Hi Tony :
Thanks for the great tips. I used to search for the on/off address but failed (using "compare different");
with your hint (01 or FF), I will try it again after work and feel it will succeed!
I can not "add the RAM code", it's grayed out as you said. I photograph it with my mobile phone and
input it to the Game Genie area manually, a little inconvenient,
maybe it's a bug or some procedure I got wrong...
If I figure it out, I will tell you...
Thank you.
Sega Mega CD ISO Hacks & Editors
-
Dewen, it looks like the method I mentioned (using "read" breakpoints for the flicker timer) is not correct. You'll need to search for the byte that determines if you're inv or not and then do a "read" breakpoint on that one. I think I got the two methods mixed up (haven't done that type of code in a while).
Here are some tips on how to find the inv on/off byte...
Usually, the inv on/off byte will be zero when off, and either 01 or FF when on. You can use this info to greatly narrow down your RAM search results. You can also look at the assembly trace log right where the flicker timer is being activated and see what other RAM addresses are being changed in that area. Here is a tip: The value that is loaded for the flicker timer is D2, so look in your assembly trace log for #$00D2,($F854). Changing the "00D2" will change how long your invincibility will last. There are a few "MOVE" instructions in that immediate area that might be what you're looking for.
EDIT: I previously got the search results for the inv on/off RAM address down to around 20 results, but could not figure out how to "add" the RAM codes with the emulator you mentioned in the PM (Gens r57 shell mod). Do you know how to add them? The "add cheat" button is blanked out. I seem to remember having the same problem a few years ago when I first tried that emulator.
Last edited by Tony H; 03-19-2017, 01:41:20 PM.
-
This should be your non flashing inv code. I don't have the ISO file, so I can't test it...
FF87FE:6002 .... this code will make it so that it will never follow the "if equal to zero" branch, which should give you invincibility.
FF:87FE 67 00 BEQ #$0014 [FF:8814].... The 0014 tells you how many bytes it will branch, and it shows you the address it is branching to in the brackets: [FF:8814]
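The displacement arithmetic in the post above, as an added example that is not part of the original thread: a small decoder for 68000 BRA/BSR/Bcc opcodes that reproduces the bracketed targets from the trace log and shows why writing 60 02 over the first two bytes of a 4-byte instruction simply jumps past it. The function names are hypothetical, and the 4-byte sample encodings are constructed by joining the two opcode bytes and the displacement shown in the thread's trace lines.

```python
# Added example: 68000 branch decoding. Helper names are hypothetical.
NAMES = ["BRA", "BSR", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
         "BVC", "BVS", "BPL", "BMI", "BGE", "BLT", "BGT", "BLE"]

def decode_branch(addr, code):
    """Decode a BRA/BSR/Bcc at addr; return (mnemonic, size, target)."""
    if len(code) < 2 or code[0] >> 4 != 0x6:
        raise ValueError("not a 68000 branch opcode")
    name, disp8 = NAMES[code[0] & 0xF], code[1]
    if disp8 == 0:
        # Low byte 00: a signed 16-bit displacement follows (4-byte form).
        if len(code) < 4:
            raise ValueError("word-form branch needs 4 bytes")
        size, disp = 4, int.from_bytes(code[2:4], "big", signed=True)
    else:
        # Otherwise the low byte is itself a signed 8-bit displacement.
        size, disp = 2, (disp8 - 0x100 if disp8 & 0x80 else disp8)
    # Displacements are relative to the opcode address + 2 (24-bit bus).
    target = (addr + 2 + disp) & 0xFFFFFF
    return f"{name}.{'W' if size == 4 else 'S'}", size, target

def skips_instruction(addr, original, patch):
    """True if patch, written over the start of original, only jumps past it."""
    patched = bytes(patch) + bytes(original[len(patch):])
    name, _, target = decode_branch(addr, patched)
    return name == "BRA.S" and target == addr + len(original)

# Constructed from the thread's trace lines: (address, opcode bytes plus
# displacement as hex, bracketed target printed by the emulator).
TRACE = [
    (0xFF87FE, "67000014", 0xFF8814),
    (0xFF881A, "67000006", 0xFF8822),
    (0xFF8826, "6700002E", 0xFF8856),
    (0xFF8856, "6100FAEC", 0xFF8344),  # negative displacement (BSR backwards)
    (0xFF87D4, "67000024", 0xFF87FA),
]

def check_trace():
    """Compare each decoded target with the one shown in the trace log."""
    return [decode_branch(a, bytes.fromhex(h))[2] == t for a, h, t in TRACE]

if __name__ == "__main__":
    for a, h, t in TRACE:
        name, size, target = decode_branch(a, bytes.fromhex(h))
        print(f"{a:06X} {name} -> {target:06X} (log shows {t:06X})")
    print(skips_instruction(0xFF87FE, bytes.fromhex("67000014"), b"\x60\x02"))
```
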
-
Originally posted by Tony Hedstrom:
> You're really close...
> FF:87FA 4A 78 TST.W ($F854) .... This is testing your inv flashing timer RAM address. The instruction right after this should be a conditional branch, and that is the one you want.
Hi Tony:
Thanks for your great help,
after hours of searching and learning (completely new to 68K and programming)
I figure the following code may be important,
but I can not understand it,
can you give me more instruction and hints?
thanks a lot !!!
===
FF:87FA 4A 78 TST.W ($F854)
condition code, set Z if ($F854)=0
( $F854 = inv time count ram address )
FF:87FE 67 00 BEQ #$0014 [FF:8814]
if $F854=0000, branch to ?? FF:8814 ?
what does #$0014 mean ?
is it branch to FF:8828 ( 14+14 ? ) or something ?
FF:8814 4A 79 TST.W ($FFFFCC02)
compare ($FFCC02) with zero
FF:881A 67 00 BEQ #$0006 [FF:8822]
if yes, branch to FF:8822 ? ( what is #$0006 ? )
Raw code FF8814:60 02 will be invincible, but lose joystick control...
FF:8822 4A 78 TST.W ($F828)
if Ram address $F828 = 0000 <-- ram address for inv or not inv ?
if I bypass this code, change 4A 78 to 60 02,
it will become invincible, but character still mild blurred and double vision, and can not get items
check for collision ?
FF:8826 67 00 BEQ #$002E [FF:8856]
branch to FF:8856 ?
FF:8856 61 00 BSR #$FAEC [FF:8344]
branch subroutine go to FF:8344
( what does #$FAEC mean ? )
FF:8344 70 00 MOVEQ #$00,D0
move 00 to D0 ? ( what address ? )
FF:8346 12 38 MOVE.B ($FE20),D1
D1 : 181C FFFF --> 181C FF00
( assume $FE20 = ram address for not invincible if = 00 )
FF:834A 02 41 ANDI.W #$000F,D1
$000F and $FF00 --> D1= 18EC 0000
FF:834E 10 3B MOVE.B $08(PC,D1),D0
program count 08 --> D0 ??
FF:8352 12 38 MOVE.B ($FE20),D1
D1 become 18EC 0000
FF:8356 4E 75 RTS
Return
=====
IF $FE20 is the ram address for invincibility ( 0 = not invincible ),
How do I bypass the routine to set it to zero ?
Thanks for your great help !!!
I think I need more learning for X68, sorry...
Last edited by dewen; 03-17-2017, 09:39:22 AM.
-
You're really close...
FF:87FA 4A 78 TST.W ($F854) .... This is testing your inv flashing timer RAM address. The instruction right after this should be a conditional branch, and that is the one you want.
-
Searched and found this, seems like what you said ( but it's for SMS ) :
http://www.smspower.org/forums/14312...ithoutBlinking
must find the ram address that stores the zero ( invincible ) or not zero ( invincible ),
maybe beneath the breakpoint...
log of the "read" breakpoint,
[FF:87FC] R16 = 0000 [FFF854]
[FF:87FC] R16 = 0000 [FFF854]
[FF:87FC] R16 = 0000 [FFF854]
[FF:87FC] R16 = 00B4 [FFF854]
[FF:8804] R16 = 00B4 [FFF854] ==> ( FF:8802 = 53 78 subqw(F854), decrease count 1 of FFF854, B4,B3,B2... )
[FF:87FC] R16 = 00B3 [FFF854]
[FF:8804] R16 = 00B3 [FFF854]
[FF:87FC] R16 = 00B2 [FFF854]
[FF:8804] R16 = 00B2 [FFF854]
[FF:87FC] R16 = 00B1 [FFF854]
[FF:8804] R16 = 00B1 [FFF854]
[FF:87FC] R16 = 00B0 [FFF854]
seems FF:87FC is the address to check zero or not zero ?
search trace.log for FF:87FA
find
FF:87FA 4A 78 TST.W ($F854)
and
FF:87D4 67 00 BEQ #$0024 [FF:87FA]
but I can not understand what it means,
change opcode to 6002, but no effect...
the code above FF:87FA are
FF:87D0 61 00 BSR #$F8C6 [FF:8098]
FF:8098 4A 79 TST.W ($FFFFC24A)
FF:809E 67 00 BEQ #$000C [FF:80AC]
FF:80AC 30 39 MOVE.W ($FFFFC248),D0
FF:80B2 42 79 CLR.W ($FFFFC248)
FF:80B8 4A 40 TST.W D0
FF:80BA 67 00 BEQ #$000C [FF:80C8]
FF:80CE 70 00 MOVEQ #$00,D0
FF:80D0 4E 75 RTS
FF:87D4 67 00 BEQ #$0024 [FF:87FA]
FF:87FA 4A 78 TST.W ($F854)
I don't know if the procedure is right ? What should I do ? Thank you !
Last edited by dewen; 03-16-2017, 07:29:40 AM.
-
Here's one way to do a "Non Blinking" type invincibility code...
Use the RAM address that you found for the blinking invincibility timer (FFF854), but instead of doing a "write" breakpoint, do a "Read" breakpoint. Look at the trace log file and figure out how to change the conditional branch near the breakpoint so that it will always make you invincible. It is checking to see if that RAM address is zero, and if it's zero, you're not invincible.
EDIT: On Robo Aleste, there might be several occurrences of the subtraction instruction. Just write down a string of numbers for the subtraction at 03FF14 and see if there are any other matches in the ROM/ISO using a hex editor.
Last edited by Tony H; 03-15-2017, 11:22:03 PM.
-
Following the document by Tony Hedstrom, I try to hack Keiou Yuugekitai (Japan) = Keiou Flying Squadron,
Lives are stored at FFF856
so I hook it and find FF:8B 52 is the code that subtracts it,
then search trace.log FF:8B 50 53 78 subQw.1 ($F856),
change 53 78 to 60 02 to bypass the code,
Raw Game Genie code is : FF8B50:6002
Hex patch ISO
search 53 78 F8 56 6A 00
replace 60 02 F8 56 6A 00
success !
Then I try the invincible hack. When the character first appears after death, it will blink and be invincible,
I search for the count of invincible time and find FFF854:B4
I can lock it and play as invincible, but the character is blinking and transparent....
try to hook FFF854, find FF:88 04 is the code that subtracts the count,
and search trace.log
FF:8802 53 78 subqw(F854)
I change 53 78 to 60 02 again, same as locking the ram, but still blinking.
How can I keep the count from reaching 0 ( will be blinking but invincible ) but the character will not blink ?
It seems I must find the code that checks if I got hit by an enemy, or which address stores the check value, but how ?
Or is there another way to stay invincible but not blinking ?
Another question is Robo Aleste,
using the Gens hack version I find the lives seem to be stored at 03FF14, but I can not lock it with a genie code ( gens/gs ),
it seems more complicated...
any help will be appreciated, thanks.
-
Originally posted by GamerTillTheDeath2012:
> I found the CRC for Keio Flying Squadron!
> It's 77C4FA1B. Now my question is how to hack Sega CD games using a hex editor?
> I really want to learn.
Are you talking about hacking existing codes into a Sega CD game, or making new codes?
-
Originally posted by Namii:
> Retro Gaming Bug bit me pretty hard after New Years. And I've been actually to find out how to hack the Sega CD game Tomcat Alley. I'm not quite understanding what values to find and replace.
> I found this on a similar thread...
> Tomcat Alley (U)
> Infinite Missiles/Escape (6006)
> [|gg]42B900FFD7B2[/|gg]
> What exactly do I search? and replace? Do I find 6006 replace it with 42B900FFD7B2 or Vice Versa?
> Someone please help me out. Thanks!
Namii, I must have missed this post. If you still want some info, please post again.
-
I found the CRC for Keio Flying Squadron!
It's 77C4FA1B. Now my question is how to hack Sega CD games using a hex editor?
I really want to learn.
-
Tomcat Alley (U)
Retro Gaming Bug bit me pretty hard after New Years. And I've been actually to find out how to hack the Sega CD game Tomcat Alley. I'm not quite understanding what values to find and replace.
I found this on a similar thread...
Tomcat Alley (U)
Infinite Missiles/Escape (6006)
[|gg]42B900FFD7B2[/|gg]
What exactly do I search? and replace? Do I find 6006 replace it with 42B900FFD7B2 or Vice Versa?
Someone please help me out. Thanks!
-
Battle Frenzy (U)
Infinite Ammo on pickup (all weapons): 1 instance @ 0x00407112
Search: 4A7900059DEE66000004E28891AB0002
Change: 4A7900059DEE66000004E28860020002
Infinite Lives: 1 instance @ 0x00404BA4
Search: 0040322E01003D410102D2403D410100
Change: 0040322E01003D410102D24060020100
Infinite Continues: 1 instance @ 0x004041A2
Search: 4EB90000BB4A6000003A537900059CC2
Change: 4EB90000BB4A6000003A600400059CC2
Infinite Continue Time: 1 instance @ 0x003FE02A
Search: 0647003248A70B004EBAD8904C9F00D0
Change: 0647003248A70B004EBAD8904C9F6002
Infinite Health: 1 instance @ 0x00404AD0
Search: 4EB9000374064CDF470170003D400106
Change: 4EB9000374064CDF4701700060060106
Disable Stage-End Countdown: 1 instance @ 0x003D32C6
Search: 7200323900059D8C534133C100059D8C
Change: 7200323900059D8C600233C100059D8C
-
Time Cop (E)
Infinite Time: 1 instance @ 0x0000AF7A
Search: 10387051670C53387051705911C07052
Change: 10387051670C53387051705911C06002
Infinite Gun: 1 instance @ 0x0000C956
Search: 66F69040720110387654810111C07654
Change: 66F69040720110387654810111C06002
Infinite Lives: 1 instance @ 0x0000CBBC
Search: 662A904072011038764E810111C0764E
Change: 662A904072011038764E810111C06002
Full = 64
Infinite Health: 1 instance @ 0x0000B8F2
Search: 72B231FC043672B050F8764D51787652
Change: 72B231FC043672B050F8764D51786002
Invulnerable: 1 instance @ 0x0000C65A
Search: 00FF3D4000464A6E005A6718536E005A
Change: 00FF3D4000464A6E005A67186004005A normal
Change: 00FF3D4000464A6E005A67186002005A blinking
Infinite Bombs: 1 instance @ 0x0000BF70
Search: 10387655670E92417201810111C07655
Change: 10387655670E92417201810111C06002
Time Cop (U)-one level demo
Infinite Time: 1 instance @ 0x0000CBE2
Search: 10387049670C53387049705911C0704A
Change: 10387049670C53387049705911C06002
Infinite Lives: 1 instance @ 0x0000EC12
Search: 662A9040720110387648810111C07648
Change: 662A9040720110387648810111C06002
Infinite Health: 1 instance @ 0x0000D69E
Search: 72AC31FC043672AA50F876475178764C
Change: 72AC31FC043672AA50F8764751786002
Infinite Bullets: 1 instance @ 0x0000E9AA
Search: 66F6904072011038764E810111C0764E
Change: 66F6904072011038764E810111C06002
Invulnerable: 1 instance @ 0x0000E6A8
Search: 00FF3D4000464A6E005A6718536E005A
Change: 00FF3D4000464A6E005A67186004005A normal
Change: 00FF3D4000464A6E005A67186002005A blinking