Code Making Example

External Links

Genesis


--

Sega Genesis - Lotus II RECS - Timer Doesn't Decrease

Note: This is my first ever Game Genie code (for Genesis).

In this example, we will find the emulated RAM address for time using Cheat Engine.
After that, we will find the emulated ROM address that effects the emulated RAM.
And finally we will use a hex editor to edit the actual ROM address (the game it's self).

So, open Cheat Engine v5.6.1(+), then Fusion v3.64(+).
Use Cheat Engine's option to attach a debugger to the emulator.

http://img202.imageshack.us/img202/9338/attachdebugger.png

Note: Click on an image for it's full size.

Change the value type to one byte.

http://img259.imageshack.us/img259/6468/valuetypeisonebyte2digi.png

Use the emulator to load the attached (below) Genesis game:
Lotus II RECS (UE) [!].gen

Thing to know about Fusion:
Tab key = Reset
F5 key = Save
F8 key = Load
Backspace key = Fast Forward
Pause/Break key = Pause Emulation
Alt+G = Game Genie / PAR / True Emulation Pause

Press start over and over until you are in a race and see a timer on screen.

Once your in the race use the Pause keyboard key to pause emulation.
Press F5 to make a 'clean' save with no RAM/ROM modifications.
You should have 69 seconds to begin with...

http://img407.imageshack.us/img407/2100/pausef569seconds.png

With emulation still paused, use Cheat Engine to make your first RAM scan for the time of 69 seconds.

http://img34.imageshack.us/img34/5061/firstscanis69seconds.png

Press the Pause keyboard key to resume emulation, but only until the timer goes down a second, then re-pause emulation.
With 68 seconds showing on the game, make your 2nd Cheat Engine RAM scan for the new value of 68.

http://img192.imageshack.us/img192/9492/secondscanis68.png

Repeat as necessary until you are down to 2 possible results.
Once you've added the 2 results to your Cheat Engine code list, freeze one at a time to see which one is the correct address.

http://img10.imageshack.us/img10/3541/twopossibleramaddresses.png

Note: Your address shown in Cheat Engine are likely different than mine...

At this point, you could optionally use Alt+G and CE to convert the emulated RAM to AR (Actual Ram a.k.a. Action Replay).

http://img808.imageshack.us/img808/1869/ramemulated2actual.png


Now that we have an emulated RAM address for time, let's see what emulated ROM addresses modifies it.
Since that other useless RAM code will only cause confusion/get in the way, I'm gonna delete it from the CE code list.
With emulation paused, right-click on the good RAM address and choose Find out what accesses this address.

http://img689.imageshack.us/img689/9163/whataccessestheram.png

Resume emulation until the debugger shows that something accessed the RAM, then you can pause the emulator again.
Almost always, there will be 2 addresses shown in Cheat Engine's debugger, you can go ahead and click the stop button on the debugger.

http://img89.imageshack.us/img89/9140/stopdebuggingif2address.png

Now, you could have earlier, but you should by now un-freeze the RAM code in Cheat Engine.
You need to watch if the RAM value decreases or not, when testing your ROM modification.
You wouldn't want false hopes by accidentally leaving the RAM locked.

So do that, un-check the RAM address if you haven't already...

As far as the two address shown in the debugger; usually, but not always, the first line is reading the RAM.
The second code is usually the one we are after, the address that is writing to the RAM.

So now we double click the 2nd line, or highlight it and click the button that says More information.

http://img340.imageshack.us/img340/2756/doubleclickformoreinfor.png

Note: Again; the numbers in the images don't have to match yours...

In the new information box that pops up, ESI will always hold the address that we are interested in.
If that's not the exact code that we want, it's extremely close.
That address shown is our ROM address, and the last possible one.
If that's not the correct address, you subtract 1 from it until you have the correct one, you never add 1 to the address.

OK, so with the info box still open click the button add address manually.
Change the type to byte and type in the address at ESI to add it to your CE code list.

http://img211.imageshack.us/img211/7199/manuallyaddesitoce.png

Now, with the RAM unfroze lets try to NOP (00) the newly added ROM address.
Remember to have made a save, if your ROM altering is no good, just press F8 to load.
If you press F8 to load and the original ROM byte that you NOP'ed didn't come back, you'll need to load the game instead (or manually insert the original byte).

The game instantly froze after pressing the Pause key, so this address is no good.
Reload the game or whatever is needed to get back to the same spot.
Now we simply subtract 1 from the hex address, never add 1, always subtract.
Actually 9 times out of 10 you'll need to subtract at least 1 from the address given in the more info box...

http://img263.imageshack.us/img263/7660/subtract1andtryagain.png

So I just modified the code that was already in the CE code list by subtracting 1.
I then NOP'ed that address instead, for a now second try at a ROM code.
I start playing the game (yeah, didn't freeze this time) and watch the RAM address in CE to see if it decreases.
It never decreases, so the ROM modification is a success.

As usual, I subtracted 1 from the 2nd address given from the debugger for a successful code.

http://img340.imageshack.us/img340/8927/secondbreakesiminusonei.png

That was all it took for me, but if you still haven't found the correct ROM code:
1. Keep subtracting 1 over and over. If you do this over 10 tries, it's likely the wrong base address.
2. Remember how we started with the second break in the debugger, try the first...

Now, to convert the code from emulated ROM to actual ROM.

This is easy, just right click on your successful ROM code and choose Browse this memory region.
The top left byte is your ROM code, and the next few bytes after that is what you want to use to locate the code with the hex editor.

http://img52.imageshack.us/img52/9303/topleftbyteistheromcode.png

So with this window open, we know to search for 4E 75 72 00 30 2C 00 0E EE 48 02 40 FF F8 32 in the actual game.
So open the game with the hex editor and search for that string of hex values...

After locating the string, just replace the 0x20 before it to 00 for Infinite Time.

http://img257.imageshack.us/img257/7969/patchthe20to00forinfini.png

So after editing the 20 to 00 choose save as to not over write your ROM.
Open the newly created ROM with the emulator without anything changed in CE to test the mod out.
If you didn't use a program to fix the checksum of the ROM after altering bytes, just use the option in Fusion to auto fix checksums.


http://img844.imageshack.us/img844/8525/autofix.png

Damn, this game wasn't the best example (that's what I get for making a guide with my first try).
The game still won't boot, even if you fix the checksum.
Luckily, Tony Hedstrom made a Master Code for this game, to solve the problem.

Master Code (by Tony Hedstrom)
RH9T-860T (0FFFD0:4E71)
Use this code if you get a blank screen.

So, you can try out our hack by either:
1 Input the Game Genie code to bypass the black screen
2 Open the ROM, goto the hex offset 0FFFD0 and type 4E71 to hack your ROM to bypass the black screen

I can finally play the game and the timer indeed does not decrease.
But, at the same time, I notice a small glitch happening.

Anytime a code works, but not exactly as planed, you should try subtracting 1 again from our ROM code.
In the image above, you can see that before the 20 we patched to 00, there is already a 00, so we actually need to subtract 2.

Now we'll try to change the 6C to 00 and hope for a less buggy code.
Success, seems to work fine...

So the actual ROM address of 010E95 was changed from 6C to 00.
Since 010E95 ends with an odd number, subtract 1.
After that write down the 2 bytes that we want our Game Genie code to write.

So therefore:
010E94:5300

http://img811.imageshack.us/img811/1943/evennumbers.png

That's the ROM address, you can now convert it to Game Genie.

http://img88.imageshack.us/img88/9881/encryptdecrypt.png


Č
ċ
ď
LotusIIRECS(UE)[!].gen
(1024k)
Mezmorizing Mage,
Dec 30, 2010, 11:01 PM
Comments