You can just run it via HBL - 3DSX files are included. Or use CakeHax (Decrypt9WIP.dat) and the Spider exploit for that: http://dukesrg.no-ip.org/3ds/cakes?Decrypt9WIP.dat
You will need Decrypt9 for both, decrypting the .app (yup, you've got the correct one!) and for injecting it. The correct option to decrypt in Decrypt9 is in Game Decryption -> NCCH/NCSD Decryptor.
EDIT: And, once you've got Decrypt9 running, I first suggest you try to dump the H&S app and see how it goes. Maybe it will work that way. Your problem is very strange, though, H&S should never have to do anything with the SD being inserted or not.
I can't run Gateway (Launcher.dat), and I can't run this one either. I think none of the Spider based exploits are working on my 3DS right now. It is my db files maybe.
Btw, here are some pics. The one with the app is the one where the SD card is inserted. Notice that the H&S app doesn't have any banner available.