http://tuxnes.sourceforge.net/gamegenie.html

NES Game Genie Technical Notes

by The Mighty Mike Master
with thanks to Cheatmaster for helping me figure out the NES Game
Genie codes.

The NES Game Genie from Galoob is a device that allows a player to
enter a variety of codes into a Nintendo Entertainment System game in
order to cause the game to do things it would not normally do, e.g.,
grant the player extra (or fewer) lives at startup, give the player
extra items, change the gameplay, or just cause crazy things to
happen.

The NES Game Genie works by allowing the player to plug an NES game
cartridge into it and then plug the Game Genie into the NES console
in place of the cartridge. The Game Genie then allows the player to
enter a code which consists entirely of letters. The codes come in
two flavors: 6- and 8- character. The codes translate into addresses
and data in a game's program space (upper half of address space,
0x8000-0xFFFF) which the Game Genie fools the CPU into using rather
than the byte which is supposed to be there. Because of this method,
there is no limit to the number of Game Genie codes that can be
discovered.

6-Character Codes

6-character NES Game Genie codes translate into a 15-bit (not 16-bit)
address and an 8-bit data byte. The address is 15-bit because address
bit 15 is always set to 1 in order to reference the top half of the
CPU address space. When the CPU attempts to read the memory address
specified by the Game Genie code, the Game Genie apparently
intercepts the read and substitutes the byte from the Game Genie code
in place of the actual ROM byte.

To decode an NES Game Genie code, first translate each character into
its hexadecimal equivalent using the following table:

        A  0x0
        P  0x1
        Z  0x2
        L  0x3
        G  0x4
        I  0x5
        T  0x6
        Y  0x7
        E  0x8
        O  0x9
        X  0xA
        U  0xB
        K  0xC
        S  0xD
        V  0xE
        N  0xF


Then comes the tricky part. There is a lot of convoluted bit shifting
that occurs in order to get the address and data from a Game Genie.
This is probably to make the Game Genie codes seem more magical.
After all, given 2 Game Genie codes, one that granted 5 lives on
startup and another code that granted 9 lives, and the only
difference between the 2 codes was one character, even a novice
player could probably figure out that modifying that one character to
any of the acceptable letter characters would grant between 1 and 16
lives on startup.

In order to decode the 6-character NES Game Genie code, name the 6
characters/hex values [n0 .. n5]. Follow the pseudocode (which
assumes you know the C-style operaters for bitwise AND (&), bitwise
OR (|), and the << and >> bit shift operators):

        address = 0x8000 +
              ((n3 & 7) << 12)
            | ((n5 & 7) << 8) | ((n4 & 8) << 8)
            | ((n2 & 7) << 4) | ((n1 & 8) << 4)
            |  (n4 & 7)       |  (n3 & 8);


The algorithm simply combines the lower 3 bits from one 4-bit nibble
and the top bit from another nibble and puts the resulting nibble
somewhere else. Here is the data algorithm:

        data =
             ((n1 & 7) << 4) | ((n0 & 8) << 4)
            | (n0 & 7)       |  (n5 & 8);


Example: The code is GOSSIP (amazing coincidence that it happens to
also be an English word). This works in Capcom's Ghosts 'n Goblins to
start your player with a really funky weapon. Work through the code
by hand to see if understand the decoding algorithm.

           n0   n1   n2   n3   n4   n5
           G    O    S    S    I    P
          0x4  0x9  0xD  0xD  0x5  0x1
         0100 1001 1101 1101 0101 0001

         address = 0xD1DD, data = 0x14


Therefore, whenever the CPU reads from address 0xD1DD, the Game Genie
will intercept the read and return the byte 0x14.

8-Character Codes

8-character NES Game Genie codes are similar to the 6-character
variety except that there is also a compare byte value that needs to
be decoded as well. This is most likely due to the fact that many
games use memory mappers in order to increase the amount of code and
data they can use. Since the game might be swapping program (PRG)
banks in and out of the CPU address space, the Game Genie can't just
return the code data value when the CPU reads from a particular
address. Instead, when the CPU reads from the cartridge, the Game
Genie checks if the address in the cartridge equals the compare value
and returns the code data value if it does; otherwise, it returns the
real value in the cartridge.

The algorithm for decoding the address of an 8-character code is the
same as decoding the address for a 6-character code. The algorithm
for decoding the data byte changes a little:

        data =
             ((n1 & 7) << 4) | ((n0 & 8) << 4)
            | (n0 & 7)       |  (n7 & 8);


And the algorithm for decoding the compare value is as follows:

        compare =
             ((n7 & 7) << 4) | ((n6 & 8) << 4)
            | (n6 & 7)       |  (n5 & 8);


Example: The code is ZEXPYGLA. This works on Dr. Mario in order to
clear a row or column with only 3 colors in a line, rather than 4.
Work through the code by hand to see if understand the decoding
algorithm.

           n0   n1   n2   n3   n4   n5   n6   n7
           Z    E    X    P    Y    G    L    A
          0x2  0x8  0xA  0x1  0x7  0x4  0x3  0x0
         0010 1000 1010 0001 0111 0100 0011 0000

         address = 0x94A7, data = 0x02, compare = 0x03


Therefore, when the CPU reads from address 0x94A7 and the real byte
at that address is 0x03, then the Game Genie will return 0x02 instead
of 0x03. If the byte is something other than 0x03, then that byte
will be returned.

- The Mighty Mike Master