2.1 will cause the
'Shark to freeze up when not used with a key code and needing game.
In my version 2.2, the code "DE000400 0000" will NOT freeze the Shark. Yet
almost any other "DE Code" will freeze it.
As mentioned earlier, there is one key coded game that DOESN'T need an
enable code. The Legend of Zelda: Ocarina of Time and when using the
GameShark 2.2, you see a new addition to the key codes. It's a 32-bit
block(aka instruction code). Now, three of the four key codes use the block
"80 20 10 00". BUT, Zelda uses the block "80 19 00 00". Does this suggest
that using a block different from the default, will make the use of an
Enable Code nullified? I think not. There must be some defect that The GS
has when using the "80 20 10 00" code. This calls for the 'DE' enable code
to make the GameShark work! The GS 3.2 and up does however require an enabler code
or M codes in order to work without freezing.
The DE is used to tell the GameShark where the value "3C0880" is
located. Why "3C0880"? I don't know for sure, but my guess is that the value
is where the RAM begins. So the RAM actually starts at RAM address "000400"
and not "000000"(which also has the value of "3C0880"). The DE code does not
overwrite the value of the given address.
<b><u><i>PlayStation</i></u></b> -
There are a few Enable Codes needed in PSX games(Crash Bandicoot for
example). But I don't understand if the enablers are used for a lock-out, or
to fix a small bug. This part of the section is in need of reference. I know
a few people that could submit contributions, and I'm sure everyone will
greatly appreciate it.
<b><i><u><a name="the_methods">B) The Methods</a></u></i></b>
Here are a few of the many methods used to hack GS codes -
Game Trainers - MadCatz and Datel have their own trainers. You can,
however, get a trainer called "PC Comms Link" which will connect your
platform to your computer where you can use a hex editor to view the ROM/RAM
of your game. You will only be editing the RAM part of your games memory
though. Comms Links may still be available from Datel.
Game Backup Devices - Some devices like "Doctor V64" and "CD64" have a
built-in hex editor and GameShark function that allows you to view the
ROM/RAM and create GameShark codes. There are many LEGAL issues regarding
the use of these type of hacking devices and as such the authors of this
document have declined to include them within the scope of this work.
ROM and Hex Editor - Finally! Kong's secret hacking method is revealed!
It is, at sometimes, seemingly impossible to hack using this primitive
method, but it is well worth the trouble of it all! I was able to hack 54
Harvest Moon GB codes using this. When no one else could even get one code!
How about those results?! I've also hacked numerous other codes this way.
Definitely something to try out! Be Aware, using ROMs(they can be found on
the internet) is ILLEGAL when used for purposes of your own entertainment,
this means you can't use them just to play them! It may be possibly illegal
just because most of the Nintendo game instruction booklets say,
"WARNING: Copying of any Nintendo game is illegal and is strictly prohibited
by domestic and international copyright laws. "Back-up" or "archival" copies
are not authorized and are not necessary to protect your software. Violators
will be prosecuted." The author does not endorse nor will support any
information or the acquisition of obtaining game ROMs for legal reasons, and
their use is explained here for comparison and illustrative purposes only.
The author waives all responsibility for those readers that possess or
attempt to possess such material, and the sole responsibility,
accountability and legal consequences rest solely with the reader.
If none of this scares you, read on. You can hack this way by doing
similar to what DaRfUs explains. If looking for an infinite health code,
start a ROM with an emulator and DO NOT lose any health. Save the current
state(check with your emulators readme file to see how to save a state or a
snapshot), which will be like a ROM Dump. Then restart the ROM, go to a
different spot you were at last time, lose health, and as quickly as you
can, save the state/snapshot! Now load up a hex editor such as
"Hex Workshop". Open the saves that you made(check with your emulators'
readme file to find out what the extension will be). Choose Tools/Compare(in
Hex WorkShop). You will get various comparisons. When you find a comparison
that looks like it could be the one, change it in the second save that you
made. Change the quantifier to something like "00"(this way, you will die if
you have the right offset). Now load your emulator and ROM, load the SECOND
save that you made(with the changed quantifier), if you die, or have less
energy, you found the right offset! Now you need to find the beginning of
the RAM. This might be impossible w/o previous training skills.
A really easy way to hack the beginning of the "valid" RAM, You can
activate certain GameShark codes, and save a state, then find the values
used in the codes, in the hex editor! EG- for Game Boy hacking, I use these
codes together on any game-
013C00C0
013D01C0
014902C0
012203C0
Now I'd save a snapshot. Then Id enter hex workshop and find value
"3C3D4922" which is nearly impossible to see twice(although on some games,
the GS wrights to two different address locations with one code). When I
find the FIRST string with that value, I write the beginning offset on a
piece of paper. then I subtract that offset from "C000". Let's say the first
"3C3D4922" value was at offset "000066D0". I would use this math problem-
C000
- 66D0
----
5930
I then take my value of "5930" and insert that many bytes(hex) into the
BEGINNING of the file. Now search for value "3C3D4922" again, if you come to
offset "C000", then you know that your GS code will modify offset "C000".
And you can now go on hacking like that. The beginning of the valid RAM is
"A000"(GS code "01xx00A0") and it ends at "DFFF"(01xxFFDF).
Other Methods - New methods of hacking will be included in future issues
of this document as they become known and created.
<b><i><u><a name="using_game_trainers">B-1) Using Game Trainers</a></u></i></b>
Using these Trainers is rather easy and usually brings up some codes.
You will learn how to use the trainers by reading this section. You will
learn to hack codes like "Infinite health", "Infinite Ammo", Debug Menus and
even "activators".
Emulators such as "ULTRA HLE" for N64 ROMs and "Bleem" that run PSX games
on the PC, are in the purest sense PC based programs that allow you to run an
image (ROM) of a console game like Zelda64 on the PC. The emulators for the
newest platforms require state of the art video and sound cards to be able
to get a close enough effect as that of the real console, otherwise they
result in poor sound and graphics display and game performance. The legal
debate of having the game image (ROM) is ongoing but is clearly considered
by some companies such as Nintendo as illegal. ROMS can be obtained via the
web but please don't ask for any sites. The emu or emulator really is used
for playing the game. Now the emu coupled with a hex editor can bring a
hacking element into the scene by simply changing addresses in a "save" file
on the PC which acts as the RAM which would be in the console cartridge.
Loading these files after changing them can be the same as loading saved
games. Using the Hex editor with the emu at the sametime can be considered
like using a GS Pro and Game with the console. Using the hex editor requires
no less patience or experience in looking for codes than using a GS Pro. By
the way...a very good Hex editor I use is called the HEX Workshop and can be
found on line at several web sites.
Trainers are earlier, PC based programs similar to the GS Pro. They
required a PC Comms Links card for the PSX console where the Comms Link card
allowed communication of the PC with the console. The N64 required an
additional adapter that was in reality a watered down GameShark. This
adapter was needed because the N64 GameShark never had the 25 pin port on it
the way the PSX did. The legality of using a trainer is transparent in that
you never made a copy of the game ROM. You were just scanning through the
RAM addresses looking for active codes just as you do with the GS Pro. There
are also several proprietary new trainers that are used by the pros that have
not been released to the general public.
<b><i><u><a name="hacking_with_gameshark_pro">B-2) Hacking With GameShark Pro</a></u></i></b>
Here we'll cover:
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#easy_gspro">Hacking The Easy Stuff</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_cash">Infinite Cash</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_cash">Infinite Cash</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_health">Infinite Health</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_lives">Infinite Lives</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_ammo">Infinite Ammo</a>
</li></ul></li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#int_gspro">Hacking The Intermediate Stuff</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_haveitem">Have Weapons/Items</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_cheats">Activate In-Game Cheats</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_char">Character Modifiers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_control">P2/CPU Control Modifiers</a>
</li></ul></li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hard_gspro">Hacking The Harder Stuff</a>
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_act">Activators/Joker Commands</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_act2">N64 Activators - Quick Tips</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_act3">N64 Activators - A More Techy Way</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_debug">Debug Menus</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_cutscene1">Cutscene Modifiers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_cutscene2">Cutscene Modifiers - Code Gen &amp; Memory Editor</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_cutscene3">Level &amp; Cutscene Modifiers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_mj">Moon Jump Codes - GLEE Method</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_mj2">Moon Jumps - 32-Bit Signed Method</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_size">Size Modifiers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_xyz">Finding X, Y, and Z Coordinates</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_memedit">Using The Memory Editor</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_text">Using The Text Editor</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_wtw">Walk Through Walls (WTW)</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_speed">Speed Modifiers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_timers">Killing Timers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_skipintro">Quickstart/Skip Intros</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_colormods">Hacking Color Modifiers</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#hax0r_images">Hacking Image Modifiers</a>
</li></ul></li></ul>
<b><a name="easy_gspro">Hacking The Easy Stuff: Some examples.</a></b>
The easy stuff is codes that are easily obtained. Such as inf. money,
health, and ammo. A note to beginners, <b><i><u>DO NOT SKIP THIS SECTION!</u></i></b>
Practice makes perfect and is everything to getting the feel of what
hacking codes is about. You must crawl before you walk and find you
will even run in a much shorter time if you heed this advice.
"One learns by doing the thing; for though you think you know
it, you have no certainty until you try" - Sophocles
"Lo...try not, do or do not, there is no try" - Yoda
We will begin:
<!-- 7 spaces -->
<b><i><u><a name="hax0r_cash">Infinite Cash-</a></u></i></b>
To hack an Infinite Money code, first you must start up the trainer
process with a Known Value search. While you have 0 money, search for value
"0". Start the second part of the process, go back into the game. Now earn
some cash, it doesn't need to be a large sum. Then do another search(for the
value that you now have). Now, repeat the process until you find the code.
<b><i><u><a name="hax0r_health">Infinite Health-</a></u></i></b>
For a code like infinite health, you go through the same steps above,
only you will search for an Unknown Value and you character will start with
full health in step one, and less health in step two. So you choose the
"less than" option. And when summarizing the quantifiers, notice that
MOST(not all) games with a health bar will recognize full health at
"0064"(100) or "00C8"(200). With this in mind, you can find the health code
a lot easier!
<b><i><u><a name="hax0r_lives">Infinite Lives-</a></u></i></b>
Now on to infinite lives. Do the same thing you did in the first
example. The first step will be the default amount of lives, and the second
will be one life less. if you started with 3 lives, the first quantifier
should be "0003" OR "0002". Since some games start counting at 0 instead of
1, it may be possible that "2" = "3" But this is not usually done.
<b><i><u><a name="hax0r_ammo">Infinite Ammo-</a></u></i></b>
Another code is Infinite Ammo. This one might be a little trickier. If
you do the first search with 100 bullets(search for 100), and the second
with 50(search for 50). The code should show up.
I hope you know how to hack the easy codes now. So far so good.
<b><i><a name="int_gspro">Hacking The Intermediate Stuff</a></i><a name="int_gspro"></a></b>
<a name="int_gspro"> The intermediate stuff is like "In-Game Cheats", Have
weapons/medals/items codes.
<b><i><u></u></i></b></a><b><i><u><a name="hax0r_haveitem">Have Weapon/Item codes-</a></u></i></b>
If you wanted a code that gave you a weapon or an item, you would first
take one readout without having the weapon/item, then a second with it. When
you compare, choose "greater than". The first quantifier SHOULD be "0000"
and the second "0001". If not, the second could be "0002/0004/0008/0010/
0020/0040/0080/0100/0200/0400/0800/1000/2000/4000/8000". The reason it would
have so many is the game uses the switches(described earlier). Only the
switches are represented in hex. You need a little luck when hacking a code
like this.
<b><i><u><a name="hax0r_cheats">Activate In-Game Cheats-</a></u></i></b>
For a code like "Activate In-Game Cheats", you will take one readout
without the cheat active, and the second with the cheat active. The
quantifiers should read, "0000" &amp; "0001". Good Luck
<b><u><i><a name="hax0r_char">Character Modifiers- (submitted by Gold64007)</a></i></u></b>
1. Select a character, start the game.
2. Push the freeze button and start an Unknown Value search.
3. Change to a different character, start the game.
4. Now do a "Different to" search.
5. Change some other aspects of the game (other than your character)
(example, health, place you are in, depending on what kind of game
it is).
6. Now search for "equal to".
7. Repeat steps 3 through 6 until you get a manageable amount of results
(20 or less).
8. After you have a manageable amount of results, get into the view valid
cheats screen. Now activate the codes one at a time until you find the
character modifier.
9. Now in the view valid cheats screen highlight the Character Modifier
code on the right side of the screen and push the Right C button to edit
the value of the code put in "00" which is probably the first value that
will work (though it could be higher).
10. See which character "00" corresponds with, write it down.
11. Now change the value to "01," see which character you have.
12. Repeat step 10, adding 01 each time until there is no effect.
NOTE: Exit to the main menu of the game before editing the code to keep the
game from freezing.
Using this method, you may find two types of Character Modifiers, The
actual character mod(select any character, always play as certain
character). Or the character selected mod(your 'cursor' will always be on a
certain character at character select screen).
<b><i><u><a name="hax0r_control">Hacking P2 Controls CPU Codes (by HyperHacker)</a></u></i></b>
This only works for a game where P2 can normally play and in 1 Player
mode the CPU takes control of them.
1) Start up a game with Player 2 playing, search for 1.
2) Go to the same level in 1 player mode, search for 0.
3) Keep doing this until you find a few, set to 1 and the computer should
stop (or not do anything in the next round). Set to 0 and in 2 player the
computer should take over.
If that doesn't do it, switch the 1 and 0, and if it still doesn't work just
do Equal/Different searches. some games like to use funny numbering/flags.
(ahem, Mario Kart)
<b><i><a name="hard_gspro">Hacking the harder stuff</a></i><a name="hard_gspro"></a></b>
<a name="hard_gspro"> The hard stuff is like activators, debug menus, cut scenes, walk thru
walls, level modifiers, moon jumps, size modifiers, speed modifiers and
Enabler codes.
<b><i><u></u></i></b></a><b><i><u><a name="hax0r_act">Activators/Joker Commands-</a></u></i></b>
An activator/joker command is a code that will activate another code at
the touch of a button on the controller. These codes use the D/E prefixes.
To hack an activator/joker, start a known value search on the game title
screen. Take this search when NOT pushing any buttons on any controller.
Next, hold the R Button for N64 or Tringle button on PSX, and push the
freeze button while holding the button on the controller. Now search for the
following values-
N64 - "16-d"
PSX - "16-d" NORMAL
PSX - "4096-d" REVERSE
The two PSX versions are listed because some games use activator
quantifiers that are different from the rest. The N64 activators are usually
always the same. So if you do not find the Triangle button with value "32-d",
try value "4096-d". When you find the code that you think it is, put the
prefix to "D0" on the code. Then test it by putting any code after it.
Here is a quick example. Start the game but do not touch any buttons after
coming to the opening screen. Press and hold the "R" button and press the GS
Button to freeze the game. Release the R button. Do a known search for the
value 16 in decimal, which is the equivalent of 10 in hex base. After the
search resume the game and then press and hold L while pressing the GS button
again. Release the L button and do a known search for 32 in decimal, which is
the equivalent of 20 in hex. You should be down to 4 or 5 possibilities. Now
let us say we try one of them to test. Let's pretend the code is 80012345 0010
you choose first. First Change the first digit "8" to a "D" which tells the
Game Shark to execute the code that follows this new code you made, D0012345
0010 once and only once each time you press the R button. Now we pretend the
code we want to use is for selecting a certain weapon, gun, 80022222 0001. So
by combining the two codes;
D0012345 0010
80022222 0001
We get a code that turns the gun on every time we should press R. Now of course
we must test the code to see if it works. If by chance you choose wrong, fear
not, a matter of elimination of the other few possible codes will reveal the
correct one. Once tested and proven you can read on for the next step.
Now we illustrate how we could de-select gun.
Well let us choose the 'L" button to do this. First, again we select the proper
code to use as the activator as before. If you'd like to turn the gun code off,
you can usually put another activator over the code you want turned off.
Example -
D0012345 0020
80022222 0000
Now by putting the two pieces together you can make a double activator let
Let's you turn the gun on and off.
D0012345 0010
80022222 0001
D0012345 0020
80022222 0000
Now, the 'd0' codes are the activators. the one on top is the R button,
and the one on bottom is the L button. The '80' codes are 8-bit gun code.
When you push R button you get the gun and when you push the L you loss
the gun.
This type of code can be used for many types of use. Image transformers, Size
modifiers, Cut scenes, level modifiers, health and status modifiers, items
modifiers... the list goes on and on. Activators come in 3 basic types. Odd
or Normal type 1, even or Normal type 2 for the 8 bit type, and even or dual
for the 16 bit type. In an odd 8-bit type the activator will always have the
8th digit as odd, where it will have the 8th digit for an even value. All
16-bit activators are even by definition simply by inspection that any two
odd 8-bit values create a even number. The only difference in a 16 bit
activator is the 2nd digit will be a "1", e.g., D1012346. A complete list of
quantifiers concludes this section
on activators.
<b>Normal Activator 1 Quantity Digits Button Pressed to Activate </b>
00 No Buttons
01 Right Directional Pad
02 Left Directional Pad
04 Down Directional Pad
08 Up Directional Pad
10 Start Button
20 Z Button
40 B Button
80 A Button
Multi Buttons to use any combination of buttons, like, press Right Directional
and Z to enable the codes. Just add the two digits up for Right Directional and
Z. 01 plus 21 equal 21, so 21 would enable the codes when you push Right
Directional and Z on the Controller 1
<b>Normal Activator 2 Quantity Digits Quantity Digits Button Pressed to Activate </b>
00 No Buttons
01 C Right Button
02 C Left Button
04 C Down Button
08 C Up Button
10 R Button
20 L Button
<b><i><u><a name="hax0r_act2">N64 Activators - Quick Tips ~by Viper187</a></u></i><u></u></b>
Here's 2 tips for finding activators in a hurry:
1. Use more than 1 controller. Press the same button(s) on 2 or even
all 4 controllers. Then when you view possibilities after after
searching, you should see a group (2-4 depending on how many
controllers you used) of results that are 6 or 8 hex apart. In
the 200 or so games I've hacked so far, all but maybe 1 has had
both a set that was 8 apart and at least one set that was 6 apart.
Most times, these even use the same numbers as the last digit of
the address. i.e. in the the typical '8 apart' set P1-P4 would be
D102220<b>4</b>, D102220<b>C</b>, D102221<b>4</b>, D102221<b>C</b> and in the typical '6 apart'
set P1-P4 would be D102220<b>0</b>, D102220<b>6</b>, D102220<b>C</b>, D102221<b>2</b>. The
last digit on each address being 4,C,4,C or 0,6,C,2 respectively.
2. Use a 32-Bit Known Value search (PC Utils, GSCC2k2, etc). If
press, for example, L + R + Z (value 2030), on controller 1
then search for that value as a 32-Bit value by adding 0000
to the end (20300000) you'll usually end up with only
activators as your results; there can be some junk results
depending on the value (button combo) use use though. I've
found that 60200000 (Z + B + L) tend to work rather well, as
does 4030 (B + L + R). Don't move the control stick when doing
this though. That's what the 0000 is. :)
<b><i><u><a name="hax0r_act3">N64 Activators - A Slightly More Techy Method ~by Viper187</a></u></i><u></u></b>
If you haven't noticed this yet, pretty much every N64 game has multiple
sets of Button Activators in different areas of the RAM. There is 1 set that
I refer to as the "good set" because each controllers' activator is seperated
by a 32-Bit value, FF010401. This is how it's setup in respec tto addresses:
81055840 FF01
81055842 0401
81055844 ???? - P1 Button Activator (44 would be Activator 1 and 45 Activator 2)
81055846 ???? - P1 Control Stick Activator
81055848 FF01
8105584A 0401
8105584C ???? - P2 Button Activator (44 would be Activator 1 and 45 Activator 2)
8105584E ???? - P2 Control Stick Activator
81055850 FF01
81055852 0401
81055854 ???? - P3 Button Activator (44 would be Activator 1 and 45 Activator 2)
81055856 ???? - P3 Control Stick Activator
81055858 FF01
8105585A 0401
8105585C ???? - P4 Button Activator (44 would be Activator 1 and 45 Activator 2)
8105585E ???? - P4 Control Stick Activator
81055860 FE00
81055862 0000
Notice the repeating value? if you're using the PC utils or anything that allows
32-Bit searches, search for "FF010401". The only possibilities you get should be
a nice set like that that are 8 hex apart, and the activators for each of the
controllers plugged in are between them. :)
Curious as to what those 'FF010401's actually are? It appears the game uses them
to keep track of what controllers are plugged in and such.
<b><i><u><a name="hax0r_debug">Debug Menus-</a></u></i><u></u></b>
This is NOT easy at all. You will need to search through MANY, MANY
codes if you have no base to go on. If you are looking for a debug menu that
is already known, just take a readout with the menu NOT activated then the
second with it activated choose "greater than". The quantifiers should read
"0000" &amp; "0001". That wasn't so bad was it?
Now it's time to hack the Debug Menus that have never been seen before!
To pull this off, you must start playing the game and do a few million
"equal to" searches. You will see MANY codes that have the values as "0000".
Well, ONE off those "0000" codes MIGHT be a debug menu. That is, if there is
a menu in the game, IN THAT SECTION OF THE GAME. This must be the hardest
code there is to hack. Are you up to the challenge?
<b><i><u><a name="hax0r_cutscene">Cut-Scene Modifiers- (Submitted by SubDrag and macrox)</a></u></i></b>
-Press the freeze button while a cut-scene is playing and start an Unknown
Value search.
-Play the same cut-scene, do an "equal-to" search.
-Play a different cut-scene, search for "different-to" values.
-THROW OUT ALL CODES that have value "FF"... Look for everything else, turn
all codes that are nor "FF" on(some of them at a time). Play a cut-scene, if
you play the same cut-scene no matter where you are, turn off a few
codes(WRITE THEM DOWN), until you get the activate codes that do not play
the same cut scene. Eliminate those codes.
-Turn on one code at a time(that you've written down) until the cut-scene
never changes.
OK, now just play all the cut-scenes, press freeze button, write down
digits, repeat until you get all the cut-scenes... If you have been through
all cut-scenes and notice missing digits, try those missing digits in your
new GameShark code. Sometimes the game will freeze with the missing digits,
but you may find a hidden, or 'unfinished' cut-scene.
<b><i><u><a name="hax0r_cutscene2">Cut-Scene Modifiers - Code Generator and Memory Editor Method
-(submitted by Macrox)</a></u></i></b>
- Press the GS button while the opening cut scene of game is playing.
- Do an unknown search.
- Wait till next cut scene and do greater than search
- Restart the game. Wait for opening cut scene. Do a less than search.
- Again wait until next cut scene and do greater than search.
- Wait for another new cut scene and do another greater than search.
You may have to do this for quite some time to get the possibilities down.
If you feel you are not getting anywhere try the following.
- At the opening cut scene do a Known search of 0 or 1. Make an assumption.
- Wait until the next cut scene and search for values equal to 1 or 2
depending what you choose the step before this.
- Restart game and wait for opening cut scene. Do known search for 0 or 1.
- Again wait for next cut scene and do a search for 1 or 2.
<b><i><u><a name="hax0r_cutscene3">Level Modifiers and Cut Scene Modifiers - by macrox</a></u></i></b>
Now for my secret. Many games are programmed where the level modifier is
addressed close to the cut scene modifier. This is how Castlevania and
Castlevania LOD level and cut scene modifiers were hacked.
- Start game and take initial unknown search on opening level.
- Either wait for interlevel or new level and take greater than search.
- Wait for next interlevel or new level and again take a greater than search.
- Play that level awhile and take an equal to search.
- Restart the game and take less than search on opening level.
- Codes should be dropping in number of possibilities now.
- Once you get the codes possibilities down to 20 or so write them down.
- Start the memory editor and look for the codes you have on your list.
The codes you have should have values no greater than 3 or 4.
- Try changing the code value in the memory editor to something smaller or
larger. For instance, if the value is 3 try changing it to 6. This should
take you to a different level. Once it works you have the level modifier
and interlevel modifier.
Now that you have the level modifier you can find the cut scene modifier with
the memory editor by inspection. Inspection means looking around by going up
and down the address screen while a cut scene is playing for that level. Since
most new levels run a cut scene this makes things easier. You should find the
cut scene modifier rather quickly. Try changing the value after the current cut
scene is done. WARNING! As I have often stated when submitting cut scene codes:
Running cut scenes out of their natural location or level might cause the game
to freeze or do weird things like have your character fall into empty space
once the game resumes.
I will say more about the memory editor again later.
<b><i><u><a name="hax0r_mj">Moon Jump codes- GLEE method </a></u></i></b>
Be sure that you have an activator/joker code before you begin.
1) Start the game, while your character is ON THE GROUND, push the freeze
button and start a 16-bit unknown search.
2) Move your character to a different location. With character on the ground,
push the freeze button search for equal-to values.
3) Repeat above steps a couple more times.
4) Push the jump button(if you have no jump button, fall off of something
really high). While your character is in the air, falling, push the freeze
button and search for greater-than values.
5) When your character lands, and is on the ground, push the freeze button
and search for less than values.
6) Repeat from step one until you narrow down the possibilities.
7) To test the codes available as a moon jump code, jump up in the air and
push the freeze button while the character is going up(if you have no jump
button, fall off of something really high, as your character falls, push the
freeze button).
8) View possibilities. Disregard any codes with value "0". Activate all
possible codes(you should have less than five before doing this). If your
game doesn't have a jump button and you had to fall, activate all codes and
change the values to "0".
9) Return to the game, If you character continues to go up(or is not
falling, but is in the air), then one of those codes is the Moon Jump.
10) Test codes individually. When you have the one you want, find the best
digits for it by making it a few numbers lower, or higher.(for the fallers,
Check to see if the code has value of around "Cxxx" when falling. If so, use
a value of around "4xxx".
11) A value too high will cause the character to fly into the sky too fast
and may cause the game to freeze. A value too low will cause the character
to rise unnoticeably slow.
12) To finish the code- Put an activator in front of the code, set the
activator digits to a button you would like. Now test the code, hold the
button you set it for, if your character doesn't move, but you have the
right code, push the jump button or fall off of something while holding your
Moon Jump button. The character should rise!
Skip these last steps if your code works with out falling off of
something.
13) Try setting the activator to the jump button, this may help.
14) If it doesn't work, or you have no jump button, you need to find out
what codes tell the game that the character is in the air. These codes are
REALLY tricky.
15) You'll need to start an unknown value search while stationary, then one
stationary, elsewhere(perform equal-to search), then fall from something
and do a different-to search. Land, do different-to, move to another place,
equal-to.
16) You get the idea. When you find the code that instructs that the
character is in the air, use it on the Moon Jump code you made before, and
put that on an activator as well.
17) Later we will show you how to use the memory editor to hasten the finding
of the moon jump code and testing it. Which ever way you prefer always
remember GLEE - , Greater, Less than, Equal, Equal. Good Luck!!
<b><i><u><a name="hax0r_mj2">Moon Jumps - 32-Bit Signed Method - by Viper187</a></u></i></b>
If you're using GSCC2k2, you might've noticed the 32-Bit Signed search
options. I'm going to show you a way to find Moon Jumps using this. I can't
say if this method is faster than GLEE. It is a different, slightly
advanced approach to Moon Jumps.
Note that "Signed" searches read hex values somewhat differently. Values are
compared ranging from 80000000 to 7FFFFFFF. Why start in the middle like that?
Because it reads 800000000 as <b>-</b>2147483647, not 2147483648. That's right.
Negative values. FFFFFFFF is now seen as -1, FFFFFFFE as -2, and so on. This is
useful here, since most games use a negative value when you're falling and/or on
the ground, and a positive value when you are going up -- typicly 4xxxxxxx at
the peak of your jump. Now the actual searching method. Reason I wrote this is
because of games like Banjo-Kazzoie. I noticed that the Moon Jump address on
there is the usual 4xxxxxxxx when in the air, but when you're on the ground
it's BF800000. Try doing a normal Greater/Less when you're in the air and on
the ground with that one. I don't think it'd work out that well; someone
apparently found a way to make it work though. ;)
If you can jump:
1) Get hooked up, start game, etc and start a 32-Bit Unknown search, Signed.
2) Now jump and as you start to go up, do Greater Than.
3) Then quickly resume and do Less Than as you start to fall.
4) You can then continue to do Less Than another time or 2 til you hit the
ground.
5) Repeat until you get the results down a ways and you should know what to
look for (Cxxxxxxx going down, 4xxxxxxx going up).
6) Freeze or set to activator to test using 4xxx. The first 16-Bit half of the
32-Bit value should be enough. Say it found 800448A0. To modify it as a 32-Bit
code you'd have to use both 810448A0 and 810448A2. But with Moon Jumps, the
first half (810448A0) is enough.
7) You'll notice I didn't say to do any Equal To searches there. If for some
reason you just can't get the results down, you could try it, but it can also
eliminate the result we're looking for. This is because some games have been
known to change the MJ address when your character is resting. i.e. you feet
are tapping, or your can't does some kind of bounce type thing while standing.
This may not seem like a big deal, but an Equal To at the wrong time and you'll
be starting from scratch.
If you can't jump:
1) Get hooked up, start game, etc and start a 32-Bit Unknown search, Signed.
2) Find the highest place you can and try to commit suicide (walk off). The
point is to get as much time in free fall as you can.
3) As soon as you start moving downward (aaaah!) start doing Less Than over
and over til you finally hit the ground. If you get the possibilities down
enough to pick out the right one, good for you; otherwise head back up for
some more frequent flyer miles.
5) Repeat until you get the results down a ways and you should know what to
look for (Cxxxxxxx going down, 4xxxxxxx going up).
6) Freeze or set to activator to test using 4xxx. The first 16-Bit half of the
32-Bit value should be enough. Say it found 800448A0. To modify it as a 32-Bit
code you'd have to use both 810448A0 and 810448A2. But with Moon Jumps, the
first half (810448A0) is enough.
<b><i><u><a name="hax0r_size">Size Modifiers - </a></u></i></b>
This type of code can be considered moderate to hard to hack depending on
whether or not the object in question normally changes size, e.g., flattens,
or whether the object in question normally stays a constant size, e.g., gates,
trees, rocks, doors etc. The former description would be intermediate difficult
to hack while the latter hard to hard. Let us break up the two types of
difficulty:
<b><i><u>Objects can normally change shape: By Subdrag</u></i></b>
- Start the game and identify the object you want to hack a size mod for.
- Do an unknown search
- Move around the screen, and even change the area you are in if possible.
- Do an equal to search to unload a lot of junk codes from the search.
- Now do whatever you have to do to get the object to normally change
shape. Get hit, fall, flattened or flatten, squeeze...you get the idea.
- Before the object regains it normal shape do a less than search.
- Once the object regains it normal shape, take a greater than search.
- Repeat this several times for whatever time it takes to get the codes down
reasonable number. Inspect the possibilities and look for those codes that
have quantifiers (in hex base) in the range of 3C00 - 4200, which is the
typical values used in N64 and PSX games. Another big hint is to look for
groups of 3 codes close to each other and having close to if not the same
quantifiers. The reason this works is simple. The N64 and PSX are using 3D
objects, hence you need 3 codes, one for each dimension.
<b><i><u>Objects that do not normally change shape: by macrox</u></i></b>
This type of code is harder than above to hack. You have very little to go on
regarding using the code generator (search engine) with the Game Shark alone.
We will also in conjunction with the PC hacking utilities use the memory
editor further aid and organize our search. In fact our example
will show how using the memory editor is a very powerful
tool to use and will be our second example in using the memory editor to hack
a code.
- Start your PC and start the hacking utilities. Insert the Game shark and
game into N64 attached the cable. Turn the N64 on and do a detect on your
PC.
- Start the game and identify the object you want to hack a size mod for.
We will use an example from Castlevania and Castlevania LOD for this.
- We have identified we want to hack a size mod for Cornell the Werewolf.
(We will be pleasantly surprised to find this will pan out for the other
characters as well later.)
- Ok. Now. We already told you that N64 usually uses several types of values
for size variables in their games. Typical values of 3F80 and 3C00 or 3DCC
are not uncommon to see.
- Making an assumption that the value is one of the above may or may not pan
out for the hacker. Patience, endurance and luck are the rule of the day
here.
- Using the PC hacking utilities perform a known search for your value.
We suggest you break down the search by ranges, such as 800XXXXX -
8010XXXX,
then 8010XXXX - 8020XXXX, etc... ALSO use the range value 3C00 - 4200.
Doing this will shorten your search time and minimize guess work.
- By inspection, look over the possibilities and observe is you see the group
of 3 we mentioned before. If the results are not too large you might want
to try changing 1 of 3 codes you see on your list. Observe if the object
on the screen has changed by doing this. Using the process of
elimination you will either exhaust your list or hit pay dirt. No pay dirt?
Perform another search but change the address range in the search.
- Again, by inspection check for the group of 3.
- Eventually, you will find the code. NOW, the question is this, Is this code
valid for any level in the game? If not you will have to repeat this
process for each and every level and interlevel too perhaps. Knowing
whether a constant offset exists for your game is VERY helpful and will
save you tons of work. We discovered that we did not have constant offsets.
So our search routine took
us quite a while in a monotony that would have quite easily discouraged a
beginner hacker. That is why we stress patience and endurance so much.
Anything worthwhile is worth work to coin a phrase.
- Luck was with us in some regard doing this hack. We found that even
though the size moderator code changed for our character for each level
and interlevel...it was in fact the same value for all the other characters
in the game as well. We only wish we had such luck hacking with moon jumps
as they were different for all level/interlevel and characters as well.
- Finally, there is one more secret we would like to share. We have often
noticed that size modifiers are usually close to location modifiers.
Location modifiers being the spatial coordinates the object has while
having its own size coordinates or modifier. This being the case one could
hack first the location modifier for an object and once knowing that use
the memory editor to inspect "look around" at nearby addresses for other
groups of 3.
Those without access to a PC or use of the hacking utilities can none-the-
less still carry out the search but should be warned that this will usually
be a rather longer process and might not yield expected results. Many
hackers that use the memory editor have found many an unexpected code by
simply looking around for "patterns" such as groupings of 3 for size mods,
location mods etc. The memory editor has been very useful to inspect
addresses close to known codes to see if that code could be further
enhanced or whether a new code could be found nearby. We encourage the
beginner to not give up in frustration but understand the hacking is not
always going to hit pay dirt each time you search. Indeed, you will learn
to appreciate the workings of game programming and find as time passes you
will "know" the game code as it you wrote it yourself. A feeling for the
game is a valuable but truly subjective experience for any hacker.
<b><i><u><a name="hax0r_xyz">Finding X, Y, and Z Coordinates - by Viper187</a></u></i></b>
Coordinates are what the game uses to tell where exactly something is
(i.e. Player 1). These are almost always found in a group of 3 32-Bit values,
that we refer to as X,Y and Z. X and Z are for left/right &amp; up/down location
and Y is your vertical location. Y is NOT how high off the ground you are, but
how high you are in general. Thus, if you go up a hill, you are at a higher.
My method here requires hooking your shark to your PC and using 32-Bit Unknown
Value searches with either Interact's old program or GSCC2k2. However, this
should work about the same way with a 16-Bit Unknown search on the in-game
code generator -- just might take longer to get the results down, and there's a
question of which 16-Bits of the coordinate is changing as you move. If you're
going to do this, just make sure you move a good couple feet at a time. This
should keep the upper half of the value changing. If you only move a tiny step
then you may end up rolling over the lower 16-Bits so it becomes less when
you're still searching greater. Confused? by that? Ok. Take an X coordinate
for example. It's 32-Bits, we'll say 3DE93376, now as you move, that increases
or decreases depending on the direction you're going. Now what I mean by the
16-Bit thing, is when you're searching you want to move enough to change the
3DE9 (upper) half because as that changes the 3376 (lower half) could be
anything from 1818 to A2B4. If it was 3ED9E02A when you started, it could end
up 3ED9F5CC when you move, or 3F882046. Now you can see why I say we want to
be careful of how much we're are moving, and why comparing the whole 32_bit
value with the PC programs is easier than comparing the 16-Bit halves.
1) Get hooked up and into the game as usual.
2) Decide which coordinate you want to search for. Remember they're almost
always found in that group of 3 anyway, so you should get them all from
finding one. It's just a matter of what you're more comfortable searching for.
I prefer X or Z, so I'll use that here...
3) Start a 32-Bit Unknown Value search
4) Now pick a direction (I'd go forward) and move that way a few steps or so,
depending on how much room you have before you hit a wall. We want to be able
to move the same direction at least a couple times, then change. Now once
you've moved a few steps, search Greater Than. Next, move a few more and do
Greater Than again. Repeat this as desired, then go to step 5.
5) After you've done a few Greater Thans, start moving in the opposite
direction and do Less Than searches.
6) You should be able to get the possibilities down enough that way. If you
need to though, you *could* stay in 1 place and do an Equal To or 2. I must
warn you though, that you coordinates can change on a game even when you're
not actually moving. Ever notice how your character on some games with sort
of shuffle side to side or something? The coords could be changing as the
character does this. Just a heads up :)
7) Once you ge tthe results down, test them. Either freeze the value and
see if you can still move, or change it a lot and see if it moves you
somewhere else. Some games may write the coords to fast for you to just
change them in the mem editor, so if for some reason you find what you
think should be the group of coords and they just keep changing back when
you try to change them, this is way.
8) No coords? Do the same thing again but search the opposite directions (do
Less Than where you did Greater and vice versa). This should take care of it.
If for some reason you still can't find them, then you could try 16-Bit
searches (maybe the game only uses 16-Bit -- like games with a real short range
of movement), or you could try the same 32-Bit searches, but do them Signed.
Coords are fairly easy to find on most games, once you get used to it, but as
always there are problem games. If you find another strategy, don't hesitate
to let us know. :)
<b><i><u><a name="hax0r_memedit">How do I use the Memory Editor? (Submitted by Kamek)</a></u></i></b>
The most common question I see on the hacking boards
is, "How do I hack with the memory editor?" I'm
not the least bit surprised -- when you enter the
Memory Editor, it looks like some kind of
programmer's screen.
First off, let me explain the big myth about the
Memory Editor. Some people think that just by doing
a text search, they can unlock special areas in the
game. THIS IS NOT TRUE! The Memory Editor just
doesn't work that way. Suppose you loaded up Zelda
and searched for "Master Sword". You probably
wouldn't find it, even though the Master Sword is in
the game. A text search is just that -- a text
search. Some games encode their text, so you might
not always be able to come up with results in the
text search. HOWEVER, you CAN use the Memory Editor
to possibly unlock extra levels, characters, and
other stuff. I'll explain more about that later.
Here is what the Memory Editor CAN do:
* You can use the Memory Editor to unlock game
secrets that are accessible.
If you have unlocked a certain character, then you
can use an unknown search to find the memory address
that tells the game you have that character. By
changing nearby values, you can attempt to convince
the game that you've found other characters that you
haven't really found. BUT, you must have a memory
address to start from. Plus, the character MUST be
accessible. You probably won't be able to play as
the Magikoopa in Mario Kart 64, because he was
removed completely from the game. (You can't have a
4-player Grand Prix either, because the game wasn't
programmed that way.)
* You can use the Memory Editor to find secret
passwords.
If you know a cheat password for a game, you might
be able to find other codes. For example, the cheat
"NOYELLOWSTUFF" in Diddy Kong Racing removes all the
bananas. If you use the Memory Editor's text search
to look for "NOYELLOWSTUFF" in memory, you might
find other passwords nearby!
* You can use the Memory Editor to find weird stuff.
Load up Zelda OOT and open the Memory Editor. Search
for the word "light". You'll be amazed at what you
find! Solid proof that Zelda 64 was originally
designed for the 64DD!
Breakdown of the Memory Editor
80010000: 00 00 00 00 00 00 00 00 ........
80010008: 00 00 00 00 00 00 00 00 ........
80010010: 00 00 00 00 00 00 00 00 ........
etc..
(Note: On some TV screens, the left and right parts
of the Memory Editor are chopped off. Unless your TV
has a Horizontal Size knob or an equivalent, there
is no way to fix this.)
So what is all this mumbo-jumbo? Let's break it
down..
80010000:
This first part of the line is the memory address
you are viewing. Actually, you can chop off the "80"
if you want, and you'll get the real memory address.
(The 80 is just for reference)
00 00 00 00 00 00 00 00
These are the values in the memory. If the number on
the left was 80010000, then the first value is the
value in memory location 80010000, the second value
is what's at 80010001, and so on.
........
You won't see dots, they'll probably be blanks, or
strange characters. This is only useful when looking
for text, and you can ignore it unless you're
looking for text.
The N64 memory starts at 000000 and goes up to
3FFFFF, for your information.
Now, first of all, I would not recommend using the
Memory Editor to find codes from scratch. It's
practically impossible to find a code from scratch.
Here are some things you can do with the memory editor
Suppose you were going to hack a code to get all the
characters for Super Smash Brothers. (It's been
done, but this is just an example.) Let's say that
after several unknown value searches, you find out
that 800A4938 0008 gives you Ness. Open up the
Memory Editor and go to location 800A4938. You'll
get something that looks like this:
800A4900 xx xx xx xx xx xx xx 00
800A4938 08 00 xx xx xx xx xx xx
800A4940 00 00 00 00 00 00 00 00
When searching for "got character" modifiers, common
values are usually powers of 2. (2, 4, 8, hex 10,
etc.) Since the game just takes the power of 2 out
of whatever the value in memory is, you can usually
set the value to FF and possibly get more
characters. So make sure all codes are off, then
change the 08 to FF:
800A4900 xx xx xx xx xx xx xx 00
800A4938 FF 00 xx xx xx xx xx xx
800A4940 00 00 00 00 00 00 00 00
Now, go back to the game and enter the Character
Select screen. Wow, you've got Jigglypuff! (If you
didn't already have Jigglypuff, and got Ness first,
then you play too much SSB!!) Let's try nearby
values to get Captain Falcon and Luigi as well.
800A4900 xx xx xx xx xx xx xx 00
800A4938 FF FF xx xx xx xx xx xx
800A4940 00 00 00 00 00 00 00 00
Change the value at 80AA4939 to FF and return to the
game. The character select screen will need to be
reloaded for the changes to take place, so exit and
return. They're all there!
Now that is how you find extra characters. Hmm...
But what if you change other values? Perhaps you
could unlock a certain classic stage of the Mushroom
Kingdom. Let's try some fiddling around in the
memory editor.
800A4900 FF FF FF FF FF FF FF FF
800A4938 FF FF FF FF FF FF FF FF
800A4940 FF FF FF FF FF FF FF FF
Change them ALL to FF. This way, you'll know that if
you find something, one of those values unlocks it!
Quit the Memory Editor and check out other areas of
the game. Go to Options -- the Sound Test is there!
One of the values you changed is definitely a
modifier to get the Sound Test!
Now, go back to the Memory Editor, and change
everything back to 00. Then, start from the
Ness/Jigglypuff Modifier and work your way
backwards, changing each 00 to FF and reloading the
options screen to see if you got the Sound Test. Or,
you could start at 800A4939 and go upward. However,
it just so happens that the Sound Test, Item Switch,
and Mushroom Kingdom modifier is right before the
Ness/Jigglypuff modifier!
800A4900 00 00 00 00 00 00 00 FF
800A4938 08 00 00 00 00 00 00 00
800A4940 00 00 00 00 00 00 00 00
Congratulations! You hacked your first Memory Editor
code!
What else can the Memory Editor do? I'll explain how
I found the Saffron City Pokemon Anti-Modifier and
other codes.
I was playing with the Yoshi's Island "Stay on cloud
forever" code on one day. I forgot and left it on,
then played a game at Sector Z. Suddenly, the game
froze. Somehow, the Yoshi cloud modifier was causing
something to happen in Sector Z! Not all game
freezes are bad -- sometimes it means you've
stumbled upon something big!!
I wrote down the cloud modifier location (80131400
region), restarted without the Yoshi cloud code,
then watched a CPU battle at Sector Z, going into
the Memory Editor every now and then. Values in the
Memory Editor changed as the Arwing entered and left
the arena. I couldn't find any pattern, so I tried
poking around that same area during a battle at
Saffron City. That's when I noticed the timer.
Every time I went into the memory editor, there was
this one memory location that kept decreasing. Then,
when a Pokemon came out, it suddenly jumped to a
higher value, then started over again. I found the
Pokemon Timer! To test my theory, I changed the
memory value at 13140E to 00 01, then resumed the
game. A Pokemon came out!
You might not be as lucky when looking for codes,
but if a code for a certain stage freezes the game
on another stage, check out that area in the Memory
Editor. You might find something good, or you might
not. It all depends on how the game is programmed.
If you remember only one thing from this document,
let it be that the Memory Editor is not magic. The
magic is in you, and with some skill and a little
bit of luck, you may stumble upon some great codes!
In summary:
* You can only unlock areas that were left in the
game.
* Things that were either partially or completely
deleted from the source code of the game probably
can't be accessed.
* You can quickly find neighboring codes to unlock
more characters than what you searched for in the
Code Generator.
* You can find cheat codes, on some games.
One final warning. You must be careful with the
Memory Editor. It's a ticking time bomb in some
cases. If you put the wrong value in the wrong
memory location, you could end up freezing up your
game. In other cases, you might accidentally
overwrite part of your game's SRAM and either lose
saved games, or ruin the cart. But usually, if you
stick to the areas of memory you find using the Code
Generator, you won't have any problems.
Happy hacking!
<b><i><u><a name="hax0r_text">How do I use the Text Editor? (Submitted by Sutaz)</a></u></i></b>
I shall use the game Mortal Kombat 4 for an example.
I am playing with the fighter Fujin. When I win a round, it says on the
screen "Fujin Wins". Well, what if I want it to say "Sutaz Wins"? Easy.
Press the GS button to get to the in-game menu. Choose memory editor.
Press A to get the search menu. Choose Text Search. Type in the name Fujin.
Press search. We come upon the first set of digits that spell the word Fujin
but this text is in his biography screen. We don't want to alter that text
now, we want the "Fujin Wins" text. So tap A again to continue searching for
Fujin text. After 2 more searches, we come upon the group texts for all the
characters that say "x person wins". Looking at the right of the screen and
search for the term "Fujin Wins". Now we look to the left of the screen and
see the location code for "Fujin Wins" which is 8004C0E8. In the middle of
the screen, we see a set of 8 airs of numbers. What are these? ASCII digits.
These are the numerical code for the letters in the text. There are 8 pairs
per line of code. So, the line for "Fujin Wins" looks like this:
8004C0E8 - 46 75 6A 69 6E 20 57 69
8004C0F0 - 6E 73
46=F
75=U
6A=J
69=I
6E=N
20=(space)
57=W
69=I
6E=N
73=S
So, with the text editor, just look at the ASCII digit menu and choose
the numbers to replace Fujin with Sutaz. Press Up-C or Down-C to cycle
through the digits. With the text editor, the new phrase "Sutaz Wins" would
look like this now:
8004C0E8 - 73 75 74 41 7A 20 57 69
8004C0F0 - 6E 73
73=S
75=U
74=T
41=A
7A=Z
20=(space)
57=W
69=I
6E=N
73=S
That would be the line to change the NS if you wanted. Now how to put
this in your GameShark. Each line of code ends in a string numbering by
8's; 0,1,2,3,4,5,6,7 or 8,9,A,B,C,D,E,F. Each letter in the text "Fujin
Wins" has its own separate code. Example;
To put "Sutaz Wins" as a code in your GameShark to replace "Fujin Wins":
8004C0E8 0073 = S
8004C0E9 0075 = U
8004C0EA 0074 = T
8004C0EB 0041 = A
8004C0EC 007A = Z
No need to enter the blank space for this example, or the term "Wins".
But let's say your name is longer than 5 digits and you need more space.
You got two options; look at the last letter, which in this case is S, and
see if there are more "free" or "empty" digits after it. Example: The line
of code for the NS in "Fujin Wins" looks like this in the text editor:
8004C0F0 6E 73 00 00 53 68 69 6E
You see that you have two slots that are 00 00. Those are "text breaks".
00 or 20 are used to separate text. You could now use the 00 right after the
73 slot to spell a 6 letter word like Macrox. But if you use the second slot
00, you will run into the 53. Look at the text to the right and we see to
conserve space, the programmers put another character's Wins text on this
same line which is Shinnok. Look at the code above again; 53 68 69 6E are
S H I N, obviously for Shinnok. Now if you want to, you could do option 2
for adding more space for bigger words by "bleeding" or running over into
Shinnok's text. You could take all of his digits and spell bigger words like
Darth Maul Wins. Here is the catch, if you choose to fight with Shinnok, his
Wins text will not appear because Fujin has stolen it. Get it? You must turn
all excess digits to 20 to create a blank space and you must leave at least
one 00 between each character's beginning codes or you will bleed into their
text.
Here is a table of ASCII - numerals used in the text editor:
A = 41/61 B = 42/62 C = 43/63 D = 44/64 E = 45/65 F = 46/66
G = 47/67 H = 48/68 I = 49/69 J = 4A/6A K = 4B/6B L = 4C/6C
M = 4D/6D N = 4E/6E O = 4F/6F P = 50/70 Q = 51/71 R = 52/72
S = 53/73 T = 54/74 U = 55/75 V = 56/76 W = 57/77 X = 58/78
Y = 59/79 Z = 5A/7A 0 = 30 1 = 31 2 = 32 3 = 33
4 = 34 5 = 35 6 = 36 7 = 37 8 = 38 9 = 39
Other Symbols:
@ = 40 " = 22 # = 23 $ = 24 % = 25 &amp; = 26
' = 27 ( = 28 * = 2A + = 2B , = 2C - = 2D
. = 2E / = 2F : = 3A ; = 3B = = 3D ? = EF
[ = 5B \ = 5C
<b><i><u><a name="hax0r_wtw">How to hack Walk through walls (WTWs):
(Used by special permission from Code Master)</a></u></i></b>
Information That Is Needed To Know Before Tackling This Code
While your character is walking, or while they are not walking,
there is a value in RAM that tells the CPU whether or not you are
able to walk at all. This value is used to tell the CPU whether or
not to move your character on the screen. I call it the 'Collision
Detection Address', because basically, the game checked to see if
there was any structures or walls that you would 'collide' with and
stores a value to the Collision Detection Address based on if
there was or wasn't an object to collide with in the direction you
are trying to go. The value of this address could be almost any-
thing the developer wants to use. Most common is 0 (Cant Walk),
and 1 (Can Walk). Although with the release of this FAQ,
developers are going to get smarter and use different values.. :(
But oh well, we can deal with it. Now that you know this info,
on to the actual searching methods.
<i>The Actual Searching Method!!</i>
There are 2 ways to go about this, you can do the 'Known' value
search method. Or the 'Unknown' value search method.
1) The 'Known' Value Search Method:
This method, you are assuming the value is 0 for when you cant
walk, and 1 when you can walk. Now, here's the critical part.
This value changes based on whether or not you are moving, or
if you are not moving. So, while you character is currently
walking in a certain direction. (Character HAS to be moving!)
Do a search for values Equal to 1. After that has finished the
game will restart, keep walking in the same direction until you
run into an object/wall. While holding down the direction the
object is. (character will be moving their legs, but not going
anywhere) Do a search for values Equal to 0. You should have
a pretty good size of possibilities. So you do some more
searches. Walk to the opposite direction that you are facing.
While your character is 'Walking', do a search for values Equal
to 1. Walk till you run into an object/wall, and while holding
the direction of the object/wall, do a search for values Equal
to 0. Then walk in the opposite direction till you run into an
object/wall, do a search for values Equal to 0. (Why 0, because
the value should be the same as before, meaning you couldn't
walk then, and you cant walk now.) Keep repeating these methods,
until you get a respectable amount of possibilities to search
for. Once you start going thru the possibilities, your Walk
Thru Walls code, will be the address and the last 4 digits of
0001. And once you put it in shark, it should work.
2) The 'Unknown' Value Search Method:
This method is for use with games that Method 1 did not work in.
This method, you don't assume what the values are, you just know
that they are different based on whether you can walk, or can
not walk. Same as before, do an Initial search when you are
currently walking. (Character HAS to be moving!) Then when you
run into an object/wall, do a different to search. Then walk in
the opposite direction, do a different to search. Walk till you
hit an object/wall, do another different to search. Then walk
back in the opposite direction till you hit an object/wall, do
an equal to search. (Because the value should be the same as
before, meaning you couldn't walk then, and you cant walk now.)
the previous search you took where you couldn't walk.) Keep
repeating these methods, until you get a respectable amount of
possibilities to search for. Once you start going thru the
possibilities, your Walk Thru Walls code, will be the address
and the last 4 digits will be the value the code was when you
were walking. And once you put it in shark, it should work.
<i>3D Game Specification</i>
Due to the nature of this method, it may or may not be possible
to do with a 3D game. The logic behind it all is this: In a 2D
game, you can move at the most in 4 directions, up/down/left/right.
In a 3D game, you can move in 360 Degrees, so the developer has to
cope with this as well, and probably will use different routines.
The above method should still work, provided that when you are
running into an object/wall, you are running into it 'Head On'.
'Head On' means, that while holding the direction of the object/
wall, you're character doesn't turn, face, or go in any other
direction. And in all reality, there's not many places you can do
this. Sometimes, you can just hold 'Up' when you are directly
facing a wall, and sometimes you cant. When you cant, I suggest
trying a corner in a room. :)
<i>Tips &amp; Tricks Of The Trade</i>
Now, there are some key tips to finding this type of code.
1) You found the code that lets you walk thru walls, but only in
left/right or up/down directions!! DOH!!! Here's what you need
to do. Make a Joker Code for the game, and lets just say the code
you made works in the 'Right' direction. Lets say, the Joker Code
for this game was a normal Joker Code and the code was.
D0123456 ????
And the Walk Thru Walls code you made only worked in the
'Left/Right' directions. If you put in these codes:
D0123456 2000
80XXXXXX XXXX &lt;&lt; Walk Thru Walls Code You Made Goes Here.
D0123456 8000
80XXXXXX XXXX &lt;&lt; Walk Thru Walls Code You Made Goes Here.
It will now work in the 'Left/Right' directions, with no lock
ups. And now, you need to find out the Walk Thru Walls code
for the 'Up/Down' directions. So, repeat the searching method
used to find the 'Left/Right' code, but this time, walk 'Up'
and 'Down'.
2) You cant get it down to a lower amount of possibilities. What
I would do, is walk in one direction till I hit an object/wall,
and do the appropriate search, then walk in the other direction
till I hit an object/wall and do an Equal to search. Or even do
an Equal to Search while your character is walking in opposite
directions. Also, another key way to reduce possibilities, is
to do an equal to search in different parts of the map. I.E.
If you walked 'Right' till you hit an object/wall, did the
appropriate search. Walk up some more on the map, and walk
'Right' till you hit an object/wall up there, and do an Equal
to search. (This helps quite a bit usually. Try and make it not
be part of the same object/wall though. If you are walking into
a house, walk around in the town till you get to a different
house, etc..)
3) The above 2 methods didn't work. This means the game probably
changes the value based on what direction you are heading. So,
you need to use search for it in the same direction only. Like
so: Initial search while walking 'Right', do an Initial search.
Walk till you hit an object/wall, while holding 'Right', do a
Different to search. Then walk to the left, and then back to the
right till you hit an object/wall, while holding 'Right', do an
Equal to search. Then walk to the left, and then back to the
right, and while walking 'Right', do a Different to search.
Keep repeating these steps only in the 'Right' direction.
4) Last but not least, the code you found only works in Towns, or
only works in the Overworld Map. Plain and simple almost ALL
Walk Thru Walls codes will be like this. You just have to search
again in the area where the code doesn't work.
<b><i><u><a name="hax0r_speed">How do you hack Speed Modifiers? (Submitted by Bleeding Gums Murphy)</a></u></i></b>
You start by doing a time trial or something you don't have a time limit on.
1) Once you start, keep your speed at 0 and take an Unknown 16-bit search.
2) Now when it's finished, speed up a little bit.
3) Take a Greater than last search.
4) Now speed up a little more and take a greater than last search again.
5) Now speed up completely and take a greater than last.
6) Now slow down to about half speed and take a less than search.
7) Next speed up a little bit and take a greater than search.
8) Then go back to 0 speed(stop) and take a less than.
Repeat steps 2-8 until you get around 10-30 codes remaining margin.
Speed up to the fullest and press the freeze button(the button on your
gameshark itself). Try out each code one at a time until you do not slow
down when you break. This is the speed mod.
Typically, for most racers, a value of around the 4800's is top speed you
can control, but games like Rush 2047 isn't like that.
If one of the codes freezes the game, don't get angry, like I said before,
Speed Mods are reletively easy, you'll just have to start again.
You may also like to know that speed mods can be hacked for non-racing
games, but they don't help you as much as they should.
<b><i><u><a name="hax0r_timers">Hacking Timers (by Viper187)</a></u></i></b>
Timers can be the easiest thing there is to hack, or the biggest pain
in your @$$ since the school bully. It pretty much depends on the game, as
to how much trouble a timer can be, since different games store and read their
timers in different ways.
The easiest timers are usually the ones that are just a set of digits on
the screen counting up or down. I'll give you the steps for a typical countdown
timer. For counting up, just reverse the searches (Less &lt;&gt; Greater).
This can also work for *some* clock type timers (i.e. "4:36:55"); in that case
you'd most likely find one of the left two numbers in that time.
1) Get to the point in the game where the timer is running (duh).
2) Start an Unknown search (16-Bit recommended).
3) Return to the game and let the timer count down just a bit (2 seconds
should be sufficient).
4) Now search Less Than.
5) Return to the game and let the timer countdown a bit more.
6) Search Less Than again.
7) If you can restart the timer somehow, do so, then search Greater Than.
Otherwise just keep goin Less Than -- your call. When you get the possibilities
down to a managable amount, start freezing them and see if your timer freezes.
Note that you may want to write down the possibilities in case you freeze the
entire game instead of just the timer. ;)
8) Did any of the possibilies work? If they didn't, or for some reason you
ended up with none, try this method reversed (search Greater Than where you
did Less THan before).
9) Still nothing? This is where things get intersting.
If you couldn't find the timer with the method
above, then it may be a 32-Bit timer. These appear a lot on Racing games, but
they are seen on other game genres as well. The only way to search for them
using the in-game code generator is by using the method above with a small
twist. Only do your searches in accordance with 1 part of the timer -- minutes
or seconds, never milliseconds. There's a good chance you can find the timer
like this. When you get the possibilies narrowed down in this case, look for
ones ending in 0,4,8, or C and try them first. If one works then you found the
upper 16-Bits of the timer. The part for milliseconds would be the next 16-Bit
address (i.e. if 8104440C freezes the minutes/seconds, 8104440E would be for
the milliseconds).
Now the easier way to find 32-Bit timers is by using the PC utils/GSCC2k2.
What's the advantage? You can actually do 32-Bit searches. You'd just start a
32-Bit Unknown value search and do Greater/Less Than in accordance with the
-whole timer-. By that I mean, "4:44:50" is LESS than "4:45:20" even though
that last part (milliseconds) appears to be Greater.
Think you found your timer code when you stopped the numbers on the
screen from counting down? In a good deal of games, this is the case, but
there are times when the on screen timer and "real" timer aren't the same
thing. When this happens, you basicly have to start at square one and
search for the "real timer" using the any and all methods necessary. Also,
don't take for granted that the "real" timer will be the same type
(32-Bit/16-Bit) or even count in the same direction!! The "real" timer on
Starfox 64 eluded me for years because the on screen timer was 32-Bit and
counted down, while the "real" timer was only 16-Bit and counted UP! Even
the most seasoned hackers need to learn new tricks once in a while, I guess.
If all else fails, you could get creative and start tracing ASM. :-P
Good luck :-)
<b><i><u><a name="hax0r_skipintro">Hacking Quickstart/Skip Intro Codes (by HyperHacker)</a></u></i></b>
As with certain other code types, the search methods for these are not
set in stone. They should work for a lot of games, but do'nt be suprised if
you have to get inventive once in a while.
The easy way is to look for a timer (usually 16-Bit) that counts during
the intro. Keep doing Less Than or Greater Than until it restarts, then do the
opposite once (if you were doing Less Than do Greater Than, then Less Than
again).
The hard way (that works on a lot more games, mind you) only works if the
game uses the same address to tell if it's in the intro or title you need to
find the byte(s) and do the same as the timer method.
Once you find the timer/flag, you could do a simple ASM trace to find
where it writes the intro's value and instead have it do the title, which
probably would work a lot better if you could do it.
If all else fails, and you're into ASM, you could find the intro ASM and
Jump over it.
<b><i><u><a name="hax0r_colormods">Hacking Color Modifiers (by Goldenboy)</a></u></i></b>
Method 1:
Let's say you wanted to modify the crosshair color. Take a screenshot of
the game with your GS. Open the pic up in Paint (or whatever) and get the
value of the color of the crosshair. Now search for the value with a 32 bit
search.
Method 2:
In a game that has the color palette in front of you, like No Mercy...
Put your cursor on the Black color and do a 16-bit search for 0000h. Now put
your cursor on the white color and search for FFFFh. Then turn it into a
3-line 24 bit code (3 8-Bit codes for Red, Green, and Blue), since most games
use 24-Bits for color.
<b><i><u><a name="hax0r_images">Hacking Image Modifiers (Alternate) - by Icy Guy</a></u></i></b>
This method of hacking image modifiers is used when you have the quantity
digits for any image modifier in the game available.
Did that make sense?
If it didn't, read on. If it did, read on anyway.
There are two ways to hack image modifiers - with Unknown Value searches and
with Known Value searches. The Unknown Value method is used when the case is
just that - you don't know what the quantity digits for an image modifier are.
The Known Value search is used when you know the quantity digits for ANY
object's image modifier and you want to hack an image modifier for something
else.
The Known Value method is covered in this tutorial, since I'm not entirely sure
about how to hack image modifiers with the Unknown Value method. I know it
involves searching when the image changes, but I'm not up on the specifics.
Plus, all of the image mods I've hacked involve the Known Value method.
For this tutorial, I'll be using Banjo-Tooie as an example and I'll be hacking
an image mod for Heggy on the Isle 'O Hags.
Here we go...
-Find a list of image modifier values for any object, preferably a complete
list. (You can find a complete list starting <a href="http://www.gscentral.com/codes.pl?dev=gs&amp;sys=n64&amp;game=bt&amp;sub=banjotooie#9">here</a>) Look at the list until
you find the value that will turn an object into Heggy, which is 914 (the list
says 0914, but same thing). Punch this number (914) into a calculator capable
of converting between hex and decimal (e.g. Windows Calculator, in Scientific
Mode), and convert it to decimal. You'll get 2324.
-When you've loaded up 'Tooie go to the Wooded Hollow on the Isle 'O Hags.
Locate Heggy's Egg Shed and march on in.
-When Heggy appears on the screen, hit the GS Button to go to the In-Game Menu.
Select the Code Generator. Do a 16-bit, Known Value search for 2324 (914 in
decimal).
-Check your results. One of these codes SHOULD be the right one. If not, then
the game is doing something crazy, like using random addresses for images. If
that's the case, I can't help you.
-In this case, the code that turns out to be the correct one is 81132F44 ????.
So, to recap:
-Get a list (preferably complete) of image mod quantity digits for any object.
Find the digit that would change the original object to the object you want
to modify. Convert this digit to decimal.
-When the object that you want to modify shows up on the screen, do a 16-bit,
Known Value search for its value in decimal.
-Check/test your results until you find a code that works.
A few parting notes...
-If you know the general location (in the game's memory) of other image
modifiers, you can use those as guides as to where you might find your new
code(s). Knowing this really comes in handy when you check your results, as
it may eliminate almost all of the guesswork involved when you're trying to
find the right code. You should test codes in that general area of memory
first - you may not need to test any others after that.
-The locations of image mods differ between games, even if the games are in
the same series or are made by the same developers. For example:
Banjo-Kazooie stores images in the 803XXXXX area (usually 8035XXXX-8039XXXX),
Perfect Dark stores them in the 801DXXXX (maybe even 801C?) area and up (in
low-res, at least), and Banjo-Tooie stores them in the 8013XXXX area. Due to
this fact, it may be harder to hack a code because the number of results is
above 100, and the area of memory that has your code is too high to be
displayed until more results are eliminated. Unless of course, you're using
an emulator or PC utilities. ;)
-Some objects just can't have their images changed (like the Flibbits in
Banjo-Kazooie). Period.
-You may need to exit and reenter a level to see a code's effect if you altered
a memory address' value in the results screen.
-Sometimes a code won't work if you try to modify a 3D object's image with a 2D
sprite. The reverse also applies.
<b><i><u><a name="n64_enablers">C) Finding N64 Enable Codes</a></u></i></b>
<b><i><a name="n64_mtc0">How To Hack MTC0 Enabler Codes (Used with special permission of Code Master)</a></i></b>
Information That Is Needed To Know Before Tackling This Code
ASM - aka Assembly Language knowledge is good to know, because
these codes that are being written are in fact ASM codes.
Well, let's cut to the chase, what could Nintendo possibly be doing
to cause a problem with the Cheat Device. Not only does it disable the
Code Generator's Button to go to the In-Game Menu, but no codes will
work without an Enable Code either. This means that they are doing
something that disables how the Cheat Device works. Well, here's some
information that not many know, and I have figured this info out
over my time with hacking N64. Cheat Device Pro (Version 3.0 &amp; Higher)
uses WatchLo &amp; WatchHi Co-Processor break points to know when to
activate the codes that have been turned on. Well, obviously, if
they changed the WatchLo &amp; WatchHi Co-Processor registers, it would
make Cheat Device not be able to set its own 'Break Points' to know
when to activate the codes, thus disabling the Cheat Device.
The Actual Searching Method!!
Well, obviously if you can't use the In-Game Code Generator, then
you cant dump memory to the PC, so you ask, how do I search for
this? Well, simple, you must have an Illegal Rom copy of the
cartridge :P (Well, having a 'Backup' copy of an N64 rom is not
illegal in all places if you own the original cartridge, but for
the sake of argument we'll just say it is.) In the rom file, you
need to get yourself a Dissembler, to disassemble the N64 Rom
into R4300i coding. (aka ASM) I recommend either N64PSX.EXE by
Nagr, or Niew by Titanik. Both are good, and can be used to help
find this command. Well, now what is the command that we are
looking for? Obviously, if they want to change a Co-Processor
register, you would just set the register equal to something else
right? Exactly, there is a Co-Processor opcode called 'mtc0',
which means, 'Move To Co-Processor 0'. Well, you need to find an
line that is something like, 'mtc0 $v0,$s2' or 'mtc0 $v0,$s3'.
In this opcode, the first register can be 'anything', $at, $v0,
$v1, $a0, etc.. But the 2nd register must be $s2 or $s3. Why must
it be that register? Simple, the opcode is moving a register to
the Co-Processor registers, which have different names as well.
So, in essence, $s2 is equal to WatchLo, and $s3 is equal to
WatchHi. Make sense now? They are setting WatchLo or WatchHi
with this 'mtc0 xxx,$s2/$s3' line. It also happens that the
Cheat Device needs both WatchLo &amp; WatchHi to function properly. So
they can change either WatchLo or WatchHi to make the Cheat Device
not set its own break point to turn on codes, or check to see if
the GS Button was pressed, etc..
OK, now I know the 'mtc0 xxx,$s2/$s3' line in the ROM, how do I
make that into a Cheat Device code? Simple enough. Write down the rom
address of the line, lets say the line was 0005A278h. Now you need
to go to the rom address 00000008h in your dissembler, this is
where the game's 'Entry Point' is stored. For most games, it will
have 80000400h at this line. So, take this address you just got
from 00000008h in the rom, and add the 0005A278h to it, and your
total is 8005A678h and then subtract 1000h from it and the address
becomes 80059678h. And to make the Final Enable Code, change the
beginning of the code to F1, so you have F1059678h. And last, but
not least add 2400 to the end of that and there you have it,
F1059678 2400, your final 'Enable Code'.
Tips &amp; Tricks Of The Trade
Now, there are some key tips to finding this type of code.
1) None really here, unless u make your own program to disassemble
the rom yourself and check for the 'mtc0 xxx,$s2/$s3' line. If you
can and do this, it becomes very simple to make an Enable Code.
There you have it!! The first EVER N64 Enable Code FAQ on how to
make them. Note that the codes will only work on Cheat Device 3.0
Or Higher because of the F1 at the beginning of the code means
that the Cheat Device activates before the game even starts to run.
<b><i><a name="n64_mtc02">An Easier Way Of Finding "MTCO" Type Enablers via Nemu 0.8</a></i></b>
<b>by Viper187</b>
This can be much easier than the original method by CodeMaster, thanks to
a recently released update of <a href="http://www.nemu.com/">Nemu 64</a> that includes some rather useful stuff.
To do this, as with CM's method, you need to have the ROM for the game you want
to hack the enabler for and Nemu 0.8.
1) Open Nemu and load the game (ROM) you want to hack the enabler for.
2) Once the game begins to run, and you see the intro logo crap, you can Pause
it. That should be far enough for our purposes.
3) Now, open Nemu's "Dump Memory" window. Plugins &gt; Debugger: Dump Memory
4) Set the address range to dump. Start at 80000000 and end at 80400000. Ending
at 80800000 may be needed for hi-res games, but I doubt it.
5) Pick a filename and location for this memory dump.
6) Set the Format to "TEXT -Disassembled + PC"
7) Click "Dump" and it will create a somewhat large text file. Open this file
in the text editor of your choice (I prefer Textpad 3.2.0).
8) Upon loading the file, you'll see all kinds of ASM stuff.
9) Use the Find/Search feature of your text editor to search for "MTC0".
Now, the particular MTC0 line we're looking for is "MTC0 $xx, reserved". I
realize that CM said "MTC0 xx,$s2/$s3" above, but this is how it appears to
work with Nemu's disassembler and the actual RAM. I've looked at the enablers
for several games and each one has been the same so far, right down to the reg.
tip: You may actually just want to search for "reserved"; it might appear less
than "MTC0" itself.
10) Once you've found the MTC0 line, simply take the address beside it, for
example "80023240", and make it into your enabler. Do this by changing the
first 2 digits to F1 and using the value 2400 (hex).
11) Test the enabler on the game and start cheating! :_
<b><i><a name="n64_nonmtc0">Hacking Enabler codes that do not conform to the "mtc0 xxx" search</a>
- by Parasyte</i></b>
To hack most of the newer enable codes for N64, follow the ASM from the
entry point and look for something that reads or writes to an address below
80000400. If you find something, KILL IT! You must do that by either nulling,
that is setting the offset to zero or finding some other suitable offset. You
must do this for every instance you can find. the new GS protection put into
games will read/write to the following addresses -
80000080
80000100
80000180
80000190
go through the entry point and find all instances of "ori/addiu xxxx"
where 'xxxx' is either '0080', '0100', '0180', or '0190'. then search
above those opcodes for an "lui 8000" opcode if you find that lui, just
change the 'xxxx' in the ori/addiu opcodes to '0120' and the protection
will be flawed. some games will also force 8MB mode before actually
checking for the expansion pak. To force 8MB mode, addresses around 80000300
will be written to. many times, you can find the ASM by searching for
"addiu/ori 013x" where 'x' is a value 0-F. you may find some "sb/sh/sw
013x($yy)" opcodes. if $yy is $sp, ignore that entire opcode. Otherwise,
look above that address for "lui $yy,x000" where 'x' is either '8' or 'A'.
An example of one common enabler that can be used to force either high or
low resolution modes and is useful in getting a game to boot and running in
either mode is as follows:
F0000319 00??
?? =
40 - low rez
80 - full hi-rez
78 - trick the game into thinking it's hi-rez, but there's actually 1/8th
of the RAM free... Which the GS uses for it's trainer routines and such.
that address simply specifies the highest address the game is allowed to
use. just don't go above 80.. Since that RAM is reserved and unusable, the
game will crash. But just play around with the values.. you might come up
with better values.
It works for every game. BUT it does NOT force screen resolution!!!!! It
forces the game to use any amount of RAM you want. It does not make the
games any faster, does not give it a higher screen resolution. It's mainly
used to hack games that run with the expansion pak. You can use the PC
Utils. Addresses 80000000 - 80780000 are available in this mode. So the
codes you hack with it may not work in the full 8MB mode.
When modifying the 80000318 address, and it tells you there's no expansion
pak, that generally means the game is reading that address to ensure it's
value is 80800000. This may be defeated by watching reads of 80000318
using Nemu 0.8 or possibly another method of finding them.
<b><i><a name="n64_ffenablers">Finding FF Enable Codes (For Hi-Res Games)</a></i></b>
<b>by Viper187 &amp; Parasyte</b>
FF enable codes tell the GS where to store your active codes. This is
sometimes needed because the shark's default store location is used by a game,
which causes it to crash. FF enable codes can fix this. The only catch is, they
weren't supported til GS Pro version 3.3.
Ok, to do this you need a hi-res RAM dump of the game that needs the enabler.
You can get this in a few ways. The easiest way I've found is Nemu 0.8.
When you have the game running in it, and have started a new game and such, go
to Plugins &gt; Memory. This looks a lot like the Memory Editor in GS Pro. Now
that you're able to view the RAM, either with Nemu as stated or another way,
look for a large block of 00s, 256 bytes minimum. The trick here is finding a
block of 00s that actually stays 00s while playing, meaning the game doesn't
use that area. ever! The address where this block of 00s starts can be your
FF code (i.e. FF266610 0000). You'll just have to try it and see if the game
will load with that and a code or two on.
<b><i><u><a name="n64_emu">D) N64 Emulator Based Hacking - by Viper187</a></u></i></b>
<b><i>Hacking With Nemu</i></b>
Nemu is most useful, as it has a full debugger, memory editor, etc. but
it only has Known Value search and Text search, which come in handy at times.
Luckily, it also has some nice RAM dump options. Now the downside is that a lot
of games have problems on Nemu or just don't run. You can sometimes get
stubborn games to run by trying an alternate <a href="http://viper.shadowflareindustries.com/lib/downloads/nemu64ini.rar">INI file</a> or simply changing an
option somewhere. One of the dumbest little tricks I've found to getting some
games running, was disabling Audio HLE in Nemu's Debug Menu. Another point
of interest is the expansion pack. Some expansion pack games won't seem to run
without the pack enabled, even though they do on the console, so try switching
the pack on (Options &gt; Settings). There are also other Audio/Video plugins
that you can use with Nemu to get games running better. The best ones I've seen
so far are Rice's Daedalous 4.6.0 (5.0.0 and 5.0.1 don't seem as good) and
Jabo's D3D 1.30. To dump RAM using <a href="http://www.nemu.com/">Nemu 0.8</a> or higher, go to the Plugins
Menu, and locate "Dump Memory". Here you can specify how much of the RAM to
dump, where to save it to, and what format. "RAW - Big Endian (N64)" is the
normal N64 RAM dump. This is the format you use with Phantom's program,
Cheater64, etc. Just take a few RAM dumps where you would normally do your
searches with the shark, and plug them into RAM Compare to find some codes.
Hint - Goldeneye 007: I know it's one of those games that everyone
just has to try on here. Well, it's really only worth fiddling with on Nemu
if you want to try to ASM hack it; otherwise use Project64. The only way I've
gotten it to run on Nemu is with that alternate INI file and Jabo's D3D 1.30.
Hint - Perfect Dark: Only seems to boot in hi-res. If you can get it booted,
you'll see a good deal of graphics glitching and such, but with a little luck
you can get into the game. I've noticed it freezes a lot at the Start Mission
screen; getting into Combat Sim was a little easier though.
Hint - Jeopardy: Audio HLE might need to be off (I forget), but once you load
the game it may seem like your controller doesn't work. Turn off Controllers
2-4 before loading and it should be fine. :)
Hint - Turok 2: Runs pretty good, but don't press the L button on your
controller because it'll cause the game to screw up.
Hint - Turok Rage Wars: I know I had this thing run before, but I haven't been
able to get it running since then. If anyone figure out why it keeps crashing
Nemu on me, let me know.
<b><i>Hacking With Project 64</i></b>
Project 64 is about the best N64 emulator there is, at least for playing
games. I've found very few games that won't run on this. "Where's the RAM dump
thing??" There isn't an actual RAM dumper, memory editor, or code generator.
Now here's the good news. The Save States are basicly RAM dumps when
uncompressed; PJ64 zips them by default, but you can turn that off to make
things easier. Now a .PJ file is a RAM dump that has a header and footer, and
each 32-Bit value is reversed. Use Phantom's <a href="http://viper.shadowflareindustries.com/lib/downloads/phantombyteswap.zip">Byteswap program</a> to take care of
this. Then you can either plug your RAM dumps into the comparer program/hex
editor of your choice and go to work.
PJ64 Save States - Specific differences from a RAM dump:
1. The First 75C of the file is an extra header. Beyond that is the RAM.
2. Byteswapping: Every 32-bits word in a PJ file is reversed.
i.e. 80012344: 78 56 34 12 is really 80012344: 12 34 56 78.
3. The last 2000 (hex) of the file is a footer.
<i><u>Phantom's Comparer</u></i>
Phantom's little <a href="http://viper.shadowflareindustries.com/lib/downloads/phantomcompare.zip">RAM Compare</a> program has the basic search options,
plus it can search for Floating Point values, to an extent. It only supports
normal RAM dumps. To use with PJ64 save states, you'll need Phantom's
<a href="http://viper.shadowflareindustries.com/lib/downloads/phantombyteswap.zip">Byteswap Program</a>.
<i><u>Cheater64</u></i>
<a href="http://viper.shadowflareindustries.com/lib/downloads/cheater64.zip">Cheater64</a> is Viper's newest toy. It has all the usual options, with
much needed improvements. It accepts RAM dumps and PJ64 save states (no need
to fix them).
<i><u>VTR Compare</u></i>
<a href="http://viper.shadowflareindustries.com/lib/downloads/VTRCompare.zip">VTR Compare</a> is the mother of all search programs, as far as options go,
but it lacks horribly in speed. When dumping RAM from Nemu, you need to select
"TEXT - 32 Bit HEX Data" (or 16-Bit) to use it with VTR Compare. Once you've
got a few dumps, crack open VTR Compare and go to work. It should be pretty
straight forward, but don't forget to check the ReadMe.
<b><i><u><a name="n64_asm">E) N64 Assembly ("ASM") Hacking - by Viper187</a></u></i></b>
Covered In This Section:
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_intro">Introduction</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_assume">Assumptions</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_basic">Basic Info</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_setbp">Setting Breakpoints</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_regs">Regs &amp; Opcodes</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_niew">Using Niew</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_lemasm">Using LemAsm</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_getstarted">Getting Started</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_wwasmops">Working With ASM OPs</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_hackingmisc">Hacking Some Various Types Of Codes Using ASM</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_writingroutines">Writing Routines, Jumping In And Out, Etc</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_bigrouts">Example Of A Longer Routine</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_usingfpr">Using The COP1 Registers And Instructions</a>
</li></ul>
All my ASM knowledge came from Parasyte, The Phantom, CodeMaster, and
just playing around with it. I'd like to thank Parasyte in particular
for putting up with all the questions I'm always asking him. :-)
<b><i><a name="n64asm_intro">Introduction</a></i></b>
<a name="n64asm_intro"> This guide was written to teach you some basic and intermediate
ASM hacking. This is only a taste of what you can do. ASM, which is
short for Assembly Language, is a low-level programming language.
The standard codes we all know how to hack are merely RAM
addresses that hold a value. You'll soon see that you can do more
than just freeze those values.
It may seem like there's a lot of information here. I try to make it as
easy to understand as I can, but I, like Parasyte have been doing this stuff
for so long that it becomes a little hard to write for total beginners. It
should be evident that this isn't necessarily a beginners kind of hacking
in the first place. Don't be overwhelmed; learn this at your own pace.
The best piece of advice I can probably give you is to get to try setting
Breakpoints, and look at the ASM before you just NOP something for Infinite
Somethin. Get a feel for how it actually works and what you are doing by
NOPing it. See what other ways you could go about getting the same effect.
You can also take apart existing ASM codes that were hacked by people
like Parasyte and myself. By dumping the RAM of a game, opening it in Niew,
and setting the values of some ASM codes that are laying around, you can see
what they change and what that does.
If there's something in here you still don't get, or are having trouble
getting the effect you want, just can't think of how you'd even begin to do
a particular code (i.e. Gravity), etc. you can post on the messageboards here
at </a><a href="http://www.gscentral.com/">GSCentral</a> and one of the more experienced ASM hackers should be able to offer
some help. One of the reasons I say this is that not all games are the same,
different programmers do things different ways; It's more a matter of
learning the basic coding idea behind what is being done, so you'll be able
to hack the same effects for different games.
<b><i><a name="n64asm_assume">Assumptions</a></i></b>
<ul>
<li><a name="n64asm_assume">You have GSCC2k2 installed on your computer and you know how to
use it with a Cheat Device (v3.2 or Higher), OR you're somewhat familar
with </a><a href="http://www.nemu.com/">Nemu 64 0.8</a> if you want to go that route.
</li><li>Obviously, you need to have a DB25 male to female parallel cable
to hook the Cheat Device to your PC as well.
</li><li>You should have at least some knowledge of Hex, and a little
Memory Editor experience wouldn't hurt.
</li><li>To really work with N64 ASM, you'll also need <a href="http://www.gscentral.com/lib/downloads/niew.zip">Niew</a>,
<a href="http://www.gscentral.com/lib/downloads/n64ops.zip">N64 ASM (R4300i) opcode documentation</a>, and <a href="http://www.gscentral.com/lib/downloads/LemAsm.zip">LemAsm</a>.
</li></ul>
<b><i><a name="n64asm_basic">Basic Info</a></i><a name="n64asm_basic"></a></b>
<a name="n64asm_basic"> <i><u>How does this "ASM" hacking work?</u></i>
You can't just search for ASM codes like normal codes, per se. For most
applications, with the exception of enablers and possibly other special
circumstances, you need a normal code to hack an ASM code. What we do is set
a Breakpoint on a code (address) to find the ASM routine that reads/writes it.
<i><u>What are Breakpoints?</u></i>
Breakpoints are used to find the ASM that reads/writes to a specific
address. When you set a BP, you're causing the debugger to watch the address
that you're setting the BP on. When the address is read/written to, the
debugger breaks (halts).
<i><u>What good are they?</u></i>
You can do almost anything with breakpoints.
Some of the more pratical uses are:<br><br>
</a><ul><ul><ul>
<li><a name="n64asm_basic">Getting more of something/causing double damage
</a></li><li><a name="n64asm_basic">Mega Jump
</a></li><li><a name="n64asm_basic">Hit Anywhere
</a></li><li><a name="n64asm_basic">Walk Through Walls
</a></li><li><a name="n64asm_basic">Killing timers
</a></li><li><a name="n64asm_basic">Infinite Health, ammo, etc
</a></li><li><a name="n64asm_basic">Gain ammo when shooting
</a></li></ul></ul></ul>
<a name="n64asm_basic"> <i><u>Are there different types of Breakpoints?</u></i>
Yes, there are 3 types:<br><br>
</a><ul><ul>
<li><a name="n64asm_basic">Read (BPR) - This occurs when ASM reads the value of the address the
debugger is watching. ASM will almost always read the value of your ammo and
such in order to reduce it when you shoot.
</a></li><li><a name="n64asm_basic">Write (BPW) - This is the most common. This occurs when ASM writes a value
to the address the debugger is watching. We'll be using this primarily.
</a></li><li><a name="n64asm_basic">Execute (BPX) - This one is a little different, and we don't use it that
often. In this case, the debugger is watching a part of the ASM to see when
it's executed. This is usually used to find more advanced codes.
</a></li></ul></ul>
<a name="n64asm_basic"><b><i></i></b></a><b><i><a name="n64asm_setbp">Setting Breakpoints</a></i><a name="n64asm_setbp"></a></b>
<a name="n64asm_setbp"> Ok, before you can hack an ASM code, you need to know how to set a BP.
If you're using GSCC2k2:
</a><ul>
<li><a name="n64asm_setbp">Open GSCC2k2
</a></li><li><a name="n64asm_setbp">Go to the RAM Editor
</a></li><li><a name="n64asm_setbp">Click "Set BP"
</a></li><li><a name="n64asm_setbp">In the box that pops up, put in the address to BP on, e.g. 800ACE01. You
only need to enter the address, not the value. Also note, the addres you enter
must begin with '80' and not '81', '88', etc. Just change the address to '80'
when you type it in.
</a></li><li><a name="n64asm_setbp">Choose the type of BP. In most cases, you'll only want "Write" checked, but
there are cases when you'll use "Read" or both.
</a></li><li><a name="n64asm_setbp">Decide if you want the game to auto resume after the BP occurs. Usually,
you can go ahead and auto resume, but sometimes you'll want to leave it so you
can resume manually with Shift + F9. Also note that some games won't resume at
all. You should be used to this. It happens when hacking normal codes too.
</a></li><li><a name="n64asm_setbp">Now when you click "Set BP" on this pop up, it goes away and you get a new
pop up. It asks you to click Yes when the game halts.
</a></li><li><a name="n64asm_setbp">Next, cause the address you set your BP on to be read/written to (e.g. for
ammo, you'd shoot a gun). The game should freeze and you can click Yes now.
</a></li><li><a name="n64asm_setbp">When you click Yes, a Notepad window will open. This gives you valuable
info about the asm that's reading/writing that address.
</a></li></ul>
<a name="n64asm_setbp">If using Nemu64 0.8:
</a><ul>
<li><a name="n64asm_setbp">Open the Memory editor (Plugins &gt; Memory)
</a></li><li><a name="n64asm_setbp">Go to the address you want to BP on
</a></li><li><a name="n64asm_setbp">Decide if you want BPR or BPW ("Watch Type")
</a></li><li><a name="n64asm_setbp">Rightclick the value of the address you want a BP on. It will be
highlighted a different color depending on the Watch Type. You'll notice that
it's going to watch all 32bits.
</a></li><li><a name="n64asm_setbp">Next, cause the address to set the BP on to change (e.g. for ammo, you'd
shoot). The game should freeze and the Commands window with come up (if it's
not already open). The highlighted address is the ASM opcode that wrote to
the address you're watching. open Registers (Plugins &gt; Registers) to see
all the values of the General Purpose regs (like the Notepad in GSCC2k2 shows
you). If you've done this on GSCC2k2 before, you'll notice something cool
about Nemu's Registers window... It has the COP1 regs! We'll get into those
a little later.
</a></li></ul>
<a name="n64asm_setbp"> <i><u>Setting Breakpoints On Execute (BPX)</u></i>
Nemu64 0.8: It's easy to set a BPX on Nemu. Just click beside the address
of the opcode you want to BPX on in the Commands window, and a checkmark will
appear beside it. BPX set :)
GSCC2k2: Now GSCC2k2, on the other hand, doesn't have a BPX option. But, I
found my own way to do it. Originally, Parasyte/CodeMaster came of with a long
routine that did it. My way is easier than that, but requires a little
opcode knowledge. Take the address you want a BPX and check it and the opcode
that follows it to:
LUI $K1, 8000
SW $K1,0060($K1)
Now set a BPW on 80000060 and you have your BPX. What those 2 opcodes do is
set $K1 to 80000000, then store $K1 to 80000060 just to cause your BPW to
occur. $K1 isn't used by the game after boot up, so we don't have to worry
about changing it.
<i><u>What if the game halts when it shouldn't with GSCC2k2?</u></i>
There are some cases where the BP will occur prematurely. If this happens,
look at the Notepad window and get the value of "pc", it'll be the address of
the ASM that read/wrote (e.g. 80021530). Back in GSCC2k2, you'll notice that
your position in the ram editor has changed to the address of the ASM. Click
in there on the address of the ASM (80021530 in this case) and change it to
2400 (Yes, that's 16-bit). Set your BP again (same address as the first time)
and get the game to halt again. If it's premature, repeat the previous steps
till you get it to break at the right time. Note that this is where turning
auto resume off comes in handy. You can leave the game halted, set the
premature BP to 2400, then when you set your BP again to try for the right
one, it will resume and wait for the next break.
<i><u>What if the game halts when it shouldn't with Nemu64?</u></i>
As I mentioned above, there are cases where there is a constant read/write
on the address you're working with. With Nemu, you can try to just resume
("GO") from the commands window, or rightclick the opcode in the commands
window and "--&gt; Memory Debugger" to bring the Memory Editor back up and
bring it to that address. Then you can NOP it by setting it to 0, and go back
to the Commands window to resume ("GO").
<i><u>TLB Mapping</u></i>
TLB mapping is pretty evil in the eyes of ASM hackers. This is the reason
you don't see 1337 ASM codes for Goldeneye and very few for Perfect Dark. It's
like some kind of address aliasing. When you set a breakpoint on Goldeneye,
for example, the PC address returned will be something other than the real PC
address; in Goldeneye's case you'll get an address beginning with something
like '7F' instead of '80'. There's no known way to get around it on the
console, but you can with Nemu 0.8. If you set a Breakpoint on a TLB mapped
game in Nemu, you'll see all the opcodes in the TLB addresses. The trick is
finding the real ones. Rightclick the break address and choose the
--&gt; Memory Debugger. This will bring up the memory editor, but notice the
addresses shown are the same address you saw in the debugger (TLB mapped).
Look at the 32-Bit value of the first (break) address there. Bring up the
Search window and do a 32-Bit search for that value. If you got more than 1
result, you'll have to figure out which one it is by comparing the opcodes
before/after the one you searched for. There you have it, you got around one
of the most evil programming tricks in the book. :)
<b>An In-Depth Look at the Translation Look-aside Buffer (TLB) - by Parasyte</b>
<i>Formats</i>
EntryLo0 &amp; EntryLo1:
00 pppppppppppppppppppppppp ccc d v g
(32-bit: 2.24.3.1.1.1)
p = Page frame number; the upper bits of the physical address.
c = Specifies the TLB page coherency attribute. (See below)
d = Dirty. If this bit is set, the page is marked as dirty and, therefore,
writable This bit is actually a write-protect bit that software can use
to prevent alteration of data.
v = Valid. If this bit is set, it indicated that the TLB entry is valid;
otherwise, a TLBL or TLBS miss occurs.
g = Global. If this bit is set in both Lo0 and Lo1, then the process
ignores the ASID during TLB lookup.
PageMask:
0000000 mmmmmmmmmmmm 0000000000000
(32-bit: 7.12.13)
m = Page comparison mask
EntryHi:
vvvvvvvvvvvvvvvvvvv 00000 aaaaaaaa
(32-bit: 19.5.8)
v = Virtual page number divided by 2 (maps to two pages)
a = Address space ID field. (ASID) An 8-bit field that lets multiple
processes share the TLB; each process has a distinct mapping of
otherwise identical virtual page numbers.
<i>Notes On TLB Page Coherency (c bits)</i>
The TLB page coherency attribute (C) bits specify whether references to the
page should be cached; if cached, the algorithm selects between several
coherency attributes. The table below shows the coherency attributes
selected by the C bits.
TLB Page Coherency (C) Bit Values
0: Reserved
1: Reserved
2: Uncached
3: Cacheable noncoherent (noncoherent)
4: Cacheable coherent exclusive (exclusive)
5: Cacheable coherent exclusive on write (sharable)
6: Cacheable coherent update on write (update)
7: Reserved
<i>Translating Virtual Addresses To Physical Addresses</i>
In order to translate virtual to physical addresses, you must be able to
read each TLB entry, looking for a virtual address hit.
Start by dumping the TLB entries one-by-one. First, load the CP0 Index
register with the TLB entry index you wish to dump. You should start with
0x00, and work your way up to 0x2F. That gives 48 total TLB entries. After
loading CP0 Index with the entry number, call a TLBR instruction. This
will dump the TLB entry to the EntryLo0, EntryLo1, PageMask, and EntryHi
registers in the formats described above.
After the TLB entry has been dumped, begin decoding the data in each
register.
To decode a TLB entry, start with the p bits from the PageMask register.
This value tells the size of a virtual page for the TLB entry. The page
size can be determined by checking the values against the following table.
0x0000: 4KB (0x1000 bytes)
0x0003: 16KB (0x4000 bytes)
0x000F: 64KB (0x10000 bytes)
0x003F: 256KB (0x40000 bytes)
0x00FF: 1MB (0x100000 bytes)
0x03FF: 4MB (0x400000 bytes)
0x0FFF: 16MB (0x1000000 bytes)
If the value is anything other than listed, the page size is
undefined\erroneous. Here is a bit of C which will allow you to
grab the page size and a page mask:
u32 mask = (PageMask &gt;&gt; 1) | 0x0FFF;
u32 pagesize = mask+1;
Next, extract the virtual page number from EntryHi, based on pagesize.
u16 tmp = pagesize &gt;&gt; 12;
u32 vpn = (((EntryHi &gt;&gt; 13) / tmp) * tmp) &lt;&lt; 13;
Then use the virtual page number as a mask to the virtual address. If the
result is the same as the vpn, it's counted as a hit. If not, restart the
process with the next TLB index.
if ((vaddr &amp; vpn) != vpn) continue;
If it's a hit, find out if the virtual address is on an odd or even page,
based on the TLB page size.
u32 odd = vaddr &amp; pagesize;
Now perform a logical AND on EntryLo0 or EntryLo1, depending on the 'odd'
variable. If the result is 0, the page frame is invalid. If successful,
extract the page frame number. If not, restart the process with the next
TLB index.
u32 pfn;
if (!odd) {
if (!(EntryLo0 &amp; 0x02)) continue;
pfn = (EntryLo0 &gt;&gt; 6) &amp; 0x00FFFFFF;
}
else {
if (!(EntryLo1 &amp; 0x02)) continue;
pfn = (EntryLo1 &gt;&gt; 6) &amp; 0x00FFFFFF;
}
Finally, if it gets this far, mask the virtual address with the 'mask'
variable created earlier. Then attach the physical page number, and or
with 0x80000000 to complete the process. Lastly, exit the loop. Checking
the remaining entries for a hit is not required.
u32 paddr = (0x80000000 | (pfn * pagesize) | (vaddr &amp; mask));
break;
And there you have it! Your paddr variable will be a pointer to the
translated address.
<b><i></i></b></a><b><i><a name="n64asm_regs">Regs and Opcodes</a></i></b>
<a name="n64asm_regs"> <i><u>What are Registers?</u></i>
Ok, you set a BP, you have that Notepad window (or you're looking at the
Registers Window in Nemu), and I bet you're wondering what that stuff means.
The Notepad doc is called a reg dump. It lists the N64 registers and their
current value. Registers, or regs as we call them, are variables. ASM uses
these variables to carry out various operations. Here's a sample reg dump...
r0 - 00000000&nbsp;&nbsp; at - 41A00000&nbsp;&nbsp; v0 - 00000008&nbsp;&nbsp; v1 - 80110728
a0 - 00000068&nbsp;&nbsp; a1 - 00000004&nbsp;&nbsp; a2 - 00000000&nbsp;&nbsp; a3 - 00006D60
t0 - FFFFFFFF&nbsp;&nbsp; t1 - 00000004&nbsp;&nbsp; t2 - 00000006&nbsp;&nbsp; t3 - FFFFFFFF
t4 - 00000008&nbsp;&nbsp; t5 - FFFFFFE0&nbsp;&nbsp; t6 - 00680000&nbsp;&nbsp; t7 - 8019E0F4
s0 - 801A7190&nbsp;&nbsp; s1 - 00000000&nbsp;&nbsp; s2 - 80112148&nbsp;&nbsp; s3 - 80199C0C
s4 - 800DC9E4&nbsp;&nbsp; s5 - 00000000&nbsp;&nbsp; s6 - 00000000&nbsp;&nbsp; s7 - 00000000
t8 - 00040000&nbsp;&nbsp; t9 - FFFFFFFE&nbsp;&nbsp; k0 - 80794AEC&nbsp;&nbsp; k1 - 00000AAA
gp - 00000000&nbsp;&nbsp; sp - 80114808&nbsp;&nbsp; fp - 00000000&nbsp;&nbsp; ra - 80073930
pc - 80073948
Each of those regs holds a 32-Bit value. For example, v0 holds the value
00000008. These are referenced in ASM by a dollar sign (e.g. $v0).
Notes:
1. $pc is for our purposes ONLY (it's not an actual reg that you can use in
your routines). It holds the address of the ASM that read/wrote to the
address you set the Breakpoint on.
2. $r0 is also known as $zero. It's ALWAYS zero no matter what you try to
change it to.
3. $k1 is always 00000AAA, but it doesn't have to be. Games doesn't use
it after boot up, so it's a free reg for us to use.
4. $sp is the Stack Pointer. The games uses the address in this reg to store
regs temporarily while doing things. You'll rarely, if ever, want to change
this.
5. Stay away from $gp,$k0, and $fp. Those are used for special things and
changing them usually isn't good.
<i><u>What are COP1 Registers?</u></i>
The COP1 registers, also known as Floating Point (FP) registers, are used
for floating point calculations. These regs are referenced as F0, F1, etc up
to F31. No Dollar signs with them, and Niew doesn't show them, as it doesn't
support COP1 opcodes. Some examples of these would be Size mods, Coordinates,
some Timers, some Health &amp; Ammo, etc. These FP regs can only be viewed when
using Nemu. If you need to know what they are when hacking GSCC2k2, the only
thing you could really do is write a long ASM routine to store the values of
the FP regs to some emtpy RAM. FP numbers in RAM are stored as 32bit values.
If you've ever played with a Bond game, you've seen them. Bond's health
(3F80/42C8) was an FP. You'll notice in the Bond case, that your full health
is 3F80 0000, but obviosly you only need to freeze the upper half (3F80) to
get Infinite Health. What exactly is 3F80? 3F800000 is actually 1.0 and
42C80000 is 100.0. How can you calculate those? Well, I'd really like to know
the actual math operations to convert from hex to float, but since I don't,
I use </a><a href="http://www.gscentral.com/lib/downloads/FloatConvert.exe">FloatConvert</a>. I didn't write that program. It's just something that
Parasyte found floating around the net.
<i><u>What are OpCodes?</u></i>
Operation Codes, or OpCodes as we call them, are the actual lines of
program code within the RAM. ALL OpCodes are 32 bit, but not all ASM codes are
32 bit. ASM codes can be anything from a single 8 bit code, to as many 16 bit
codes as the Cheat Device/Emulator will let you enter. The Opcodes are 32 bit,
as I said, so to change one OpCode completely you need two 16 bit codes. This
is why some ASM codes are so long; it takes 2 lines to change a whole opcode.
<i><u>What are COP1 OpCodes/Instructions?</u></i>
COP1 (Co-Processor 1) handles all the Floating Point calculations. It has
Opcodes/Instructions like SWC1, ADD.S, etc. You'll see these instructions in
Nemu's Commands window, but Niew doesn't support them. That's what LemAsm is
for. We'll get in to this in a little more depth later...
<i><u>What is a NOP?</u></i>
A NOP (No Operation) OpCode does absolutely nothing. Yes, I said NOTHING.
Then why is it so damn useful? Simple. When you want to stop any OpCode from
executing, like to stop the game from taking away health when you get hit, you
change that OpCode to a NOP. There are 2 basic ways to NOP an OpCode:
<ul>
<li>Long NOP - This is a 32 bit NOP, meaning it takes two 16 bit codes to use.
A long NOP is (you guessed it) zero. For Example, to NOP the OpCode at 80023154,
you would enter 81023154 0000 and 81023156 0000 into your Cheat Device.
</li><li>Short NOP - This is a 16 bit NOP, so it's a single code. This is what you
will want to use most times to keep your codes shorter. The value of a Short
NOP is 2400, so to NOP that OpCode at 80023154 this way use 81023154 2400. The
reason Short NOPs work is because they're assembled as ADDIU $zero,$zero,xxxx.
That's why only 1 line is needed. The other 16 bits don't matter since $zero
is always 0 no matter what you try to do to it. hehe
</li></ul>
<i><u>What are Routines?</u></i>
An ASM routine is just a specific piece of code that does something. It
can be any length and do pretty much anything. An example of a routine
would be a piece of code that is executed when you fire a weapon. It would
read your current ammo, subtract 1 from it, and store the new value.
<i><u>What are Jumps and Branches?</u></i>
Jumps are what ASM uses to get from one piece of code (routine) to
another routine. Branches have the same affect, but they are conditional
jumps. This means they only jump when something is true/false (like an IF
in C++/VB6). Both of these opcodes have what is called a Delay Slot. This
means the opcode directly following it is to be executed before the jump.
<i><u>Bytes, Halfwords, Words, and Dwords</u></i>
Opcodes read &amp; write values to the ram in different sizes...
Byte: 8-Bit (00 - FF)
Halfword: 16-Bit (0000 - FFFF)
Word: 32-Bit (00000000 - FFFFFFFF)
Doubleword (Dword): 64-Bit (0000000000000000 - FFFFFFFFFFFFFFFF)
<b><i><a name="n64asm_niew">Using Niew</a></i></b>
<a name="n64asm_niew"> To use Niew, begin by using GSCC2k2/Nemu to get a ram dump of the game
you're gonna edit the ASM of. Dump at least 800 - 802 (GSCC2k2 default), or
dump all 4 megs (800 - 804) if need be. Now put that ram dump in the same
folder as Niew and open a dos window. browse to the directory where niew is
located and type "niew filename.bin" (filename is whatever you named the ram
dump). The program will open and load that ram dump, but it'll look all
garbled. Now press F4 to switch to ASM view. It'll look like this:
<img src="./The Secrets of Professional GameShark(tm) Hacking_files/niew1.jpg">
</a><ul>
<li><a name="n64asm_niew">The first column is the address (duh), the second is the value (32 bit),
and the rest is the ASM.
</a></li><li><a name="n64asm_niew">The "&gt;" on the far left side indicates your current location.
</a></li><li><a name="n64asm_niew">Press F5 and you'll be able to to type in the address column there. Put in
the address of the ASM you want to edit, but make the first 2 digits of the
address 00 instead of 80, then hit Enter.
</a></li><li><a name="n64asm_niew">scroll up and down with the arrow keyes to look at all that ASM in that
area.
</a></li><li><a name="n64asm_niew">Press F3 once and the cursor will move to the value of the specified line.
If you want to see what someone else's ASM code does, you'd type the value into
the proper addresse(es).
</a></li><li><a name="n64asm_niew">To edit the ASM, press F3 a second time. This will put the cursor in the
ASM column. Edit the opcode or type in a new one, then hit Enter to go to the
next line.
</a></li><li><a name="n64asm_niew">You'll notice when you press enter, that the value of that address changes
to the value repesenting the edited opcode. This is the value you'll need to
enter into your cheat device.
</a></li></ul>
<a name="n64asm_niew"><b><i></i></b></a><b><i><a name="n64asm_lemasm">Using LemAsm</a></i></b>
<a name="n64asm_lemasm"> First off, note that this could be considered a more advanced topic. You
*should* familarize yourself with the basic ASM opcodes and Niew first, but
it's up to you. LemAsm, thankfully, is a Windows program instead of a DOS app.
So just open the RAM dump you're gonna work with use File - Open (duh). Now,
you'll need to change to MIPs disassembly mode with Edit Mode and Show Reg
Names. All 3 of these are in the View Menu, or you can hit F6,F3,F7 in any
order. Now just type in the COP1 instruction you want to assemble and hit enter
(like Niew). Now, one note with this program. I've noticed a bug that occurs
sometimes when I try to assemble ADD/SUB instructions. Hit enter and they may
become DIV. You'll notice that the hex is something like 4406 1003. that 03 is
typicly 3 for DIV, 2, for MUL, 1 for SUB, and 0 for ADD. Just plug the value
into Nemu's Memory Editor and look at it in the commands window to see if
you've got it right.
<b><i></i></b></a><b><i><a name="n64asm_getstarted">Getting Started</a></i></b>
<a name="n64asm_getstarted"> Think you're ready to hack your first ASM code? Well, let's do it. I've
always found it easiest to learn by example, so I'll show you how to hack a
code for Infite health, ammo, time, etc.
I'm going to use Infinite Ice for Mortal Kombat Mythologies, Sub-Zero as
our example. Have you ever tried to hack a simple Infinite Health code or
something of that type and found that it only works for that area of the game
or is just completely random? This is one of those games. The RAM address of
your health, ice, etc changes when you get to a checkpoint, get killed, etc.
Despite moving around randomly, it always starts in the same place. When you
boot up MK Myth and start a new game, your Ice is located at 800F0217. So we
set a BPW on 800F0217, throw ice, and the game halts. Click YES for the reg
dump to open. This is what we got:
r0 - 00000000&nbsp;&nbsp; at - 80110000&nbsp;&nbsp; v0 - 00000086&nbsp;&nbsp; v1 - 800EFBC0
a0 - 800EFBC0&nbsp;&nbsp; a1 - 0000FFFF&nbsp;&nbsp; a2 - 800EFBC0&nbsp;&nbsp; a3 - 0000009E
t0 - 00000000&nbsp;&nbsp; t1 - 00000001&nbsp;&nbsp; t2 - FFFFFFFF&nbsp;&nbsp; t3 - 00000004
t4 - FFFF0000&nbsp;&nbsp; t5 - 00000002&nbsp;&nbsp; t6 - 00000009&nbsp;&nbsp; t7 - 000000C5
s0 - 8010BF50&nbsp;&nbsp; s1 - 8010BF50&nbsp;&nbsp; s2 - 8010BF50&nbsp;&nbsp; s3 - 0000001A
s4 - 0000001B&nbsp;&nbsp; s5 - 00000000&nbsp;&nbsp; s6 - 00000103&nbsp;&nbsp; s7 - FFFF8000
t8 - 00000001&nbsp;&nbsp; t9 - 00000001&nbsp;&nbsp; k0 - 80794AEC&nbsp;&nbsp; k1 - 00000AAA
gp - 00000000&nbsp;&nbsp; sp - 800F0138&nbsp;&nbsp; fp - 800F01E0&nbsp;&nbsp; ra - 8004ABB8
pc - 8004AC78<br>
The address of the ASM that wrote to 800F0217 is the address in $pc, 8004AC78.
Now, NOP that address via GSCC2k2's RAM editor to see if it gives us Infinite
Ice. If it doesn't, we need to set the BP on 800F0217 again, cause a break
(throw ice, in this case), get the new regs, and NOP the new $pc. Repeat that
til you find the one that works. The first one worked here, though.
<b><i></i></b></a><b><i><a name="n64asm_wwasmops">Working With ASM OPs</a></i></b>
<a name="n64asm_wwasmops"> This is where it gets interesting. You know that ASM opcode we NOPed above
to make Infinite Ice? Well, if you think that's all you can do with ASM, think
again. To really get into ASM hacking, you'll need to download </a><a href="http://www.gscentral.com/lib/downloads/niew.zip">Niew</a>. It's a small
dos program that's used to view N64 ASM. See the <a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_niew">Using Niew section</a> for instruction
on using it.
For this example, I'm going to use the Ice in MK Myth again. We've got our
regs from the previous example:
r0 - 00000000&nbsp;&nbsp; at - 80110000&nbsp;&nbsp; v0 - 00000086&nbsp;&nbsp; v1 - 800EFBC0
a0 - 800EFBC0&nbsp;&nbsp; a1 - 0000FFFF&nbsp;&nbsp; a2 - 800EFBC0&nbsp;&nbsp; a3 - 0000009E
t0 - 00000000&nbsp;&nbsp; t1 - 00000001&nbsp;&nbsp; t2 - FFFFFFFF&nbsp;&nbsp; t3 - 00000004
t4 - FFFF0000&nbsp;&nbsp; t5 - 00000002&nbsp;&nbsp; t6 - 00000009&nbsp;&nbsp; t7 - 000000C5
s0 - 8010BF50&nbsp;&nbsp; s1 - 8010BF50&nbsp;&nbsp; s2 - 8010BF50&nbsp;&nbsp; s3 - 0000001A
s4 - 0000001B&nbsp;&nbsp; s5 - 00000000&nbsp;&nbsp; s6 - 00000103&nbsp;&nbsp; s7 - FFFF8000
t8 - 00000001&nbsp;&nbsp; t9 - 00000001&nbsp;&nbsp; k0 - 80794AEC&nbsp;&nbsp; k1 - 00000AAA
gp - 00000000&nbsp;&nbsp; sp - 800F0138&nbsp;&nbsp; fp - 800F01E0&nbsp;&nbsp; ra - 8004ABB8
pc - 8004AC78<br>
Now that we have our reg dump, we need to use GSCC2k2/Nemu to get a RAM Dump.
After you dump the RAM to a file, open it with Niew. Now press F4 to switch to
ASM view and press F5 to enter the BP address (8004AC78), but start it with 0
instesd of 8. Scroll up a few lines so you can see what happens before and
after your ice is written to. Here's what it looks like:
<img src="./The Secrets of Professional GameShark(tm) Hacking_files/niew2.jpg">
Now the part we need to look at in this case is 0004AC68 - 0004AC78. I'll
explain what each opcode does...<br><br>
<table border="0" cellpadding="5"><tbody><tr><td><b>lui </b></td><td><b>$v1,802F</b></td><td></td></tr><tr><td><b>lw </b></td><td><b>$v1,CE20($v1)</b></td></tr><tr><td><b>lhu </b></td><td><b>$v0,0656($v1)</b></td></tr><tr><td><b>addiu</b></td><td><b>$v0,$v0,FFE0</b></td></tr><tr><td><b>sh </b></td><td><b>$v0,0656($v1)</b></td></tr></tbody></table>
<table border="1" cellpadding="5" cellspacing="0" width="700"><tbody><tr><td nowrap="nowrap">lui $v1,802F</td><td>LUI - Load Upper Immediate: This puts the hex value (immediate) into the left (upper) half of the reg specified. Meaning $v1 now equals 802F0000.</td></tr><tr><td nowrap="nowrap">lw $v1,CE20($v1)</td><td>LW - Load Word: This loads the word (32-bit) value of the reg in () + the hex offset into the reg on the left. The hex offset is signed though; the means if the offset is higher than 7FFF, the upper 16 bits are made FFFF. So, CE20 is actually FFFFCE20. The 32-bit value at 802ECE20 is "800EFBC0", so $v1 is 800EFBC0 now. Anyone familar with pointers? This is what they're for. hehe</td></tr><tr><td nowrap="nowrap">lhu $v0,0656($v1)</td><td>LHU - Load Halfword Unsigned: This loads the halfword (16-bit) value from $v1 + 0656 hex (signed offset) into $v0. Now $v0 is the amount of Ice you currently have.</td></tr><tr><td nowrap="nowrap">addiu $v0,$v0,FFE0</td><td>ADDIU - Add Immediate Unsigned Word: This adds the 2nd reg listed + the hex value and puts that value into the 1st reg, so $v0 = $v0 + FFE0. Now you're gonna say, "how does that decrease my ice?" Well, let's say your Ice, $v0, is 00000080. Now add FFE0 to it and you get 00010060.</td></tr><tr><td nowrap="nowrap">sh $v0,0656($v1)</td><td>Store Halfword: Same as when you loaded this halfword value 2 opcodes above. Now you're just storing it. So how does it decrease your ice? It's only storing the halfword value in $v0 to the RAM. That means it's only storing the 16 bits (4 digits) on the right, so it's storing 0060. Now your ice was decreased by 20 (hex).</td></tr></tbody></table><br><br>
Pretty cool huh? Info about all the opcodes and what they do can be found in
the R4300i Opcode Documentation (you did download it, right???). You can use
this ASM to get other effects besides infinite ice. Obviously, you can change
the FFE0 so you'll lose less ice, more ice, no ice at all, or even make it
increase your ice. BUT, why stop at Ice? You can make this ASM routine do
just about anything. I'll show you something relatively easy and useful you
can do with this...
Ok, you remember that your ice is stored at 800F0217 initially. Well, your
health is always 2 below your ice (it's stored at 800F0215 initially). So
by making a small alteration to this ASM, you can give yourself Infinite Ice
and cause your health to be refilled when you throw ice. We only need to
change 2 opcodes for this.
We change:
addiu $v0,$v0,FFE0
sh $v0,0656($v1)
to:
addiu $v0,$zero,00FF
sh $v0,0654($v1)
Now $v0 = $zero + 00FF, so $v0 is 000000FF. $zero is just that. It's ALWAYS 0.
You'll notice we barely changed the 2nd line. Health is stored 2 below ice, so
we changed 0656 to 0654. Now what's the code to use for this effect? That's
what the 2nd comlumn in Niew tells you. When you change each of those, the
values in the 2nd column change accordingly. The values that are different are
highlighted since they may or may not all change. Here's what it looks like:
<img src="./The Secrets of Professional GameShark(tm) Hacking_files/niew3.jpg">
Ok, we can see the a few values changed. The code would be:
8004AC75 0002
8104AC76 00FF
8004AC7B 0054
That's your code. You changed the ASM so it makes your health 00FF everytime
you use ice, and your ice never goes down because the asm that was decreasing
it is changed to refill your health instead. We can shorten this code to 2
lines if we want to.
8104AC74 2400
8004AC7B 0054
The first line kills that ADDIU opcode and the 2nd makes it store the value of
$v0 to your health instead of ice, so basicly, it copies the amount of ice
you have into your health.
<b><i><a name="n64asm_hackingmisc">Hacking Some Various Types Of Codes Using ASM</a></i></b>
<a name="n64asm_hackingmisc"> I showed above you how to make Infinite Ammo, Health, etc and Modify you ammo
consumption &amp; such all in pretty much the same way there. Now I'll show you how to
hack some other types of ASM codes. I'll try to start out with easier codes and
progress to more advanced stuff. Always remember, "there's more than one way to
skin a cat." The examples I'm showing you are never the only way of doing
something, and they're by no means the only types of things you can do. The
only limits in ASM hacking are the hacker's mind.
<i><u>Infinite Ammo For All Guns</u></i>
There are times when the method I stated above won't affect all your guns.
Duke Nukem 64 is an example of this. Each gun has its own routine that
decrements your ammo when you shoot. Think the only way to do it is a code for
each gun? Nah. Let's make 1 code do it all.
Set a BPR on the ammo for whatever gun you have currently equipped (Pistol in
my case - 802A5A00). The game should halt immediately.
Breakpoint/PC Address: 8006F8E0.
Opcode: LH $A2,59FE($A2)
What it does:
Loads Halfword value $A2 from $A2 + 59FE. $A2 is 802A0002.
(802A0002 + 59FE = 802A5A00) In this case, the reg that's holding the address
we're going to need to write to is overwritten by the load opcode. This isn't
a problem; it's actually useful in this case. That initial address in $A2
changes depending on what gun you have equipped so it can read the ammo you
have for whatever gun is equipped. It's actually using this to display your
ammo on the screen. Do we care? No, so let's change it and get Infinite Ammo
for all weapons. :)
Since it's a Load Halfword (LH), we want it to Store Halfward (SH) instead.
Sounds good, right? But what do we store? If you can find a reg that always has
a useful value in it (like something between 0001 and FFFF) you can use it;
otherwise you'd have to go through setting the value yourself. For now, we'll
do this the easy way. Remember $K1 is always 0AAA? Well, we'll store it and
always have AAA (2730) bullets for all guns.
Our new Opcode is: SH $K1,59FE($A2)
When you enter that into Niew, you'll notice only 1 16-Bit address changed,
8106F8E0. The value is now A4DB. There's your code :)
<i><u>Modify Initial Stats When Starting A New Game</u></i>
This type of code is reminiscent of the Game Genie<69> era. "Start With X
Lives" was something that was seen for pretty much every game, but we've never
seen that kinda thing on N64, have we? Well, we can now. I'll use Mario 64 as
an example this time.
At the title screen/menu, set a BPW on Mario's lives (8033B21D). Now Start a
new game. The break will occur at 8025500C, but this stores $zero to the
address, so NOP it and try again. Now you'll get the right one.
Breakpoint/PC Address: 8025501C
Opcode: SB $T2,00AD($T3)
What It Does:
Stores Byte value $T2 to the address $t3 + 00AD.
Now we gotta make it store what we want to there. Start looking at the opcodes
that come before it and find what sets $t2. Luckily, this one is actually the
opcode right before it. 80255018: ADDIU $t2,$zero,0005. This is pretty simple.
Just change the 0005 to whatever you want, so your code would be 8125501A ????.
Lets say, for the sake of argument, that you found a Load instead of an Add
opcode there. You'd have 2 options.
1. Change the op to ADDIU $T2,$zero,????
2. Go to the address the Load op is loading $T2 from and change it there.
"But what if there's no load? I wanna modify something that you start with
0 of, and the opcode just stores $zero." This can be a bit trickier. You can
use $K1 and have AAA of that item if you want -- the easy way out. Or you can
find a place before the Store opcode to put an 'ADDIU $K1,$zero,????'. If you
can replace an exiting op without it causing any problems, or find an empty
space (NOP) somewhere there, you're in good shape. Otherwise, you'd need to
Jump out of that routine to an empty area, set the reg, then Jump back. This
may sound a bit complicated, but it's really quite easy once you get the
hang of it. See </a><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64asm_writingroutines">Routines &amp; Jumps</a> for more details.
<i><u>All Scores/Damage Counts For x Player/Team</u></i>
This is easiest on sports type games (i.e. Gretzky Hocky '98); however
it is possible to make player 2/CPU beat themself on a fighting game and is
rather fun to watch. You simply set s BPW on the score, for example. Then
it'll break when the game adds to your score. On Gretzky Hockey (Pal),
you'll get the shots first, since it's watching that too (because the BPW
covers more than 16-Bits). NOP that and get actually score to get it to break
again. This will be the score asm. Gretzky's is at 8005ABCC.
opcode: SH $T8,3440($A2)
What you need to is look through the opcodes that come before it and find a
suitable one to replace, preferably the opcode that sets $A2 in the first place
(or a nice NOP to make use of). In this case we find a NOP at 8005ABA0. Now
let's say we want i tto always add to team 1's score. That's 800EA870. Split
that into 2 16-Bit halves, 800E and A870. Now because ASM uses signed values
we need to take in account the value of the 2nd half of the address. If it's
more than 7FFF, which it is, we need to add 1 to the 1st half. So 800E becomes
800F. Now we use 'LUI $A2,800F' in that NOP and change both the LH and the SH
opcodes there to add A870 instead of 3440.
Before:
8005ABA0: NOP
8005ABAC: LH $T7,3440($A2)
8005ABCC SH $T8,3440($A2)
After:
8005ABA0: LUI $A2,800F
8005ABAC: LH $T7,A870($A2)
8005ABCC: SH $T8,A870($A2)
So our code is:
8105ABA0 3C06
8105ABA2 800F
8105ABAE A870
8105ABCE A870
You can do that same thing on fighting games, but P2/CPU won't actually
beat themself up, so it's less entertaining. I've never actually accomplished
this myself, but the way it's done starts out the same way as this, but then
requires tracing through the ASM to find where it determines what player is
actually being hit. This has been done for Mortal Kombat Trilogy if you'd
like an example code to look at on your own.
<i><u>Invcincibility</u></i>
Using an Infinite Health code but tired of getting banged around? Here's
your solution. I'll use Turok Dinosaur Hunter as an example on this one. If
you know me, you had to know that'd be coming eventually, considering I hacked
over 30,000 codes for that game. hehe
This starts out the same as most things. BPW on Health address and, get
hit by an enemy, game halts. The address of the breakpoint here is 80071494,
but that's a Branch. The actual opcode that wrote it is the next one down,
80071498. NOPing that will stop your health from being decremented when hit,
but doesn't make you untouchable. To do that, you need to scroll down through
the OPs til you find a 'JR $xx'. Look at 80071654. Bingo! JR $RA
JR is a "Jump Register." This jumps to the address stored in $RA. Now, is there
something loading $RA just before that? Yep, 8007164C. We need a BPX after
that loads to find out what it is. On Nemu, this is easy, I mentioned above.
On GSCC2k2, yo'ull have to set it up...
This is what I recommend for GSCC2k2 users:
80071498: LUI $K1,8000
80071658: SW $K1,0060($K1)
In GS code form:
81071498 3C1B
8107149A 8000
81071658 AF7B
8107165A 0060
What that does is set $K1 to 80000000 (the game won't using $K1 for anything,
remember?) and stores it to 80000060, which you'll set a BPW on. Now why did
I pick those addresses? Well, 80071498 is that opcode that stores helath, we
don't what it does and we don't really care about it, so we can change it. Now
80071658 is the opcode directly after JR $RA. Lucky for us it's a NOP, so it
works out well. Now when you get hit again, it'll break. This time, we know
what the break address is going to be, no suprise there. What we wanna know is
what $RA is at the time. In this case, it's 80060A24. Now when you look at the
ASM here, you'll see that it immediately loads $RA from somewhere else and
does another JR $RA. This is not always the case, but it is this time, so BPX
again. Change 80071658 back to NOP, if you didn't didn't already, and put your
SW $K1,0060($K1) at 80060A30 (the NOP following the new JR $RA). Now this time
we get the breakpoint and $RA is 80061D4C; go there. Look up 2 opcodes and you
should se a JAL (Jump And Link). Yep, 80061D40 is JAL 800609A4. That jumps to
800609A4, which appears to be the start of the routine that causes Turok to
take damage. NOP it and see if you become Invincible. Yep, Turok is now a God.
What you just did was trace some ASM. In some games, you'll have to repeat
those steps and trace back even further.
<i><u>Modify Jump Height (Mega Jump!)</u></i>
This one's rather hard to explain. You basicly have to find your own way
of doing this, but I'll give you the general concept here. You have to find
the ASM the writes the Moon Jump address when you first press the jump button.
That's harder than it sounds because there are usually multiple constant
writes on the Moon Jump addy, and one of those could be the one you're looking
for so you can't just NOP them. I've found it possible with Nemu64 to keep
resuming and get my charater to jump between breaks, but this can be a bit
tricky. I don't know if it's XP or what, but sometimes I can move and such on
the game when the Commands window is highlighted instead of the main game
window, and other times I can't. One way I've found to get this to happen is to
load the Mario 64 rom, then immidiately click onto whatever window is behind
Nemu; odds are, you'll be able to press whatever keys you've assigned for the
controller and you'll hear Mario's face getting trashed (The little *doing*
you hear when you click his face). Then you'll know this is working and you can
go ahead and load the game you wanna hack. If you can, get that far, then open
the Registers window (Commands window should already be open) and go to the
"COP 1" tab. Now keep resuming and tryin gto jump, as I said, and everytime
time it breaks look at the reg being stored (F4,F6, etc) and see what the value
is. You're usually looking for the one that's 4xxxxxxxx when being stored to
the jump address. Get that far? Good for you. The hard part is over. Now
there are 2 ways you can change the jump height.
1. You can search for that value in the RAM. This is the easy way out, however
you might need to do it more than once if the game has different types of
jumps (i.e. Banjo has normal jump and backflip).
2. Change the ASM. To change COP1 regs though, you can't just use ADDIU. You
have to set a normal reg (like $k1) to the value you want to use with LUI then
use MTC1 to put it in the COP1 reg that the game is storing. In most cases,
you could also stick with the regular ops and change the SWC1 to an SH/SW. For
example sake, I'll show you the way to do it with COP1:
LUI $K1,???? - Load Upper Immediate will set $K1 to ????0000
MTC1 $K1,Fx - Move To COP1 moves the value in $K1 to Fx (x can be 1-31, in
our case it should be the reg that's being store to the Moon
Jump address.
I know this description is a little rough. Imagine trying to write it up. ;)
If you really want to do this with GSCC2k2, I'd suggest setting up the BPW as
HyperHacker describes for his Anti-Gravity How-To below, but jumping up
instead of falling. This is just a theory on my part, as I don't have a working
shark anymore.
<i><u>Anti-Gravity Codes (by HyperHacker)</u></i>
You will need GSCC for this. Knowing some ASM may help but isn't required.
1) Find the character's Y Speed. If there's an L Button To Levitate or Moon
Jump code for the game, chances are it works by setting the character's Y
Speed to a constant value. (Also in some cases making them jump - if there's
more than one line besides the activator, remove some until the code only
works when you're in the air - that's the Y Speed.)
2) Open GSCC, go into the RAM editor and start the game.
3) Go into the breakpoint window, and create a Write BP on the character's Y
Speed. Don't enable the BP yet, but use the Tab key to make sure the Set BP
button will activate when you press Enter.
4) In the game, fall off something. (Don't jump, you have to be moving down.)
While in the air, press Enter on the PC to enable the BP.
5) The game should halt immediately. Clear the message box that appears and
GSCC should go to the BP address. (Check the N64regs.txt file it opens to be
sure, since sometimes it goes to the wrong place. The number beside "PC" is
the BP address.)
6) Write down the 16-bit value at this address. Change it to 2400 and the
gravity should be disabled! (You may still slowly fall, some games do that.)
If not, repeat the process (don't change this value back) until you find it.
7) Make a code out of it!
Note: No gravity may get annoying and make the game hard to play. I suggest
you set it up like my Mario 64 codes, this way:
[Activator]
[Anti-gravity code]
[Activator]
[Enable Gravity code*]
[Activator]
[Y Speed = Positive code**]
[Activator]
[Y Speed = 0 code**]
[Activator]
[Y Speed = Negative code**]
Each activator should be different of course.
*The Enable Gravity code is simple. Take the Anti-gravity code and change
the value back to what it originally was.
**These are codes to set the character's Y Speed to any positive value, 0,
and any negative value, allowing the player to move up and down. Play around
to find a nice speed. Also, some games crash when setting the speed to 0, in
which case I recommend about 3000 for most games (which isn't stopped, but so
super slow you wouldn't notice).
(C) 2003 HyperHacker
<i><u>Walk Through Walls (General Theory Only)</u></i>
I haven't done a great deal of looking for WTWs yet, but I thought I'd
share the general concept of how you'd find them with ASM because they've
always been such a hot topic.
Theory 1:
On games where you take damage from hitting walls (i.e. certain racing
games) you could BPW on healh/energy and hit a wall to cause the break. Then
start backtracing the ASM a bit and NOPing the Jumps. I did this with F-Zero X
and was able to pass through the walls, althrough you plummit to your death if
you slow down. lol
Theory 2:
Now what about the typical games, where you just bounce your head off the
walls but nothing happens? This may be a little tricky. The idea here would
most likely be to BPW on your X/Z coordinate and find the ASM that causes you
to move. Then look around for branches that skip it when you hit a wall, or
an opcode that stores your X/Z again when you hit something. I don't imagine
this will be easy, but I know someone will want to try it. :)
<i><u>Breaking Limits</u></i>
Ever wanna carry more than 100 bullets, but the game wouldn't let you?
I'll show you why and how to get around it. Let's use Turok Dinosaur Hunter
v1.0 for this one. Get near a clip with something other than the pistol
equipped (to avoid extra breaks). Now set a BPR and BPW on the pistol ammo.
You'll get an immediate break on this one. The ASM that breaks is actually
what tells if you're allowed to equip the pistol or not (this is how I made
the weapons shoot without ammo). NOP that and set the BPs again. Now you can
walk over the clip to cause a break. You'll find yourself at 80057DB4, which
is a Branch; the Load Word is in it's delay slot. Now if you look through
the next few opcodes, you'll see these:
80057DC0: SLTI $at,$t0,00C8
-Set On Less Than Immediate.
-if $t0 is less than 00C8, $at is 1, otherwise $at is 0
80057DC4: BNEL $at,$zero,80057F68
-If $at is Not Equal To $zero, then jump to 80057F68
80057DD8: SLTI $at,$t0,0064
-Set On Less Than Immediate.
-if $t0 is less than 0064, $at is 1, otherwise $at is 0
80057DDC: BNEL $at,$zero,80057F68
-If $at is Not Equal To $zero, then jump to 80057F68
C8 (200) is the maximum pistol ammo when you have a backpack and 64 (100) is
the max without the backpack.
If you look at 80057DB0 and B4 you'll see it loads the word (32-Bit) value from
80128D28 (the backpack's on/off address) and branches accordingly. You can NOP
the Branch there to force the pistol to always have the packpack available, or
force the Branch so the backpack is never avilable to the pistol. Now, we can
do a couple different things with the opcodes I showed you above. You probably
noticed by now that you can change the values on the SLTIs to whatever you want
to mod the maximum pistol ammo with/without backpack. Now how bout killing the
limit entirely? Easy. Just force the branch. We can do this by changing it to a
Jump, but that'll make it a 2 line code to replace each Branch. Instead, we'll
change the branch to BEQ $zero,$zero,80057F68. I use this just like I use Short
NOPs. 1000XXXX is BEQ $zero,$zero,XXXX address. :)
Wait, we're not done yet. That will allow you to pickup ammo no matter how much
you have, but if you try it, you'll see you're still capped at 64/C8. This is
because there's another check where it actually adds the pickup to your total,
so when you have 99 bullets and pickup 10 you still end up with 100. When you
get the next breakpoint (you can NOP the LW here or just resume), you'll get a
useless one at 8009269C. NOP it and go again. Now you'll be at 80057B14. See
anything interesting?
80057B28: SLTI $at,$t6,00C9
80057B2C: BNE $at,$zero,80057D10
80057B30: ADDIU $t9,$zero,00C8
80057B40: ADDIU $t1,$zero,0064
80057B44: SLTI $at,$t0,0065
80057B48: BNE $at,$zero,80057D10
and again you'll see it check for the backpack and Branch accordingly.
With This group, notice the ADDIUs. You can change just these and make it so
when a pickup would bump you over 100/200 bullets, it'll give you like 500
instead. You could change both the SLTI and ADDIUs to change the max ammo
with/without backpack. Lastly, you can break the limits entirely by forcing
the Branches like I showed you.
So from 3 breakpoints, we can make all these codes, and probably more that I
haven't even thought of... like adding bullet pickups to other weapons instead.
Max Bullets Modifier (Without Backpack)
81057B42 ????
81057B46 ????
81057DDA ????
Max Bullets Modifier (With Backpack)
81057B32 ????
81057B2A ????
81057DC2 ????
Pistol Can Shoot Without Ammo
810583F8 1000
Pistol Can Shoot Without Ammo (Alternate)
810583F4 240A
810583F6 0001
Break Max Bullets (Without Backpack)
81057B48 1000
81057DDC 1000
Break Max Bullets (Without Backpack)(Alternate)
81057B44 2501
81057DD8 2521
Break Max Bullets (With Backpack)
81057B2C 1000
81057DC4 1000
Break Max Bullets (With Backpack)(Alternate)
81057B28 25C1
81057DC0 2501
Always Have Backpack For Bullets
81057B20 2400
81057DB4 5400
Always Have Backpack For Bullets (Alternate)
81057B18 240F
81057DB0 2419
Always Have Backpack For Bullets (Alternate 2)
81057B22 0001
81057DB6 0001
<i><u>Copy Bytes Codes</u></i>
You might've noticed that PSX and all the newer systems have a code type
called "Copy Bytes." What this does is copy values from one location in RAM to
another. You can use ASM to do this on N64 if you want, since Datel didn't
bother to include the code type in the N64 shark.
First, find an ASM routine to 'hook' into. You'll probably want something
that's always executing, but there may be cases where you want something else.
The easiest way I've found to do a Copy Bytes that's always copying is to find
a routine that reads the button/stick activators for the game. I'll use Super
Mario 64 as our example in this one....
We'll do a BPR on the button activator (00367054). We got 80323B58 as our
break address. Now if we look a few opcodes down, we'll see that we can safely
use $t2, $t3, $t4, and $t5. You could jump from 23B58, but I'm going from
23B54 instead -- just my preference. Now, let's jump to 80400000 so we have
plenty of room to work, and I'll show you how to copy the value of one address
to another.
80323B54: J 80400000 - the Jump (duh)
routine now begins at 8040000
LUI $t2,8020
ADDIU $t3,$t2,7702
ADDIU $t2,$t2,7772
LH $t4,0000($t2)
SH $t4,0000($t3)
J 80323B5C
SW $at,0000($t8)
That loads the 16-Bit value in 80207702 into $t4, then stores it to 80207772.
The Store Word (SW) at the end is just the opcode that the Jump replaced from
80323B54.
Now here is an example routine that copies a lot. This will copy 80207700 -
8020776C (Star &amp; Coin Records for File 1) to 80207770 - 802077DC (Star &amp;
Coin Records on File 2).
80323B54: J 80400000 - the Jump (again)
routine begins at 80400000
LUI $t2,8020
ADDIU $t3,$t2,7770
ADDIU $t2,$t2,7700
ADDU $t5,$zero,$zero
LW $t4,0000($t2)
SW $t4,0000($t3)
ADDIU $t2,$t2,0004
ADDIU $t3,$t3,0004
SLTIU $k1,$t5,006C
BNE $k1,$zero,80400010
ADDIU $t5,$t5,0004
J 80323B5C
SW $at,0000($t8)
Ever used a For Loop in other types of programming? Same concept here. If $t5
is less than 6C $k1 is set to 1. If $k1 is Not Equal To $zero then it jumps
back to the LW opcode and proceeds through again.
<b><i><a name="n64asm_writingroutines">Writing Routines, Jumping In And Out, Etc</a></i></b>
<a name="n64asm_writingroutines"> Ok, I bet you're wondering what you can do when you want to change
something but there's no room to do it within the current routine (no NOPs
or useless ops to change). This is where Jumping comes in. Remember in my
Invincibility code example, I showed you how to make Turok Invincible? Well,
what about if we want to do somethin ga little different? Like make him take
Double or Half Damage? Multiply the damage? Well, first you need to find the
opcode that subtracts from Turok's health when he's hit. We found the the
opcode that actually writes the new helath value (80071498), so it should be
a few opcodes or so before that. Look at 80071490. SUBU $V0,$T6,$V1. This
means "$V0 = $T6 - $V1" so $V1 would be the amount of damage taken. We need
to find a play to jump out of this routine now, so we can manipulate $V1 a
bit. This has to happen after $V1 is loaded, but before it's subtracted from
$T6. Also, You can't have 2 consecutive Jump or Branch opcodes because jumps
and branches all have that Delay Slot and putting another Jump/Branch in there
will crash the game. With that Delay slot you also need to take into account
the opcode you're replacing with a Jump. I'll show you what I mean...
80071478: LW $V1,003C($SP)
8007147C: BEQ $V1,$ZERO,80071538
80071480: NOP
80071484: LH $T6,01DC($T0)
80071488: LUI $A0,8010
8007148C: ADDIU $A0,$A0,9E60
80071490: SUBU $V0,$T6,$V1
80071494: BGEZL $V0,800714A8
80071498: SH $V0,01DC(T0)
Ok, see 80071488 and 8007148C? Those need executed in that order, so if you put
a jump at 80071488 that next opcode that uses $A0 would be in the Delay Slot.
We don't want that. 80071484 looks good here. That loads Turok's current health.
Write that opcode down before you change it because you want it to still get
executed at some point in your routine, so you're not losing anything. Ok, we
picked our address to Jump from. Now where do we jump to? You can jump to any
part of the RAM that the game doesn't use. Most games don't use the following
areas after boot up (so they're free for us to play with):
80000058 - 8000007C
80000090 - 800000C0
and typicly you'll find a good amount of space somwhere in the area between
800002B4 and 800003F0
Also, if you're hacking a game that doesn't require the expansion pack, but
you have it anyway, then you've got plenty of RAM to play with (804-808!).
Ok, in this example, we'll Jump to 80000060. The Opcode we'll use is:
J 80000060
That amounts to
81071484 0800
81071486 0018
as our Jump code.
The routine itself is going to double, multiply, or divide $V1. I'll show you
3 ways of accomplishing this, but there are more.
Double:
ADDU $V1,$V1,$V1 - pretty self explanatory, I think $V1 = $V1 + $V1
Multiply: (This is where it gets a little more interesting)
ADDIU $K1,$ZERO,00?? - We set $K1 to the amount we want to multiply by
MULT $V1,$K1 - Multiply $V1 by $K1. The result is stored in "LO"
MFLO $V1 - Move the result from LO to $V1. LO and HI are used for some special
calculations (like MULTU and DIVU). If used with a DIV opcode, LO is the
division result and HI is the remainder.
Divide:
ADDIU $K1,$ZERO,00?? - We set $K1 to the amount we want to divide by
DIV $V1,$K1 - Divide $V1 by $K1. The result is stored in "LO"
MFLO $V1 - Move the result from LO to $V1.
Let's say you've decided on Dividing by 2 so Turok takes Half Damage. Next, we
need to know where we're Jumping back to. This is normally the address of the
Jump plus 8 (we need to skip the Delay Slot since it'a already done). So...
ADDIU $K1,$ZERO,0002
DIV $V1,$K1
MFLO $V1
J 8007148C
Wait a minute. What comes after the Jump? The Delay slot needs to have a valid
ASM opcode (Like a NOP). Oh, what about that opcode that loads health? :)
ADDIU $K1,$ZERO,0002
DIV $V1,$K1
MFLO $V1
J 8007148C
LH $T6,01DC($T0)
That's more like it. Note that in some cases, you may want that opcode to
execute first (like if you needed the health value for something there), but
for this purpose we don't need to. When you can, I recommend putting the last
opcode of your routine in the Delay Slot. If you wanted that health load first
then you'd do it like this:
LH $T6,01DC($T0)
ADDIU $K1,$ZERO,0002
DIV $V1,$K1
J 8007148C
MFLO $V1
That would work just the same. Only difference here is that the LH is done
first instead of last.
Once you get done typing that into Niew, you'll see your code is:
81071484 0800
81071486 0018
81000060 241B
81000062 0002
81000064 007B
81000066 001A
81000068 0000
8100006A 1812
8100006C 0801
8100006E C523
81000070 850E
81000072 01DC
There you have it. "Turok Takes Half Damage"
<i><u>Tip: Jump And Link</u></i>
Once you get used to jumping and jumping back, you may want to do it the
easy way. Jump And Link (JAL) works like J but it stores the return address in
$RA for you. Note that you can't always do this because the game may not
load $RA again before it uses it. If you look down through the opcodes in the
routine you're jumping out of, you should be able to fins a JR $xx at the end.
If this is something other than $RA or it loads $RA from somewhere first, then
you're in good shape. Otherwise you'd have to back up that reg somewhere if
you're going to do it. A quick way to tell if you can do this other than
lookin for the JR $xx is to see if you notice a JAL right in the area. If the
game uses JAL there, then you can pretty well bet it's gonna load $RA before
it uses a JR $RA. So to do the above code the way I like to do them....
81071484 becomes JAL 80000060
and
8100006C becomes JR $RA
The new code would be:
81071484 <b>0C00</b>
81071486 0018
81000060 241B
81000062 0002
81000064 007B
81000066 001A
81000068 0000
8100006A 1812
8100006C <b>03E0</b>
8100006E <b>0008</b>
81000070 850E
81000072 01DC
<i><u>Tip: Using Regs Other Than $K1</u></i>
If you need more than just 1 free reg to use in a routine, you'll have to
look for ones that aren't in use. The safest thing to do, is use regs that you
you will be set right after your routine. In the Tutok example, you could use
$T6 since it's set at the end of your routine anyway. You could also safely
use $V0, $T7, $AT, and $T8 in this example (look at routine to see why).
<b><i></i></b></a><b><i><a name="n64asm_bigrouts">Expample Of A Longer ASM Routine</a></i><a name="n64asm_bigrouts"></a></b>
<a name="n64asm_bigrouts"> Well, you've seen some of the things you can do here already, but just
for good measure I'm going to show you a couple longer, slightly more advanced
routines that I wrote for WWF No Mercy.
Example 1: Universal P1 Ultra Code.
Ever play a game where the player &amp; CPU codes can become switched because
of how the game is setup? The breakpoint for this was a BPR on P1's
Health/Spirit. The general idea here to to find which wrestler is human
controlled and keep giving that wrestler Special, Full Spirit, Full Health,
Max Health, and Full Health For All Body Parts (so you don't submit).
800FE770: JAL 80400000 -Jump to 80400000 And Link, $RA is now 800FE778
80400000: LB $V0,00E9($A0) -Load's the value of the CPU/Human address
80400004: ANDI $V0,$V0,000F -$V0 = $V0 AND 000F, if this is 0, it's human
80400008: BNEZ $V0,80400038 -Branch On Not Equal, skip to addy if $V0 != 0
8040000C: ADDIU $V0,$ZERO,0004 -$V0 = 0 + 0004
80400010: SB $V0,00EE($A0) -Store Byte $V0 to $A0 + 00EE
80400014: ADDIU $V0,$ZERO,0064 -$V0 = 0 + 0064
80400018: SH $V0,00AE($A0) - Store Halfword $V0 to $A0 + 00AE
8040001C: SH $V0,00AC($A0) - the rest of this is the same way: set, store
80400020: SH $V0,00AA($A0)
80400024: ADDIU $V0,$ZERO,4248
80400028: SH $V0,02C4($A0)
8040002C: SH $V0,02C8($A0)
80400030: SH $V0,02CC($A0)
80400034: SH $V0,02D0($A0)
80400038: SH $V0,02D4($A0)
8040003C: JR RA -Jump Register: Jumps to address stored in $RA
80400040: NOP -We'll use a NOP as a Delay Slot since we don't
always want that SH to execute.
In this example, we used $A0, which the game sets to a different wresters'
pointer each time it goes through. So we load the CPU/Control info for
whichever wrestler the game is looking at and check if that wrestler is
human. If it is, we go through our routine of writing that wrestler's stats.
If not, we Branch (skip) over it and just Jump Back.
<b><i></i></b></a><b><i><a name="n64asm_usingfpr">Using The COP1 Registers And Instructions</a></i><a name="n64asm_usingfpr"></a></b>
<a name="n64asm_usingfpr"> If you've gotten the hang of this stuff and maybe tried finding some more
advanced types of codes, or even stopping timers on some games, you've probably
noticed COP1 instructions. COP1 has its own set of opcodes and registers for
working with floating point values.
<i><u>How do values get into and out of the floating point registers (FPRs)?</u></i>
They can either be loaded just like we typicly see, using LWC1, or by
moving values from the main regs.
Loading from RAM:
LUI $V0,8014 -Load Upper Immediate, we already know. $V0 = 80140000 now.
LWC1 F2,5420($V0) -Load Word COP1 works just like LW but puts the value into
an FPR, F2 in this case.
LUI $V1,8014 -Load Upper Immediate. $V1 = 80140000
LDC1 F4,5420($V1) -Load Doubleword COP1. Same as above. Used to load a 64bit
value as a double precision floating point value, I guess.
Moving from the main regs:
MTC1 $V0,F2 -Move To COP1. F2 = $V0
Another example:
LUI $V0,3FAB -Load Upper Immediate. $V0 = 3FAB0000
ORI $V0,22D1 -OR Immediate performs a bitwise logical OR on $V0. If you
haven't used OR before, it sets any bits that aren't set.
Since the lower bits aren't set (3FAB<b>0000</b>), this is
just like adding 22D1 to $V0. If $V0 is 3FAB2200 and you
OR it by 22D1, then it'll be 3FAB22D1, as this only sets
what wasn't already there.
MTC1 $V0,F2 -Move $V0 to FPR 2.
Getting values out of FPRs:
SWC1 F5,5420($V0) -Store Word COP1. The usual method of writing the value to
a RAM location.
MFC1 F5,$V1 -Move From COP1. Moves the value from an FPR reg to a main
reg. Thus, $V1 would now be set to the value in F5.
<i><u>How do I do math operations with FPRs?</u></i>
Again, this is the same basic concept as you do normally, it's just more
confusing. COP1 supports both single precision floating points and double
precision floating points. You should have a fair idea of what the 2 mean, if
you've programmed much.
Adding:
ADD.S F1,F4,F8 -Floating Point Add, Single Precision. F1 = F4 + F8.
ADD.D F1,F4,F8 -Floating Point Add, Double Precision. F1 = F4 + F8.
Subtracting:
SUB.S F1,F4,F8 -Floating Point Subtract, Single Precision. F1 = F4 + F8.
SUB.D F1,F4,F8 -Floating Point Subtract, Double Precision. F1 = F4 + F8.
Multiplying:
MUL.S F1,F6,F8 -Floating Point Multiply, Single Precision. F1 = F6 * F8
MUL.D F1,F6,F8 -Floating Point Multiply, Double Precision. F1 = F6 * F8
Dividing:
DIV.S F3,F9,F16 -Floating Point Divide, Single Precision. F3 = F9 / F16
DIV.D F3,F9,F16 -Floating Point Divide, Double Precision. F3 = F9 / F16
I like multiplication and division better in COP1 because it doesn't require
you to use the extra OP to extract the result. There are also some other neat
COP1 OPs like NEG, ROUND, FLOOR, CEIL, etc. This was more of a basic
intro to using COP1.
<b><i><u></u></i></b></a><b><i><u><a name="hacking_gs33">F) Hack Your Shark!? - by HyperHacker</a></u></i></b>
It's actually possible to hack an N64 Gameshark/AR v3.3. You can use these
codes with any game and hack the GS! Sweetness!
81791DF6 ????
81791E02 ???? Lowest Goto Address (normally 80000400)
81791E06 ????
81791E12 ???? Highest Goto Address (normally 803FFFFF)
81791E32 ????
81791E36 ???? Lowest Scroll To Address (normally 80000400)
81791E3A ????
81791E3E ???? Highest Scroll To Address (normally 803FFFFF)
81791E42 ????
81791E4A ???? Address Returned To When Attempting To Go To Invalid Address
(normally 80000400)
807FFDE7 000? Is Controller Active
817FFDE8 ???? Button Pressed Data
817FFDEA ???? Joystick Data (if you can find any use for these last 3, tell me!)
817E9C98 ????
817E9C9A ???? Cursor X Coord
817E9C9C ????
817E9C9E ???? Cursor Y Coord
817E9CA0 ????
817E9CA2 ???? Cursor Mode
807E9D34 - 807E9D44 Text Searched For
You can use this to turn the Text Search into a string search for almost any
number, but beware - If you enter a number between 41h and 5Ah, it will also
search for numbers 20h higher. This is to allow strings to be found in caps or
lowercase. Also, if you enter a number lower than 20h, it will crash
everything, as these are special control bytes rather than text.
I've also hacked the active code list! Using this along with the codes to goto
any RAM, you can alter active codes on the fly. Plus, if you know N64 ASM, you
can create your own types of codes! The list starts at 807C0000. Basically,
it's just a bunch of ASM that is executed several times per second. The formats
are as follows:
80 Code Type (constant 8-bit write)
Format: 3C1A XXXX 375A YYYY 241B ZZZZ A35B 0000
ASM: lui $k0,XXXX
ori $k0,k0,YYYY
addiu $k1,$zero,ZZZZ
sb $k1,0000($k0)
81 Code Type (constant 16-bit write)
Format: 3C1A XXXX 375A YYYY 241B ZZZZ A75B 0000
ASM: lui $k0,XXXX
ori $k0,$k0,YYYY
addiu $k1,$zero,ZZZZ
sh $k1,0000($k0)
88 Code Type (8-bit write, G$ Button triggered)
Format: 3C1A BE40 375A 0000 875B 0000 0000 000F 337B 0400 1760 0004, then
normal 80 code type format
ASM: lui $k0,BE40
ori $k0,$k0,0000
lh $k1,0000($k0)
sync
andi $k1,$k1,0400
bne $k1,$zero,00000028
Then normal 80 code type ASM
89 Code Type (16-bit write, G$ Button triggered)
Format: 3C1A BE40 375A 0000 875B 0000 0000 000F 337B 0400 1760 0004, then
normal 81 code type format
ASM: lui $k0,BE40
ori $k0,$k0,0000
lh $k1,0000($k0)
sync
andi $k1,$k1,0400
bne $k1,$zero,00000028
Then normal 81 code type ASM
D0 Code Type (8-bit activate if equal)
Format: 3C1A XXXX 375A YYYY 835A 0000 241B ZZZZ 175B 0004, then code to be
activated
ASM: lui $k0,XXXX
ori $k0,$k0,YYYY
lb $k0,0000($k0)
addiu $k1,$zero,ZZZZ
bne $k0,$k1,00000024
Then code to be activated
D1 Code Type (16-bit activate if equal)
Format: 3C1A XXXX 375A YYYY 875A 0000 241B ZZZZ 175B 0004, then code to be activated
ASM: lui $k0,XXXX
ori $k0,$k0,YYYY
lh $k0,0000($k0)
addiu $k1,$zero,ZZZZ
bne $k0,$k1,00000024
D2 Code Type (8-bit activate if not equal)
Format:
ASM:
D3 Code Type (16-bit activate if not equal)
Format:
ASM:
THE LIST MUST END WITH THE FOLLOWING CODE:
3C1A 8000 375A 0120 0340 0008 0000 0020
IF IT DOES NOT, THE GAME WILL FREEZE AS PROCESSING WILL NOT RETURN TO THE GAME
PROGRAM.
<b><i><u><a name="hacking_ps2_codes">G) Hacking Playstation 2 Codes</a></u></i></b>
There are no trainers, code gens, etc publicly available for PS2 as of
right now, and according to CodeMaster doesn't look promissing. This is because
it's so hard to get things like this working on the system. So how are some of
us doing it?
<b>WARNING: Either of these methods could potentially cause damage to your
system if you enter bad codes! This isn't a common occurence, but you have
been warned! The authors are not responsible for any damage you may cause
to your PS2!</b>
<b><i>Guess &amp; Check</i></b>
Yeah, the old "Guess &amp; Check" methods are usuable on PS2. This can be
done with encrypted codes, but it's recommended that you play with RAW codes
and encrypt them yourself. The Codebreaker PS2 actually has the ability to
accept RAW codes, I think. This can make things easier. Still, you're left
with a problem: There's too much RAM to play with, and constatly rebooting
with a CD based cheat device is a real pain. The only shortcut I've found if
you're really looking to find a specific effect is to use patch codes to
conver a certain amount of the RAM at a time til you get the desired effect.
Then narrow down the patch a little at a time til you lose the effect and
you'll know where the code is. <i>NOTE: To pretty well eliminate the risk of
messing up your PS2 with a faulty code, stay in the same area of the RAM as the
existing codes for thew game you are hacking.</i>
<b><i>Using PS2DIS - Courtesy hellion (<a href="http://hellion00.thegfcc.com/">hellion00.thegfcc.com</a>)</i></b>
<!--Begin hellion's PS2DIS guide-->
<table border="0" width="700"><tbody><tr><td font="" face="COURIER NEW"><ol><li>Introduction <p>First things first. Using PS2DIS to home-hack GameShark codes is NOT easy (for the most part). It helps out a lot, but still requires a fair amount of programming knowledge to get the really good codes. I will try to show you in this guide how to make the best use of it you can. You will soon see why it is almost useless for a lot of (or most) games, but also why we were so successful with GTA3.</p><p>The FAQ assumes that you have a basic knowledge of the hexidecimal number system and some key programming concepts (functions and variables).</p><br></li><li>Getting Started <p>Here's what you'll need in order to use it:</p><ol type="a"><p></p><li>Download the program from <a href="http://www.gscentral.com/lib/downloads/ps2dis099_23.zip">HERE</a> and extract it to your harddrive.
(Hanimar's (the creator of PS2DIS) site is here: <a href="http://www.geocities.com/SiliconValley/Station/8269/ps2dis/">http://www.geocities.com/SiliconValley/Station/8269/ps2dis/</a>)<p></p><p></p></li><li>Using the DVD drive in your computer (or a friend that has one), copy the SLUS file off of the game. If the game is in CD-ROM format (instead of DVD), a normal CD drive will work fine. The SLUS files usually have a name like "SLUS_###.##". For example, the GTA3 SLUS file is named "SLUS_200.62". Some start with SCUS, and PAL format discs have ones that start with SLES. There are other variations out there, but that should cover the majority of them.<p></p><p></p></li><li>Once that file is on your harddrive, open up PS2DIS (by running the ps2dis.exe exectutable) and use File-&gt;Open to open the file you copied off the disc.<p></p></li></ol><p>You are now ready to start your hacking. :)</p></li><li>Display <p>This is what you should be looking at on your screen now:</p><p>Top Part (Grey):</p><blockquote>This shows you the data as it appears in memory. I don't use this too often, but it gives you the addresses, hex values, and corresponding alphanumeric values of those hex bytes.</blockquote><p>Bottom Part (Blue):&gt;</p><blockquote>1st column: This is the address of the current line of code. Since the PS2 instructions are 32-bits, it only shows you every 4th address (this can be modified, as you'll see later).</blockquote><blockquote>2nd column: This is the 4 bytes of data that is stored at the address in column 1.</blockquote><blockquote>3rd column: This column is for labels (more about them later). This column is blank for most lines.</blockquote><blockquote>4th column: This shows you the disassembled instruction that corresponds with the data in column 2 (read more about instructions in the MIPS guide).</blockquote></li><li>Navigation Controls <p>Getting around in the DIS is fairly easy once you get used to it. You can move between lines of code using the Up and Down arrows. The Page Up and Page Down keys do exactly what you'd expect them to do. Using Ctrl+Page Up or Ctrl+Page Down will jump up or down by a large number of addresses (+/- $00001000). Also, by holding Shift while using the Up and Down arrows, you can scroll up or down while keeping an address you want highlighted. This is handy just in case you tend to lose it when you scroll.</p><p>Occasionally, you will see a line of code where the disassembled code has an up or down arrow in it. This indicates a Jump or a Branch (more on these instructions in the MIPS guide). If you highlight that line of code and press the Right arrow, it will take you to whatever line of code that instruction was jumping or branching to. This is extremely useful in tracing sections of code to see what it does.</p><p>If you use the Right arrow to get to a Jump or Branch's destination, you can use the Left arrow to go back to the original instruction. Be careful though, because if you use it too many times, it will take you back to the address it started at when you opened the file and you'll lose the place that you were at.</p><p>If you know exactly what address you want to go to, you can press the G key. This will bring up a dialog where you can type in an
8-digit address and it will take you right there.</p><p>One of my favorite features of PS2DIS is the Label Listing. Press Ctrl+G to bring it up. It will allow you to jump to any of the labeled lines in the SLUS. It is very handy for jumping directly to certain functions or variables that are labelled.</p></li><li>Labels <p>Labels are the key to whether or not PS2DIS will be extremely helpful in hacking a game. There are basically three types of labels:</p><ol type="a"><p></p><li>Labels for strings of text - These are most common. Every game I have seen has string labels in its SLUS. These are also the most useless types of labels (in most cases). Rarely will the strings give you a good idea of what a function does or where variables are stored. String labels begin and end with the double-quote character (").<p></p><p></p></li><li>Labels for variables - These labels rarely appear in SLUS files. Making cheats with these labels is a relatively simple process of setting a value at that address. The hard part is knowing what value to set in order to make the cheat effective.<p></p><p></p></li><li>Labels for functions - These labels also very rarely appear. These labels appear at the beginning of a section of code that represents a function. The name will often (though not always) give you a fairly good idea of the purpose of that function. These labels are helpful in making cheats that either disable functionality (e.g. Disable Water For Cars), or change which functionality is used (e.g. Boat Guns On Cars)<p></p></li></ol><p>As I said, most SLUS files do not contain variable or function labels. This makes it very difficult to hack games without the tools that the guys that work at GameShark have (the expensive stuff). However, GTA3 just happened to have tons of labels in it, which gave us lots of stuff to work with.</p></li><li>The Analyzer <p>This is probably the most useful tools that PS2DIS has to offer. When you invoke the Analyzer (Analyzer-&gt;Invoke Analyzer), it runs through then entire code segment and figures out all the places that each address is referenced from. This process could take a while on slower PCs, so be patient. Once it's finished, you can "mark" any line of code and cycle through all the addresses that reference that line.</p><p>To "mark" a line of code, simply highlight the line and press the Space Bar. The selected line will turn grey instead of blue.</p><p>To cycle through all of the "referers" for that line, press F3 to go forward and Shift+F3 to go backwards. Finding referers is usually only effective for a variable's address, the first line of a function, or the first byte in a string.</p></li><li>Miscellaneous <p>Finding Patterns - If you have a certain hex value that you want to search for, you can do that by clicking Edit-&gt;Find Patern. Click the "As Hex String" checkbox and put in what you are looking for. Remember though, that MIPS stores the data in Little Endian format (the bytes are reversed). For example, if you were trying to search for a value that would look like this in the 2nd column: "2403003d", you would want to search for the following hex string: "3d 00 03 24". It takes a while to get used to, but once you get used to it, it's easy.</p><p>Changing Address Display - You can make the DIS display all four bytes at an address individually instead of all at once by selecting the line and pressing the B key. You can change it back by selecting the first line in the group of four and pressing the C key. This is mostly useful in finding and editing string data.</p></li><li>Resources <p>Use the resources below to learn more about the hexadecimal number system and the MIPS Assembly Language. MIPS is the assembly language that appears in PS2DIS when disassembling the SLUS files. Some of our best codes have come from modifying what the code actually does. In order to do this, you need to know how MIPS works.</p><p>Hex Resources:<br></p><ul><li><a href="http://vwop.port5.com/beginner/bhextut.html">Binary/Hexadecimal Tutorial (not a very good one :\ )</a> </li></ul><p></p><p><b>MIPS Resources:</b><br></p><ul><li><a href="http://www.compapp.dcu.ie/~ray/CA225b.html">CA225b MIPS Assembly Language Programming </a></li><li><a href="http://chortle.ccsu.edu/AssemblyTutorial/tutorialContents.html">Programmed Introduction to MIPS Assembly Language</a> </li><li><a href="http://taurus.ubishops.ca/ljensen/asm/notes/">CSc 116 Notes (another MIPS class)</a> </li><li><a href="http://www.cs.unibo.it/~montreso/courses/arch01-02/AssemblyLanguageProgDoc.pdf">MIPS Assembly Language Programmer's Guide</a> </li></ul><p></p></li><li>Examples <p>The examples below required the GTA3 SLUS file (<b>SLUS_200.62</b>). We can't put it up here for download, so if you don't have the game or a DVD drive, you need to get it from somewhere else. :\</p><ul><li>Labeled Variables </li></ul></li></ol><p>Disclaimer: Very few SLUS files have the proper labels for this kind of code. Don't be disappointed when this strategy doesn't work for most other games.</p><br><p>Open the GTA3 SLUS in the DIS. Today, we're going to be looking at a couple of simple variable-setting codes. The first thing we need to do is open the Label Listing (Ctrl+G) and see if we can find anything interesting.</p><p>Now, there are lots and lots of labels in the GTA3 SLUS, and most of them just aren't helpful at all. It takes a lot of patience to look through them to find the ones that are useful. To save you some time and to facilitate the learning process, I'll go ahead and point out a couple of them for you.</p><p><b>Example #1</b></p><p>With the Label Listing open, type <b>Lives</b> in the text box at the top. The selection will automatically move to the first label that starts with what you typed. If you press <b>Enter</b>, the DIS cursor will move to the line of code that has the selected label. You should now have selected the address for "LivesSavedWithAmbulance__6CStats". As you can probably guess from the label, this stores the number of people you have saved in the Paramedic Missions.</p><p>Now that we have an address (<b>00416EE8</b>), we need to figure out what value we want to use. Remember that this value needs to be in hexadecimal form. Let's say we want to have 1000 people saved. Converting 1000 to hexadecimal gives us <b>3E8</b>. (Windows Calculator in Scientific Mode converts between decimal and hexadecimal easily)</p><p>With an address and value in hand, we need to figure out what GameShark command we want to use. Since 3E8 is larger than 8 bits (2 hex digits), we can't use the 8-bit Write. 3E8 is smaller than 16 bits (4 hex digits), so we can use the 16-bit Write. The format for that is <b>1aaaaaaa 0000dddd</b>, where <b>a</b> is the address and <b>d</b> is the value.</p><p>Putting it all together, we have: <b>10416EE8 000003E8</b> (dropping the first zero from the address to make it 7 digits, and adding a zero to the value to make it 4 digits).</p><p>Last, you need to encrypt the code. The encryption you use depends on the game you are hacking. GTA3 GameShark codes use the 1456E7A5 encryption, so we will use that as well.</p><p>Using the converter to encrypt the code gives us:</p><p><b>1000 People Saved<br>4CD8F110 1456E4FD </b></p><p>Example #2</p><p>Open the Label Listing again and type <b>Respray</b> in the text box. It should bring you to the label "RespraysAreFree__8CGarages". Press <b>Enter</b> to go to that address.</p><p>The name of this variable implies that this is a yes or no question. Are resprays free or not? In programming, this is known as a Boolean variable (stores True or False). True is normally represented by a 1, and False is represented by 0. Taking this into account, it would make sense that if we set this variable to 1, then resprays would be free.</p><p>So, we take the address (<b>00416F90</b>) and the value (<b>1</b>, 1 converted to hexadecimal is still 1) and figure out what command we need to use. Since 1 is less than 8 bits, we can use the 8-bit Write. The format for that is <b>0aaaaaaa 000000dd</b>.</p><p>Filling in the address and value, we have: <b>00416F90 00000001</b> (again, dropping the zero off the address and adding a zero to the value to make it two
digits).</p><p>Encrypting with the 1456E7A5 encryption gives us:</p><p><b>Free Resprays<br>3CD8F0B8 1456E7A6 </b></p></td></tr></tbody></table>
<!--end hellion's PS2DIS guide-->
<b><i><u><a name="hacking_dc_codes">H) Hacking Sega Dreamcast Codes</a></u></i></b>
The only known way to hack Dreamcast codes at this point is the old
"Guess &amp; Check" method. The Dreamcast Xploder (or cracked shark) is your
best bet for this, as it doesn't require encrypting codes. If you really
must use a shark, then you'll have to use <a href="http://www.gscentral.com/lib/downloads/DCCrypt.zip">DCCypt</a> to decrypt/encrypt
codes. Patch codes are a big help, as they'll save you from hours on
end of entering 1 code at a time to try. Use a patch code to cover a
certain amount of RAM your want to change to see the effects and see
what you get. If you get an effect you like, just narrow down your
patch a few addresses at a time til the effect stops showing up. Then
you'll know what addresses to try individually.
<b>WARNING: Trying codes at random could potentially cause damage to your
system if you enter bad codes, so stay in/near the area where other codes
have already been found! This isn't a common occurence, but you have
been warned! The authors are not responsible for any damage you may cause
to your DC!</b>
-----------------------------------------------
<b><i><font size="+1"><a name="gameboy_hacking">XI) How-to Guide - Gameboy Hacking</a></font></i></b>
-----------------------------------------------
<b><i><u><a name="hacking_with_vba">A) How to hack GameBoy Advance codes: (By Tolos)</a></u></i></b>
You will need an emulator (I use VisualBoy Advance 9.1), and a GBA ROM to
hack. DO NOT ASK ME FOR ROMS!
Before you begin, make sure the game and ROM are the same versions, and there
is no "extra stuff" in the ROM -- usually an opening sequence by the rippers.
Ripping the game yourself solves these problems.
Here's an example of finding infinite lives:
- Start VisualBoy Advance, and load your ROM.
- After it boots, start the game.
- Take note of how many lives you have.
- (Pause the game)Select the menu Cheats -&gt; Search for Cheats.
- Click on Start, enter the number of lives (e.g. 3) into the text box
near the bottom, and press Search.
- You should come up with quite a few results. Click OK, and continue the game.
- Die once, and press CTRL+C or open the Search for cheats menu again.
- Enter the number of lives you now have (e.g. 2) and press Search, without
clicking on Start.
- If you still have a large amount of results, repeat the above three steps.
Otherwise, click on one of the addresses, then press Add Cheat. Change the
value. If your lives didn't change, try dying. Sometimes codes aren't
immediately
obvious. If that wasn't the code, try the others.
If none of the codes worked, you may need a different approach.
- Press start, and enter a number well greater than the number of lives, then
then press Search.
- Lose a life, then do a Search for Cheats.
- In the Search Type box, select old value; in the Compare Type box, select
Less or Equal, then press search.
- Repeat the above two steps.
- Select an address and click Add Cheat. Change the value, and die. If your lives
didn't change, try the other addresses. You should find the code.
Basically, the same techniques that work for other games can be used for
finding codes.
<b><i><u><a name="gba_size">B) Gameboy Advance Size Modifiers How-To - by Icy Guy</a></u></i></b>
<b>What you need:</b>
-A ROM of a GBA game (find one on your own)
-An emulator (VisualBoy Advance is highly recommended - any version will work)
-AR Crypt
For this guide, it is assumed that you are using VisualBoy Advance ("VBA").
It's also recommended that you assign a keyboard combination in VBA that will
let you open the "Search for cheats..." menu quickly (Tools &gt; Customize;
click "CheatsSearch" and assign your keyboard combo - I use Ctrl+C).
<b>Unknown Value Method:</b>
This method is good for objects that normally change shape. In this example,
we'll be hacking a size mod for your racer in Mario Kart: Super Circuit.
(Hacking by example is a great way to learn.)
-Start VBA and load the MK:SC ROM.
-Once in the game, select "Time Trial" from the main menu. (If, like in this
case, you're hacking a racing game, choosing a time trial is a good idea,
because, depending on the game, you won't have to contend with other racers
and the clock.)
-Choose your racer, and then select Bowser Castle 1 from the tracks menu.
-Now follow the normal track route until you reach the Thwomps.
-Go to the "Search for cheats..." menu (Cheats &gt; Search for cheats...). Under
"Search type," choose "Old value," under "Data size," choose "16 bits," under
"Signed/Unsigned," choose "Hexadecimal," and, under "Compare type," choose
"Equal." Put a check in the "Update Values" box.Now hit the "Start" button,
and then "Search." It will tell you that there are too many results. Hit
"OK," and then the "OK" in the search menu.
-Back in the game, go and get yourself flattened by a Thwomp. Now, while your
character is still flat, go to the cheats menu, choose "Less than" as your
compare type, and search. It will probably still say that you have too many
results, but then again, it may not.
-Go back to the game and move out from under the Thwomp. When your character
returns to normal size, go back to the cheats menu and do a Greater than
search (the menu actually says "Greather than," but same thing). Now you'll
get some results. But there are too many to handle, so go back to the game.
-Get flattened, and do the Less than search while flat. Go back to the game,
and when your character pops back to normal size, do a Greater than search.
-Drive around the next couple of turns until you reach the next set of Thwomps.
Do an Equal to search.
-If you were lucky (like me), the amount of search results will have been
reduced drastically. Look at your results. If you checked the search menu
while your racer was full size, one of the results will have a value of 0100.
In this case, the address with that value is 03003D2E. So your raw,
unencrypted code is 03003D2E 00000100, if you want to give people a code
where your character is full size. That's pointless, so give the code a
smaller value, like 000000C0 or something. Now we end up with 03003D2E
0000C000 (you must put most significant byte first, if I recall), which makes
your racer 3/4 their normal size. Now punch that into AR Crypt and encrypt
as you normally would.
-Sure, we have THAT code, but that's just the code for the X coordinate! Since
GBA games are 2D (even if the game has 3D-style graphics, it's still 2D),
there are two codes involved in a "complete" size modifier: the code for the X
coordinate and the code for the Y coordinate. In this how-to, we have hacked
the X coordinate, so let's hack the Y coordinate.
-One way to do this is by viewing the memory. So, in VBA, while your character
is still on the screen, go to Tools &gt; Memory viewer. Make sure the radio
button next to "16-bit" is filled in. Type the address of the X coordinate
(03003D2E) into the box next to "Go" and then hit "Go." It will take you to
that part in the memory. If your character was full size when you did this,
the view will look something like this...
<img src="./The Secrets of Professional GameShark(tm) Hacking_files/gbasizemods1.jpg">
See those "0100"s in the upper-left? The first one is the X coordinate size
(which you just hacked) and the second one is the Y coordinate size. In this
case, the address for the Y coordinate is 03003D30, just two addresses higher
than the X coordinate size.
This is usually the case: the X coordinate and Y coordinate size modifiers are
close like this. So if you find one, you've practically found the other.
Let's do a general recap:
-Start the search process and move somewhere else (or even change the area you
are in, if you're hacking a code for your character). Do an Equal to search.
-Make the object get squished, smashed from the sides, or shrink. Do a
Less than search. (If you can make the object get larger, do a
Greater than search.)
-When it reverts/grows to normal size, do a Greater than search. (Less than
if the object had grown.)
-Move around a bit and/or change other stuff and do an Equal to search. Do NOT
make the object you want to modify get destroyed or go to an area where that
object is not present.
-If you don't have a manageable number of results (less than 20), repeat.
-Look for codes with the value 0100. Check the area of memory around
that/those code address(es) to find the size modifier for the other
coordinate, if it didn't show up in your search.
-Encrypt the code(s) as needed.
Now what if the object you want to hack DOESN'T change shape? Then what?
<b>Known Value Method:</b>
This method is good for hacking size modifiers for objects that do not normally
change shape. For this example, I'll be hacking a size mod for one of the
computer racers, again in Mario Kart: Super Circuit.
-Load the ROM and select a new file.
-Select "Mario GP," any cup, any racer, and any track.
-Now, when the characters are waiting behind the finish line, open the cheat
search menu, and do a 16-bit search for 0100. (I'm assuming you know how to
configure it to your liking, since I'm assuming you followed along in the
previous section of this guide.)
-You'll get a load of results. Check the results for a pair of addresses in
which the second address is two addresses higher than the first
(1st address + 2). There are several, so start testing them out, using the
value C000.
-If a code doesn't work, go back to your results and start checking again. If
any values are NOT 0100 or C000, search for 0100 again to get rid of them.
-Elimination will eventually lead you to 03003ECE, which is the X coordinate
size modifier for the first CPU player. You can check out the memory to get
the code for the Y coordinate, but here, you don't have to. The very next
result is 03003ED0, which just so happens to be two addresses higher than the
X coord code. Now we have the complete code set for CPU 1.
-Encrypt your code(s) as needed.
To recap, all you have to do is just search for 0100 (256 in decimal). As of
now, this is the only value I have seen used for GBA size mods, but I have a
feeling that programmers may use different values in the future.
So that's how to hack size modifiers for your Game Boy Advance games. Be
warned that not all of them will be as easy to hack as they were in Super
Circuit - I just used Super Circuit as an example because it's easy to hack,
and I feel that the best way to learn to hack (aside from example) is to hack
an easy code/game first. Three closing tips:
-Some objects are seemingly "unhackable," so you feel that you may be forced
to give up hacking a code. Don't let this discourage you.
-Some games, such as racing games, may have "patterns" that you can follow.
In Super Circuit, for example, you can add 1A0 to each memory address to get
the address of the next racer's size mod.
<b><i><u><a name="hacking_gameboy_advance_enabler_codes">C) Finding GameBoy Advance Enabler Codes
- By Parasyte (Used with Permission)</a></u></i></b>
Required Software:
GameBoy Advance ROM to hack (find on your own)
Mappy Virtual Machine - <a href="http://www.bottledlight.com/">www.bottledlight.com/</a>
GameShark Advance Code Encryption Program
GameBoy Advance Enablers are comprised of two parts, the first part is the
hook routine. It overwrites some assembly in ROM/RAM with a jump to the GSA
code handling routines. This jump must be executed many times per second. So a
good place to hook would be the controller reading routine.
The Second part is an ID Code, it's not needed, but it's good to have if you
like the GSA auto-detecting your game.
<b>Hacking the hook code:</b>
(this method only works on Thumb assembly in ROM)
1) Load up the rom in Mappy, then goto View -&gt; Disassembler
2) Goto File -&gt; Export -&gt; Disassembly
3) Pick a destination txt file to save
4) Near the bottom you see three text boxes, leave the first one blank, type
08000000 into the second, and 200000 into the third
5) Select "Thumb" in the drop down list box
6) Click the Add button
7) Click the OK button, and wait a few seconds to a minute for the disassembly to
complete.
8) Open the new txt file in a text editor, the file will be around 7MB
9) Text search for 04000130
10) You may find more than one place with this info, so be sure to write down
ever address with that text string.
11) Going through all addresses, find two opcodes that might work. They can be
anything BELOW the "04000130", and ABOVE any opcode beginning with a "B". The
two opcodes you choose must be right next to each other, and they cannot have
an "=" sign in any part of the line. Example of USABLE opcodes -
080002D2 add r1, r4, #0
080002D4 add r1, #24
080002DE ldrh r0, [r0]
080002E0 mvn r0, r0
Example of NON-USABLE opcodes -
080002E8 bne #$080002F2
080002EA ldr r0, =$03000540
12) Once you find an address that can be used, put the "F" code type on it, and
use the value 00000101. Encrypt the code, and try it with any known codes, just
to make sure it works. Example: F80002DE 00000101
13) If the game crashes, try using a value of 00000102. If the game still crashes,
you will need to find another area to hook. The easiest method to do this
envolves running the game in an emulator (VisualBoy Advance-SDL) and halting the
game anywhere during execution. You should almost always end up in a piece of
ASM that is executed many, many times. So just use the rules above and find a
new address to use.
<b>Hacking the ID Code:</b>
1) Load the ROM into a hex editor
2) Jump to address 000000AC
3) Copy the 4 bytes at this address, then reverse all bytes. Example: "41424344"
becomes "44434241"
4) Encrypt this as an address with a value of 001DC0DE using the Game Shark Advance
encrypter. Example: 44434241 001DC0DE
5) GameShark Advance should autodetect the game with this code in your(M) code
<b><i><u><a name="ar3_with_arcrypt">D) Creating AR V3 Codes Using AR Crypt - by Kenobi</a></u></i></b>
{Special Acknowledgement: This program is based on the original AR Crypt
algorithm by Parasyte.
You will need the AR Crypt program by Kenobi.
Get it <a href="http://www.gscentral.com/lib/downloads/ARCrypt%20Final%202_2.rar">here</a>
GS Central is currently the only authorized site to host this program.
As such, neither the program creator or GS Central will not
be held responsible for un-authorized web sites carrying this program.
Authorization to host this ptogram is soley up to the program creator and
that authorization is final and binding.
Check "Expert Mode" in the Main menu, and check "AR V3" in the "Create..." Menu.
You can either choose the "Code Type" in the combobox or you can enter the
"numbers separated by periods" found in this document in the "Data Size",
"Code Type", "Code Subtype", "Special" and "Unused" spinedit boxes.
Then Type in the 1st line of the left memo your RAW codes on ONE LINE with
SPACES between the 32bits numbers.
Press the "Create" Button.
<b><u>Example</u></b>
<b><u>Example</u></b>
<b>11) 2 Lines Special Codes (= starting with '00000000' and padded (if
needed)
with "00000000").</b>
To add the 0s automatically, check the "pad with 0s" checkox of ARCrypt.
Type z09
1.2.0.x.x
XXXXXXXX : (02024EA4 -&gt; 14224EA4)
0000ZZZZ : Writes Halfword ZZZZ to address XXXXXXXX."
You can either search the "Type z09" code type in the combobox, or you can
do everything manually :
-set "Data Size" to 1, "Code Type" to 2, "Code Subtype" to 0, "Special" to x
(=any value, for exemple 0) and "Unused" to x (=any value, for exemple 0),
and finally check the
"pad with 0s" checkbox.
Type in the left memo your RAW address (for exemple "02024ea4") and your
value
(8 digits, padded with 0es at the start if needed ; for exemple "00001234").
(That gives 02024ea400001234).
Now press the Create button. Ar Crypt will compute the ARV3 Raw (=
unencrypted)
code, will display it on the 2nd line of the left memo, and will encrypt it
in
the right memo.
Left memo : Right memo:
02024ea0 00000001
00000000 12224EA0 A81467EF C2D5BB2A
00000001 00000000 7FD49BC1 DBCF6C10
The good ARV3 Code is :
A81467EF C2D5BB2A
7FD49BC1 DBCF6C10
(One day, AR Crypt will pad the codes with 0es automatically. Until then,
you'll have to do it manually).
<b><i>WARNING!!!!!!</i></b>
All addresses obtained by decrypting V3 codes are in V3 RAW Format.
Let's say the decrypted V3 code is : XXXXXXXX YYYYYYYY
"Data Size" = (XXXXXXXX &gt;&gt; $19) AND 3
"Code Type" = (XXXXXXXX &gt;&gt; $1B) AND 7
"Code Subtype" = (XXXXXXXX &gt;&gt; $1E) AND 3
"Unknown 2" = (XXXXXXXX &gt;&gt; $18) AND 1
"Unknown 1" = (XXXXXXXX &gt;&gt; $12) AND 3
"Unknown 1" seems to never be used. It's not even calculated by the AR.
The data is just trashed. But it isn't useless. It might be used to create
codes that will have some kind of signature, so you might know if someone steal
your codes...
Morevover, you an also change the "x" to any allowed value to create even more
"signatures".
For exemple :
0.0.0.x.x will give you 4*2=8 different encryptions for the very same code.
x.1.0.x.x will give you 4*4*2=32 different encryptions for the very same code.
Then, to get the the real RAW address, you need to do :
XXXXXXXX = (XXXXXXXX AND $01FFFFFF)
RAW address = ((XXXXXXXX &lt;&lt; 4) AND $0F000000) + (XXXXXXXX AND $0003FFFF)
<b><i><u><a name="gba_non_standard_master">E) Tutorial: Hacking Non-Standard Master Codes</a></u></i></b>
this is several posts from the gscentral vb - courtesy parasyte
--------------------------------------------------------------------------------
There are a few GBA games out there for which a master code cannot be found by
any of the 'standard' methods, such as using Kenobi's AR Crypt. The two
examples I will cover here are Baulder's Gate: Dark Alliance, and Phantasy
Star (a part of Phantasy Star Collection).
Baulder's Gate is an easy one. Just about anyone with the ROM and VBA-SDL can
hack the master code for it. Not a whole lot of assembly knowledge is required.
You just have to know what to look for.
If you load the game in AR Crypt and attempt to search for a master code,
you'll come up empty handed (be sure to use on the latest version of AR Crypt).
So to make our master code, we'll have to use a process which is a bit more
involved.
Load up the game in VBA-SDL, and get into the gameplay part of the game. (By the
looks of the damn intro, I thought it was an interactive novel, bah! Developers
need to stop forcing lame intros like that upon us gamers.) Once you are in the
game, and ready to go, open the ROM in a hex editor. Run a hex search for
"0047C0460847C046" -- this is the beginning of what I like to call the "Long
Branch Routines." Almost every game will have one, so take notes!
I found the long branch routines at file offset 006A9888. This, of course,
translates to GBA ROM address 086A9888. Knowing this, go back to VBA-SDL and
press F11 to bring up the debug console. In the debug console, type "dt
086A9888" This will disassemble the long branch routines into thumb assembly.
All games that have these long branch routines will look exactly the same, so
you probably won't ever have to disassemble it again. Just notice where all
the 'bx' instructions are:
086a9888 4700 bx r0
086a988a 46c0 mov r8, r8
086a988c 4708 bx r1
086a988e 46c0 mov r8, r8
086a9890 4710 bx r2
086a9892 46c0 mov r8, r8
Etc! You can easily spot the pattern. The bx instructions will rest on a 4-byte
boundary, followed by 'mov r8,r8' which is the official Thumb instruction for
NOP. (No Operation)
Anyway, these bx instructions are what you will use to find a long branch type
master code. Let's start with the first one - 'bx r0.' Set a thumb breakpoint
on that address using the command "bt 086A9888" then use the command "c" to
continue running the game.
What we are looking for is one of these bx instructions which execute many times
per second. After I set the breakpoint on 'bx r0,' I did not get any hits when I
ran the game. So this one will not do! Press F11 again, and delete the
breakpoint using command "bd 0". Now set a thumb breakpoint on the next bx
instruction using command "bt 086A988C" and run the game with the "c" command.
Now here's where it starts to get interesting. Immediately after running the
game, my breakpoint was hit, meaning the 'bx r1' instruction is used. Now what
we want to do is copy down the value of the r1 register as reported by VBA. (We
copy the value of r1, because we set a breakpoint on the 'bx r1' .. see how
that works?) The register used by the bx instruction will always contain an
address at this point. The bx instruction is used to branch\jump to the address
contained in that register.
As of now, the r1 register contains value '03003ef8' which we know is a RAM
address. I just temporarily wrote that into notepad, and now I am going to just
run the game again, and let the breakpoint pause it once more. This time, I get
the same address... I've already written that address down, so I will continue
running the game (at least 20 times, if needed) to see if any other addresses
are run.
About 5 runs later, r1 contains '0869fc05' -- a ROM address. This is a good
start. I'll write this address down and simply continue running the game quite
a few more time, recording every address, until I believe I have written all of
the different addresses into notepad.
And here is my list, so far:
03003ef8
0869fc05
0869e145
02000634
02000514
0869e3d5
0869e0d9
Now that I believe I have all of the addresses which are used here, I will
delete the breakpoint using "bd 0" and run the game. Then I'll move on to
another area... Since I'm in the tavern, I have to go into the cellar.
Once there, I'm going to push F11 and set the breakpoint on the 'bx r1'
instruction again, and repeat the process of writing down addresses. Make
sure you keep your list of addresses clearly seperate.
Now I've got this for my second list:
0869e3d5
0869d5a1
0869d165
0869c881
03003ef8
0869fc05
0869d81d
0869cf61
What you want to do at this point is find addresses between each list that
match. So based on my lists, here are the common addresses so far:
03003ef8
0869fc05
0869e3d5
Now, just to be safe, I am going to continue through the cellar and kill
everything so I can exit the tavern.
Once I'm outside, I'll set the breakpoint again, write down more addresses,
and update my common addresses list... And funny that! My list of common
addresses matches exactly the address list I made while outside of the
tavern. Good enough, let's make us a master code!
We've got only three common addresses, as listed above. To make the master
code, we need to search for these addresses in the ROM. When searching for
32-bit values in a GBA ROM, you have to 'byte swap' the value, and search
for that. As an example, the first common address is '03003ef8.' If we split
that into bytes, we get '03 00 3e f8.' Then we reverse the order of the
bytes to byte swap it, and we get 'f8 3e 00 03.' Now search for 'f83e0003'
in the rom. Well, our first minor snag. This pointer is not present in the
ROM at all. So remove that address from the list, and move on.
Searching for the next pointer (05fc6908) turns up four possible locations.
Our second minor snag -- any one of those four could be the correct one, or
they could each be used for four different parts of the game. This is not
good. For the sake of simplicity, set that address aside, and use it only
in the emergency that our 3rd address is also no good.
Searching for the third pointer in the rom (d5e36908) we are left with a
grand total of only one possible location! Success! We now have the location
of our master code. The pointer rests at offset 007EF48C. So attach the
normal 'C4' master code codetype to it. Then append a 'value' of 000084x3 to
it, for a standard long branch type master code, where 'x' is the register
number that is used by the bx instruction. In this case, it would be 1,
for r1.
Baulder's Gate: Dark Alliance
(m)
C47EF48C 00008413
Pretty simple, eh?
If that third common address had been no good, you could have either gone back
to test all 4 possibilites from the second pointer, or just move on to 'bx r2'
and record the addresses from the r2 register. Usually after about r7, they
stop getting used so often.
That about does it for now. I'll continue the tutorial with Phantasy Star
later tonight, or tomorrow some time.
--------------------------------------------------------------------------------
rrr. Getting back on track, here's how you hack a master code for a game like
Phantasy Star within Phantasy Star Collection.
The first thing I'm going to say is that Phantasy Star Collection contains
four executables. So this is one reason that hacking this particular game is
so difficult. You got three executables -- one for each of the three games
within the collection -- and the fourth executable is the initial loader\game
selector.
The loader executable does not need any hacking, and two of the three game
executables have easily reached master code locations. But, after doing a
little research, it's plain to see that the Phantasy Star executable lies at
ROM address 08738000. The problem here should be obvious; a standard bl-type
master code absolutely CANNOT be used on any address above 0840001C. It is an
impossibility.
If you begin to hack the Phantasy Star master code like we did with Baulder's
Gate, you run into a HUGE problem right off the bat.... There are no long
branch routines in the Phantasy Star executable. Bummer.
What we do to resolve this issue is take a completely different approach. We
will start with the interrupt handler. Interrupts will occur several times
per second, so they are perfect for our needs.
To find the interrupt handler, load up Phantasy Star. The title screen will
work just as well as anywhere. If you're using VBA-SDL, (my emulator of
choice for master code hacking) bring up the debug console, and use the 'mw'
command to display the contents of the interrupt vector. The GBA interrupt
vector is always at address 03007FFC, so use command "mw 03007FFC". The first
value displayed will be [should be] a pointer -- this is the pointer to the
interrupt handler. Mine is displaying '020207d0.'
This is an ARM address. You can tell, because the pointer is an even number.
An odd number means it is a Thumb address. (For example, if it where
'020207d1' that would indicate Thumb assembly) Disassemble to ARM, starting
at 020207d0. (Command "da 020207d0") And search for the first bx instruction
you can find. Here is what I found:
02020884 e59f1010 ldr r1, [$0202089c] (=$02000070)
02020888 e0811002 add r1, r1, r2
0202088c e5910000 ldr r0, [r1]
02020890 e12fff10 bx r0
This assembly loads pointer 02000070 into register r1. Then it offsets the
register by adding the value of r2 to it. Finally, it loads a pointer from
the resulting address into register r0, and branches to the pointer in r0
using the bx instruction. This is a prime example of a "jump table." A jump
table is a fairly large table of pointers stored in RAM. One of the pointers
will be loaded from the table, and that pointer is jumped to, hence the name:
jump table.
So let's start by dumping the jump table from address 02000070 using the
command: "mw 02000070"
02000070 087384a1 0873a9fd 0873aa01 0873a9fd
02000080 0873a9fd 0873aa21 0876ca91 0873a9fd
02000090 0873a9fd 0873a9fd 0873a9fd 0873a9fd
020000a0 0873a9fd 0873a9fd 00000000 00000000
Looking good, eh! You can tell these are all ROM pointers, so maybe one of
these will be something of importance that can be used as a master code.
All of these pointers are odd numbers, and as we know, that means they are
all pointers to Thumb assembly!
This jump table contains a total of five different pointers:
087384a1
0873a9fd
0873aa01
0873aa21
0876ca91
Let's disassemble a little bit from each of these addresses, and compare
notes later. (Notice! Before you will be able to disassemble, you must
'convert' each pointer to an even number. Do this by simply subtracting 1
from the pointer. As an example with the first pointer, you will disassemble
is using command: "dt 087384a0". Then the next using "dt 0873a9fc")
087384a0 b5f0 push {r4-r7,lr}
087384a2 4a2b ldr r2, [$08738550] (=$020004e8)
087384a4 482b ldr r0, [$08738554] (=$04000130)
087384a6 8801 ldrh r1, [r0, #0x0]
087384a8 4b2b ldr r3, [$08738558] (=$000003ff)
087384aa 1c18 add r0, r3, #0x0
087384ac 4041 eor r1, r0
...
0873a9fc 4770 bx lr
0873aa00 4904 ldr r1, [$0873aa14] (=$0400000c)
0873aa02 4a05 ldr r2, [$0873aa18] (=$00004409)
0873aa04 1c10 add r0, r2, #0x0
0873aa06 8008 strh r0, [r1, #0x0]
0873aa08 3908 sub r1, #0x8
0873aa0a 4a04 ldr r2, [$0873aa1c] (=$00007028)
0873aa0c 1c10 add r0, r2, #0x0
0873aa0e 8008 strh r0, [r1, #0x0]
0873aa10 4770 bx lr
0873aa20 4770 bx lr
0876ca90 4906 ldr r1, [$0876caac] (=$02000052)
0876ca92 8808 ldrh r0, [r1, #0x0]
0876ca94 2800 cmp r0, #0x0
0876ca96 d008 beq $0876caaa
0876ca98 8808 ldrh r0, [r1, #0x0]
0876ca9a 3801 sub r0, #0x1
0876ca9c 8008 strh r0, [r1, #0x0]
0876ca9e 0400 lsl r0, r0, #0x10
0876caa0 2800 cmp r0, #0x0
0876caa2 d102 bne $0876caaa
0876caa4 4902 ldr r1, [$0876cab0] (=$02000054)
0876caa6 2001 mov r0, #0x1
0876caa8 7008 strb r0, [r1, #0x0]
0876caaa 4770 bx lr
Now then... The second and fourth addresses only contain a "bx lr" instruction,
meaning both routines simply return, doing absolutely NOTHING. I would not trust
either of those. Of the remaining three, the first one looks very familiar...
it's a joypad read routine! This is VEEERRRRRRY promising. So let's take the
pointer to this joypad routine (087384a1) and do the byte swap trick. Hex search
the Phantasy Star Collection rom for the value (a1847308), and wouldn't you know
it! There's only one match, and it is definitely inside the Phantasy Star
executable.
The pointer to the joypad routine is located at offset 007383FC... This means we
get to make us a master code and test it out. Attach the C4 codetype, and append
the 000084x3 value! If you remember the ARM assembly we disassembled in the
interrupt handler, the first bx instruction we came across was 'bx r0'. So of
course we are going to use the value of '0' to replace the 'x' in our new master
code. (Again, this 'x' is used to select which register was originally used to
branch to the original address.)
Phantasy Star Collection
Phantasy Star (m)
C47383FC 00008403
If you give her a test, you'll find that she sure works like a champ. Another
difficult-to-hack master code solved. Case closed.
P.S. You may be wondering why you can't just use the interrupt handler pointer
that you pulled from address 03007FFC. This is a great question. When the
interrupt handler is run, the BIOS is what loads the pointer to jump to. But,
the whole reason for telling the master code which register is used to run the
original address is an important factor, here. After the AR is finished doing
it's thing, it MUST run the original address. If it does not, you'll be left
with nothing more than glitches and crashing. When AR runs that original
address, it does so by executing a bx instruction.... By having that bx
instruction use the same exact register which the original used, you eliminate
any possible register corruption.
This leads us back to the original question; why can't I just use the pointer
to the interrupt handler? Simply put, the best explanation is because a bx
instruction is NOT used to run the interrupt handler. So you would only run
the risk of corrupting registers by doing so.
I hope you enjoy these technical explanations. They are fun to write, and
educational for everyone! It's a win-win situation.
--------------------------------------------------------------------------------
dlong: How many rom patches does the long branch master code use up?
--------------------------------------------------------------------------------
Long branch type master codes only use 2 of the 3 rom patches allocated for
master codes. What the long branch type master code actually does is replace
the pointer at the master code address with a pointer to 08000021 -- the place
where AR keeps it's code engine entry point.
<b><i><u><a name="gba_asm">F) Gameboy Advance ASM Tutorial - by Kenobi</a></u></i></b>
The following is a hands on tutorial in using VBA SDL in hacking rom patch codes.
The game used for this lesson was IronMan for GBA.
There are two examples given:Item never decreases code and invincilibity.
This tutorial is used with permission of Kenobi who generously gave of
his time to prepare and walk thru this tutorial with macrox.
Game info: In IronMan there is a blue orb that gives him advanced blast powers against
his enemies. There are two levels to this power. The first is like a giant ray blast
which destroys most of his enemies in a direct line of action, while the second level
destroys all the enemies on screen.
<b>ASM GBA Hacking - 1st Part Example #1 - Item Never Decreases</b>
- Blue Orb Quantity never decreases code.
What you will need :
VBA (normal).
VBASDL.
The rom file. (Neither the authors nor GSC support the method of obtaining
this file).
A save state at the very start of level 03, with the blue orb on Iron Man.
The address of the blue orb quantity. [0202CCF4]
Optional but essential info: GBA Tech document.
http://www.work.de/nocash/gbatek.htm
You will need to study this document to be able to understand the call
functions and thus make the most out of VBA SDL hacking.
- Load the game in VBA (normal). Load the save state, and remove ALL the cheats
(even if they are off).
Take the blue orb if you didn't took it already, then save the save state.
- Now load the game in VBASDL, load the save state, then press F11 to enter the
debugger.
- Type "BPW 0202CCF4 2" in the DOS window to set a break on write on address
0202CCF4 for 2 bytes.
- Type "c" in the DOS window go go back to the game.
- Use the blue orb power (press L). The game will freeze because the break on
write did happen.
(the quantity of blue orb decreased).
- Look in the DOS window. You'll see that :
Breakpoint (on write) address 0202ccf4 old:00000001 new 00000000
R00=00000000 R04=00000000 R08=0202cb00 R12=00000001
R01=0202ccf4 R05=00000001 R09=0202cbd0 R13=03007ba4
R02=0202cb84 R06=0202cbd0 R10=0202cbcc R14=0802c5fd
R03=080365bf R07=0202cbcc R11=00000000 R15=0802c63e
CPSR=6000003f (.ZC...T Mode: 1f)
0802c63c 9004 str r0, [sp,#0x10]
- The address of the very last line is what we need : 0802c63c.
- Go back to VBA (normal). Make "Tools" then "Dissassemble", click
the "THUMB" button, and enter the address we just found.
- You'll see a lot of stuff. The 1st line will be :
0802c63c 9004 str r0, [sp, #0x10]
- Go up one line. You'll see that :
0802c63a 6008 str r0, [r1, #0x0]
- This should be the line that changed the value of the blue orb
quantity, and that triggered the breakpoint.
- We'll make sure this line is the one we are looking for.
Go back to VBASDL, load the save state, and press F11.
- Type in "bt 0802c63a" (this will set a THUMB breakpoint on address
0802c63a. That means when the asm code stored at address 0802c63a
is executed, the game will freeze).
- Type "c", then use the blue orb power. The game will freeze.
- Type "mw 0202CCF4". You'll see a lot of numbers, the very fist one
(top left) will be the blue orb quantity. It should be "0001"
- Type "n", then type again "mw 0202CCF4" (you can use the up/down arrows
to select a line you already typed in). You'll see that the number has
changed.
Now, it's "0000". That means the line 0802c63a is where the game saves the
new value of the blue orb when you use one.
- Now we have 2 choices. We could just remove the asm code of line 0802c63a, so
that the game never updates the quantity of the blue orb.
The THUMB asm code that "deletes" a line (it's called "noop" which should mean
no operations)is 46C0.
--------------------
How did I know it? Well, look at the GBA tech document http://www.work.de/nocash/gbatek.htm
click on "Pseudo Instructions and Directives".
You'll see :
THUMB Pseudo Instructions
nop mov r8,r8
ldr Rd,=Imm ldr Rd,[r15,disp] ;use .pool as parameter field
add Rd,=addr add Rd,r15,disp
adr Rd,addr add Rd,r15,disp
mov Rd,Rs add Rd,Rs,0 ;with Rd,Rs in range r0-r7 each
Look at the 1st like.
The document tells me that, in THUMB Asm, nop = mov r8,r8. I just followed
what it said :)
And that's how I use 46C0, because it means "MOV R8, R8".
--------------------
To check that everything will be allright, select "Tools" then "Memory
Viewer". Choose "16 bits", then enter the address "0802c63c". Type 46C0
(that'll patch the game "on the fly"), then use the
blue orb within the game : it's quantity won't decrease.
So the raw AR V1/2 code could be :
6401631D 000046C0
- We could also try to find the line where the games decrease the quantity of
blue orbs, and remove it.
The only way in THUMB asm to decrease a number is to subtract 2 values. So we
need to find a instruction
that looks like "sub rx, ry" (x and y being 2 numbers) or "sub rx, #0xYY" (YY
being a number).
- Go back to VBA (normal), and go up one line until you find the "sub"
instruction (shouldn't be hard to find :) ).
If you create a code that NOOP this line, the quantity of blue orb will never
decrease.
- Even funnier. We could change this line with an instruction that does anything
else to the value !
For exemple, we could put any number we want (between 0 and 255).
Or we could increase the number instead of decreasing it !
Let's look at it to have some fun... :)
- Lets say you want to set the quantity of blue orb to 255 ($FF) when the player
uses it.
1st, look at the precise instruction of line 0802c638 (where the "sub"
instruction lies).
You see : 3801 sub r0, #0x1
This instruction means "Remove 1 from the value stored in r0".
- In asm, the instruction that put a number in a register is called MOV (=move).
To set the quantity of blue orb to 255, we need to change the instruction to :
mov r0,#0x255
You could try to find how to create the MOV instruction in hexadecimal in the
gbatech documents...
But MOV is one of the easier instructions to learn, and you can find it very
easily by yourself.
To create a MOV in hex, do this :
- Put a "2" at the start.
- Then put the # of the register you want to write to. We want to write to
register 0. That makes "20"
- Now put the value you want to write (in hexadecimal). 255 is $FF. The hex
code will be "20FF".
To check that everything will be alright, select "Tools" then "Memory
Viewer". Choose "16 bits",
then enter the address "0802c638". Type 20FF (that'll patch the game "on the
fly"), then use the
blue orb within the game. The 1st time you use it it'll be "normal", then
it'll be "powerful" (because it's
quantity/power will be 255). The code is working :)
(btw : the gfx will be messed up because the max value of the blue orb should
be 2).
- Now let's say you want to add 1 to the quantity of blue orb each time the
player uses it.
We need to change the "sub" instruction to an "add" instruction. Look at the
GBA tech document.
Click on "THUMB Instruction Set", then click on "THUMB.3:
move/compare/add/subtract immediate".
You'll see that :
Opcode Format
Bit Expl.
15-13 Must be 001b for this type of instructions
12-11 Opcode
00b: MOV Rd,#nn ;move Rd = #nn
01b: CMP Rd,#nn ;compare Void = Rd - #nn
10b: ADD Rd,#nn ;add Rd = Rd + #nn
11b: SUB Rd,#nn ;subtract Rd = Rd - #nn
10-8 Rd - Destination Register (R0..R7)
7-0 nn - Unsigned Immediate (0-255)
ARM equivalents for MOV/CMP/ADD/SUB are MOVS/CMP/ADDS/SUBS same format.
Execution Time: 1S
Return: Rd contains result (except CMP), N,Z,C,V affected (for MOV only N,Z).
- Start to look at the "Opcode" lines. You have :
00b: MOV Rd,#nn ;move Rd = #nn
01b: CMP Rd,#nn ;compare Void = Rd - #nn
10b: ADD Rd,#nn ;add Rd = Rd + #nn
11b: SUB Rd,#nn ;subtract Rd = Rd - #nn
- This is what we need : ADD Rd, #nn. Rd will be R0, and #nn will be 1.
- Now open 2 windows calculator in scientific mode. Choose "bin" for the first
one, and "dec" for the second one.
- Lets start to create the instruction :
Bit Expl.
15-13 Must be 001b for this type of instructions
+ That means you have to type "001" in the first windows calculator (the 1st 0es
won't appear).
12-11 Opcode
00b: MOV Rd,#nn ;move Rd = #nn
01b: CMP Rd,#nn ;compare Void = Rd - #nn
10b: ADD Rd,#nn ;add Rd = Rd + #nn
11b: SUB Rd,#nn ;subtract Rd = Rd - #nn
+ We want the "ADD" instruction, so you have to enter "10" in the first windows
calculator (it'll show "110").
10-8 Rd - Destination Register (R0..R7)
+ Destination register will be R0 (which means "0"). So type "000" (for bits 10,
9 and 8) in the first windows
calculator (it'll show "110000").
7-0 nn - Unsigned Immediate (0-255)
+ Now enter the value you want to add in the second windows calculator ("1"),
then click on the "bin" button.
It'll show "1". So type "00000001" (for bits 7-0) in the first windows
calculator
(it'll show "11000000000001").
+ Choose "hex" in the 1st windows calculator, and it'll show "3001". It's the
hexadecimal form of "ADD r0, #0x1".
To check that everything will be allright, select "Tools" then "Memory
Viewer". Choose "16 bits",
then enter the address "0802c638". Type 3001 (that'll patch the game "on the
fly"), then use the
blue orb within the game : the more you use it, the more powerful it'll
becomes. The code it working !
<b>ASM GBA Hacking - 2nd Part Example #1 - Item Never Decreases</b>
You'll need :
either to install MAPPY VM :
http://www.bottledlight.com/tools/mappyvm_0.9d.zip
or
to get a good hexeditor (I use Winhex).
- Now let's try to find something way more difficult : a code that will make the
game think you always have the blue orb. Use the dissassembler of VBA (normal),
and go back at the that was subtracting the blue
orb value (0802c638).
- Scroll up the lines until you find an instruction "bl..." or "bx...".
You'll find a "bl $08040c44" at line 0802c5f8.
Look at the line just under this one : 0802c5fa.
- Use VBA sdl (load the game, the save state, press F11) and type "bt 0802c5fa".
Type "c", then use the blue orb : the game will freeze.
- Now the tricky part. You know where you are, but you don't know where you came
from (and we need to find that out).
There are a lot of way to find out where you came from, so I will only explain
the way that works for Iron Man.
- Press "n" and look at all registers until you find something interessing.
After about 27 "n", you'll see "0202ccf4" in R1...! It's the address of the
blue orb quantity!
- Now look at the line just up. (0802c634) :
441 add r1, r8
- That means the game computed the value 0202ccf4 by doing r1 = r1 + r8. Now
look at the values of r1 and r8 for
the line 0802c634 : R01=000001f4, R08=0202CB00
- That means that 0202CB00 is something like the base address for all the blue
orb quantities addresses, and 1f4
is the "modifier" than, once added to 0202CB00, gives the blue orb quantity
address for this particular level.
*If you use MAPPY !
- Now launch MAPPY VM, and load the Iron Man rom with it.
- Then make "File", "Export dissassembly". Change "ARM" to "THUMB",
enter "08000000" in the middle input box,
and enter "200000" in the input box close to "THUMB". Click "Add",
then choose a destination
(click the "..." button), and finally click "OK". Now open the file
that has been created in wordpad.
- Search "0202CB00". You'll find nothing :(... That's not a big deal.
Look back in VBASDL dos window.
Scroll up, until you see that R01 value is different to 000001f4, and
look the line just above.
- You'll see that :
0802c630 21fa mov r1, #0xfa
0802c632 0049 lsl r1, r1, #0x1
- Translate $fa to decimal (gives 250), then go back to worpad, and
search "mov r1, #250".
- You'll find :
0802B2EE mov r1, #250
0802C630 mov r1, #250
0802CDD4 mov r1, #250
- As you can see, we already know for the second line (0802c630). So the
place where the game checks
that you have enought blue orb must be either near 0802b2ee, or 0802cdd4.
*If you use Winhex!
- Open the rom file in winhex.
- Search this hex value : "00CB0202" (= 0202CB00 reverted). You'll find
nothing :(... That's
not a big deal.
- Look back in VBASDL dos window. Scroll up, until you see that R01
value is different to 000001f4,
and look the line just above.
- You'll see that :
0802c630 21fa mov r1, #0xfa
0802c632 0049 lsl r1, r1, #0x1
- Take the 21fa and the 0049, and write them like this : fa214900. Seach
this number in winhex.
- You'll find one at 2B2EE, one at 2C630 and one at 2CDD4. Add 08000000
to these numbers to convert them into addresses. That gives :
0802B2EE
0802C630
0802CDD4
- As you can see, we already know for the second line (0802c630). So the
place where the game checks that you have enought blue orb must be either near 0802b2ee, or
0802cdd4.
- Go back to VBASDL. Quit the game (press esc if you are in the game, or type
"q" then "y" in the dos window).
- Reload the game and the save state, use the blue orb power (so you have none
left), press F11,
then type "bt 0802b2ee", "bt 0802C630", "bt 0802cdd4", then "c".
- Use the blue orb power : then game will freeze, and you'll be at address
0802b2ee. As you don't have any
blue orb power left, that means we found the place where the game will check
if you have one left...
- Press "n" 5 times. You'll see that :
0802B2EE 21fa mov r1, #0xfa
0802B2F0 lsl r1, r1, #0x01
0802B2F2 add r0, r4, r1
0802B2F4 ldr r0, [r0,#0x0]
0802B2F6 cmp r0,#0x0
0802B2F8 ble $0802b2fc
- The three 1st lines will "create" the value 0202CFF4 in R0.
- The fourth line load the value that is in the address stored in R0 to R0 (that
mean it'll load the quantity
of blue orb you have to r0).
- The fith line compare this value to 0. And the last line will jump to address
0802b2fc if the result of
the comparison is "less or egal".
- So we have different choices to make the game think you always have the blue
orb :
+ We could change the "ldr r0, [r0, #0x0]" to something like "mov r0, #0x1" or
"mov r0, #0x2".
Then the result of "cmp r0, #0x0" will always be false... The only problem is
that this doesn't let you choose
which power you use...
+ So I'll use a trick. I'll change the instruction that read the blue orb
quantity with an instruction that writes
to the blue orb quantity. And as the content of r0 won't be destroyed by my
instructions, it'll stay "0202CCF4",
and when the game will compare it to 0 (thinking it's the quantity of blue
orb), it'll always find that it is
superior to 0, hence it'll think I always have blue orbs...
The hard part is that you can't do much with only one asm instruction. You can
only use something like "str Rx, [Ry, #0xZZ]".
That means you can't choose the value you will write, and the address where you
want to write HAS to be in in the registers
(and btw in THUMB we can only access registers 0-7 directly!)
Hopefully, this is the case : R0 has the address of the blue orb values.
Now I need to find what value I'm going to write. Let's look at the registers
R0-R7 (the only one we can use) for line 0802D2F4 :
R00=0202ccf4 R04=0202CB00
R01=000001f4 R05=00000000
R02=00000200 R06=00000000
R03=0802e615 R07=0202CBD4
R00 is the address for the bue orb quantity for this level. We'll write there,
but we can't use this as the value we'll write,
because it'll change for every level (we won't have a stable result).
R01 and R04 are "linked" to R00 (R01+R04=R00). So here too, we can't use them
as the value we'll write,
because it'll change for every level (we won't have a stable result).
R03 could be safe (not change with the level). Same thing for R05 and R06.
R07 seems close to R04 (R07=R04+$D4), which means it might change with the
levels, and won't give a stable result.
+ We can use, as data : R03=0802e615, R05=00000000, R06=00000000. R05 and R06
are 0es. If we write 0es to the blue orb
quantity, the game will launch the 1st power. And R03 is &gt;1, so writing this
value to the blue orb quantity will make
then game launch the 2nd power (I discovered this by testing the values).
+ So we'll create 2 instructions :
str r5, [r0, #0x0] (that will write the value of register r5 at address r0+#0x0)
and
str r3, [r0, #0x0] (that will write the value of register r3 at address r0+#0x0)
+ Lets look at the GBA tech documents. Click on Click on "THUMB Instruction
Set", then click on
"THUMB.9: load/store with immediate offset". You'll find that :
Opcode Format
Bit Expl.
15-13 Must be 011b for this type of instructions
12-11 Opcode (0-3)
0: STR Rd,[Rb,#nn] ;store 32bit data WORD[Rb+nn] = Rd
1: LDR Rd,[Rb,#nn] ;load 32bit data Rd = WORD[Rb+nn]
2: STRB Rd,[Rb,#nn] ;store 8bit data BYTE[Rb+nn] = Rd
3: LDRB Rd,[Rb,#nn] ;load 8bit data Rd = BYTE[Rb+nn]
10-6 nn - Unsigned Offset (0-31 for BYTE, 0-124 for WORD)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
Return: No flags affected, data loaded either into Rd or into memory.
Execution Time: 1S+1N+1I for LDR, or 2N for STR
+ We need to use the 1st opcode, "0: STR Rd,[Rb,#nn] ;store 32bit data
WORD[Rb+nn] = Rd"
+ Open the 1 windows calculator, and click on "bin".
15-13 Must be 011b for this type of instructions
-&gt; Type "011" (calculator will show "11")
12-11 Opcode (0-3)
0: STR Rd,[Rb,#nn] ;store 32bit data WORD[Rb+nn] = Rd
-&gt; Type "00" (calculator will show "100")
10-6 nn - Unsigned Offset (0-31 for BYTE, 0-124 for WORD)
-&gt; Type "00000" (calculator will show "11000000")
5-3 Rb - Base Register (R0..R7)
-&gt; R00 is the base register : type "000" (calculator will show "11000000000")
2-0 Rd - Source/Destination Register (R0..R7)
-&gt; R05 will be the source register. 5 is 101 in binary, so type in "101"
(calculator will show "11000000000101")
+ Now click on the "HEX" button, and the calculator will show "6005". This is
the hex value of the instruction :
str r5, [r0, #0x0]
+ Redo these steps to create the second instruction, but at the end enter "011"
for R03.
The hex value will be "6003", which is the hex value for :
str r3, [r0, #0x0]
Now you just have to create the V1/2 raw codes using the address 0802d2f4 and
these values 6005 and 6003.
1st code :
6401597a 00006005
2nd code :
6401597a 00006003
We could also use a joker code to select which power to use. In GBA, all the key
events are stored
at address $04000130.
Go back to VBA (normal), open the memory editor, select 16 bits, and go to the
address 04000130.
Check the "Automatic Update" box.
The first number will be 03FF.
Now press start. The number will change to 03F7.
Let go start, and press select. The number will change to 03FB.
That means we can create our codes that way :
D4000130 000003F7 ( = "If the value at 04000130 if equal to the 03F7 (= start
button pressed), execute the next code")
6401597a 00006005
D4000130 000003FB ( = "If the value at 04000130 if equal to the 03FB (= start
button pressed), execute the next code")
6401597a 00006003
Here is the V3 version of it (it's working, I tested it myself!) :
4A400130 000003F7
00000000 1801597A
00006005 00000000
4A400130 000003FB
00000000 1801597A
00006003 00000000
<b>Explanations on Type 6 ('rom patching') Codes</b>
Start the game, and press L : nothing will happen, because you don't have blue
orbs.
Now press Start (twice to exit the menu). The code 6401597a 00006005 will be
executed.
Press L : Iron Man will always use his 1st power.
Here is how it works :
The code will make the AR write the values 0401597a and 6005 at the special
place in the action replay.
I'll call this place the 'rom patching register'.
Then a special chip, called the 'FPGA' (thanks to Parasyte for the info), will
"patch"
the address 0802b2f4 (=2*0401597a) with the value 6005.
That will replace the instruction 'ldr r0, [r0,#0x0]' with 'str r5, [r0, #0x0]'.
Now the trick with the Type 6 codes (or rom patch codes) if that they are always
active,
until another code "erase" them (change the value of the 'rom patching
register').
That's why if you press Select, then L, Iron Man will always use his 2nd power.
Because the code 6401597a 00006003 will write the values 0401597a and 6003 to
the 'rom patching register'.
It'll replace the old '6005'. That means that now the 'FPGA" patches the address
0802b2f4 wirh the value '6003'
That will replace the instruction 'ldr r0, [r0,#0x0]' with 'str r3, [r0, #0x0]'.
One of the conclusion of this last explanation is that Type 6 codes are really
unlike the other one.
They need to be excuted only ONCE to be active until something changes the value
of the 'rom patch register'.
Finally, here is something even better (only for v3) :
1st set of codes:
48400131 00000003
(insert your invincibility
code, raw v3, here)
2nd set of codes:
4A400130 000001FF
00000000 1801597A
00006003 00000000
3rd set of codes:
4A400130 000001BF
00000000 1801597A
00006005 00000000
Here is what will happen during the game :
1st set of codes:
If the 8 bits value at address 04000131 if egal to 03 (= if you don't press L or
R),
the invincibility code will be enable.
2nd set of codes:
If the 16 bits value at address 04000130 if egal to 1FF (= if you press L),
Iron Man will use its 2nd power.
3rd set of codes:
If the 16 bits value at address 04000130 if egal to 1BF (= if you press Up and
L),
Iron Man will use its 1st power.
I know this is a bit useless on a 'real AR V3', that should handle multiple rom
patching codes.
But on an AR2 upgraded to AR3, that can not handle multiple rom patching codes,
it can be really
useful.
Finally, it's kinda hard to make this exact codes for AR2, because AR2 doesn't
handle the
'If the 8bits value...' type of code. Only the 16bits value.
So to make a code that is activated if you don't press L or R, you'll have to do
a lot of codes,
like that :
D4000130 00003FF (if no button are pressed)
(invincibility code)
D4000130 00003EF (if only Right is pressed)
(invincibility code)
D4000130 00003DF (if only Left is Pressed)
(invincibility code)
...
That means you have to write one set of code for every key combinaison you want
the invicibility
to be active... Usually, that means : no button, Up, Down, Left, Right, A, B.
But you could also create code for Up+A, Down+A, Left+A, Right+A, Up+B, Down+B,
Left+B, Right+B...
For this exemple, you could have to write 30 lines of codes to have the desire
effect.
And you could also want to write codes for Up+Right, Down+Right... Or
Up+Right+A... !
That could make up to 64*2 lines of codes, for something that is handled in 3
lines with the AR3 !
It's really stupid... So AR V3 rules ! :)
note:
BTW for assistance in making activator codes, the value of the GBA buttons are this:
at address 04000130, just remember to replace the first zero with D, that is D40000130.
So for an activator calling A D40000130 000003FE. Here are the other values.
Button A - 03FE
Button B - 03FD
Button L - 01FF
Button R - 02FF
Start - 03F7
Select - 03FB
Up - 03BF
Down - 03EF
Left - 03DF
Right - 037F
No buttons pressed - 03FF
All buttons pressed - 0000
For other combos just use the normal VBA. Load VBA, load any game, halt game, open mem viewer,
goto address 04000130 at 16 bits, choose auto update, then start pressing buttons
and hold and watch the value change.
<b>ASM GBA Hacking - Example #2 - Invincibility</b>
Using Break Point Read (bpr) to find Invincibility (from IronMan GBA level 1)
We will assume the reader has a basic knowledge of hacking health codes in the
normal code generator of VBA.
We will also assume we have found the code for infinite health for level 1 which
is 020200ed 00000064. We will also assume the reader has already saved a slot
for level 1 for ease on hacking the code at hand. (The reader will be required
to reset the game in the normal VBA several times in the exercise to follow.)
Now it is told to the reader to take on faith that using a break on read is
easier to find than a break on write. It is also to be made clear that a study
of ASM thumb calls is mandatory to understand to get anywhere in using SDL VBA
as a tool in hacking codes. This study is not done overnight but will be an
ongoing journey which if done with dedication will
reward the reader with the ability to hack some very cool codes.
The goal here is to find an address that will "kill" the call of IronMan losing
health and replace it with
an address that will trick the game into thinking nothing is happening to
IronMan and hence becoming
invincible. The reader is to understand that he will need to have both the SDL
and normal versions of VBA on hand and will use both programs to hack the code shown.
To begin we drag the IronMan rom over to the SDLk.exe file. This will
start the SDL VBA graphics screen and the Dos Window that will be used
to type commands and view call results. A special adaptation that must be used
in this example is <a href="http://www.gscentral.com/~macrox/Dev_SDL/devSDL/VBASDLk.rar">SDL VBA 1.4.1 with bpr support</a>. The authors will not
support the reader in obtaining the rom and leave the reader to his own devices
for doing so.
Next we enter the 1st level of the game...
So load the game, enter the 1st level, and press F11 to enter the debugger.
Now we type bpr 020200ed 1 (this is the address where the health is stored, and
the health takes one byte.
Now type c and resume the game. Now let IronMan take a hit.
The game will freeze and yield the following info
in the Dos Window of SDL VBA. "080399da 9200 str r2, [sp, #0x0]"
which is called when IM is hit. (IM = IronMan)
Next open the normal VBA program now. Do not close the SDK VBA.
Then open the dis-assembler on the tool bar and go to address "080399da", and
check the thumb button.
This address is the same we found when called in SDL VBA when IM got hit.
Leave the debugger window open.
Now also open the memory editor of vba (normal), select 16 bits and go to
"080399da" address too.
Now look at the dis-assembler of the normal vba, and scroll up one line
you see "Ldr r2, [r4, #0x0]".
That's where the break on read happened.
And that's where the game loads your life from memory.
Now look back at SDL VBA, after the break on read
you see r0=0, r1=03007c90, r2=00006400 (= your life), r3=0, r4=020200ec
(= address where the life is stored in memory),
r5=02020ff4...
What we'll try to do is to make the program not load your life value as it would
normally and replace it with another value. The way we'll do this is to take the
value in r4, and put it in r2.
Value in r4 is the address where your life is stored, and will always be a "big
number", so it should make you invincible.
So go back to the memory editor of normal vba, go to address 080399d8, and
change the value to 1c22. This is the same as "mov (r2, r4)", which means it'll
put the value of r4 in register r2 (instead of loading IM HP to r2).
Once it's done, play a bit of the game in vba normal...at this point you will
observe that both IM and the enemy are invincible. The code is working, but not
the way we want. That's because at this address, the choice between "enemy HP"
and "IM HP" has already be done, and the game is just executing a "script" that
remove the damages to the HP. So we need to go "back" to find the place
where the choice between "enemy is hit" and "IM is hit" is done (and we'll try
to make the game never choose "IM is hit").
Go back to SDL VBA, and type "last", now type "c", and get hit again you'll see
a lot of registers now.
Look at the first R15 = 08000838
R15 is VERY important. It'll ALWAYS is the address of the VERY NEXT INSTRUCTION
that will be executed. When you know R15, you know the address you are at.
So before going to 080399da, the game was something near 08000838 (I say
somewhere near because the "last" call is a bit buggy. it doesn't give the
real r15, but a value close to it).
So look at address 08000838 in the dis-assembler of normal vba.
Scroll a bit up until you find a "bl", a "bx" or a "mov pc, ..." and you'll see...
"bl $080399c8".
Ok, that's where the program jumps to 080399c8, which is near the place where
the break on read happened.
Now scroll up in vba dis-assembler, until you see a "bl ..", a "bx .."
or a "mov pc, ...".
that will be "0800820 bl $08049880"
now look at the instructions between the 2 bl's
(between 08000820 and 08000832), and find any "cmp".
You'll see "0800082a cmp r6, #0x0", and after that "0800082c beq $08000830".
That means that the game will compare the value of R6 and 0. And if they are equal,
it'll jump to the address 0800082c.
Now open the memory editor of vba normal, go to the address 0800082c (the
address of the beq), and change the value to d100, also reset the game and
reload level 1 save. This will change the "beq" (= if equal) to
"bne" (= if not equal)).
So once you've changed the value to d100, play a bit the game, and see what
happens. You'll see that neither you nor the enemies are invincible... This is
not a good choice to set the code we want. Go back to vba dis-assembler,
and go back to address 08000820 (the 2nd bl we found).
So do the same thing as before from 08000820, scroll up until you
find a "bl ..." (or a "bx ...", or a "mov pc, ..."), then scroll down until
you find a "cmp".
You will see a "cmp" at 0800080c
and under if, at 0800080e, you'll see "beq ...".
So go back to the memory editor, go to address 0800080e, and change
"d0.." to "d1.."
Remember to reset the game and then reload level 1. Now play the game and
observe that IM is now invincible but the enemies die. This is what we had
set out to do!
Although the reader would expect the hack is done and the code determined we
must advise that we are "almost there"<22>
Because changing d0 to d1 isn't good enough. It only "inverts" the condition
("if equal" becomes "if not equal"). It could seem good, but it may create some
bugs (for example, if an enemy was hit, IM could loose its HP). I know it's not
the case, but you never know what can happen. We need to create something that
is "always true", so chances of bug will be 0%. That's what we'll do in the
following lines.
To be 100% sure the code is working, we'll do it another way.
above the "beq", you see :
lsl r0, r0, 18
then
cmp r0, #0x0"
what we want, is either the cmp r0, #0x0 to be always true, or to be always
wrong (we don't know that yet), so that the "beq" (=if equal) always
(or never) executes.
"lsl r0, r0, #0x18" is not an important operation. It'll shit the value of
r0 #0x18 bits to the left (00000001 becomes 01000000). That mean we can edit
it to create our code.
We'll start to change the "lsl r0, r0, #0x18" with "mov r0, #0x0" (we do that
to make the "cmp r0, #0x0" always true).
So go to address 0800080a in the memory editor, and change 0600 with
2000 (= mov r0, #0x0).
Note about creating a simple MOV code :
2 0 00 : 2 = MOV ; 1st 0 is the destination register (0 to 7);
2nd and 3rd zeroes are the values (0 to FF).
So 25FF is "mov r5, #0xff"
2365 = "mov r3, #0x65"
and 2000 = "mov r0, #0x0"
-Reset the game and reload level 1.
It should make you invincible, and only the enemies will die.
So we have your code : put 2000 at address 0800080a
And the "raw rom patch code" is :
0800080a 00002000
Question : why do we have to go up some lines in the dissassembler?
Answer : because, as you saw, the very first code we found
(with the break on read) makes the player and the enemies invincible.
That means, the choice between enemies HP and player HP is made before
this place So we have to backtrack from the place the break on read happened.
That's why we kept going up in the addresses but the search down the chain
is the same.
So the rule is to repeat the search inspection as noted until we find a stable
address to do exactly what we wanted in the first place. The reader might be
thinking that this is a lot of work. The motivation for using. This method is
simple. You see, in IronMan the health code changes in address from level to level.
This means you would have to hack a unique code for each level.
Tedious at best and boring at worst in actually using the codes to play the game.
The ASM method gets to the heart of the problem by finding the address that holds
the true call on IronMan health and this one code is good for all levels.
The added plus is that IronMan is more than with inf. health...the code make him invincible.
That is, HP never decrease!
We hope these 2 examples serve as a beginning for the reader to explore further
the endless possibilities and power of ASM hacking for GBA and indeed in
any ASM hacking process for any platform.
<b><i><u><a name="gameboy_30_hacking">G) Hacking with the ProAction Replay/GameShark PRO 3.0 for Game Boy
-submitted by Curly8od</a></u></i></b>
How To Hack For Action Replay Pro For Gameboy
Table of Contents
Inf Lives 1
Inf Ammo 2
Inf Money 3
Have an Item 4
Walk through walls 5
Capture The Pokemon You Want 6
All Weapons 7
Bullet Mod 8
Character Mod 9
Cut Scene Mod 10
Activate In Game Cheats 11
Text Mod 12
Some F.A.Q 13
Updates Since version 1.2
Added How To Hack Character mod,Cut Scene Mod And Activate In Game Cheats
Added another question in the F.A.Q
1.
Inf Lives
Step 1:Start the game and as soon as you can move press the button on
top of the action replay
Step 2:Select code gen
Step 3:In code gen select start generator
Step 4:Start the game and lose a life
Step 5:Press the button on the action replay. Go to code gen and select
less and a number will appear at the bottom
Step 6:Do step 1 again then select code gen
Step 7:Select greater than a number with maybe letters will appear.
They mean: 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8 9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15
Step 8:Keep on doing steps 4-7 until you get 10 or less
Step 9:Go to view cheats and write down the number of codes you got
closest to ten
Step 10:Try the codes
2.
Inf Ammo
Step 1:Start the game and as soon as you can move press the button on
top of the action replay
Step 2:Select code gen
Step 3:In code gen select start generator
Step 4:Start the game and use some ammo
Step 5:Press the button on the action replay. Go to code gen and select
less and a number will
appear at the bottom
Step 6:Do step 1 again then select code gen
Step 7:Select greater than a number with maybe letters will appear.
They mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8 9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15
Step 9:Go to view cheats and write down the number of codes you got
closest to ten
Step 10:Try the codes
3.
Inf Money
Step 1:Start the game and as soon as you can move press the button on
top of the action replay
Step 2:Select code gen
Step 3:In code gen select start generator
Step 4:Start the game and spend some money
Step 5:Press the button on the action replay go to code gen and select
less and a number will
appear at the bottom
Step 6:Do step 1 again then select code gen
Step 7:Select greater than a number with maybe letters will appear.
They mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8 9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15
Step 9:Go to view cheats and write down the number of codes you got
Closest to ten
Step 10:Try the codes
4.
Have An Item
Step 1:Start the game and as soon as you can move press the button on
top of the action replay
Step 2:Select code gen
Step 3:In code gen select start generator
Step 4:Start the game and as soon as you can move press the button on
top of the action replay
and go to code gen and select less and some numbers will apear
Step 5:Then start the game again and get the item that you want then
press the button on the
action replay
Step 6:Go in to code gen and select greater than. go to view cheats and
write down 15 codes
Step 7:Try the codes you wrote down
5.
Walk Through Walls
Step 1:Start the game and as soon as you can move press the button on
top of the action replay
Step 2:Select code gen
Step 3:in code gen select start generator
Step 4:Start the game and move one step then press the button on the
top of the action replay
Step 5:Select less then a number with maybe letters will appear. They
Mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8 9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15
Step 6:Keep on doing steps 4-5 until 10 codes or less are found
Step 7:Go to view cheats and write down how many codes were found
Step 8:Try the codes
6.
Capture The Pokemon You Want
Step 1:Start the game and as soon as you can move press the button on
top of the action replay
Step 2:Select code gen
Step 3:In code gen select start generator
Step 4:Start the game and get in a wild battle with the pokemon you
want then press the button on top of the action replay
Step 5:Go to code gen and select less then a number with maybe letters
will appear thy mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8 9=9 0=0 a=10 b=11 c=12 d=13
e=14 f=15
Step 6:Keep on doing steps 4-5 till you get about 10 codes found
Step 7:Go to view cheats and write down how many codes were found
Step 8:Try the codes
7.
All Weapons
Step 1:Start the game and get a weapon then press the button on top of
the action replay
Step 2:Then go to code gen and select start gen then start the game
again and get a different
weapon
Step 3:Press the button on the action replay and go to code gen and
select different
Step 4:Start the game again and get the same weapon as last
Step 5:Then press the button on the action replay and select different
and numbers with maybe letters will appear they mean
1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8 9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15
Step 6:Keep on doing steps 4-5 until around ten codes are found
Step 7:Then view cheats and write down how many codes were found
Step 8:Try the codes you wrote down!
8.
Bullet Mod
Step 1:Start the game and as soon as you can move press the button on
top of the action replay.
Step 2:Select code gen.
Step 3:In code gen select start generator.
Step 4:Start the game again and get a gun and fire it then press the
button on the top of the action replay.
Step 5:Go to code gen and select different.
Step 6:Start the game again and get a different weapon then fire some
bullets the press the button
on the top of the action replay and go to code gen and select different
and some numbers maybe letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7
8=8 9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 7:Keep on doing steps 4-6 till around ten codes are found.
Step 8:Go to view cheats and write down how many codes where found.
Step 9:Try the codes!.
9.
Character Mod
Step 1:Start the game and as soon as you can move press the button on
top of the action replay.
Step 2:Select code gen.
Step 3:In code gen select start generator.
Step 4:Start the game again and change charcter and press the button on
the top of the action replay
and go to code gen
Step 5:Select same and some numbers maybe
letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 6:Start the game and chose a different character then press the
button on the action replay
and go to code gen
Step 7:Select different and some numbers maybe
letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 8:Keep on doing steps 4-7 until around 10 or less codes are found
Step 9:Go to veiw cheats and write down how many codes where found
Step 10:Try the codes!
10.
Cut Scene Mod
Step 1:Start the game and as soon as you can move press the button on
top of the action replay.
Step 2:Select code gen.
Step 3:In code gen select start generator.
Step 4:get in to a cut scene and then press the button on top of the
action replay and go to code
gen and select different. Some numbers maybe
letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 5:Play the same cut scene and press the button on the top of the
action replay. Go to code gen
and select Equal. Some numbers maybe
letters will appear thay mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 6:Dont play a cut scene and press the button on the top of the
action replay. Go to code gen
and select different. Some numbers maybe
letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 7:Keep on doing steps 4-6 until around 10 codes are found.
Step 8:go to view cheats and write down how many codes where found.
Step 9:Try the codes!
11.
Activate In Game Cheats
Step 1:Start the game and as soon as you can move press the button on
top of the action replay.
Step 2:Select code gen.
Step 3:In code gen select start generator.
Step 4:start the game again and put a code on and press the button on
the action replay. Go to
code gen and select greater. Some numbers maybe
letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 5:start the game again and don't put a code on then press the
button on the top of the
action replay and go to code gen and select less and Some numbers maybe
letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 6:Keep on doing steps 4-5 until around 10 codes are found.
Step 7:Go to view cheats and write down how many codes where found.
Step 8:Try the codes!
12.
Text Mod
Step 1:Start the game and as soon as you can move press the button on
top of the action replay.
Step 2:Select code gen.
Step 3:In code gen select start generator.
Step 4:Start the game again and talk to some one then talk to someone
different and press the button on the top of the action replay
Step 5:Go to code gen and select different and some numbers maybe
letters will appear they mean 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8
9=9 0=0 a=10 b=11 c=12 d=13 e=14 f=15.
Step 6:Keep on doing steps 4-5 untill you have 10 or less codes!
Step 7:Try the codes!
13.
Some F.A.Q
Q. What Dose A Bullet Mod Do
A. Changes The Type Of Bullets Like If I Had A Shotgun And I Wanted It
To Shoot Pistol Bullets.
Q. Where Do I Find The Numbers And maybe Letters.
A. At The Bottom Of The Screen In Code Gen Your Action Replay Will
Freeze While You Press The Button And Then Numbers With Maybe Letters Will Appear
At The Bottom.
Q. What do the numbers and maybe letters tell you?
A. How many codes where found.
Credits: Omegakid,Pichu
Written by Aaron
Nickname curly8od
Email <a href="mailto:aaronjod@hotmail.com">aaronjod@hotmail.com</a>
Version 1.3
Official site <a href="http://www9.50megs.com/curly8od">www9.50megs.com\curly8od
</a>
------------------------------------------------------------------------
<b><i><u><a name="code_porter">F) Online code porter</a></u></i></b>
You can convert a code from one version of the game by knowing the
difference in offsets one version of a game has from another version. Please
see the FAQ section for more info on how to do this. GSCentral has an
automatic code porter that the reader is welcome to try. The authors would
like to thank Crocc for permission to use the code porter found at GSCentral
<a href="http://www.gscentral.com/port.pl">www.gscentral.com/port.pl</a>
<hr width="800">
<center><b><font size="+1"><a name="section_3">Section 3 : Reference</a></font></b></center>
<hr width="800">
-----------------------------------------------
<b><i><font size="+1"><a name="downloads">XIII) Downloads</a></font></i></b>
-----------------------------------------------
<table border="1" cellpadding="7" cellspacing="2" width="700">
<tbody><tr><td style="text-align: center;"><b>Name</b></td><td style="text-align: center;"><b>Description</b></td><td style="text-align: center;"><b>Author</b></td></tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/gscc2k2.zip">GSCC2k2</a></td>
<td>Game Software Code Creator 2002 supports both N64 and PSX Gameshark Pro, older PSX GS versions, and Caetla. Has tons of options including Breakpoints (N64).</td>
<td>CodeMaster</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/FloatConvert.zip">Float Convert</a></td>
<td>Used for converting 32-Bit hex values to IEEE-754 Floating Point and vice versa.</td>
<td>???</td>
</tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/unpatcher.zip">Patch Code Unpatcher v1.1</a></td>
<td>Expands N64/PSX Patch ('50') codes.</td>
<td>Viper187</td>
</tr>
<tr><td colspan="3" style="text-align: center;"><b>Gameboy/Gameboy Advance
Utilities</b></td></tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/ARCrypt%20Final%202_2.rar">ARCrypt Final 2_2</a></td>
<td>Gameboy Advance Gameshark &amp; AR code encryptor/decryptor</td>
<td>Kenobi &amp; Parasyte</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/CBAcrypt.exe">CBA
Crypt</a></td>
<td>Gameboy Advance Codebreaker code encryptor/decryptor</td>
<td>Parasyte</td>
</tr>
<tr><td colspan="3" style="text-align: center;"><b>Gamecube Utilities</b></td></tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/GCNcrypt-1_2.zip">GCN Crypt v1.2</a></td>
<td>Encrypt/Decrypt Gamecube Action Replay Codes!</td>
<td>Parasyte</td>
</tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/cthelper.zip">GCN AR Code Type Helper</a></td>
<td>Puts codes into proper decrypted AR format for you.</td>
<td>Parasyte</td>
</tr>
<tr><td colspan="3" style="text-align: center;"><b>Playstation 2 Utilities</b></td></tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/ps2dis099_23.zip">PS2DIS 0.99</a></td>
<td>PS2 Disassembler, used for finding codes via SLUS files</td>
<td>Hanimar</td>
</tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/ps2_code_decoder-beta2.zip">PS2 Code Decoder - Beta 2</a></td>
<td>Code Encryptor/Decryptor</td>
<td>iN tHE mIND</td>
</tr>
<tr>
<td><a href="http://viper.shadowflareindustries.com/lib/downloads/MAXcrypt_v1_0.zip">MAXcrypt v1.0</a></td>
<td>Encrypts/decrypts Action Replay MAX codes</td>
<td>Parasyte</td>
</tr>
<tr><td colspan="3" style="text-align: center;"><b>N64 Utilities</b></td></tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/n64_hack_utilities3_2.exe">Official N64 Hack Utilities 3.2</a></td>
<td>The official PC tools for GS Pro 3.2</td>
<td>Datel</td>
</tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/n64gameshark_pro_v3_3.zip">Official N64 Hack Utilities 3.3</a></td>
<td>The official PC tools for GS Pro 3.3</td>
<td>Datel</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/Patch_N64_Utils.exe">N64 Utils Patch</a></td>
<td>N64 Utils patch that allows dumping ROM.</td>
<td>???</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/phantomcompare.zip">RAM Compare v1.2</a></td>
<td>DOS app for comparing RAM dumps that you can get from certain N64 emulators.</td>
<td>The Phantom</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/phantombyteswap.zip">Byteswap v1.0</a></td>
<td>Can convert Project64 save state files to regular RAM dumps. They must be .pj (uncompressed) save states!</td>
<td>The Phantom</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/VTRCompare.zip">VTR Compare 0.99 Beta</a></td>
<td>Viper's Text Ram Comparer uses text format RAM dumps from Nemu64 for searching comparisons. This baby has options even GSCC2k2 doesn't :)</td>
<td>Viper187</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/ram2text.zip">RAM 2 Text v1.0</a></td>
<td>Converts normal RAM dumps to text format for use with VTR Compare.</td>
<td>Viper187</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/cheater64.zip">Cheater64 v2.1</a></td>
<td>This is about the best comparer for hacking N64 with emulators thus far. It supports RAM dumps and PJ64 save states.</td>
<td>Viper187</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/niew.zip">Niew</a></td>
<td>Assembler/Disassembler (DOS) typicly used for ASM hacking - COP1 instructions aren't supported.</td>
<td>Titanik</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/LemAsm.zip">LemAsm</a></td>
<td>Assembler/Disassembler - Windows - supports COP1 Instructions</td>
<td>Lemmy</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/n64ops.zip">R3400i Documentation</a></td>
<td>Wanna learn N64 Assembly language?</td>
<td>N/A</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/xpl64.exe">Xploder64</a></td>
<td>Official upgrade/codelist Utils for Xploder64</td>
<td>Fire International</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/GSProN64Crypt.zip">GSProN64Crypt</a></td>
<td>A program that can decompress the .enc (GS ROM) file included with the official utils.</td>
<td>CodeMaster</td>
</tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/ge007ttcalc.zip">Goldeneye 007 Target Time Calc v1.0</a></td>
<td>Use to calculate values for Wreck7's 'target time modifiers' on Goldeneye.</td>
<td>Viper187</td>
</tr>
<tr>
<td><a href="http://www.nemu.com/">Nemu</a></td>
<td>Nintendo 64 emulator</td>
<td>nemu</td>
</tr><tr>
</tr><tr>
<td><a href="http://viper.shadowflareindustries.com/lib/downloads/nemu64ini.rar">Nemu INI (Alternate)</a></td>
<td>Unofficial INI file for Nemu</td>
<td>???</td>
</tr><tr>
<td><a href="http://www.pj64.net/">PJ64</a></td>
<td>Nintendo 64 emulator</td>
<td>PJ64</td>
</tr>
<tr><td colspan="3" style="text-align: center;"><b>PSX Utilities</b></td></tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/psx_hack_utilv320.exe">Official PSX GS Pro Hack Utilities v3.20</a></td>
<td>The official utils from Datel for use with GS Pro v3.20 or upgrading from 3.0</td>
<td>Datel</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/cdxutils.zip">Official PSX CDX Hack Utilities v3.20</a></td>
<td>The official utils from Datel for use with GS CDX</td>
<td>Datel</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/XplorerButtonCalc13.zip">Xplorer Button Value Calculator v1.3</a></td>
<td>Calculates button values for Xplorer Joker Codes</td>
<td>???</td>
</tr><tr>
<td><a href="http://www.gscentral.com/lib/downloads/caetla.zip">Caetla</a></td>
<td>An <i>unofficial</i> cheat rom for flashing to older cheat device hardware. PC Comms Link required.</td>
<td>???</td>
</tr>
<tr>
<td><a href="http://www.gscentral.com/lib/downloads/undatel3.zip">Undatel 3</a></td>
<td>A program that can decompress the .enc (GS ROM) file included with the official utils.</td>
<td>???</td></tr>
<tr><td colspan="3" style="text-align: center;"><b>Sega Dreamcast Utilities</b></td></tr>
<tr><td><a href="http://www.gscentral.com/lib/downloads/DCCrypt.zip">DCCrypt</a></td>
<td>Encrypt/Decrypt Dreamcast GS codes</td>
<td>Parasyte</td>
</tr>
</tbody></table>
-----------------------------------------------
<b><i><font size="+1"><a name="gameshark_gameshark_pro_faq">XIV) GameShark / GameShark Pro FAQ</a></font></i></b>
-----------------------------------------------
Many parts of this text originally appeared on GS Central.
Revised 11-11-00
Quick Links:
<ul><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_gs">What is Gameshark?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_gs_pro">What is Gameshark Pro?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_gs_lite">What is Gameshark Lite?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gs_pro_psx">Gameshark Pro for PSX</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gs_pro_n64">Gameshark Pro for N64</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_gs_gb">Gameshark for Gameboy</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_gs_cdx">Gameshark Pro CDX for PSX and Dreamcast</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_cb">What is a Code Breaker?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_xp">What is an Xploder/Xplorer?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whats_different">What are the differences between the Game Genie, GameShark,
GameShark Pro &amp; Pro Action Replay?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#nintendo">Are these products authorized by Nintendo?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#get_gs">Where can I get a GameShark? GameShark PRO? GameShark PRO CDX?
Code Breaker? Xploder?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#now_what">I have a GameShark or GameShark Pro, now what do I do?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#fried_shark">Help! My GameShark or GameShark Pro isn't working now!</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_led">What is the LED Indicator?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#keycodes">What are KeyCodes?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_gsbutton">What's the GS Button?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#add_codes">How do I add new codes?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#make_codes">Can I make codes?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#XXX">What do these 'XXX' and so on represent?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_memcard">What is a Memory Card Manager?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_smartcard">What is a SmartCard/Port?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#new_shark">How can I get a GameShark / newer GameShark?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_sharklink">What is the difference between the GameShark Pro and the Shark Link Trainer?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_n64pc">What is required to connect my PC and Game Shark PRO for N64?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#n64_reflash">REFLASHING the BIOS of a defective N64 GameShark</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#gb_reflash">REFLASHING the BIOS of a defective Gameboy 3.0 GameShark</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_gscc2k2">What is GSCC2k2?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#non_working_codes">A code doesn't work for me for the other levels, what can I do?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#tough_games">What games are easy or difficult to hack with a GameShark?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#theory">Have there been any theories made for hacking with a GameShark?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#whatis_porting">What does the term "Porting Codes" mean?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#versions">How can I tell what version I have of a game?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#jap_games">Does the GameShark support Japanese games?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#play_jap">Can I play Japanese games on the GameShark?</a>
</li><li><a href="https://macrox.gshi.org/The%20Hacking%20Text.htm#game_copying">What are the Z64 and V64?</a>
</li></ul>
<a name="whatis_gs"></a>
<b><i><u>What is a GameShark?</u></i></b>
A GameShark is a cheating and game enhancement device made by Datel.
Interact was a North American distributor for Datel. Interact is now a
memory and MadCatz owns the Gameshark(tm). It is similar to the device
called a Game Genie made by Galoob Toys, that were made for the NES, SNES,
Genesis, and Game Boy systems several years ago. It can be used to cheat in
any game, e.g. allows players to do anything from being invincible to having
infinite lives to having unlimited amounts of money. The GameShark can also be
used to do some cool tricks, such as alter the color of objects such as your
gun in GoldenEye 007, or even give you all of the weapons listed under the
"All Guns" cheat which would normally be unavailable in Multi-Player!
Codes of this nature although are not cheating the game can be worth while
as they make the game more fun and allow the player to actually, temporarily
alter the game and in effect make different variation of the game as
originally created. The first thing that you learn about the GameShark
is that it can open many interesting possibilities with games.
It is also called a Pro Action Replay in the United Kingdom and
GameBuster in Germany.
<a name="whatis_gs_pro"></a>
<b><i><u>What is a GameShark Pro?</u></i></b>
The GameShark Pro is a new device made by InterAct that can do what its'
predecessor the GameShark can do, and also has the capability to allow you
to create your own GameShark codes by using the built in code generator. It
comes with a bonus 'Hack Like A Pro' tutorial video.
<a name="whatis_gs_lite"></a>
<b><i><u>What is a GameShark Lite?</u></i></b>
The GameShark Lite is in essence a GameShark PRO without the PC
connector port. A good example is the GS PRO 3.0. There are some other
differences from the standard GS PRO but these details are not available
at the time this text was being updated.
<a name="gs_pro_psx"></a>
<b><i><u>GameShark Pro for PSX</u></i></b>
Some of the features are:
Built-in Code Generator: allows you to create your own GameShark codes.
Memory Editor: allows you to view the memory of your game and search for
text.
V-Mem: Virtual Memory holds up to 120 blocks worth of game save data.
Explorer: It can play game soundtracks and view hidden Full Motion
Video(FMV) sequences. You can store GameShark codes on a standard
PlayStation Memory Card.
It comes with a bonus 'Hack Like A Pro' tutorial video.
<a name="gs_pro_n64"></a>
<b><i><u>GameShark Pro For N64</u></i></b>
Some of the features:
Built-in Code Generator: allows you to create your own GameShark codes.
Memory Editor: allows you to view the memory of your game and search for
text.
Memory Card Manager: can copy game saves from a memory card or a N64 game
cartridge. You can store GameShark codes on a standard N64 Memory Card.
It comes with a bonus 'Hack Like A Pro' tutorial video.
<a name="whatis_gs_gb"></a>
<b><i><u>GameShark for Game Boy</u></i></b>
Some of the features:
Built in Code Generator: allows you to create your own GameShark codes.
The Code Generator can only search for unknown values, not exact. There
is no memory editor nor text editor. New added codes can be stored only in
version 3.0 and higher (GameShark Pro), older versions do not store new codes.
You must reboot game after every code search with versions 3.0 and less. The
new 4.0 version works in the same manner as its big brother, the N64 GameShark
Pro where you can resume play after you perform searches and therefore no game
reboot is needed. You can also take "snapshot", which is a quick save state, that
can be loaded later, or saved on your computer. This device works with Game
Boy Pocket and Color. This device does not work with the Original Game Boy.
<a name="whatis_gs_cdx"></a>
<b><i><u>GameShark PRO CDX for PSX and Dreamcast</u></i></b>
These devices are similar to the above in that they are cheat devices. They work by
first loading the device by using a boot GameShark CD from which codes can be loaded
prior to loading and running the game. They are somewhat limited as compared to the
GS PRO non CDX versions above as in the case of the GS for Dreamcast as there is as
yet no code generator available.
<a name="whatis_cb"></a>
<b><i><u>What is a Code Breaker?</u></i></b>
A Code Breaker is a cheating/hacking device that is made by Pelican
Accessories for use with Game Boy Pocket and Color. This device
does not work with the Original Game Boy. This device is more complex
than the GameShark in that it has more functions. It has a Code Generator
that searches for unknown and exact values with no rebooting needed,
stores and sorts new codes and game listings, uses Code Breaker and
GameShark format codes, Slow Mo speed select, rumble pack built in,
real time save and restore, ram saves, message writer, word scout to find
passwords in games, memory and text editor, copy and erase game saves,
supports Game Boy Printer and has more robust secure game holder.
<a name="whatis_xp"></a>
<b><i><u>What is an Xploder/Xplorer?</u></i></b>
An XploderXplorer (the name varies by country, is another cheat/hacking
device that is made by Fire International (Blaze USA). The Gameboy version has
very similar properties as the Game Shark such as the exact and unknown code
search generator. The unique property of the Gameboy Xploder is its ability to
alternate between exact and unknown searches. The other plus it has is its
ability to offer several warning as changes are made to its code database. A
blessing for any of us who are too fast with the fingers. It can store 1 real
game save at a time. The Gameboy version has no memory or text editor. The N64
and PSX versions have memory viewers but no memory or text editors. The PSX
version has an available PC utilities program for advanced hacking and is similar
to the Game Shark utilities program. Little wonder both the Game Shark and the
Xploder are the brain child of Wayne Beckett
<a name="whats_different"></a>
<b><i><u>What are the differences between the Game Genie, GameShark, GameShark Pro &amp;
Pro Action Replay?</u></i></b>
The Game Genie was manufactured by Galoob, the GameShark is manufactured
by MadCatz, and the Pro Action Replay is manufactured by Datel. You had to
keep inputting codes into the Game Genie every time you wish to use them and
the number of codes you may input was very limited. Both the Pro Action
Replay, the GameShark and the GameShark Pro have a battery-backup that can
save codes. One major difference between the three device is evident in that
only the GameShark Pro has a code generator that can search for codes in the
games RAM, whereas the others cannot.
<a name="nintendo"></a>
<b><i><u>Are these products authorized by Nintendo?</u></i></b>
The GameShark, GameShark Pro and Pro Action Replay aren't authorized,
endorsed, or supported by Nintendo. Special thanks goes to Avid Gamer for
telling me that Nintendo filed many lawsuits against Galoob trying to
prevent the Game Genie from being marketed in North America. Galoob did win
the court case and did go on to selling the Nintendo version. However, a
interesting fact is that Sega did not oppose the Game Genie, and instead even
gave it a official license.
<a name="get_gs"></a>
<b><i><u>Where can I get a GameShark? GameShark PRO? GameShark PRO CDX? Code
Breaker? Xploder?</u></i></b>
In the U.S. try stores such as Software Etc, Babbages, and Electronics
Boutique and FuncoLand (GameStop). In Canada I've only been able to find them
at Electronics Boutique. Expect to pay about $39.99 to 49.95 U.S., and that
roughly translates to $69.99 Cdn. U.K. gamers can get a Pro Action Replay from
Datel. Check the MadCatz and Pelican web pages for further information:
<a href="http://www.gameshark.com/">http://www.gameshark.com/</a> , <a href="http://www.pelicanacc.com/">http://www.pelicanacc.com/</a> , <a href="http://www.blaze-gear.com/">www.blaze-gear.com/</a>
or <a href="http://www.xploder.net/">http://www.xploder.net/</a>, and <a href="http://www.codejunkies.com/">http://www.codejunkies.com/</a> .
<a name="now_what"></a>
<b><i><u>I have a GameShark or GameShark Pro, now what do I do?</u></i></b>
Place your game cartridge onto the Game Shark's top. You can easily tell
which is the top by noticing if the GameShark sticker on the GameShark is
readable. Then insert your GameShark (that has the cartridge placed onto it)
into your system system and turn the console power on. If you are using a CDX
GameShark, insert the GameShark, select any codes wanted, and choose start game.
It should ask you to insert the game CD, which you should do. After pressing a
button, the game should load.
<a name="fried_shark"></a>
<b><i><u>Help! My GameShark or GameShark Pro isn't working now!</u></i></b>
There are a few reasons why your GameShark didn't work. Either you
didn't follow the procedure listed, or you have a placed a game into your
N64 that requires a Key Code to boot the game. Also you may not have pushed
the GameShark (or cartridge) down far enough for it to fit in snugly. There
is a very slight possibility that your GameShark is defective. Also beware
not to switch the power off and on quickly as the GameShark might freeze on
the title screen, with the LED Indicator displaying an 8 all of the time. If
this should occur, please try the following as it may help reset the
GameShark.
First make sure the console is off. Then remove the GameShark
from the console and then remove the game from the GameShark. Next insert
the game into the GameShark and then the GameShark into the console. Turn
the console power on and the GameShark should again begin its' boot up and
count down. If the GameShark still does not boot try the following:
First make sure the console is off. Then remove the GameShark from the
console and then remove the game from the GameShark. Now gently wipe the
edge connector of both the GameShark and the game cart with a soft cloth to
dissipate any static charge there. Next insert the game into the GameShark
and then the GameShark into the console. Turn the console power on and the
GameShark should again begin its' boot up and count down. If the GameShark
still does not boot it could mean that it is waiting for a game with a
required matching key code to be inserted.
Another thing to try is to again start with the console power off and
with both the shark and game already seated, to pull ever so slightly upward
on the shark to lift it SLIGHTLY from the console pocket. (Sometimes the
console socket is too deep for the shark connector board and this helps
establish the proper seat to get the shark booted.) Try turning the power
on again.
Review your situation and act accordingly. If this is the first time you are
using a new GameShark I would seriously advise returning it to the store
where it was bought for an exchange for a new GameShark.
Another possibility is that you have somehow corrupted the GameShark
BIOS. In this case you can try to reflash (reinstall the BIOS) the GameShark.
You will need access to a working GameShark, you defective GameShark, Shark Link
(PC link cable), Hacking Utilities Software(available on the MadCatz and Datel
websites, and a PC. Next, goto the section below on how to connect the PC and
GameShark up together.
<a name="whatis_led"></a>
<b><i><u>What is the LED Indicator?</u></i></b>
The LED Indicator is merely the number inside the small glass piece on
the front of your GameShark that counts down upon boot-up.
<a name="keycodes"></a>
<b><i><u>What are KeyCodes?</u></i></b>
Certain games such as Diddy Kong Racing, Yoshi's Story, 1080
Snowboarding, F-Zero X and The Legend of Zelda: The Ocarina of Time cannot
be used normally like Mario 64 can with your GameShark. They have chips to
block out illegal copying of the game, and also, unfortunately, prevents the
GameShark from accessing them. You require a version 1.08 of the GameShark
or higher (depending on which game) to use your GameShark with these games.
Games such as The Legend of Zelda: The Ocarina of Time must be used with a
GameShark 2.2 or higher due to the 32 bit write change of it's key code.
There is a new 32-bit input on the key codes in GameShark V2.2+, this new
'block' is the essential instruction code that tells the GameShark, "this
instruction is '80 20 10 00'!" When using any of the "original key codes",
the instruction will be "80 20 10 00". When using the Zelda key code, the
instruction will be "80 19 00 00". Since you cannot change the instruction
code on GS 2.1 and lower, there is no way to add the Zelda key code(on these
GameSharks, the instruction is always '80 20 10 00'). InterAct is used to
replace older GameSharks up to version 2.1 for a 2.21 for free. This late
in the game, though, your only options is to find a newer version for sale
somwhere. Gamestop, EBworld, and Ebay would all be good places to try.
<table border="0" cellpadding="1" cellspacing="0" width="558"><tbody><tr><td colspan="2" height="40" valign="top" width="49%"><p align="center"><font color="#00eeff"><u>KeyCodes:</u></font></p></td></tr></tbody></table>
<b>Gameshark Version 1.08</b>
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest: 4E F8 4D D6 0A B3 D6 0A B8
Yoshi's Story
Cruis'n World
F-Zero X: Unknown
<b>Gameshark Version 1.09</b>
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest: 59 A6 31 F5 13 B3 DA 50 FA
Yoshi's Story
Cruis'n World
F-Zero X: 05 63 14 98 D5 E4 CF CD 1A
<b>Gameshark Version 2.00</b>
Super Mario 64 &amp; Others: 6334 F161 A72C 201C 2E
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest: 50 F2 49 08 7C 07 EE 6C 25
Yoshi's Story
Cruis'n World
F-Zero X: 8D 9A 8C DA F5 F2 B6 07 92
<b>Gameshark Version 2.10</b>
Super Mario 64 &amp; Others: EB 03 0C 2C D2 3A AF C3 CE
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest: 78 69 4F BD AC EF E9 DD 79
Yoshi's Story
Cruis'n World
F-Zero X: 85 A2 B3 44 44 4C F1 C1 E4
<b>Gameshark Version 2.21</b>
Super Mario 64 &amp; Others: 3E 75 22 68 00 99 BE BE F6 - 80 20 10 00
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest
Paper Mario: 2C 48 29 16 D4 3E 90 61 47 - 80 20 10 00
Yoshi's Story
Cruis'n World
F-Zero X: 94 CB D4 8E 52 9A 30 89 E7 - 80 20 10 00
The Legend of Zelda: Ocarina of Time
The Legend of Zelda:Majora's Mask
Perfect Dark
Conkers Bad Fur Day
Jet Force Gemini: 14 A8 3B CA CD F8 11 BE 50 - 80 19 00 00
<b>Gameshark Pro Version 3.0 and 3.1</b>
Super Mario 64 &amp; Others: 70 14 FF AB 1A 91 14 49 B4 - 80 18 00 00
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest
Super Smash Bros.
Paper Mario: 5B E5 5F CE 93 89 D7 11 9F - 80 20 00 00
Yoshi's Story
Cruis'n World
F-Zero X: 33 31 66 BD 04 ED E3 62 DF - 80 20 04 00
The Legend of Zelda: Ocarina of Time
The Legend of Zelda:Majora's Mask
Perfect Dark
Conkers Bad Fur Day
Jet Force Gemini: 56 72 19 E1 9D 62 82 28 C9 - 80 19 00 00
<b>Gameshark Pro Version 3.2</b>
Super Mario 64 &amp; Others: AF FA 90 67 C2 49 22 D0 12 - 80 18 00 00
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest
Super Smash Bros.
Paper Mario: BD B8 AF 1A E9 C2 8B 3B 30 - 80 20 10 00
Yoshi's Story
Cruis'n World
F-Zero X: B6 F4 6A E1 8B 0F C8 AB 67 - 80 20 04 00
The Legend of Zelda: Ocarina of Time
The Legend of Zelda:Majora's Mask
Perfect Dark
Conkers Bad Fur Day
Jet Force Gemini: 85 87 29 C5 3A 85 F7 50 F0 - 80 19 00 00
<b>Gameshark Pro Version 3.3</b>
Super Mario 64 &amp; Others: 8F 89 AB A0 C3 4C 26 10 A4 - 80 18 00 00
Diddy Kong Racing
1080<EFBFBD> Snowboarding
Kobe Bryant In NBA Courtside
Banjo-Kazooie
MLB Featuring Ken Griffey Jr.
Ken Griffey Jr.'s Slugfest
Super Smash Bros.
Paper Mario: 95 AC 21 BE 58 B0 4E F6 A8 80 20 10 00
Yoshi's Story
Cruis'n World
F-Zero X: C4 6F 1B C2 6C 6C 1F 67 1D 80 20 04 00
The Legend of Zelda: Ocarina of Time
The Legend of Zelda:Majora's Mask
Perfect Dark
Conkers Bad Fur Day
Jet Force Gemini: A9 24 53 52 5F 73 77 37 7D 80 19 00 00
----------------------------------------------------
<a name="whatis_gsbutton"></a>
<b><i><u>What's the GS Button?</u></i></b>
It's the button on the front of the GameShark. It is fairly small, and
makes an amusing clicking sound. It is used for one-time only codes, and
injects the code into the RAM only once, instead of having a constant
effect. For Pro Action Replay owners it is called the "PAR button".
<a name="add_codes"></a>
<b><i><u>How do I add new codes?</u></i></b>
Please refer to the owners manual.
<a name="make_codes"></a>
<b><i><u>Can I make codes?</u></i></b>
Yes, you most certainly can! Refer to the "How-to's" above.
<a name="XXX"></a>
<b><i><u>What do these 'XXX' and so on represent?</u></i></b>
You either place your own digits there (for 'XX' or 'XXX') or you have
to insert the coding that represents a certain level for that game. If it is
'XXXX' then it can probably be replaced with some special digits, that
accompany that code. Sometimes it can represent the quantity of the code,
and for the GameShark 0 is the lowest amount, while F is the highest.
<a name="whatis_memcard"></a>
<b><i><u>What is a Memory Card Manager?</u></i></b>
It enables you to view the contents of any memory card up to 1998 blocks
in size. You do need a v2.0 or higher GameShark to have this ability. Follow
the simple instructions to save, load, and copy between memory cards that
are there on your GameShark. You can even copy save games from your game
cartridge onto memory cards.
<a name="whatis_smartcard"></a>
<b><i><u>What is a SmartCard/Port?</u></i></b>
The Smart Card Port is a reader/writer slot at the back of the GameShark
that will be able to read SmartCards when they are available. InterAct says
that in the future the slot will support a range of SmartCards, and will
offer features including special game cheats and memory card support. This
includes Ram, Rom, and Flashy Rom cards. SmartCard are reported to be only
supported in the GameShark for PSX and the GameShark PRO for both the PSX
and N64. This function was discontinued on the 3.2+ version of the N64 GS and
replaced with the 25 pin parallel connector port.
<a name="new_shark"></a>
<b><i><u>How can I get a newer GameShark?</u></i></b>
This late in the game, the only thing you can really do is find a newer
version for sale either online at Gamestop, EBworld, Ebay, etc. or at a
local store that deals in games.
<a name="whatis_sharklink"></a>
<b><i><u>What is the difference between the GameShark Pro and the Shark Link Trainer?</u></i></b>
The devices work on the same principle. The major hardware differences
between them are: The Shark Link Trainer consisted of a PC Comms link board
that was inserted into a ISA slot of your PC for PSX owners and for N64
owners an additional special adapter that was for all intents and purposes a
"stand in game shark". This adapter was essential to use for N64 owners as
the Game Shark for N64 lacks any parallel connector port as in the PSX
version. N64 owners also had to purchase a 4 meg ram expansion pack for
their N64 console and replace the standard jumper that comes with it. This
memory upgrade was also essential as the N64 lacks sufficient memory to
operate the Shark Link alone for storage of found codes and activated codes
during use. Custom written software and drivers were then loaded on the PC
and then used to perform various searches of the game ram to find a varied
assortment of different code addresses depending on what was displayed on
the screen and what codes were active in the program at that moment. In
essence, the user was taking game ram or memory "snapshots" in order to find
what code addresses were increasing, decreasing or remaining the same as
the game progress. This allowed the user to "zero in" on any particular
code(s) of interest from infinite health to finding the debug menu screen.
The user was then allowed to activate these codes immediately for testing
and alter the codes as desired and make them active. In addition, the user
of the PSX version of the shark link could immediately upload these new
codes into their game shark while the N64 version user had to go through the
laborious task of inputting these new codes by use of the game controller.
Rocket Games Inc., (part of Datel) use to sell the Shark Link.
The GS PRO is different in that it no longer requires the PC Comms link card
as it has the code generator built right in. It still currently requires the
additional memory expansion pack in order to do the maximum code activation
allowed per game and it still retains the property of altering codes and
making them active. The GS PRO has known and unknown code search capability
as well as text search mode to find hidden screens in certain games.
Previous shark link users will welcome the familiar screen command
environment they have come to know while those new to the code hacking world
will come to know a powerful ally they can use to find those codes they
always dreamed of. The Game Shark PRO 3.3 is the new Shark Link and Datel,
Interact and independent organizations such as Game Software Code Creators
Club <a href="http://www.cmgsccc.com/">http://www.cmgsccc.com/</a> now have software that allows the Game Shark to be
connected to your PC. Other cheat device manufacturers such as Fire
International (Blaze) also have their own version of PC hacking utilities
for their devices as well. The hacking utilities as it is known, allows a
code hacker to use more advanced hacking features and options of the Game Shark.
<a name="whatis_n64pc"></a>
<b><i><u>What is required to connect my PC and Game Shark PRO for N64?</u></i></b>
Materials You Need:
-GameShark Pro 3.1 - 3.3
-25 Pin Printer Cable (available at Radio Shack, or any other
computer/electronics store. We recommend using IEEE-1284 compliant,
high speed parallel cables such as from Belkin.
-Computer, with a functioning LPT1 port
-N64 Utilities (available for free at <a href="http://www.gameshark.com/">www.gameshark.com/</a>)
WARNING! USA GS owners should not download the file from
Datel as this version is made for AR PRO owners. The AR PRO
works on PAL TV systems only while the GS PRO works on NTSC.
<i><u><i>Step By Step Procedure:</i></u></i>
Step 1: Check to see if you have a printer connected to your PC's parallel port.
Disconnect the printer from the cable if you do. You need to do this to continue.
If you do not have a printer than this connect one end of your new cable to your PC (while off)
parallel port, 25 pin female. Connect to www.gameshark.com and get the latest N64
hacking utilities from their web site. Install them on your PC but do not run them yet.
Step 2: Boot your PC and get into the PC BIOS screen. This is usually allowed
during the first few seconds during boot up and is invoked by pressing some key on your
keyboard such as F1. Consult your owners manual for more info. Once in the BIOS screen
you should check that you parallel port is using either EPP or ECP, NOT Bi-directional
(the Game Shark will not work with this setting). Warning! You many find you can longer
communicate with your printer once you reconnect you printer to your PC If your printer
required bi-directional communication.
If you change the port to ECP or EPP then you should save the settings and reboot.
-Step 3: Place the GameShark into your N64 console while off. Now plug a game into the Game shark.
Connect the other end of your cable into the back of the Game Shark (25 pin male connector).
Turn on the N64, after the short loading time
you should be at the GameShark's Main Menu. If you are not, read the
GameShark's Manual.
-Step 4: Start the N64 Utilities you installed earlier. Go to the
Screen that has the 'System Information' info. Click on the 'Detect' button.
You should see an affirmative reply it found the console. If you see "console
didn't respond, you possibly did not do step 1 and 2 correctly.
-Step 5: Assuming you got through to this step ok you can now explore the
utilities. The following info is used with permission from james007.
<i><u>-Code Generator:</u></i> The Code Generator acts a lot like the Code
Generator built into the GameShark itself. Using the one on your
computer is a lot slower, since the LPT1 port is only a 25kb/sec
port. Extra features to look out for are the 'In Range' button, which
allows you to search for a value in range of what you specify. The
'Resume Last' button allows you to resume a search incase the game
crashed (good for games with Anti-GameShark Chips). The 'Search
Range' area allows you to specify where the Code Generator will
search in the games RAM. I usually use 80000000 to 80100000, since
most codes are in between these two addresses. The 'Search History'
area allows you to see the history of what type of searches you did.
<i><u>-Results (Code Tester):</u></i> This page allows you to test codes you have
found using the Code Generator, and to enter in new codes. This area
is pretty self-explanatory.
<i><u>-Code List:</u></i> This page allows you to modify your GameShark codes on
your computer. This is far faster than entering them in using your
N64 Controller. The first step is to Download your codes onto your
computer using the 'Download Codes From Cartridge' area. Select the
'Browse' button to pick a location where you want the codes to go.
Then push the 'Download Codes' button to copy them to your computer.
Now you can modify them using a text editor like Notepad. When you're
ready to upload your new code list, do the following. Go to the 'Code
List Compiler' area and push the 'Browse' button. Search for the code
list you want to upload. Once found push the 'Compile Codes' button,
N64 Utilities will now check the syntax of the code list. If it is
good it will say it had no errors. If it found errors it will tell
you what line had errors and what the error was. Fix the error before
uploading your codes. If you now have no errors, push the 'Upload
Codes' button in the 'Upload Codes To Cartridge' area. It will send
your code list to your GameShark. You now have to turn off your
GameShark so it can load them up properly.
<i><u>-Other Utilities:</u></i> This page has two useful things. An upgrade place,
where you can upgrade your GameShark, and a video
capture area, where you can take screenshots of your game. The
screenshots are saved as Bitmap files (*.bmp), which is a Windows
standard graphic file. The files can be easily converted to other
formats with third party programs. The 'Cartridge Upgrade' area
allows you to upgrade your GameShark to the latest version.
Selecting the Overwrite code lists &amp; settings' option will do just that,
when you upgrade, it will overwrite your entire GameShark, including
all your codes and settings.
<a name="n64_reflash"></a>
<b><i><u>REFLASHING the BIOS of a defective N64 GameShark:</u></i></b>
(DISCLAIMER! Neither the authors, contributors, Datel, MadCatz, Interact or
its subsidiaries, or GSCentral assume any responsibility in consequence
of the results of the this procedure. The authors do not and will not be
held liable for anyone attempting this procedure. The reader is advised to
understand that this is a last ditch effort to repair a defective
GameShark. Neither Datel, InterAct, MadCatz, nor GSCentral endorse this
procedure.)
Proceed like above from steps 1 - 3 but with this one major change:
After you seat the working GameShark in the N64 console you will seat the
defective GameShark into the working GameShark and then the game into
the defective GameShark. Connect the Shark link cable into the bottom
(working) GameShark. (Caution! You should use a working GameShark that
is of the same version you are going to reflash the defective GameShark
as this procedure will flash both GameShark BIOS to same version. You can
choose to NOT overwrite your code list in the GameSharks if you don't want
to loose your current codes in the working GameShark. The authors suggest
you backup your codelist at any rate for safekeeping. Once you have
everything ready proceed to flash the BIOS by going to the upgrade
screen and choosing the upgrade option. Once the operation is complete,
you will have repaired the defective GameShark and both GameSharks will
be the same version. Turn off the N64 and remove the GameSharks from
one another and if desired plug the Shark link cable into the former defective
GameShark and reload the code list. One of the authors (macrox) has tried
this procedure several times without negative results.
<a name="gb_reflash"></a>
<b><i><u>REFLASHING the BIOS of a defective Game Boy 3.0 GameShark:</u></i></b>
(DISCLAIMER! Neither the authors, contributors, Datel, Interact, MadCatz, or
its subsidiaries, or GSCentral assume any responsibility in
consequence of the results of the this procedure. The authors do not
and will not be held liable for anyone attempting this procedure. The
reader is advised to understand that this is a last ditch effort to repair
a defective GameShark. Neither Datel, InterAct, MadCatz, nor GSCentral
endorse this procedure.)
The reader may find the need to reflash the Game Shark 3.0 for Gameboy should
it become corrupted during use. Corrupted can mean many things such as the code
database is lost. The code generator program is buggy or missing. The boot
record of the shark can also be faulted. One procedure that has been found to
revive the 3.0 is as follows:
Step 1 - Turn your Game Boy off.
Step 2 - Insert a fully working 3.0 shark in your Gameboy.
Step 3 - Insert the corrupted shark into the working shark.
Step 4 - Insert a game into the corrupted shark.
Step 5 - Turn the Gameboy on.
Step 6 - There should be a different icon on the right side of the Gameboy
screen that indicates upgrade. Choose it and let the process complete
without interruption.
Step 7 - Wait to see process is complete, turn your Gameboy off and remove the
game and sharks from the Gameboy.
Step 8 - Insert shark that was corrupted in Gameboy with game and test shark.
Note: If no upgrade icon is seen in step 6: This may mean your corrupted shark
has a hardware fault that will not and CANNOT be corrected by
reflashing...ergo...your shark is dead.
<a name="whatis_gscc2k2"></a>
<b><i><u>What is GGCC2k2?</u></i></b>
Game Software Code Creator 2002 (GSCC2k2) is a program devoloped by
CodeMaster. It features many improvements and added options over Interact's
old PC Utils. You can get it at <a href="http://www.cmgsccc.com/">http://www.cmgsccc.com/</a>.
<a name="non_working_codes"></a>
<b><i><u>A code doesn't work for me for the other levels, what can I do?</u></i></b>
Certain games have certain "beginning" codes, and certain letters that
follow it. For example, all of the Jetpack codes for Shadows of The Empire
begin with "801", and then for one of the levels it is soon followed by a
"A55" for the Xizor's Palace level. If you wish to use that code for a
different level, which doesn't always work for the other levels, then you
merely switch those three (or if two) digits with the digits that represent
the level that you wish the code in. Sometimes you may need to find a
different three-digit code that that specific code needs to work.
<a name="tough_games"></a>
<b><i><u>What games are easy or difficult to hack with a GameShark?</u></i></b>
Please refer to above document.
<a name="theory"></a>
<b><i><u>Have there been any theories made for hacking with a GameShark?</u></i></b>
Please refer to above document.
<a name="whatis_porting"></a>
<b><i><u>What does the term "Porting Codes" mean?</u></i></b>
It means that you are transferring a code from one version of the game
to another. This example is from Mortal Combat Trilogy v1.0 &amp; v1.1. The v1.0
Codes-
P1 No Energy: 8016984D 0000
P2 No Energy: 80169B21 0000
v1.1 Codes-
P2 Automatically Dies: 80169C61 0000
P1 Automatically Dies: 8016998D 0000
Notice how the two versions of the game are the same except for the
sixth, seventh, and eighth digits. I find usually that transferring codes
from one game to another the sixth digit goes up one 'step' in the code.
(E.G. 'C' would become 'D'). Further info is available in this document.
See how to hack codes section for online code porter site.
<a name="versions"></a>
<b><i><u>How can I tell what version I have of a game?</u></i></b>
One way at the moment to see what version of a game that you own is by
testing all of the known versions of the game that you own with your copy of
the game. Depending on which version of codes works, that is the version
that you own! With most games you can tell just by looking at the label,
but not in some cases.
There is a part of the label that reads: NUS-006 (USA) NUS-NWGE-USA All
games have something like that on the label the first line seems to stay the
same from game to game but the "NWGE" is different sometimes. The example
above shows v1.0 of the game. Here is what v1.1 looks like: NUS-006
(USA)NUS-NWGE-USA-1
<a name="jap_games"></a>
<b><i><u>Does the GameShark support Japanese games?</u></i></b>
Yes, the GameShark can hack foreign games.
<a name="play_jap"></a>
<b><i><u>Can I play Japanese games on the GameShark?</u></i></b>
Yes, you can. Simply plug the foreign game in and start the game without
any codes! PSX Users must do that "swap trick".
This edited version of the GameShark FAQ was made possible by contributions
over the last couple of years by these fine people:
Jim Reinhart, Avid Gamer, Kong K. Rool(aka Parasyte), ShadowKnight(aka Dawn
of Time/Rune), Gaming Freak, and special thanks to Gavin Thornton, Ali Yates
and Marios(from Datel) for helping get the original shark link off the
ground. A Special Thanks to Bill Kaufman (CodeBoy) for supplying Game
Sharks to the GSCentral beta test team and to Kris Schineller at Blaze
USA for providing sample N64 and GB Xploders for testing and review.
Finally, a special thanks to Wayne Beckett - the Game Shark creator,
without whom, the concept of Game Shark may never may have become a reality.
<a name="game_copying"></a>
<b><i><u>What are the Z64 and V64?</u></i></b>
The Z64 is a utility that is inserted into the Nintendo 64. A game cartridge
is inserted into the Z64, and it is then possible to store the games contents
(ROM) onto a 100 Mb zip floppy. The game can later be played without the
original cartridge by using the 100 Mb disk. The game ROM can also be copied
to a personal computer, and played on an emulator. The Doctor V64 is a similar
utility, that is inserted in the bottom of the Nintendo 64.
<b>Note:</b>
Copying games is illegal. GSCentral does not endorse the illegal copying of
games, and can not be held responsible for any illegal activites engaged in.
Macrox - April-21-2001
Additions by Tolos - June-14-2003
-----------------------------------------------
<b><i><font size="+1"><a name="#psx_xplorer_infO">XV) Playstation Xplorer/Xploder Code Types: In-Depth FAQ - Courtesy of Hackman</a></font></i></b>
-----------------------------------------------
XPLORER CODE STRUCTURE
1. 3-Code 7. 9-Code (Do-if-False)
2. 8-Code 8. B-Code (Slide Code)
3. 4-Code (Slow Motion) 9. C-Code
4. 5-Code (Supercode) 10. D-Code
5. 6-Code (Modcode) 11. F-Code (Auto Activation)
6. 7-Code (Do-if-True) 12. Joker Command
<b><u><i>Xplorer Code Structure</i></u></b>
It seems rather amazing that an Xplorer code, a mere sequence of 12 numbers,
accomplishes such stunning results as invulnerability. On the following pages
we will describe these <20>mysterious<75> codes in detail -- specifically their
structures, types, and functions. This knowledge is not necessary if you only
want to occasionally hack a simple cheat. However, in order to rise to the class
of the professional hacker in all around abilities this section can not be
avoided. It should also be noted here that all codes are described using HEX
values and all mathematical computations are done using the base HEX.
The Xplorer code usually consists of the following parts:
CSAAAAAA DDDD
C = Code identification or Control Code which tells the Xplorer, what follows
next (left half of the first byte or 1 number).
S = Status of the code (right half of the first byte or 1 number).
A = Storage Address in the PlayStation RAM with a range from 000000 to
01FFFF, (3 bytes or 6 numbers).
D = Data, these values are written to the given address
A, (2 bytes -word- or 4 numbers).
Note: For the sake of clarity, a blank character often is inserted after each
fourth number in the code. If you enter a code in the Xplorer, omit this blank
character. Thus - way of writing: 8009 1234 5600; way of entering:
80091234 5600.
We will explain the types of codes (C) in detail on the following pages.
(Comment: This section assumes that you are activating ALL codes by selecting
the name of the game.)
We mark the status thereby by an italic S. (example: 8Sxx xxxx) it can contain
only 8 or 0. If it is 8, then you must switch this code on manually, since it
is not activated automatically when selecting the codes by Game Name in the
Xplorer menu. That makes sense, because with so many variations of game play
there are usually codes of the following type:
Infinite Energy
8001 1234 03E7
On Hit Death
8001 1234 0001
To have both codes switched on is unreasonable since they affect the same
address. The PSX CPU must decide whether the player has infinitely energy or
can be defeated immediately. If you only want infinite energy to be activated
when you select the entire game then the code becomes:
Infinitely Energy
8001 1234 03E7
On Hit Death
8801 1234 0001
Now, when you select the Game Name to <20>turn on<6F> all the codes, all will be
activated EXCEPT One Hit Death. Additionally, if you have multiple code lines
the status value must be entered in the FIRST code line:
Have All Items
B8A6 0002 0001
1007 836C 6401
B021 0002 0001
1007 84B8 84A7
The above code now must be manually activated even though you may have chosen
to activate ALL game codes by selecting the name of the game.
Status Note: The developers of the Xplorers have a method of encrypting codes
in such a way that they function with the Xplorer but not with other Cheat
Carts. Such codes you can recognize by the status "6" (more recently "4"
and "5" also). Encrypted codes are published only by FCD (aka Blaze
International in USA.)
<b><u><i>Xplorer Code Types</i></u></b>
<b><u><i>3-Code</i></u></b>
The 3-Code is the simplest. It describes a memory cell with a fixed amount. The
code 3000 0004 0001 writes the byte 01 into the address 000004.
Example:
The code 300D 8A42 0003 keeps the number of the lives constant at 3. If you
would rather have 9, then change the value (data) part of the code to 9:
300D 8A42 0009.
Composition:
3Sxx xxxx 00yy
where: xx xxxx address yy value (byte)
Note: If you should see a 3 or 8 code which possesses the status (S) of 6 (more
recently "4" and "5" also), it concerns an encrypted code.
<b><u><i>8-Code</i></u></b>
Together with the 3-Code is an 8-Code, the basis code, which describes the
memory location directly. With the 8-Code two bytes are registered in two
addresses. The code 8000 0004 FF01 writes directly into the address
0000 0004 the word value FF01 which has the following result:
Memory Cell New Contents
0000 0004 01
0000 0005 FF
Note: The 8-Code of the PlayStation permits only the access to even storage
addresses (technical term: "even alignment"). An attempt to go around this
adjustment is not possible and can provoke a crash. Make sure that at the
eight place of the memory address you have an even hexadecimal number
(0, 2, 4, 6, 8, A, C or E).
With the help of the 8-Codes you can register (decimal) a value between 0
and 65535 into a specific memory cell. Convert the value, 9999, into
hexadecimal which results in the HEX value of 270F and corresponds to the
right part of the code -- the data (D) part. However, the value would be
stored in reversed order as 0F27.
Note: The PlayStation processor stores bytes of larger numbers in reverse order.
An 8-Code has the same effect as two 3-Codes with the two storage locations
being directly next to one another. It is sometimes meaningful to split an
8-Code up into two 3-Codes if we want only one part of it to function.
Suppose you have a code 8008 8AEC FF01 with the description "Rifle + 255
cartridges" or "Rifle with Unlimited Ammunition". Experienced Coders can see
immediately where the values lie that describe each cheat (I.e., FF = Unlimited
Ammo and 01 = Rifle). Usually programmers will note in an individual memory cell
whether an article is available or not. The absence is usually marked by 00,
the presence by 01. Each processor understands an instruction of the kind......
if contents of the memory cell x contains 0 , then do this...
Such fragments are used if you change from a pistol to a rifle -- then the
program must examine whether you have the rifle at all. The possession variable
does not necessarily have to be 01 - you could use 05, 27 or any other number.
Usually, however, one takes 01 because it can be associated so nicely with the
variables "yes" or "on." This would also correspond with the original language
of each microchip<69>s binary values of 00 and 01.
For manipulating the ammunition or the number of the lives, where not just
possession matters but the actual quantity is important, one usually selects a
maximum value like 99 or 255 (FF in hexadecimal, the highest value for a byte).
Naturally one could use most any number here because the value always remains
constant. But, for psychological reasons a large number is recommend.
The code 8008 8AEC FF01 writes into the memory cell 0008 8AEC the value 01 in
order to specify the rifle and into the cell 8008 8AED the value FF in order
to make 255 cartridges available. Split up into two 3-Codes we have the
following:
3008 8AEC 0001
3008 8AED 00FF
Note: In the Memory Editor the code would look like this (note the reversed
values):
80088AE0 00 00 00 00 00 00 00 00 00 00 00 00 01 FF 00 00
The two 3-Codes have the same effect as the one 8-Code. You can, however, omit
the second 3-Code in order to limit the overall effect -- you have received the
weapon but must look for the ammunition independently. If you omit the first 3-
Code, you must find the rifle only and would not have to concern yourself with
getting ammunition. An 8-Code is unsuitable for this choice as the code
8008 8AEC 0001
gives you the rifle without any ammunition.
Examples
1. In the address 0000 0004 an 01 means that you possess the appropriate weapon.
In the following address, 0000 0005, the quantity of ammunition for that weapon
is stored. You would like to possess the maximum number of bullets, i.e., 255
(FF in hexadecimal). The correct code is then 8000 0004 FF01.
2. In the address 0000 000A the number of possible magic points are stored.
Since we want to make this value as large as possible, and only have 4 numbers
within which to do so, we take the maximum value of 9999 (0F27 HEX). The correct
code is then 8000 000A 270F.
3. From the following two codes:
3001 26AA 0063
3001 26AB 00C7
you would like to make an 8-Code because it is shorter. The result is:
8001 26AA C763
4. The code 8008 8AEC FF01 describes two memory cells. If you want to leave one
of the two cells unaffected, split the code in two as follows:
3008 8AEC 0001
3008 8AED 00FF
and then omit one of the two lines.
Composition
8Sxx xxxx yyyy
where: xx xxxx even storage address
yyyy value which can be registered (2 bytes - word)
<b><u><i>4-Code (Slow Motion Code)</i></u></b>
With the help of the 4-Code you slow down the execution of a game. Logically it
is called a Slow Motion Code. A meaningful application of this type code is when
your opponent is very fast and you cannot react quickly enough. With the Slow
Motion Code you can create for yourself a greater chance to win.
The 4-Code is not connected with a certain storage address because the
processing of the game was not intended to be slowed down from the start. It is
recommended that the activation of the slow motion code be accomplished by
depressing a particular JoyPad key. For such codes, which are to apply only
during certain time periods, there is the so-called Joker Code or Command. A
Code which is activated with such a Joker Command is only effective as long as
the selected key or combination of keys is held. We will discuss the Joker
Command at a later place in more detail.
Because of the missing storage address a 4-Code is quite naked -- consisting of
all zeros. It exclusively contains the delay value which should not exceed 12
(0C). Delays are accomplished internally as the processor runs through a series
of millisecond rotations or loops (technical term: to over loop).
Example
You would like for the expiration of play to be slowed down as long as you hold
the Select key. You have previously determined that the Joker Command address
is D009 1234 0100 (that is usually quite simple). You feel that a suitable
delay value is 6. The complete code is then:
D009 1234 0100 (Push the Select Button)
4000 0000 0006
Composition
4S00 0000 000x
Where: x Number of repetitions or 'loops' (delay value)
<b><u><i>5-Code (Supercode)</i></u></b>
The 5-Code is that so-called Supercode. It is meaningful if you want to describe
several memory cells one behind the other. Some examples are:
- changing a text, a player<65>s name for example.
- manipulating a whole inventory list.
- changing a diagram, like a texture.
For the Supercode you must make arrangements for three data types:
- the memory cell, starting from which the changes become effective.
- the number of places which can be changed.
- the new entries.
In your preferred combat game your favorite character is named Eddy. However,
you would find it more to your liking if he was called Rico. With the text
search function of X-link you determine the storage address starting from
which the character string "Eddy" is found -- for example 0002 67AA. Determine
now the hexadecimal ASCII-Code of the character string "Rico." That can be done
most simply through "manipulation" of the memory editor of X-link. Write into
the right column (the ASCII Column) the character string "Rico" and then check
to the left which HEX values have changed as a result of your changes to the
name "Eddy.".
Note: X-Link for DOS generates a 5-Code automatically if it concerns text.
Select in the menu option / further options / advanced code generator / string
code where you must indicate only the storage address and the text in order
from it to provide you with a completed code.
Example
You would like to insert the text string "GBP!" starting from the address
0002 67AA. The correct code is:
G = 71 ASCII DEC = 47 HEX
B = 66 ASCII DEC = 42 HEX
P = 80 ASCII DEC = 50 HEX
! = 33 ASCII DEC = 21 HEX
5002 67AA 0004
4742 5021 0000
Composition
5Sxx xxxx 0yyy
zzzz zzzz zzzz
zzzz zzzz zzzz
......
Where: xx xxxx Address (in our example 0002 67AA)
yyy Number of repetitions (for example 004 or 4 letters)
zzzz zzzz zzzz The bytes which can be used (for example GBP!)
Fill up the remaining spaces in the last line with zeros in order to have
a <20>full<6C> or complete line of code.
<b><u><i>6-Code (Modcode)</i></u></b>
The 6-Code lets a piece of program code implement on a certain event - for
instance when depressing a key or describing a certain memory cell. The code
consists of several parts: the kind of event which leads to the temporary abort
(BREAK) of normal program processing, the memory cells concerned, and the
program code which is to be implemented with the arrival of the event.
The 6-Code is the code most complicated for the inexperienced. A basic
requirement is a comprehensive knowledge of the assembly language programming of
the processor. Consequently, we present the code only briefly.
A summary of the code is as follows.
Composition
6S?? ???0 YYYY
AAAA AAAA CCCC
FFFF FFFF XXXX
XXXX XXXX XXXX
.......
Where: ? All the same value.
YYYY Number of bytes which are used.
AAAAAAAA BREAK address (here 001F AB92 and 3).
FFFF FFFF BREAK POINT mask (on 0FFF FFFC set).
XXXX XXXX The bytes which can be used.
CCCC Type of BREAK POINT at the BREAK address:
E180 The instruction gotten by the processor but is not
yet implemented.
EE80 The data to be read or written
E680 The data to be read.
EA80 The data to be written.
EF80 The data to be either read, written or implemented
(instruction).
Note: X-Link for DOS contains two templates which determines your 6-Codes via
the advanced code generator. They must indicate only the necessary addresses and
values. The Mod code has the form: "If the address X has the value Y, then add /
subtract the value A to / from the address B." After the input of the four
values the generator makes a pertinent 6-Code. The slip code changes contents of
a memory cell as a function of depressing a specific key.
<b><u><i>7-Code (Do-if-True)</i></u></b>
This Joker code works with an If-Then relationship: If a specific memory cell
contains a certain value, then the Xplorer becomes active and writes into a
fixed (same or other) memory cell a fixed value. The 7-Code is identical to the
<EFBFBD>D0<EFBFBD>-code of the GameBuster.
Example
You would like to receive after collecting a certain weapon the pertinent
ammunition. Or in hexadecimal language: If the address 0001 2346 (weapon)
contains the value 0001, then the address 0001 8450 (ammunition) is to receive
the byte with the value of 63 HEX. As a code that results in the following:
7001 2345 0001
3001 8450 0063 (63 HEX = 99 DEC)
Composition
7Sxx xxxx yyyy Where xx xxxx Address (in our example 0001 345)
yyyy Value (in our example 0001)
Observe that always two bytes (word) are queried at one time (yyyy).
Note: The Joker code generator of X-Link for DOS generates a finished 7-Code
based on your defaults. Do not confuse the Joker code with the Joker Command
which we will present later.
<b><u><i>9-Code (Do-if-False)</i></u></b>
The 9-Code is the opposite of the 7-Codes. It activates only when the code which
follows directly after it does NOT contain the expected value. Or differently,
the following code is ignored if the condition is fulfilled.
Example
In address 0001 8430 the number of your cartridges is stored. However, the game
always crashes in Level 2 if the code is activated. In all other Levels the code
functions as designed. With the following example you query the Level which your
on and if you are NOT on the second level then the code for the ammunition is
activated:
9011 8AFE 0002
3001 8430 0063
Composition
9Sxx xxxx yyyy
Where: xx xxxx Address (in our example 0011 8AFE)
yyyy Value (in our example 0002)
Observe that always two bytes (word) are queried at one time (yyyy).
Note: The Joker code generator of X-Link for DOS generates a finished 9-Code
based on your defaults.
<b><u><i>B-Code (Slide Code)</i></u></b>
(A more in-depth discussion can be found in the Advanced Xplorer Code Types FAQ)
The B-code or so-called Slide Code shortens long code lists to a compact
instruction. For games in which there is an inventory in existence such as a
chest with collected treasures, a whole list of full spells, or a selection of
different weapons, the storage location of each item in the inventory list is
usually incremented by the same value. The solution to using fewer code lines
is the B-code. A code list for All Items might look like this:
8001 1234 0101
8001 1236 0101
8001 1238 0101
8001 123A 0101
8001 123C 0101
8001 123E 0101
8001 1240 0101
8001 1242 0101
8001 1244 0101
This can be shortened with the help of a B-Code by using only two lines. The
address in this example is always increased by 2 and the value remains the same
in each case.
From our example list above:
B009 0002 0000
1001 1234 0101
Note: The Slide code generator of X-Link for DOS generates a finished B-Code
based on your defaults.
The exact function results from the composition:
Composition
B0ww AAAA DDDD
10xx xxxx yyyy
Where: ww Number of repetitions plus 1 (in the example 8+1)
AAAA Size of the address step (in the example 2 = always
even, 2 or greater)
DDDD Size of the data step (in the example 0 = always the
same value)
xx xxxx Start address (in the example 0001 1234)
yyyy Initial data (in the example 0101)
Slide codes can be combined with a D-, C-, 7-, or 9-Codes.
<b><u><i>C-Code</i></u></b>
This If-Then code was only taken up in order to remain compatible with the
GameBuster. The appropriate Xplorer code is a 7-Code. The C-Code corresponds to
the D-Code. The only difference was that in quite early version of the
GameBuster / GameShark the C-Code was responsible for the upper megabyte of the
PlayStation. The D-Code functioned only within the address range from 0000 0000
to 000F FFFF while the C-Code only from 0010 0000 to 001F FFFF. Today the C-Code
is no longer needed since the D-Code can now be used for this entire memory
block. For the sake of completeness, nevertheless, a composition of the code:
Composition
C0xx xxxx yyyy
Where: xx xxxx Address in the upper megabyte which is to be examined
yyyy Value for which one examines
Observe here always two bytes (word) are queried at one time (yyyy).
<b><u><i>D-code</i></u></b>
An If-Then code identical to the 7-Code: With this code the following line is
implemented only if a certain condition is fulfilled -- that condition being a
certain value in a certain memory cell. The D-Code is only supported in order to
remain compatible to the GameBuster codes. For newly created codes one
recommends using a 7-Code in lieu of a D-Code. (Note: for the newer versions of
the GameBuster there are other types of D-Codes such as D1, D2, etc. that are
not compatible with the Xplorers and will not be presented here.)
Example
If the storage location 0000 0100 contains the value 0000 then write the
value FF in 0011 1234 and 0011 1235. The storage location 8011 1236 FF00 is not
affected as the D-Code only writes to the storage location of the first line of
code directly following it:
D000 0100 0000 (If 8000 0100 contains 0000 then activate the first
line of code.)
8011 1234 FFFF
8011 1236 FF00 (This line of code is not written to.)
Composition
D0xx xxxx yyyy
Where: xx xxxx Address which is to be examined (in the example 0001 1234)
yyyy Value for which one examines
Observe that always two bytes (word) are queried at one time (yyyy).
<b><i><u>F-Code (Auto Activation)</u></i></b>
The F-Code is the equivalent of the Master or Must-Be-On Code of the
GameBuster / GameShark. It is called Auto Activation and resembles the D- or
7-Code except that it is automatically selected when any other code is selected
in the Select Cheats Menu. Additionally, unlike the D0- and 7-Codes where only
the first line of code is activated when the Do-if-True conditions are met, the
F-Code will activate ALL lines of Code for the game that have been initially
selected in the Select Cheats Menu. One should realize here that NO codes are
'activated' during the game until the conditions of the F-Code are met. As with
the 8-Code, two bytes are always queried.
Example
The game crashes because of some specific code conflicts in the Main Menu or
during the loading of Introduction Films. Consequently, you only want the codes
to be active AFTER the game has started. You find out that during the
<EFBFBD>Introduction<EFBFBD> the address 0011 8AFE does NOT contain the value 612A -- it only
contains that value AFTER the game has loaded. Thus we want the codes that we
have initially selected to be activated only if the address 0011 8AFE contains
the value 612A. If the 612A value is missing then the codes are not activated.
"GAME NAME"
-------codes-------
8007 84EC 00FF &lt;&lt;&lt;&lt;&lt; I.e., Gets activated if originally selected in the
Select Cheats Menu.
Auto Activation
F011 8AFE 612A &lt;&lt;&lt;&lt;&lt; Do-if-True code. ALL of the selected code lines, both
above and below this code line, are activated if this
condition is met. The codes remain inactive till then.
Infinite Gel and All Items
8011 A72C 270F &lt;&lt;&lt;&lt;&lt; I.e., Gets activated if originally selected in the
Select Cheats Menu.
8011 AEEC FFFF
B0A6 0002 0001
1007 836C 6401
Next Cheat Description
8007 84B8 84A7
-------codes-------
Note: This also works with Joker Commands.
Composition
FSxx xxxx yyyy
Where: xx xxxx Inquiry address (in our example 0011 8AFE and F)
yyyy Inquiry value (in our example 612A)
<b><u><i>Joker Command </i></u></b>
(A more in-depth discussion can be found in the GameShark Code Types FAQ)
The Xplorer writes a constant value to a memory cell many times per second. This
is called <20>constant write<74> or <20>always on.<2E> Sometimes, however, it would be
desirable if a code were active only at certain times because:
- A Cheat is to be switched on only in an "emergency" -- you would like to
play predominantly in an honest fashion.
- A Cheat works properly only during the actual game and causes the PlayStation
to crash during the Introduction or at the Main Menu.
- A Cheat functions only on certain levels.
- A Cheat does not function in certain situations.
The solution is the Joker Command. It permits activation of a code temporarily
while a certain key or combination of keys of the Controller is held.
Note: Cheats can be also be deactivated temporarily if the Xplorer<65>s on / off
button is switched off or, with the Xplorer FX, by using the In-Game menu to
switch the codes off.
In each game there is at least one place in memory (or memory address) where
the pressed keys of the JoyPad are shown by a specific value. This address is
usually accessed by the use of a D- or 7-Code.
A Joker Command is thus a D- or 7-Code whose address is a storage location for
a specific JoyPad button or combination of buttons. Joker Commands can be used
with any game and combined with any code type.
You can select from the Table below the pertinent key code. Some games use this
value in a reverse format called a Reversed Joker Command. Here only the key
value changes. Otherwise the Reversed Joker Command functions exactly like a
Normal Joker Command.
Normal Joker Command Digits Reversed Joker Command Digits
VALUE KEY VALUE KEY
0001 L2 0100 L2
0002 R2 0200 R2
0004 L1 0400 L1
0008 R1 0800 R1
0010 Triangle 1000 Triangle
0020 Circle 2000 Circle
0040 X 4000 X
0080 Square 8000 Square
0100 Select 0001 Select
0800 Start 0008 Start
1000 Up Arrow 0010 Up Arrow
2000 Right Arrow 0020 Right Arrow
4000 Down Arrow 0040 Down Arrow
8000 Left Arrow 0080 Left Arrow
In cheat data bases or code sites you will usually find the JoyPad keys that are
used in place of ????. I.e., Replace the question marks by a key of your choice.
You can combine several keys such that a code is only activated if you press
Select + Left Arrow + Triangle by adding the numerical values, in HEX, of the
selected keys:
Normal Joker Command Reversed Joker Command
0100 = SELECT 0001 = SELECT
0004 = L1 0400 = L1
0010 = Triangle 0010 = Triangle
- -
0114 = Select+L1+Triangle 0411 = Select+L1+Triangle
Note: Note that these calculations are accomplished in hexadecimal. That can be
done quite easily with a scientific calculator -- if necessary use the one that
comes with Windows.
There are also complementary and reverse-complementary versions to these two
types of values. In order to make the complementary of a value, you subtract
it from FFFF:
- subtract 0100 (Reversed for #L2) from FFFF to get FEFF
- subtract 0200 (Reversed for #R2) from FFFF to get FDFF
- subtract 0300 (Reversed for #L2 + #R2) from FFFF to getFCFF
These are known as Reversed Complementary Joker Commands or R.C.J.C.
Example
You found the following code:
Infinite Energy
8012 3456 00C8
In addition we have found the Normal JoyPad address (This will be discussed
later.) and made it a D-Code:
D001 2876 ???? (This is now our Joker Command.)
Further we know that the key Select is not used in the game so nothing
"critical" would happened if it was pressed. Now you look in the table and you
will see that the value for Select is 0100. Enter the following:
Infinite Energy
D001 2876 0100
8012 3456 00C8
Start the game with this code selected. First nothing happens with respect
to the <20>Hero<72>s<EFBFBD> energy -- but as soon as you press Select the energy is
refurbished. But only as long as you keep the Select button pressed -- release
it, or press any other key, and it no longer functions.
Last Modified: June 3, 2000 - Hackman
<hr width="800">
<center><b><font size="+1"><a name="section_4">Section 4: Legal</a></font></b></center>
<hr width="800">
This document Copyright <20> 1999 - 2003 GS Central, All content is used with
permission by the specific authors. This Document may not be used in any book,
magazine, website, or any other form of written or recorded media without expressed
written consent of the authors. Nintendo64, PS1, PS2 and PSX(Playstation), Game Boy,
Game Boy Advance, GameShark, Interact, Datel, GS Central, Pelican, Game Genie by Galoob,
Code Breaker, Xploder, Xplorer, Fire International, Blaze USA, MadCatz, and any
aforementioned game or product are trademarks of each respective company and product of
respective companies as cited in this document. Action Replay,GameShark or Xploder/Xplorer
devices are not sponsored, endorsed or approved by Nintendo, Sony or Sega. GS Central
<a href="http://www.gscentral.com/">http://www.gscentral.com/</a> is an independent
code club and cheat code information web site and is not affiliated with Interact Accessories,
Pelican Accessories, Fire International, Blaze LTD, MadCatz, Nintendo, Sony, Sega or Microsoft.
Madcatz is the official site of Game Shark codes
at <a href="http://www.gameshark.com/">http://www.gameshark.com/</a>.
</pre></body></html>
Reference in New Issue View Git Blame Copy Permalink