Hacking NES Games With The Game Genie

by Rani Baker

The Nintendo Entertainment System, released in the U.S. in 1985, has been experiencing a collector, modding, and homebrew renaissance as of late. Best-selling political commentator Seth Abramson currently runs a blog devoted to NES homebrew games, director Kevin Smith recently released a licensed Askewniverse NES beat-em-up game, and even the guys from Pawn Stars have one for the 35+ year old system.

This renewed interest has extended to interest in game mods, translations, and cheats. And when it comes to cheating on the NES, nothing beats the classic Game Genie. Most guides to this peripheral amount to spooky esoteric vagueness or intimidatingly opaque technobabble, but I think we can give you a little of both.

THE BASICS

The Game Genie itself is an almost shockingly straightforward device, deliberately clouded in some layers of Ovaltine decoder ring nonsense to seem more complicated. It exists both physically and procedurally between the cartridge and the NES itself. As the code from the cartridge is transferred into the CPU memory to run the game, the codes you put into the Genie interrupt that transfer and alter the code. This can result in a change to either the commands (represented as Assembly opcodes) or the data being manipulated by the commands.

What you really need to know is that the letters used in the codes (A, P, Z, L, G, I, T, Y, E, O, X, U, K, S, V, N) correspond with the hexadecimal digits 0-F. There is another abstraction layer, but it's not worth explaining here, because there are apps for that now.
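That other layer is a fixed rearrangement of the bits of those hex digits into a CPU address, a replacement byte and, for eight-letter codes, a compare byte that must match the original byte before the swap happens. The decoder below is an added example, not code from the original article (the function name `decode` is an assumption of the example); it reproduces the addresses and opcodes quoted for the codes later in this piece.

```python
# Added example: decode an NES Game Genie code into address / value / compare.
LETTERS = "APZLGITYEOXUKSVN"  # the letter at index i stands for hex digit i


def decode(code):
    """Return (cpu_address, new_value, compare_value); compare is None for 6 letters."""
    code = code.upper()
    if len(code) not in (6, 8) or any(c not in LETTERS for c in code):
        raise ValueError("expected 6 or 8 letters from " + LETTERS)
    n = [LETTERS.index(c) for c in code]
    # Each field is assembled from 3-bit and 1-bit pieces of different letters,
    # which is why a code does not read like its address. Bit 15 of the address
    # is always set, so a code can only patch the 8000-FFFF cartridge range.
    address = (0x8000
               | (n[3] & 7) << 12
               | (n[5] & 7) << 8 | (n[4] & 8) << 8
               | (n[2] & 7) << 4 | (n[1] & 8) << 4
               | (n[4] & 7) | (n[3] & 8))
    if len(code) == 6:
        value = (n[1] & 7) << 4 | (n[0] & 8) << 4 | (n[0] & 7) | (n[5] & 8)
        return address, value, None
    value = (n[1] & 7) << 4 | (n[0] & 8) << 4 | (n[0] & 7) | (n[7] & 8)
    compare = (n[7] & 7) << 4 | (n[6] & 8) << 4 | (n[6] & 7) | (n[5] & 8)
    return address, value, compare


if __name__ == "__main__":
    # Codes taken from this article.
    for code in ("SZXGKIVG", "AGSZZAAL", "AEXGZPEZ", "AVKZGXXG",
                 "IGNSAGAI", "SANSPGKA"):
        address, value, compare = decode(code)
        print(f"{code}: at {address:04X} replace {compare:02X} with {value:02X}")
```
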

The NES has 64KB of CPU memory, which means every byte is stored in a four digit hex address from 0000-FFFF. A lot of stuff is going on in there, but for the purpose of this article, you don’t need to worry about anything between 0800-8000. The addresses before 0800 are where the game data is, and the addresses after 8000 are where the game code is happening.

If you feel lost, that's OK. I'll give you some examples of brand new Game Genie codes I created myself to illustrate.

EASY: TMNT  — Unlimited Continues

The first Teenage Mutant Ninja Turtles NES game is still considered one of the most difficult on the system. One of many reasons for this is its notorious combination of cheap insta-kill traps and enemies with an extremely stingy two continues before you have to start the whole game over. One of these things we can fix very easily.

Continues are kept track of in the game’s RAM at address 000046. In the game’s code, after you lose all your turtles and the game plays the Game Over jingle, there’s a line of code (at RAM Address 00CD24, to be specific) that uses the Assembly command DEC (opcode C6) to decrease the number of continues. If you replace it with an LDA (opcode A5), you'll end up with code SZXGKIVG. And voila!

The majority of Game Genie codes you create will be putting LDAs where they didn’t exist before. What does that LDA do, exactly? The computer science answer is that it places the value into the accumulator, but you don’t need to actually know what that means at this point. Just think of that original DEC command as a cherry tomato, and that LDA command as throwing that cherry tomato into a garbage disposal. And then you have unlimited continues.

EASY: MAD MAX  —  Fix The Crossbow Password

Mad Max for the NES is not exactly a great game, and it's most notorious for one infuriating thing: the fact that the final stage password doesn’t give you enough crossbow bolts to kill the final boss, making it unusable and pointless. But fixing it is easy.

The issue is that they give Final Boss Humungus 256 HP, and crossbow bolts take off 4 HP, so you have to hit him 64 times, but you're only given 48 bolts with the final password and no way to get more before the battle. At least one of these things feels like a mistake, or maybe someone being needlessly cruel.

There are a few ways you can go about this. Crossbow bolts are held in the RAM at 000578, so one way is by replacing the DEC command at 00A6A5 with an LDA (Game Genie code SXXZIVVK), giving yourself unlimited crossbow bolts. This final battle is the only time during the entire game that you even use the crossbow, so it really doesn’t change the overall difficulty. But maybe you still think that goes too far with the cheating. You want to keep the challenge of the game, just make it fair.

Turns out the number of crossbow bolts you get with the final boss password is held at 00A052. It starts out at 48 (30 in hexadecimal), a number too small to win the game. You need at least 64 (40 in hexadecimal). The crossbow sucks and it’s extremely hard to line up, so if you want, say, 90 bolts, the Game Genie code ATSZZAAL will do it. If you want a challenge, GGSZZAAL gives you 68, but you can only miss 4 times. With AGSZZAAL, you can still technically kill him, but you have exactly 64 bolts, so you can’t miss once.

At this point you’re probably wondering how I find the RAM address for the game data and the subsequent lines of code that manipulate them. The latter can be found pretty easily using debugger breakpoints in emulators like FCEUX and MESEN. Those same emulators also have cheat search functions to facilitate hunting down where game data is stored, but you’ll be surprised how fast you learn to eyeball it. 

Do a save state, kill your guy, do a second save state, and flip back and forth between them until you find the value that went down by one and corresponds with the current number of lives or whatever. Rinse and repeat for whatever else you want to chase down.
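The save-state comparison described above is what an emulator's cheat search automates. The sketch below is an added example, not code from the original article or from FCEUX or Mesen: it narrows candidate addresses across several RAM snapshots. The snapshots are constructed for illustration; only address 0046 (the TMNT continues counter) comes from the article, and the timer and health addresses are hypothetical.

```python
# Added example: narrow down where a counter lives by diffing RAM snapshots.
RAM_SIZE = 0x800  # NES work RAM, CPU addresses 0000-07FF


def narrow(snapshots, deltas):
    """Return addresses whose byte changed by deltas[i] between snapshot i and i+1.

    Use -1 for "lost one continue" and 0 for "nothing relevant happened";
    unchanged steps are what eliminate timers and other noise.
    """
    if len(deltas) != len(snapshots) - 1:
        raise ValueError("need one expected delta per pair of snapshots")
    candidates = set(range(RAM_SIZE))
    for before, after, delta in zip(snapshots, snapshots[1:], deltas):
        # Compare modulo 256 so a counter wrapping from 00 to FF still counts.
        candidates = {a for a in candidates
                      if (after[a] - before[a]) & 0xFF == delta & 0xFF}
    return sorted(candidates)


def make_ram(continues, timer, health):
    """Build a constructed 2KB RAM image; 0010 and 0300 are hypothetical."""
    ram = bytearray(RAM_SIZE)
    ram[0x46], ram[0x10], ram[0x300] = continues, timer, health
    return bytes(ram)


# Constructed save states: start, after a game over, idle, after a second game over.
SNAPSHOTS = [make_ram(2, 0x80, 9), make_ram(1, 0x7F, 8),
             make_ram(1, 0x33, 8), make_ram(0, 0x32, 8)]

if __name__ == "__main__":
    for steps in (1, 2, 3):
        found = narrow(SNAPSHOTS[:steps + 1], [-1, 0, -1][:steps])
        print(steps, [f"{a:04X}" for a in found])
```
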

MEDIUM: SMASH TV — No Enemies Ever

The results of this one are more of a novelty than anything, because you wind up with a “game” completely devoid of anything to do, where you can just walk through the eerily empty Smash TV arena from beginning to end with nothing in your way.

This one is built off of a cheat code for the game, which empties the next room of enemies if you hold down the A and Select buttons when walking between them. The bit of code that checks for that button press is at 00C1A2, and the controller register for A+Select is A0, so you replace A0 with 00 (which is the controller register for diddly-squat) and it permanently enables the cheat. Then you wind up with the Game Genie code AEXGZPEZ.

Composing Game Genie codes that change button presses is fun because you hunt down code that looks like either “A5-XX-C9-XX” or “A5-XX-29-XX”, where the first XX is the RAM address where they are storing the controller register, and the second XX is the register code. This probably won’t make sense now, but it will after you try it out a couple times. That is also why this is “Medium” difficulty.
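The byte-pattern hunt described above, followed by building the eight-letter code for the patch, as an added example that is not part of the original article. The sample bytes are constructed so that the operand lands at C1A2 as in the Smash TV code; the zero-page address F7 and the surrounding bytes are hypothetical, and the function names are assumptions of the example.

```python
# Added example: find "A5 XX C9 XX" / "A5 XX 29 XX" and encode a patch for it.
LETTERS = "APZLGITYEOXUKSVN"


def find_button_checks(prg, base):
    """List (operand_address, zero_page_address, opcode, operand) for every
    LDA zp (A5) followed by CMP #imm (C9) or AND #imm (29).

    A raw byte scan can also match data or the middle of another instruction,
    so confirm each hit in the emulator's debugger before patching it.
    """
    hits = []
    for i in range(len(prg) - 3):
        if prg[i] == 0xA5 and prg[i + 2] in (0xC9, 0x29):
            hits.append((base + i + 3, prg[i + 1], prg[i + 2], prg[i + 3]))
    return hits


def encode(address, value, compare):
    """Build the eight-letter code that swaps `compare` for `value` at `address`."""
    if not 0x8000 <= address <= 0xFFFF:
        raise ValueError("Game Genie codes only reach 8000-FFFF")
    n = [
        (value & 7) | (value >> 4 & 8),
        (value >> 4 & 7) | (address >> 4 & 8),
        (address >> 4 & 7) | 8,          # top bit set marks an 8-letter code
        (address >> 12 & 7) | (address & 8),
        (address & 7) | (address >> 8 & 8),
        (address >> 8 & 7) | (compare & 8),
        (compare & 7) | (compare >> 4 & 8),
        (compare >> 4 & 7) | (value & 8),
    ]
    return "".join(LETTERS[d] for d in n)


# Constructed 16-byte slice of program code that starts at CPU address C198.
BASE = 0xC198
PRG = bytes.fromhex("20 00 C0 EA EA EA EA A5 F7 C9 A0 D0 03 4C 00 C2")

if __name__ == "__main__":
    for address, zp, opcode, operand in find_button_checks(PRG, BASE):
        print(f"{address:04X}: RAM 00{zp:02X} tested against {operand:02X}",
              "->", encode(address, 0x00, operand))
```
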

HARD: GAUNTLET — Disable Final Vault Code

Gauntlet for NES is a strange departure from the straightforward arcade format dungeon-crawling of the other versions. The final stage is locked behind a password, one that you have to collect in pieces throughout the whole game, which is an incredibly daunting task and results in very few people ever managing to beat this already difficult game.

Getting around this requires a little creativity and thinking outside the box; even I was shocked it could be done with one code. I spent ages looking over the password structure algorithm trying to figure out how to reverse engineer it and then ... it hit me. If you fail the password, it still sends you to room 100, but it just instantly kills you afterwards. You might already start to see where this is going. 

The instant kill subroutine begins at 00A2C4, and with a craftily placed RTS (Return From Subroutine, opcode 60) command right there, BOOM! No more instant kill subroutine. You’re in the final stage safe and sound, albeit surrounded by the most powerful monsters in the game. But still. 

Game Genie code is AVKZGXXG.

VERY HARD: Ghosts ’N Goblins — Get The Good Ending

You may be seeing a pattern forming, but Ghosts ’n Goblins, like many others in this article, is one of the most difficult games on the NES. This is compounded by the fact that after all the trouble you go through to complete the game, it makes you play through the entire game again if you want the real ending. If only there was a way you could get the good ending every time… which is exactly what we're going to do.

This one is a two part code, which sounds scary, but doesn’t have to be. Most of the time, Game Genie codes have multiple parts that are duplicating the same effect in different parts of the code; making you immune to punches and knives, or whatever. This one is a little different, because we are actually rewriting part of the code.

When you get to the end of the game, it reads a value (the number of times you have played the game through) and depending on whether it's even or odd, it sends you to two different subroutines corresponding to the good and bad endings. As it turns out, 008450 is the bad ending, and 008545 is the good ending, so we just have to change that 8450 in the code to 8545. Game Genie codes IGNSAGAI+SANSPGKA do exactly that. 

For an extra bonus, add XTVEIYAV to get the special ending credits that are even harder to achieve in a normal game. This one replaces an RTS with a NOP, and I know that sounds like some wizardry that you’re not quite ready for yet, but you'll get it.

Enjoy!
