1. Start the game ACNL on a 3DS running NTR CFW (with the wireless switch on)
2. Check the IP address of the 3DS (e.g. 192.168.1.10)
3. Run the ntrclient application on a Windows PC
4. Execute the following command:
connect('192.168.1.10', 8000)
5. After the connection is established, you can see the list of processes by using the command:
listprocess()
6. One of them is the ACNL game of interest (in this case the process name is GARDEN, and it has pid 0x25)
7. Then you can check the memory layout, for example:
> memlayout(0x25)
null
valid memregions:
00100000 - 00b6efff , size: 00a6f000
08000000 - 08073fff , size: 00074000
0ffc0000 - 10000fff , size: 00041000
10002000 - 10002fff , size: 00001000
14000000 - 174dcfff , size: 034dd000
1f000000 - 1f5fffff , size: 00600000
1ff50000 - 1ff57fff , size: 00008000
1ff70000 - 1ff77fff , size: 00008000
1ff80000 - 1ff81fff , size: 00002000
1ffad000 - 1ffaefff , size: 00002000
end of memlayout.
8. I could dump the biggest region and see whether the savegame file is in that part (i.e. look for
the content of the garden.dat file, extracted with the savefiler 3DS application, inside this memory
dump file, data.bin):
> data(0x14000000, 0x34DD000, filename='data.bin', pid=0x25)
9. garden.dat actually starts at offset 0x01FB7E80 in that data.bin file, so now we can try to find
the location of the pocket slots of the first player by changing the content of the first pocket slot
multiple times and dumping data.bin after each change. In this case, I could see the offset
is 0x1FBEAD0 (or 0x15FBEAD0 after taking into consideration that data.bin starts at 0x14000000 in
the memory of pid 0x25).
10. Now we can use the write command to put a bag of 99,000 bells in that first pocket slot:
write(0x15FBEAD0, (0x12, 0x21, 0x00, 0x00), pid=0x25)
11. Profit
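
The dump comparison from step 9, as an added Python example that is not part of the original steps or of ntrclient: it keeps only the bytes that differ between every pair of consecutive dumps and converts the dump offset to a process address using the 0x14000000 base from step 8. The function names and the sample dumps are constructed for illustration.

```python
# Added example (not part of ntrclient): locate a field by diffing RAM dumps.
DUMP_BASE = 0x14000000  # from the page: data.bin starts here in pid 0x25

def find_blob(dump, blob, probe_len=64):
    """Offset of a known file inside a dump (-1 if absent); only a prefix is
    matched because the live copy may have diverged from the saved file."""
    return dump.find(blob[:probe_len])

def changed_every_step(dumps, start=0, end=None):
    """Offsets whose byte differs between every consecutive pair of dumps."""
    if len(dumps) < 2:
        raise ValueError("need at least two dumps")
    end = min(map(len, dumps)) if end is None else end
    keep = None
    for a, b in zip(dumps, dumps[1:]):
        diff = {i for i in range(start, end) if a[i] != b[i]}
        keep = diff if keep is None else keep & diff
    return sorted(keep)

def group_runs(offsets):
    """Collapse sorted offsets into (start, length) runs."""
    runs = []
    for off in offsets:
        if runs and off == runs[-1][0] + runs[-1][1]:
            runs[-1][1] += 1
        else:
            runs.append([off, 1])
    return [tuple(r) for r in runs]

def to_address(offset, base=DUMP_BASE):
    """Dump-file offset -> virtual address in the dumped process."""
    return base + offset

def make_sample_dumps():
    """Constructed data: a 2-byte field at 0x200 changes in every dump,
    while a byte at 0x300 changes only once (unrelated noise)."""
    dumps = []
    for field, noise in ((b"\x11\x20", 0), (b"\x22\x21", 9), (b"\x33\x22", 9)):
        d = bytearray(0x400)
        d[0x200:0x202] = field
        d[0x300] = noise
        dumps.append(bytes(d))
    return dumps

if __name__ == "__main__":
    for start, length in group_runs(changed_every_step(make_sample_dumps())):
        print(f"offset {start:#x} len {length} -> address {to_address(start):#x}")
```

On real dumps, pass start and end to limit the scan to the garden.dat window, since a pure-Python scan of the full 0x34DD000-byte dump is slow. Values that change on their own between dumps (timers, counters) also survive the intersection, so more dumps give a shorter candidate list.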