Whipon, try the 3rd even number match of "66" and you'll find your master code. It's actually the 4th match, but one of the matches is an odd number.

Tony.

P.S. Nice job on the codes.

Here's some more info on finding master codes... When you were searching for 66 and 67, you were really searching for 66xx and 67xx which are instructions for BNE (Branch if not equal) and BEQ (Branch if equal). The right BNE or BEQ will almost always have a CMP (Compare) instruction right before it. Some compare opcodes (instructions) are: B0xx, B2xx, etc, and 0Cxx. When you are searching the ROM with your hex editor and you get matches for 66xx and 67xx, look right before the match and see if there is a CMP (Compare) opcode right before it. If there isn't, then go to the next match.

In your ROM (Alien Soldier), you'll find that the 3rd even numbered match of 66 has a B251 right before it. B251 is a CMP (Compare) opcode. By changing the 66 to 67, you'll get your master code.

As I said before, I still need to add lots of stuff to this so that it works on almost every game.

Tony.


EDIT: The CMP opcode may not always be RIGHT before the BNE or BEQ. Here's an example where the CMP opcode is a few bytes before the BEQ...

0C38 0000 A660 6700

0C38 is the CMP, and 6700 is the BEQ. 0000 A660 are just operands (ie. not opcodes).

You'll find that after a little practice with this method, you can make 98% of master codes in under 2 minutes. Just find your ROM address in the Gens debugger, open your hex editor and search backwards from that ROM address looking for the first BNE/BEQ with a CMP before it. Very fast, and fairly simple. And no need for a disassembler.


EDIT #2: Here's a tip... set your hex editor so that the columns are grouped by 2's. Since all Genesis (68k) opcodes are 2 bytes, this makes it much easier to read raw assembly. In hex workshop, go to "Options / Preferences".

So instead of this:

B2 51 66 00

you'll see this:

B251 6600

Perhaps you should have tried my method ([sulk]I did post mine first[/sulk]), it's probably a lot easier and quicker once you got past the loads of add.w instructions and you get to use the same emulator too. In addition it should work for most games that need a master code and will all due respect the method that Tony H posted is just trial and error - this is the proper & correct way to do it (and the Hazemd/mame debugger helps alot!):-

From the good trace file (no ROM cheats enabled) we have :-

and from the bad trace file (with ROM cheats enabled) we have:-

As you can see at 000468 the branch taken differs in the good trace file it just passes onto the next instruction in the bad trace file it takes the branch to 0596. So to turn it off either just NOP it (which would take two GG codes as it's a 4byte branch) or just make it branch to 46C instead...

so just poke 046A with 0002

One more thing - changing a BNE to a BEQ or a BEQ to a BNE is not the way to bypass a checksum check because if the checksum is returned to what it should be then the checksum check would fail.

For instance if the master code changes a 6600 to a 6700 and a cheat changes a 6100 to a 6000 then you have a 6600 & 6100 being changed to 6700 & 6000 and and as 6600+6100=6700+6000 the original checksum would be correct but as the branch instruction would NOT be expecting that result you'd get a red screen and a useless master code.

The only correct ways of making a master code would be either to:-

1. Change the test so that the required result is always fed into the branch
2. NOPing the branch or changing the branch jump location
3. Changing a BEQ or BNE to a BRA instruction
4. Jumping past the test completely

I'd personally choose the BRA or the branch jump location (whichever one is needed)

Eg. Of what I mean

If you enable the proper master code the Example cheat won't cause a red screen, however if you chose the BNE/BEQ method you will find you get a red screen


PS: Tony H please don't take offence at any of this...it's honestly not meant to be personal. I've been doing this sort of stuff (granted not master codes or genesis cheats) since around 1984 and my 68000 is still pretty good from my Atari ST days so I do know plenty of semi-useless guff like this.

Thanks again. Its much more clear now !

Thank you very much my friends!. Its one more point in for me future hacking!!!!
C U!!!
Whipon.

Well, Alien Soldier hacking finished!!!

These are all the codes for the game:

Alien Soldier

Master Code, (Thank you Pugsy!)
000468:6002

Infinite Energy,
FFA216:0BB8
0146E2:600C

Infinite Phoenix Teleport,
017C02:4E71

Infinite Ammo Weapon 1,
FFA260:0BB8
01871A:6002 Shoot Mode A (White)
018CF8:082D Shoot Mode B (Green)

Infinite Ammo Weapon 2,
FFA262:0BB8
018AFE:6002 Shoot Mode A (White)
018BD0:6002 Shoot Mode B (Green)

Infinite Ammo Weapon 3,
FFA264:0BB8
018BE2:6002 Shoot Mode A (White)
018AEC:6002 Shoot Mode B (Green)

Infinite Ammo Weapon 4,
FFA266:0BB8
018D0C:6002 Shoot Mode A (White)
018708:6002 Shoot Mode B (Green)

Infinite Time,
FFA270:0999
0133B2:6002
0133AA:6002

Enjoy!!!!

Pugsy, I don't take offense to it at all. I taught myself almost all the 68k assembly I know, so it's good to have someone who knows what they're talking about correct some of my mistakes.

Tony.

I found another one!

Well, searching the web i found a lot of GG codes for Alien 3. These only work in Alien 3 REV00. But the master code is nowhere. I tried to make one miself. So here's the trace fragments of HazeMD:

Without Cheats:

07DBB4: bcs $7dbbe
07DBB6: clr.w $ffe808.l
07DBBC: rts
07DB86: move (A7)+, SR
07DB88: bne $7db9c
07DB9C: rts
01110A: movem.l (A7)+, D0-D7/A0-A6
01110E: rte
0025CC: add.w (A0)+, D0
0025CE: subq.l #2, D1

With Cheats:

07DBB4: bcs $7dbbe
07DBB6: clr.w $ffe808.l
07DBBC: rts
07DB86: move (A7)+, SR
07DB88: bne $7db9c
07DB9C: rts
01110A: movem.l (A7)+, D0-D7/A0-A6
01110E: rte
0025D0: bne $25cc
0025CC: add.w (A0)+, D0

The file changes since 01110E. I tried to modify this address and 07DB88, but it doesn't work.

Any suggestions?.

PS: I created a lot of GG codes for Light Crusader and the Master Code for it. I'll post them in the site.

Whipon.

That's a strange one indeed, as it does seem to handle it differently. What you need to do is to find were it starts to be different on each instruction. A good way is to make a new excel spreadsheet copy the good trace into column A and the bad trace into column B and in column C add a check to compare column A to column B eg. enter this into cell C1:- =IF(B1=A1,"","DIFF") and then duplicate into the rest of the C cells...if you do this you will find this:


Good Trace:-
Bad Trace:-
As you can see in the good trace file the branch at '0025D6: bne $25da' is not taken and it executes the next instruction at 25d8. You could NOP out 25D6 or you could put an RTS at 25da...I've taken the RTS route in case 25da is jumped to elsewhere (not checked though so the NOP is probably ok)

I knew it was a hard one!!!

That method seems to be a time saver. It works with any game?. If it works I can save time letting excel do the job of checking the trace files. Thanks to your master code now I can post some codes I made for Alien 3. Them are useless without the master code. Another thing i found: some new emulators have a Fix Checksum built in (like Kega). It can be handy if you doesn't know the master code.
Thanks again !
Whipon.

Wasn't that hard though....only took me about 10 minutes total from start to finish but it took longer to write the reply

Yes it will work with all trace files (i often use excel for other similar things)...but bear in mind that excel has a limit of 65536 rows so you may need to choose a identical point in each trace file to copy and paste from rather than the start (especially if there's a lot of repeated ADD instructions).

HazeMD doesn't really need a master code either because you should only really enable the cheats when the game starts or during play

Hmm...if someone would compose this into a solid chunk (at least, the tutorial parts of it), I'd be glad to add it to the Hacking FAQs section, with credit to everyone involved.

A new interesting one

A new interesting one: Super Jump Codes: Triying to make a Super Jump code the only result I have is the character freezed in the air (Light Crusader). I don't know where to hack. I searched the RAM Address for the height of the jump, then used that address in HazeMD. But I can't find the correct way to hack the ROM to make the Jump higher.
Any comments??
Whipon.

Once you got the RAM location, perform a jump and when you are still moving upwards start the debugger put a rw WP on the location and then look for a compare after the places the WP stops - change the compare value to increase the max jump height.

Thanks again

Thank you. It was more easy than I tought. !
Whipon.