Hello, this is Lazy Bastard, of GameHacking.org. These guides were thrown together while I was making Majestic Porter (an offset/conversion utility, which can be found in the GameHacking.org Downloads section). Since I was spending the time to figure out exactly what the previous documentation on these schemes was trying to convey (and correcting the errors therein), I thought I might as well document my new-found knowledge, so everyone can benefit from it. I don't remember what specifically with, but both ugetab and Pugsy answered questions concerning these schemes, so thanks go out to them. Thanks to WyrmCorp (the makers of UGGCONV) for their documentation and utility concerning Game Genie to raw hex conversion (though, admittedly, some of the information was incorrect). Thanks to the following for their original documentation on the various Game Genie encryption schemes: Nick Joslin (GameBoy), D. Lucas (NES), Merlyn LeRoy (Megadrive), and Sam Volo (SNES).

Anyway, on with the show:

___________________________________________________________

Game Boy and Game Gear Game Genie encryption works as such:

 ____________________________________________
 Uppercase - Encrypted (Game Genie code)     |
 Lowercase - Decrypted (raw hex ROM address) |
 ____________________________________________|

ABC-DEF-[GHI]

AB is the value of the ROM address, in plain hex. Hence,

XXXX ab

CDE comprises the second, third, and fourth digit of the ROM address, in raw hex. Hence,

Xcde ab

F is the first digit of the ROM address, XORed with F. Hence, F XOR F = f

fcde ab

GHI, if present, comprises the Check Byte, or Compare. As both GameBoy and GameGear use mappers, and ROM banks may be switched out at certain points, one area of memory may be used for one thing sometimes, and other times it may contain an entirely different set of instructions, data, etc, which we don't want to modify. The Check Byte tells the Game Genie, "If the value is XX, change it to YY. If not, do nothing."
So, if you have the code 0123 FF - Check Byte 67, the Game Genie checks to see if address 0123 contains the value 67. If it does, it changes that value to FF. If not, it does nothing.

Anyway, the Check Byte is solved for as such:

Take the initial number - 123 (for example)
Remove the middle number - 13
Convert from hex to binary - 00010011
Shift right by two ("Circular Shift", or "Rotate, No Carry") - 11000100
Convert back to hex - C4
XOR with BA (C4 XOR BA = 7E)

7E is your Check Byte.

_______________________________________________

NES Game Genie encryption works as such:

Game Genie code format: XXX-XXX or XXXX-XXXX
NES ROM address/value format: XXXX XX (with an optional Check Byte, or Compare - XX)

Each character in an NES GG code represents a four digit binary number. Here is a table:

A = 0000    P = 0001    Z = 0010    L = 0011
G = 0100    I = 0101    T = 0110    Y = 0111
E = 1000    O = 1001    X = 1010    U = 1011
K = 1100    S = 1101    V = 1110    N = 1111

We will then run these four-digit binary numbers through a transposition cipher. The cipher for the six-character codes is:

Code:  ABCD EFGH IJKL MNOP QRST UVWX
Clear: INOP QVWX EJKL MRST AFGH UBCD

...and for the eight-character codes, it is:

Code:  ABCD EFGH IJKL MNOP QRST UVWX abcd efgh
Clear: INOP QVWX EJKL MRST AFGH eBCD afgh Ubcd

Convert the resultant four-digit binary numbers to hex. The first two digits comprise the address, the next two comprise the value, and the final two (if present) comprise the Check Byte, or Compare. As NES uses mappers, and ROM banks may be switched out at certain points, one area of memory may be used for one thing sometimes, and other times it may contain an entirely different set of instructions, data, etc, which we don't want to modify. The Check Byte tells the Game Genie, "If the value is XX, change it to YY. If not, do nothing."

So, if you have the code 0123 FF - Check Byte 67, the Game Genie checks to see if address 0123 contains the value 67. If it does, it changes that value to FF.
If not, it does nothing.

If your resultant code is less than 0x8000 (8000 hex), add 0x8000.

Example:

Game Genie code - AKE-LVS

A = 0000
K = 1100
E = 1000
L = 0011
V = 1110
S = 1101

All together: 0000 1100 1000 0011 1110 1101

Code:  ABCD EFGH IJKL MNOP QRST UVWX = 0000 1100 1000 0011 1110 1101
Clear: INOP QVWX EJKL MRST AFGH UBCD = 1011 1101 1000 0110 0100 1000

1011 1101 1000 0110 0100 1000 = BD86 48 (greater than 0x8000, so it's fine)

_____________________________________________________

SNES Game Genie encryption works as such:

SNES GG code format: XXYY-YYYY, where XX is the value, and YY-YYYY is the address.

First, we must run the code through a transposition cipher, and convert it to normal hex:

Code: D F 4 7 0 9 1 5 6 B C 8 A 2 3 E
Hex:  0 1 2 3 4 5 6 7 8 9 A B C D E F

After this is finished, the value (XX) is now in plain text. However, the address (YY-YYYY) is still encrypted, using another transposition cipher. Save the value for later, convert each hex digit of the address to binary, and run the 8-bit result through the following cipher:

Code:  ijklqrst opabcduv wxefghmn
Clear: abcdefgh ijklmnop qrstuvwx

Example:

SNES GG code: ABCD-EFFF

A = C
B = 9
C = A
D = 0
E = F
F = 1
F = 1
F = 1

C9A0-F111

C9 = decrypted value; next we solve for the decrypted address:

A0 = 10100000
F1 = 11110001
11 = 00010001

10100000 11110001 00010001

Code:  ijklqrst opabcduv wxefghmn = 10100000 11110001 00010001
Clear: abcdefgh ijklmnop qrstuvwx = 11000100 10100111 00000100

= C4 A7 04

Hence, the decrypted value is C9, and the decrypted address is C4A704. (C4A704:C9)

___________________________________________________

Genesis (also known as Megadrive) Game Genie encryption works as such:

Original Game Genie code format: XXXX-XXXX
Genesis ROM address/value format: YYYYYY:YYYY

Each character in a Genesis GG code represents a five-digit binary number.
Here is a table:

A = 00000    B = 00001    C = 00010    D = 00011
E = 00100    F = 00101    G = 00110    H = 00111
J = 01000    K = 01001    L = 01010    M = 01011
N = 01100    P = 01101    R = 01110    S = 01111
T = 10000    V = 10001    W = 10010    X = 10011
Y = 10100    Z = 10101    0 = 10110    1 = 10111
2 = 11000    3 = 11001    4 = 11010    5 = 11011
6 = 11100    7 = 11101    8 = 11110    9 = 11111

After converting each character to its binary equivalent, append them all together into a 40-digit binary number, then break this number up into 8-digit pieces. Next, run it through this transposition cipher:

Code:  ijklmnop IJKLMNOP ABCDEFGH defghabc QRSTUVWX
Clear: ABCDEFGH IJKLMNOP QRSTUVWX abcdefgh ijklmnop

Finally, convert each 8-digit binary number to hexadecimal. The first three comprise the address, and the last two comprise the value.

Example:

ABD5-78F7 [original GG code]

A = 00000
B = 00001
D = 00011
5 = 11011
7 = 11101
8 = 11110
F = 00101
7 = 11101

Result = 0000000001000111101111101111100010111101

Broken up = 00000000 01000111 10111110 11111000 10111101

Encrypted: ijklmnop IJKLMNOP ABCDEFGH defghabc QRSTUVWX
Encrypted: 00000000 01000111 10111110 11111000 10111101

Decrypted: ABCDEFGH IJKLMNOP QRSTUVWX abcdefgh ijklmnop
Decrypted: 10111110 01000111 10111101 00011111 00000000

Converted to hex: BE 47 BD 1F 00

ROM Address and value: BE47BD:1F00

This text was brought to you by GameHacking.org, unless someone else gave it to you, in which case it was only written by someone at GameHacking.org. Heheh.
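
The four schemes described above, as one table-driven decoder. This is an added example, not code from Majestic Porter, UGGCONV or GameHacking.org: the alphabets and Code/Clear rows are copied from the text, while every function and constant name is an assumption made here for illustration. The NES decoder applies the "add 0x8000" rule, and the Game Boy/Game Gear decoder handles codes with and without the Check Byte.

```python
# Added example, not from the guide. (Code row, Clear row) pairs copy its tables.
NES_ALPHABET = "APZLGITYEOXUKSVN"                   # index = 4-bit value
SNES_ALPHABET = "DF4709156BC8A23E"                  # index = decoded hex digit
GEN_ALPHABET = "ABCDEFGHJKLMNPRSTVWXYZ0123456789"   # index = 5-bit value
NES6 = ("ABCD EFGH IJKL MNOP QRST UVWX", "INOP QVWX EJKL MRST AFGH UBCD")
NES8 = ("ABCD EFGH IJKL MNOP QRST UVWX abcd efgh",
        "INOP QVWX EJKL MRST AFGH eBCD afgh Ubcd")
SNES = ("ijklqrst opabcduv wxefghmn", "abcdefgh ijklmnop qrstuvwx")
GEN = ("ijklmnop IJKLMNOP ABCDEFGH defghabc QRSTUVWX",
       "ABCDEFGH IJKLMNOP QRSTUVWX abcdefgh ijklmnop")

def to_bits(code, alphabet, width):  # each character -> its index, as `width` bits
    chars = code.upper().replace("-", "")
    return "".join(format(alphabet.index(c), f"0{width}b") for c in chars)

def transpose(bits, table):
    """Label each bit with the Code row, then read the bits in Clear-row order."""
    code_row, clear_row = (row.replace(" ", "") for row in table)
    if len(bits) != len(code_row) or sorted(code_row) != sorted(clear_row):
        raise ValueError("bit string does not fit this cipher table")
    by_label = dict(zip(code_row, bits))
    return "".join(by_label[label] for label in clear_row)

def to_hex(bits):
    return format(int(bits, 2), f"0{len(bits) // 4}X")

def decode_nes(code):
    bits = to_bits(code, NES_ALPHABET, 4)
    clear = to_hex(transpose(bits, NES6 if len(bits) == 24 else NES8))
    address = int(clear[:4], 16) | 0x8000     # same as adding 0x8000 when below it
    return f"{address:04X}", clear[4:6], clear[6:8] or None

def decode_snes(code):
    bits = to_bits(code, SNES_ALPHABET, 4)    # substitution step; value is now plain
    return to_hex(transpose(bits[8:], SNES)), to_hex(bits[:8])   # (address, value)

def decode_genesis(code):
    clear = to_hex(transpose(to_bits(code, GEN_ALPHABET, 5), GEN))
    return clear[:6], clear[6:]               # (address, value)

def decode_gb(code):
    d = code.upper().replace("-", "")
    if len(d) not in (6, 9):
        raise ValueError("expected ABC-DEF or ABC-DEF-GHI")
    address = f"{int(d[5], 16) ^ 0xF:X}" + d[2:5]   # F XOR F is the first digit
    if len(d) == 6:
        return address, d[:2], None
    raw = int(d[6] + d[8], 16)                # GHI with its middle digit removed
    rot = ((raw >> 2) | (raw << 6)) & 0xFF    # rotate right by two, no carry
    return address, d[:2], f"{rot ^ 0xBA:02X}"
```

With the examples from the text, decode_nes("AKE-LVS") gives BD86 48, decode_snes("ABCD-EFFF") gives C4A704:C9 and decode_genesis("ABD5-78F7") gives BE47BD:1F00; FF1-23F-123 is a Game Boy code constructed here so that its last group reproduces the 123 to 7E Check Byte walk-through.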