Game Genie Encryption Schemes

Lazy Bastard
Hello, this is Lazy Bastard, of GameHacking.org. These guides were thrown together while I was making Majestic Porter (an offset/conversion utility, which can be found in the GameHacking.org Downloads section). Since I was spending the time to figure out exactly what the previous documentation on these schemes was trying to convey (and correcting the errors therein), I thought I might as well document my new-found knowledge, so everyone can benefit from it. I don't remember what specifically with, but both ugetab and Pugsy answered questions concerning these schemes, so thanks go out to them. Thanks to WyrmCorp (the makers of UGGCONV) for their documentation and utility concerning Game Genie to raw hex conversion (though, admittedly, some of the information was incorrect). Thanks to the following for their original documentation on the various Game Genie encryption schemes: Nick Joslin (GameBoy), D. Lucas (NES), Merlyn LeRoy (Megadrive), and Sam Volo (SNES). Anyway, on with the show:

___________________________________________________________


Game Boy and Game Gear Game Genie encryption works as such:

____________________________________________
Uppercase - Encrypted (Game Genie code)     |
Lowercase - Decrypted (raw hex ROM address) |
____________________________________________|


ABC-DEF-[GHI]

AB is the new value to be written at the ROM address, in plain hex. Hence,

XXXX ab


CDE comprises the second, third, and fourth digits of the ROM address, also in plain hex. Hence,

Xcde ab


F is the first digit of the ROM address XORed with hex F (that is, the nibble with every bit flipped). Hence,

F XOR F = f

fcde ab


GHI, if present, comprises the Check Byte, or Compare. Both the Game Boy and the Game Gear use mappers, so ROM banks are switched in and out: the same address range holds one set of instructions or data at one moment and an entirely different set at another, and the patch must only touch the bank it was written for. The Check Byte tells the Game Genie, "If the value is XX, change it to YY. If not, do nothing." So, if you have the code 0123 FF - Check Byte 67, the Game Genie checks whether address 0123 contains the value 67. If it does, it changes that value to FF. If not, it does nothing.


Anyway, the Check Byte is solved for from the three digits GHI as such:

Take the three digits GHI - 123 (for example)

Drop the middle digit H, keeping GI - 13

Convert from hex to binary - 00010011

Rotate right by two bits within the byte ("Circular Shift", or "Rotate, No Carry": the two low bits wrap around to the top) - 11000100

Convert back to hex - C4

XOR with BA (C4 XOR BA = 7E)

7E is your Check Byte.
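Here is the whole Game Boy / Game Gear scheme above as a small Python decoder. It is a worked example added to this guide, not code from Majestic Porter or from any of the original documents; the function names are mine, and the sample code FF1-23F-123 is constructed from the guide's own numbers (value FF, address 0123, check digits 123). Only the decoding direction is shown, because the guide does not say how the unused middle digit H is chosen when a code is built.

```python
from typing import Optional, Tuple


def ror8(byte: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (circular shift, nothing falls off)."""
    n %= 8
    return ((byte >> n) | (byte << (8 - n))) & 0xFF


def decode_gb_game_genie(code: str) -> Tuple[int, int, Optional[int]]:
    """Decode 'ABC-DEF' or 'ABC-DEF-GHI' into (address, value, compare).

    compare is None when the code carries no Check Byte group.
    """
    groups = code.upper().split("-")
    if len(groups) not in (2, 3) or any(len(g) != 3 for g in groups):
        raise ValueError(f"malformed Game Genie code: {code!r}")
    try:
        n = [int(ch, 16) for ch in "".join(groups)]
    except ValueError as exc:
        raise ValueError(f"non-hex digit in code: {code!r}") from exc

    a, b, c, d, e, f = n[:6]
    value = (a << 4) | b                        # AB: the byte to write, plain hex
    # CDE are the low three nibbles of the address; F XOR 0xF is the high nibble.
    address = ((f ^ 0xF) << 12) | (c << 8) | (d << 4) | e

    compare = None
    if len(groups) == 3:
        g, _h, i = n[6:]                        # the middle digit H is dropped
        compare = ror8((g << 4) | i, 2) ^ 0xBA  # rotate GI right by 2, XOR BA
    return address, value, compare


def describe(code: str) -> str:
    """Render a decoded code in the guide's 'fcde ab (Check Byte xx)' form."""
    address, value, compare = decode_gb_game_genie(code)
    text = f"{address:04X} {value:02X}"
    return text if compare is None else f"{text} (Check Byte {compare:02X})"


if __name__ == "__main__":
    # Constructed input: value FF at ROM address 0123 with the guide's GHI = 123.
    print(describe("FF1-23F-123"))
```

A malformed group length or a non-hex digit raises ValueError instead of silently decoding garbage, which matters when codes are pasted in from forum posts with typos.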

_______________________________________________


NES Game Genie encryption works as such:


Game Genie code format: XXX-XXX or XXXX-XXXX

NES ROM address/value format: XXXX XX (with an optional Check Byte, or Compare - XX)


Each character in an NES GG code represents a four digit binary number. Here is a table:

A = 0000
P = 0001
Z = 0010
L = 0011
G = 0100
I = 0101
T = 0110
Y = 0111
E = 1000
O = 1001
X = 1010
U = 1011
K = 1100
S = 1101
V = 1110
N = 1111

We then run these four-bit groups through a transposition cipher. Each letter below stands for one bit: the Code row is the bit order as typed, and the Clear row is the bit order of the address, the value, and (for eight-character codes) the Check Byte. The cipher for the six-character codes is:

Code:  ABCD EFGH IJKL MNOP QRST UVWX 
Clear: INOP QVWX EJKL MRST AFGH UBCD


...and for the eight-character codes, it is:

Code:  ABCD EFGH IJKL MNOP QRST UVWX abcd efgh
Clear: INOP QVWX EJKL MRST AFGH eBCD afgh Ubcd

Convert the resultant four-digit binary numbers to hex. The first four hex digits (16 bits) comprise the address, the next two comprise the value, and the final two (if present) comprise the Check Byte, or Compare. As with the Game Boy, the NES uses mappers: ROM banks are switched in and out, so the same address range holds different instructions or data at different times, and the patch must not touch the wrong bank. The Check Byte tells the Game Genie, "If the value is XX, change it to YY. If not, do nothing." So, if you have the code 0123 FF - Check Byte 67, the Game Genie checks whether address 0123 contains the value 67. If it does, it changes that value to FF. If not, it does nothing.

Bit 15 of the address (the bit that letter I lands in) is always set, because NES PRG ROM is mapped at 8000-FFFF; on the Game Genie that bit only marks whether a code is six or eight letters long. So if your resultant address is less than 0x8000 (8000 hex), add 0x8000 (that is, OR it with 0x8000).


Example:

Game Genie code - AKE-LVS

A = 0000 
K = 1100
E = 1000
L = 0011
V = 1110
S = 1101

All together: 0000 1100 1000 0011 1110 1101

Code:  ABCD EFGH IJKL MNOP QRST UVWX = 0000 1100 1000 0011 1110 1101
Clear: INOP QVWX EJKL MRST AFGH UBCD = 1011 1101 1000 0110 0100 1000

1011 1101 1000 0110 0100 1000 = BD86 48: address BD86 (bit 15 is already set, so there is nothing to add), value 48, no Check Byte.
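The NES scheme, letter table and both transposition tables included, as a Python decoder plus the inverse encoder. This is a worked example added to this guide, not code from any of the original documents; the function names, the transpose helper and the constructed eight-letter sample AKEL-VSAA (the guide's AKE-LVS with two A's appended) are mine. The encoder goes one step beyond the text: it writes the bit in position I as 0 for six-letter codes and 1 for eight-letter codes, which is the convention published codes follow (the third letter of an eight-letter code is one of E O X U K S V N); the decoder forces address bit 15 on regardless, so the guide's own AKE-LVS still decodes as shown.

```python
from typing import Optional, Tuple

NES_LETTERS = "APZLGITYEOXUKSVN"            # index of a letter == its 4-bit value

# One label per bit, in code order and in clear order (address, value, compare).
CODE6 = "ABCDEFGHIJKLMNOPQRSTUVWX"
CLEAR6 = "INOPQVWXEJKLMRSTAFGHUBCD"
CODE8 = CODE6 + "abcdefgh"
CLEAR8 = "INOPQVWXEJKLMRSTAFGHeBCDafghUbcd"


def transpose(bits: str, src: str, dst: str) -> str:
    """bits[i] carries the label src[i]; emit the same bits in dst's label order."""
    by_label = dict(zip(src, bits))
    return "".join(by_label[label] for label in dst)


def decode_nes_game_genie(code: str) -> Tuple[int, int, Optional[int]]:
    """XXX-XXX or XXXX-XXXX -> (address, value, compare); compare is None for six letters."""
    letters = code.upper().replace("-", "")
    if len(letters) not in (6, 8):
        raise ValueError(f"NES codes have six or eight letters: {code!r}")
    if any(ch not in NES_LETTERS for ch in letters):
        raise ValueError(f"letter outside the Game Genie alphabet: {code!r}")
    bits = "".join(format(NES_LETTERS.index(ch), "04b") for ch in letters)
    src, dst = (CODE6, CLEAR6) if len(letters) == 6 else (CODE8, CLEAR8)
    clear = transpose(bits, src, dst)
    # Bit 15 (label I) is forced on: NES PRG ROM is mapped at 8000-FFFF.
    address = int(clear[:16], 2) | 0x8000
    value = int(clear[16:24], 2)
    compare = int(clear[24:32], 2) if len(letters) == 8 else None
    return address, value, compare


def encode_nes_game_genie(address: int, value: int, compare: Optional[int] = None) -> str:
    """Inverse of decode_nes_game_genie: raw address/value[/compare] -> letters."""
    if not (0x8000 <= address <= 0xFFFF and 0 <= value <= 0xFF):
        raise ValueError("address must be 8000-FFFF and value 00-FF")
    if compare is not None and not 0 <= compare <= 0xFF:
        raise ValueError("compare must be 00-FF")
    eight = compare is not None
    # Label I (address bit 15) is rewritten as the length flag: 0 for six letters,
    # 1 for eight. Decoding ignores it, so round trips still work.
    clear = ("1" if eight else "0") + format(address & 0x7FFF, "015b") + format(value, "08b")
    if eight:
        clear += format(compare, "08b")
    src, dst = (CLEAR8, CODE8) if eight else (CLEAR6, CODE6)
    bits = transpose(clear, src, dst)
    letters = "".join(NES_LETTERS[int(bits[i:i + 4], 2)] for i in range(0, len(bits), 4))
    split = 4 if eight else 3
    return f"{letters[:split]}-{letters[split:]}"


if __name__ == "__main__":
    print(decode_nes_game_genie("AKE-LVS"))        # the guide's worked example
    print(encode_nes_game_genie(0xBD86, 0x40, 0x08))
```

Driving both directions from the same two label strings means the tables are typed once, straight from the guide, and cannot drift apart between encoder and decoder.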

_____________________________________________________


SNES Game Genie encryption works as such:


SNES GG code format: XXYY-YYYY, where XX is the value, and YY-YYYY is the address.


First, we must run the code through a substitution cipher, replacing each code character with the hex digit beneath it:

Code:  D F 4 7 0 9 1 5 6 B C 8 A 2 3 E
Hex:   0 1 2 3 4 5 6 7 8 9 A B C D E F

After this is finished, the value (XX) is in plain text. The address (YY-YYYY), however, is still scrambled by a transposition cipher on its bits. Save the value for later, convert each hex digit of the address to binary, and run the resulting 24 bits (three bytes) through the following cipher, where each letter stands for one bit:

Code:  ijklqrst opabcduv wxefghmn
Clear: abcdefgh ijklmnop qrstuvwx



Example:



SNES GG code: ABCD-EFFF



A = C
B = 9
C = A
D = 0
E = F
F = 1
F = 1
F = 1

C9A0-F111 

C9 = decrypted value; next we solve for the decrypted address:


A0 = 10100000
F1 = 11110001
11 = 00010001

10100000 11110001 00010001

Code:  ijklqrst opabcduv wxefghmn = 10100000 11110001 00010001
Clear: abcdefgh ijklmnop qrstuvwx = 11000100 10100111 00000100 = C4 A7 04

Hence, the decrypted value is C9, and the decrypted address is C4A704. (C4A704:C9)
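The SNES scheme as Python, both the digit substitution and the 24-bit address transposition, with an encoder that runs the two steps in reverse. This is a worked example added to this guide, not code from any of the original documents; the function names and the transpose helper are mine, and the only input used is the guide's own ABCD-EFFF.

```python
from typing import Tuple

GENIE_DIGITS = "DF4709156BC8A23E"   # the code digit at index n stands for hex digit n
HEX_DIGITS = "0123456789ABCDEF"

# One label per address bit: how the 24 bits sit in the code vs. in the clear.
CODE_LAYOUT = "ijklqrstopabcduvwxefghmn"
CLEAR_LAYOUT = "abcdefghijklmnopqrstuvwx"


def transpose(bits: str, src: str, dst: str) -> str:
    """bits[i] carries the label src[i]; emit the same bits in dst's label order."""
    by_label = dict(zip(src, bits))
    return "".join(by_label[label] for label in dst)


def substitute(text: str, table_from: str, table_to: str) -> str:
    """Map every character of text through table_from[i] -> table_to[i]."""
    return "".join(table_to[table_from.index(ch)] for ch in text)


def decode_snes_game_genie(code: str) -> Tuple[int, int]:
    """XXYY-YYYY -> (24-bit address, 8-bit value)."""
    digits = code.upper().replace("-", "")
    if len(digits) != 8 or any(ch not in GENIE_DIGITS for ch in digits):
        raise ValueError(f"malformed SNES Game Genie code: {code!r}")
    plain = substitute(digits, GENIE_DIGITS, HEX_DIGITS)   # step 1: digit substitution
    value = int(plain[:2], 16)                              # XX is now readable
    scrambled = format(int(plain[2:], 16), "024b")          # YYYYYY is still transposed
    address = int(transpose(scrambled, CODE_LAYOUT, CLEAR_LAYOUT), 2)
    return address, value


def encode_snes_game_genie(address: int, value: int) -> str:
    """Inverse of decode_snes_game_genie: transpose the address, then substitute."""
    if not (0 <= address <= 0xFFFFFF and 0 <= value <= 0xFF):
        raise ValueError("address must be 000000-FFFFFF and value 00-FF")
    scrambled = int(transpose(format(address, "024b"), CLEAR_LAYOUT, CODE_LAYOUT), 2)
    code = substitute(f"{value:02X}{scrambled:06X}", HEX_DIGITS, GENIE_DIGITS)
    return f"{code[:4]}-{code[4:]}"


if __name__ == "__main__":
    address, value = decode_snes_game_genie("ABCD-EFFF")
    print(f"{address:06X}:{value:02X}")                     # the guide's worked example
```

Keeping the substitution and the bit transposition as two separate functions mirrors the two steps in the text, so a wrong result can be pinned to one of them by checking the intermediate C9A0-F111 string.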

___________________________________________________


Genesis (also known as Megadrive) Game Genie encryption works as such:

Original Game Genie code format: XXXX-XXXX

Genesis ROM address/value format: YYYYYY:YYYY (a 24-bit address and a 16-bit value)


Each character in a Genesis GG code represents a five-digit binary number. Here is a table:

A = 00000
B = 00001
C = 00010
D = 00011
E = 00100
F = 00101
G = 00110
H = 00111
J = 01000
K = 01001
L = 01010
M = 01011
N = 01100
P = 01101
R = 01110
S = 01111
T = 10000
V = 10001
W = 10010
X = 10011
Y = 10100
Z = 10101
0 = 10110
1 = 10111
2 = 11000
3 = 11001
4 = 11010
5 = 11011
6 = 11100
7 = 11101
8 = 11110
9 = 11111

After converting each character to its binary equivalent, append them all together into a 40-digit binary number, then break this number up into 8-digit pieces. 


Next, run it through this transposition cipher:

Code:   ijklmnop IJKLMNOP ABCDEFGH defghabc QRSTUVWX
Clear:  ABCDEFGH IJKLMNOP QRSTUVWX abcdefgh ijklmnop

Finally, convert each 8-digit binary number to hexadecimal. The first three bytes comprise the 24-bit address, and the last two comprise the 16-bit value.




Example:

ABD5-78F7 [original GG code]

A = 00000
B = 00001
D = 00011
5 = 11011
7 = 11101
8 = 11110
F = 00101
7 = 11101

Result = 0000000001000111101111101111100010111101

Broken up = 00000000 01000111 10111110 11111000 10111101


Encrypted: ijklmnop IJKLMNOP ABCDEFGH defghabc QRSTUVWX
Encrypted: 00000000 01000111 10111110 11111000 10111101


Decrypted: ABCDEFGH IJKLMNOP QRSTUVWX abcdefgh ijklmnop
Decrypted: 10111110 01000111 10111101 00011111 00000000


Converted to hex: BE 47 BD 1F 00

ROM Address and value: BE47BD:1F00
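The Genesis scheme as Python: the 32-character letter table, the 40-bit transposition, and the inverse encoder. This is a worked example added to this guide, not code from any of the original documents; the function names and the transpose helper are mine, and the only input used is the guide's own ABD5-78F7.

```python
from typing import Tuple

# Index of a character == its 5-bit value. I, O, Q and U are not in the alphabet.
GENESIS_LETTERS = "ABCDEFGHJKLMNPRSTVWXYZ0123456789"

# One label per bit of the 40-bit string, in code order and in clear order
# (24-bit address ABCDEFGH IJKLMNOP QRSTUVWX, then 16-bit value abcdefgh ijklmnop).
CODE_LAYOUT = "ijklmnopIJKLMNOPABCDEFGHdefghabcQRSTUVWX"
CLEAR_LAYOUT = "ABCDEFGHIJKLMNOPQRSTUVWXabcdefghijklmnop"


def transpose(bits: str, src: str, dst: str) -> str:
    """bits[i] carries the label src[i]; emit the same bits in dst's label order."""
    by_label = dict(zip(src, bits))
    return "".join(by_label[label] for label in dst)


def decode_genesis_game_genie(code: str) -> Tuple[int, int]:
    """XXXX-XXXX -> (24-bit ROM address, 16-bit value)."""
    letters = code.upper().replace("-", "")
    if len(letters) != 8 or any(ch not in GENESIS_LETTERS for ch in letters):
        raise ValueError(f"malformed Genesis Game Genie code: {code!r}")
    bits = "".join(format(GENESIS_LETTERS.index(ch), "05b") for ch in letters)  # 40 bits
    clear = transpose(bits, CODE_LAYOUT, CLEAR_LAYOUT)
    return int(clear[:24], 2), int(clear[24:], 2)


def encode_genesis_game_genie(address: int, value: int) -> str:
    """Inverse of decode_genesis_game_genie."""
    if not (0 <= address <= 0xFFFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("address must be 000000-FFFFFF and value 0000-FFFF")
    clear = format(address, "024b") + format(value, "016b")
    bits = transpose(clear, CLEAR_LAYOUT, CODE_LAYOUT)
    letters = "".join(GENESIS_LETTERS[int(bits[i:i + 5], 2)] for i in range(0, 40, 5))
    return f"{letters[:4]}-{letters[4:]}"


def to_raw(code: str) -> str:
    """Format a code in the guide's YYYYYY:YYYY notation."""
    address, value = decode_genesis_game_genie(code)
    return f"{address:06X}:{value:04X}"


if __name__ == "__main__":
    print(to_raw("ABD5-78F7"))                    # the guide's worked example
```

The alphabet check rejects I, O, Q and U up front, which catches the most common transcription mistake with these codes (reading a 0 as an O or a 1 as an I) before it turns into a wrong address.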



This text was brought to you by GameHacking.org, unless someone else gave it to you, in which case it was only written by someone at GameHacking.org. Heheh.