
Sega Mega CD ISO Hacks & Editors


  • Tony H
    replied
    Originally posted by Markle666 View Post
    It looks so cool!
    Two questions:
    1. As far as I know, cue+bin, cue+iso+wave, ccd+img, different iso formats have different offsets in the binary data? In your tool, will it be compatible with all formats, or just support ccd+img?
    2. If I select "Find all matches at once", will it list all addresses in ROM/ISO?
    Question 1): To the best of my knowledge, there are 3 main types of Sega CD file extensions that have the actual game programming in them, bin, img, and iso. Out of those 3, bin and img have ROM offsets that are 0x10 higher than iso types. In other words, if you had two ROMs of the same game and one is iso and the other is img, and the address for infinite lives was at 0x4000 in the iso ROM, the address for infinite lives would be at 0x4010 in the img ROM. This happens because iso ROMs have a 0x10 byte string at the very beginning of the ROM that the other two don't have. The program uses a pattern search, so different offsets don't matter at all.

    The program checks to see if the file it is opening has the string 44495343 at the correct location in the ROM. 44495343 = DISC in ASCII. The program knows if it's the correct type of file or not. If you open up any Sega CD file with a hex editor, you will see this as ASCII text on the right side: SEGADISCSYSTEM. I just use the "DISC" part as a convenient way to check. Since the program will probably work on Sega Genesis (and maybe 32x) as well, I've included the option to open any kind of file you want, but it will give you a warning message if it's not the correct type of Sega CD file. In short, the program should work on any Sega CD file type.

    Question 2): I only have it so that it lists 10 ROM addresses. It will find every match in the ROM, but will only put the first 10 in the list. If you want to see all of them, you can select to view them one at a time, and it will show you each ROM address individually in a separate box, along with the value at that address (in both hex and decimal). Games like Sonic CD will have 73 different matches with many RAM addresses, for 73 different levels in the game, so I had to draw the line somewhere. I just added a new filtered searching feature today that helps to deal with games that have more than 10 matches. For a game like Sonic CD, you would find 73 matches, and patch 10 addresses into the ROM. Then use the filtered search and since it would no longer find the 10 addresses that were just patched, it would only find 63 matches. Keep patching 10 at a time until they're all patched. It searches and patches very quickly (in one to two seconds), so wouldn't take long at all. But Sonic CD is probably the worst as far as how many matches it has. Most games would have only one, or definitely way less than 73. You'll find that RPG type games usually only have one match, while games with levels will have more than one.
    Last edited by Tony H; 02-24-2022, 09:50:16 PM.
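
The file-type check and offset-independent search described in the post above, as an added example that is not part of the original post or the tool's own code. Helper names, the byte pattern and both sample images are constructed; the header is looked for at offsets 0x00 and 0x10 to cover the 0x10 shift the post describes.

```python
# Added example: helper names and sample images are constructed for illustration.
SIGNATURE = b"SEGADISCSYSTEM"
DISC = bytes.fromhex("44495343")  # "DISC", the four bytes named in the post


def header_offset(image: bytes):
    """Return where the Sega CD header starts (0x00 or 0x10), or None."""
    for base in (0x00, 0x10):
        starts_ok = image[base:base + len(SIGNATURE)] == SIGNATURE
        # "DISC" sits four bytes into "SEGADISCSYSTEM".
        if starts_ok and image[base + 4:base + 8] == DISC:
            return base
    return None


def find_all(image: bytes, pattern: bytes):
    """Every offset where pattern occurs, overlapping matches included."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits


def search(image: bytes, pattern: bytes, list_limit: int = 10):
    """Search by content, so a shifted image needs no offset correction."""
    base = header_offset(image)
    hits = find_all(image, pattern)
    return {
        "recognised": base is not None,   # False -> warn, but still search
        "header_at": base,
        "total": len(hits),
        "listed": hits[:list_limit],      # only the first 10 go in the list
    }


# Constructed sample: 12 copies of a made-up pattern, first one at 0x4000.
PATTERN = bytes.fromhex("0123456789AB")
body = bytearray(0x6000)
body[0:len(SIGNATURE)] = SIGNATURE
for i in range(12):
    start = 0x4000 + i * 0x100
    body[start:start + len(PATTERN)] = PATTERN
IMAGE_A = bytes(body)                  # header at 0x00
IMAGE_B = bytes(0x10) + IMAGE_A        # same content shifted by 0x10

if __name__ == "__main__":
    for name, img in (("A", IMAGE_A), ("B", IMAGE_B)):
        r = search(img, PATTERN)
        print(name, r["recognised"], r["total"], [hex(h) for h in r["listed"][:2]])
```
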



  • Markle666
    replied
    It looks so cool!
    Two questions:
    1. As far as I know, cue+bin, cue+iso+wave, ccd+img, different iso formats have different offsets in the binary data? In your tool, will it be compatible with all formats, or just support ccd+img?
    2. If I select "Find all matches at once", will it list all addresses in ROM/ISO?



  • Tony H
    replied
    Here's a screenshot of it searching for the RAM address for missiles (07FFD0) in The Adventures of Batman & Robin (Sega CD). It found 12 matches in the ROM that are subtracting from that address, 12 matches that are adding to that address, and one address moving a value of 3 to that address. I think there are 12 levels and each one has its own programming (this is common with Sega CD games). Now that the program found this info, you can use it to patch the ROM so that you have infinite missiles in all 12 levels, make it so that missile pickups are worth more in all 12 levels (you can use the tool to adjust how many you want), and you can adjust how many missiles you start the game with.

    Remember that this is just a rough version, and I still have a lot of work left to do. There is a patch menu, and a dump menu that you can see by clicking on the tabs. You can choose between having it search for everything at once and show you the results, or you can have it step through each match one at a time. It shows you how many matches it found for each type of search it did, and it shows you if certain matches are 16 or 32 bit. You can also dump all of the ROM addresses to a text file, along with other info. This is useful if you want to save the info for later, or if you want to look at the addresses with a hex editor.

    [Image: SegaCDPatchTool.png]
    Last edited by Tony H; 02-22-2022, 11:28:30 PM.



  • Markle666
    replied
    Great News!
    I will check "hook_log_cd.txt" and the "hook_cd.txt" and am waiting for your Sega CD program~



  • Tony H
    replied
    First off, when you used Gens Tracer, did you use the "hook_log_cd.txt" and the "hook_cd.txt"? Also, if you make an assembly trace log, make sure you look at both trace logs (trace.log and trace_cd.log). I've used Gens Tracer before with a couple different types of Sega CD RAM addresses and didn't have any problems.

    As far as Lee4's method, maybe you should try the game he uses in his example (I think it's Mortal Kombat) and follow along with that. That might help you understand how everything works. I've never tried Lee's method, so I can't help you much with that.

    I'm working on a Sega CD program that will let you enter any type of Sega CD RAM address (PRG RAM, Word RAM, etc), and it will search for possible ROM addresses that it can patch so you will have the cheats/codes in your game. I just tried it with one of the RAM addresses for Lethal Enforcers (P1 bullet) from the site, and it found a match on the first try. I should have it done in a week or two.
    Last edited by Tony H; 02-22-2022, 02:13:24 PM.



  • Markle666
    replied
    Hi Tony, I am coming back.
    I am trying to hack continues (credits) on Lethal Enforcers and Lethal Enforcers 2 (both versions are JP).
    Lethal Enforcers continues RAM address: 00238403
    Lethal Enforcers 2 continues RAM address: 000292A5
    I have tried to search 00238403-00230000 = 00008403 and 000292A5 - 00020000 = 000092A5, but still failed.
    Firstly, I used "Gens Tracer", but it seems it cannot look for the break point based on 00008403 or 000092A5.
    Secondly, I used "Fusion 3.5 + ArtMoney", which "lee4" has recommended.
    1) I located RAM: 00238403 (x86 RAM Address is 025CB9CA)

    [Image: tony1.png]

    2) I click "Find an instruction..."

    [Image: tony2.png]

    3) Start debug when "00238403" is written; I can get the instruction address:

    [Image: tony3.png]

    So what is the next step in this way?

    I got stuck...T-T



  • Markle666
    replied
    Thank you, Tony. I will try Gens Tracer. Let's end this topic temporarily; if I have any further questions I will come back to you.



  • Tony H
    replied
    Markle666, one easy way to find the actual ROM address in this situation is to search for a string of bytes that CE gives you in the Memory Viewer. Unfortunately, some Gens emulators will have the byte order swapped, so it can be a bit difficult to read and figure out a string to search for in the ROM. In your example above, the second line you show: 9F4C 0100 754E is actually in the ISO/ROM like this: 4C9F 0001 4E75. If you search in the ROM for that string you'll get a few matches, but the correct one is the fourth match. It looks like you copied the values incorrectly for the first line, you wrote 04 84, but it should be 04 64.

    If you don't want to deal with this reverse byte stuff, you can use Kega Fusion and it will show the bytes in the correct order.

    Once you find the correct ROM address, you'll need to figure out what the values mean and this is where some 68000 assembly knowledge is useful. Usually, when CE snaps and gives you the address, the part you're interested in will usually be right before the address that CE gives you.

    If you can't figure out what all the instructions are in the ROM, you may want to try Gens Tracer or Gens 9.5b like I mentioned before, and set a break point and do a trace log. The trace log will show you what all of the instructions are. I wrote a guide on how to use Gens tracer (it's on my site). It doesn't show Sega CD specifically, but it will get you pointed in the right direction.

    EDIT: I just read a note to myself from a while back that says that I got the asm trace log working on Gens 9.5b for Sega CD, but couldn't get the memory log working. The memory log in Gens Tracer works with Sega CD.
    Last edited by Tony H; 02-15-2022, 03:23:05 PM.
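
The byte-order swap from the post above, as an added example that is not part of the original post. It goes one step further than the post by using both Memory Viewer rows from the thread (addresses 01060418 and 01060428, with the 04 64 correction) and their known 0x10 spacing to pick the right match; the image and function names are constructed.

```python
import re

# Added example: the image below is constructed, not data from a real disc.


def swap_words(dump: str) -> bytes:
    """Turn byte-swapped 16-bit words from the memory viewer into disc order."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    if len(raw) % 2:
        raise ValueError("dump must contain whole 16-bit words")
    return bytes(raw[i ^ 1] for i in range(len(raw)))


def matches(image: bytes, pattern: bytes):
    """All offsets where pattern occurs in the image."""
    return [m.start() for m in re.finditer(re.escape(pattern), image)]


def locate(image: bytes, rows: dict):
    """rows maps viewer address -> dump text. Return offsets of the lowest row
    where every other row also matches at the same relative distance."""
    first = min(rows)
    wanted = {addr - first: swap_words(text) for addr, text in rows.items()}
    hits = []
    for pos in matches(image, wanted[0]):
        if all(image[pos + d:pos + d + len(p)] == p for d, p in wanted.items()):
            hits.append(pos)
    return hits


# The two viewer rows quoted in the thread (first row with the 04 64 fix).
ROWS = {0x01060418: "0464 6E42 2800", 0x01060428: "9F4C 0100 754E"}

# Constructed image: the second row occurs four times, but only the fourth
# occurrence has the first row 0x10 bytes in front of it.
img = bytearray(b"\xff" * 0x2000)
row1, row2 = swap_words(ROWS[0x01060418]), swap_words(ROWS[0x01060428])
for off in (0x200, 0x600, 0xA00, 0x1428):
    img[off:off + len(row2)] = row2
img[0x800:0x800 + len(row1)] = row1        # decoy: first row on its own
img[0x1418:0x1418 + len(row1)] = row1
IMAGE = bytes(img)

if __name__ == "__main__":
    print(row2.hex(" "), [hex(o) for o in matches(IMAGE, row2)])
    print([hex(o) for o in locate(IMAGE, ROWS)])
```
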



  • Markle666
    replied
    Tony, I used Gen+CE. I followed your instructions:

    right click on the address and click on "Find out what writes to this address". This will open a new debugger window. Play the game until the debugger window shows a line of code. Double click on the line of code and it will open another window called "Extra info". Now, double click on "ESI" (yes it should be ESI) and it will open another new window called Memory Viewer.


    I can locate RAM memory 01057C06 (this represents 1P health), but this digit is not the RAM address as real Genesis memory, right?
    Then I followed your instructions to open ESI, and it gives another window called Memory Viewer. I can see the base address: 010600000 (program base address?)
    and it also shows a chart as follows:
    01060418 04 84 6E 42 28 00 ...
    01060428 9F4C 01 00 75 4E ...
    ...
    ...

    So the first row is the writing action point, right? Subtracting 010600000 from 01060418, I get 418, so this "418" is the ROM address in the iso file?



  • Tony H
    replied
    Markle666, you didn't follow the instructions, so I will just copy and paste it again:

    EDIT: Just remembered that you can use the address you found with Gens to possibly find a code in the ROM/ISO or a trace log. I believe you subtract 0x20000 from the RAM address you found and search for that. So in your case, 0002F0FD - 20000 = 0000F0FD. Search for 0000F0FD (or possibly 0000F0FC) in the ISO/ROM itself, or in an assembly trace log. This will not always work, but worth a try.

    There is no "assembly viewer tool" that I know of, so it's just a matter of getting to know some of the more popular instructions, or looking them up. Doing it this way (just searching for the RAM address in the ROM) is kind of a short cut and probably not the best way to learn. You may want to use one of the other methods I mentioned as well since that is the best way to do it, and so you can see how everything works. When you just search in the ROM, you are kind of guessing whether or not it will work.

    As for the patch on TCRF, I don't know anything about it.
    Last edited by Tony H; 02-15-2022, 09:04:38 AM.



  • Markle666
    replied
    Originally posted by Tony H View Post
    Markle666, I downloaded the Ninja Warrior Sega CD ROM and found that the method I mentioned above about subtracting 0x20000 from your RAM addresses looks like it will work in this case.

    I checked the ROM with a hex editor, and found what appears to be the assembly for moving a value of 04 to both of your continue RAM addresses. This can be changed to let you start a new game with more continues. There is also a subtract instruction for both of them that is most likely what subtracts 1 when you use up a continue. This would be where you make your infinite continue code. Haven't tested any of these, but they look like they should work. I won't give any specific details unless asked, since I'm guessing you want to find this stuff yourself.

    One last thing, there appears to be some programming that gives each player 99 continues. Either this is something you can select in an Option menu (don't even know if there is an Option menu), or it is possibly some kind of cheat that the developers included. Haven't seen any controller button cheats for this game anywhere online, so this may be previously undocumented.


    EDIT: Had forgotten that Gens Tracer looks like it can do Sega CD break points for any type of RAM address, including the type you found.
    Thank you for your suggestion. I tried to locate "0002F0FD" in the iso and found 25 results, then looked for a "SUB" instruction (9X or 09) among these codes, but I am still at a loss. Since you found "There is also a subtract instruction for both of them that is most likely what subtracts 1", could you tell me how you located it? Is there maybe an assembly viewer tool to make locating it more efficient?

    About the "Option menu" (debug mode), I checked, and it does have one ( https://tcrf.net/The_Ninja_Warriors_(Sega_CD) ), but it needs an IPS patch. I patched it but it does not work. My iso is ccd+img+sub; do I need to convert it into cue+bin?



  • Tony H
    replied
    Markle666, I downloaded the Ninja Warrior Sega CD ROM and found that the method I mentioned above about subtracting 0x20000 from your RAM addresses looks like it will work in this case.

    I checked the ROM with a hex editor, and found what appears to be the assembly for moving a value of 04 to both of your continue RAM addresses. This can be changed to let you start a new game with more continues. There is also a subtract instruction for both of them that is most likely what subtracts 1 when you use up a continue. This would be where you make your infinite continue code. Haven't tested any of these, but they look like they should work. I won't give any specific details unless asked, since I'm guessing you want to find this stuff yourself.

    One last thing, there appears to be some programming that gives each player 99 continues. Either this is something you can select in an Option menu (don't even know if there is an Option menu), or it is possibly some kind of cheat that the developers included. Haven't seen any controller button cheats for this game anywhere online, so this may be previously undocumented.


    EDIT: Had forgotten that Gens Tracer looks like it can do Sega CD break points for any type of RAM address, including the type you found.
    Last edited by Tony H; 02-14-2022, 08:40:56 PM.



  • Tony H
    replied
    Originally posted by Markle666 View Post
    Hi Tony, I am trying to hack <Ninja Warriors>. I saw in another thread that somebody has hacked infinite health, but I want to hack continues (both 1P and 2P), and I used "gens_r57shell_mod_r665" to locate RAM Address: "0002F0FD" for 1P continue, and "0002F0FF" for 2P continue. But the Genesis RAM range should be 0xFFxxxx, right? Then I put them into the "M68K" debugger and tried to add break points for write/read of this RAM, but it does not work. How can I do that? Is there any tutorial I can refer to?
    I haven't done much Sega CD stuff in a while, so I'm a little rusty on the details. Sega CD uses two different types of RAM. One is the conventional FF type like what the Genesis uses, and the other is what you found. The type that you found is not supported by most emulators when it comes to debugging and using the RAM codes as cheats. There were one or two emulators that were supposed to be updated to be able to support those types of RAM addresses, but I haven't checked in a while so don't know if that ever happened. I think Mame is supposed to have complete support for those types of RAM addresses, but I've never tried it.

    If you don't want to use Mame, you can always use Cheat Engine, together with your favorite emulator. Once you find the RAM address with CE, right click on the address and click on "Find out what writes to this address". This will open a new debugger window. Play the game until the debugger window shows a line of code. Double click on the line of code and it will open another window called "Extra info". Now, double click on "ESI" (or possibly "EAX"?) and it will open another new window called Memory Viewer. This will show the RAW assembly that you're interested in.

    Lee4 also wrote a guide with several pictures. Have never tried it but Lee4 is a good hacker, so I'm sure it will be useful: https://gamehacking.org/vb/forum/vid...559#post143559


    EDIT: Just remembered that you can use the address you found with Gens to possibly find a code in the ROM/ISO or a trace log. I believe you subtract 0x20000 from the RAM address you found and search for that. So in your case, 0002F0FD - 20000 = 0000F0FD. Search for 0000F0FD (or possibly 0000F0FC) in the ISO/ROM itself, or in an assembly trace log. This will not always work, but worth a try.
    Last edited by Tony H; 02-14-2022, 10:05:21 AM.
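
The "subtract 0x20000 and search" shortcut from the post above, as an added example that is not part of the original post. It assumes the game code reaches the variable through 68000 absolute-long addressing (an assumption, which is one reason the shortcut will not always work); the function names and the sample image are constructed, and only the RAM address 0002F0FD comes from the thread.

```python
import re
import struct

PRG_RAM_OFFSET = 0x20000  # the value the post says to subtract

# Standard 68000 opcode words followed directly by a 32-bit absolute address.
ADD_SUB = {0x5339: "SUBQ.B #1", 0x5379: "SUBQ.W #1",
           0x5239: "ADDQ.B #1", 0x5279: "ADDQ.W #1"}
# MOVE #imm,(addr).L: opcode word, 16-bit immediate word, then the address.
MOVE_IMM = {0x13FC: ("MOVE.B", 0xFF), 0x33FC: ("MOVE.W", 0xFFFF)}


def candidates(ram_addr: int):
    """Address forms to search for: minus 0x20000, plus the even address below."""
    addr = ram_addr - PRG_RAM_OFFSET
    return sorted({addr, addr & ~1})


def classify(image: bytes, pos: int) -> str:
    """Name the instruction in front of an address match, if recognised."""
    if pos >= 2:
        op = struct.unpack_from(">H", image, pos - 2)[0]
        if op in ADD_SUB:
            return ADD_SUB[op]
    if pos >= 4:
        op, imm = struct.unpack_from(">HH", image, pos - 4)
        if op in MOVE_IMM:
            name, mask = MOVE_IMM[op]
            return f"{name} #{imm & mask}"
    return "unknown"   # may be data or an unrelated match


def scan(image: bytes, ram_addr: int):
    """Return (file offset, address form, instruction guess) for every match."""
    results = []
    for addr in candidates(ram_addr):
        needle = re.escape(struct.pack(">I", addr))
        for m in re.finditer(needle, image):
            results.append((m.start(), addr, classify(image, m.start())))
    return sorted(results)


# Constructed sample image (not bytes from the real game).
sample = bytearray(0x400)
sample[0x100:0x108] = bytes.fromhex("13FC00040000F0FD")  # MOVE.B #4,($F0FD).L
sample[0x200:0x206] = bytes.fromhex("53390000F0FD")      # SUBQ.B #1,($F0FD).L
sample[0x300:0x304] = bytes.fromhex("0000F0FC")          # bare data word
IMAGE = bytes(sample)

if __name__ == "__main__":
    for off, addr, kind in scan(IMAGE, 0x0002F0FD):
        print(f"{off:#06x}  {addr:08X}  {kind}")
```
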



  • Markle666
    replied
    Hi Tony, I am trying to hack <Ninja Warriors>. I saw in another thread that somebody has hacked infinite health, but I want to hack continues (both 1P and 2P), and I used "gens_r57shell_mod_r665" to locate RAM Address: "0002F0FD" for 1P continue, and "0002F0FF" for 2P continue. But the Genesis RAM range should be 0xFFxxxx, right? Then I put them into the "M68K" debugger and tried to add break points for write/read of this RAM, but it does not work. How can I do that? Is there any tutorial I can refer to?






  • KATT22
    replied
    Thank you for these codes. The only problem is that the games don't have music when I play.
