Hacking Badge Arcade Cheating with Gateway

  • Thread starter: aos10
  • Views: 197,519
  • Replies: 1,063
  • Likes: 8
Correct me if I am wrong, but, just for information, NTR CFW doesn't permit online use to avoid cheating online.
Badge Arcade requires you to be online, so even if you can access those memory regions in NTR CFW, you still can't use them because the CFW disables online connectivity?
You are right but, for whatever reason, NTR CFW's debugger works with Badge Arcade.

Using NTRClient you can connect to your 3DS and enter this (if you have an o3ds) "write(0x32868C3C, (0x04, 0x00, 0x00, 0x00, 0x20), pid=0x??)" without the quotes to unlock the catcher. You need to replace the question marks with the PID# of your Badge Arcade first though.
 
  • Like
Reactions: cearp
How do I use NTR CFW to enable cheats?
I have never used cheats before.
Edit: I installed NTR but it requires a cheat.plg file for the game which you are cheating. How do I get one for Badge Arcade?
 
Last edited by Woody8275,
How can you know the PID of the game without actually using NTR CFW?
Even if you enter NTR CFW and take note of the Badge Arcade process ID, after exiting NTR (so rebooting emunand in whatever CFW) the PID might not be the same, I think.
 
How do I use NTR CFW to enable cheats?
I have never used cheats before.
This is the quick tutorial I used to learn the very basics of NTR's Debugger. Not sure who wrote it though so I'm unable to give any credit.
1. Play 3ds with NTR CFW for the game ACNL (with wireless switch on)
2. Check the IP address of the 3ds (e.g. 192.168.1.10)
3. Run ntrclient application on Windows PC
4. Execute the following command:

connect('192.168.1.10', 8000)

5. After the connection is established, you could see the list of processes by using the command:

listprocess()

6. One of them is the ACNL game of interest (in this case the process name is GARDEN, and has pid # 0x25)
7. Then you could check the memory layout, for example:

memlayout(0x25)

null
valid memregions:
00100000 - 00b6efff , size: 00a6f000
08000000 - 08073fff , size: 00074000
0ffc0000 - 10000fff , size: 00041000
10002000 - 10002fff , size: 00001000
14000000 - 174dcfff , size: 034dd000
1f000000 - 1f5fffff , size: 00600000
1ff50000 - 1ff57fff , size: 00008000
1ff70000 - 1ff77fff , size: 00008000
1ff80000 - 1ff81fff , size: 00002000
1ffad000 - 1ffaefff , size: 00002000
end of memlayout.

8. I could dump the biggest one and see whether the savegame file is in that part (i.e. finding
garden.dat file (extracted by using savefiler 3ds application) content inside this memory data
dump file, data.bin):

data(0x14000000, 0x34DD000, filename='data.bin', pid=0x25)

9. garden.dat actually starts at offset 0x01FB7E80 in that data.bin file, so now we could try finding
the location of the pocket slots of the first player by changing the content in the first slot of the
pocket multiple times and dump those data.bin for each change. In this case, I could see the offset
is 0x1FBEAD0 (or 0x15FBEAD0 after taking into consideration that data.bin starts at 0x14000000 in
the memory of pid 0x25).

10. Now, we could use a command to put a bag of 99,000 bells in that first slot of the pocket:

write(0x15FBEAD0, (0x12, 0x21, 0x00, 0x00), pid=0x25)

11. Profit

Hope this clarifies.

Cheers.
How can you know the PID of the game without actually using NTR CFW?
I'm not sure how you would find it without using NTR CFW.
Even if you enter NTR CFW and take note of the Badge Arcade process ID, after exiting NTR (so rebooting emunand in whatever CFW) the PID might not be the same, I think.
Why would you need to reboot your emunand or exit NTR? I'm a bit confused... The Badge Arcade's pname is CENTER and will always be the same. Right next to the pname is the PID. From there you search through your memory dumps for the address you want to edit. Keep in mind that when using NTRClient, everything is being done in real time from your PC so there is no need to exit Badge Arcade, and all address edits made will be seen as you write them.
 
Last edited by Splosionz,
  • Like
Reactions: KaleoOmega
How do I check the IP address of the 3DS, and where do I find the ntrclient application for Windows?
Edit: Found the IP from the router webpage, just needed to know where to find ntrclient.
 
Last edited by Woody8275,
If you ever forget it, a couple of other ways to find your IP would be by opening FBI and pressing Y or downloading an ftp client like FTBrony or FTP-3DS and launching it. >Here< is a link to my NTRClient. I included the tutorial I posted earlier in a txt file.
 
Thanks for the help, I got the ntrclient open and was able to read 3DS memory.
Do you need a free play to edit the number of plays in Badge Arcade? Also, is it normal to get this:
rtCheckRemoteMemoryRegionSafeForWrite failed: d8e007f5
broken protocol: 00002112, 12345678
 
Last edited by Woody8275,
You need at least one play for it to update if editing the amount of plays you currently have. If you have no plays and are on an o3ds then you can use the one I posted earlier, "write(0x32868C3C, (0x04, 0x00, 0x00, 0x00, 0x20), pid=0x??)" without the quotes and with your own PID to give yourself 5 plays on the real catcher.

What did you enter to get that?
 
Tried that piece of code but with
It seems to me that the unlock catcher cheat doesn't activate the amount paid or the number of plays you get but only triggers the activation itself. Because I bought two rounds of plays to get the Pikmin theme. After that, the bunny let me set 10 plays instead of 5 as the new default amount of plays to buy (for the according price). That would be 2$ for US.

Pressing the combo for the unlock cheat gave me then 10 plays, not 5.

BTW I can confirm that the unlock cheat also works for EU o3DS

So for real offset 3286AD4C you'll get:

[Real L+Right unlock catcher]
DD000000 00000210
D3000000 3286AD3C
20000000 00000004
D2000000 00000000

Thanks to @TheGreek Boy and @Localhorst86 for your work!

3286AD3C

Client said finished. Nothing happened ):
 
So essentially this will never be available for NTR and is only available with GW? If so, that is disappointing since I don't ever plan on supporting GW.
 
What did you enter to get that?
He entered data(0x___, 0x___, filename='data.bin', pid=0x__), I guess, but with the end address instead of the length in the second parameter
 
Last edited by WallK,
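An added example (not from the thread and not NTRClient's own code) of the range arithmetic behind the tutorial's memlayout/data steps and the length-versus-end-address mix-up guessed at above: it parses the memlayout output and checks that an address-plus-length request stays inside one listed region. The function names are hypothetical, the sample is the ACNL layout quoted earlier, and whether NTR's own safety check works this way is an assumption.

```python
import re

# Sample input: the memlayout(0x25) output quoted in the tutorial (ACNL, pid 0x25).
MEMLAYOUT = """\
null
valid memregions:
00100000 - 00b6efff , size: 00a6f000
08000000 - 08073fff , size: 00074000
0ffc0000 - 10000fff , size: 00041000
10002000 - 10002fff , size: 00001000
14000000 - 174dcfff , size: 034dd000
1f000000 - 1f5fffff , size: 00600000
1ff50000 - 1ff57fff , size: 00008000
1ff70000 - 1ff77fff , size: 00008000
1ff80000 - 1ff81fff , size: 00002000
1ffad000 - 1ffaefff , size: 00002000
end of memlayout.
"""

REGION_RE = re.compile(r"^([0-9a-f]{8}) - ([0-9a-f]{8}) , size: ([0-9a-f]{8})$", re.I)

def parse_memlayout(text):
    """Return [(start, end_inclusive)]; reject a line whose size disagrees."""
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line.strip())
        if not m:
            continue  # "null", header and trailer lines carry no region
        start, end, size = (int(g, 16) for g in m.groups())
        if end - start + 1 != size:
            raise ValueError(f"inconsistent region line: {line!r}")
        regions.append((start, end))
    return regions

def containing_region(regions, addr, length):
    """Region holding every byte of [addr, addr + length), else None."""
    last = addr + length - 1
    for start, end in regions:
        if length > 0 and start <= addr and last <= end:
            return (start, end)
    return None

def dump_offset_to_address(regions, dump_base, offset):
    """Translate an offset in a dump taken at dump_base to a virtual address."""
    if containing_region(regions, dump_base, offset + 1) is None:
        raise ValueError("offset falls outside the dumped region")
    return dump_base + offset
```

The second argument is a length: the whole 0x14000000 region is 0x34DD000 bytes, while passing its end address there asks for a range that runs far past the region.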
I listed the processes and the pid 0x25 process name was not garden, it's dlp.
I can't find garden in the processes.
I'm using an EUR 3DS.
 
It's CENTER, actually. Must look like this
[screenshot: c4d709d0be.png]

Make sure you have badge arcade open
 
I was in the Catcher Select menu, when you see coin slot and things
That's strange. So this is exactly what you entered? write(0x3286AD3C, (0x04, 0x00, 0x00, 0x00, 0x20), pid=0x??) With your PID of course. I would help you test other things but I don't have an EU 3ds unfortunately.
If you are using Animal Crossing: New Leaf then the pname is GARDEN. Sorry if that wasn't clear. The PIDs aren't always the same so you need to use your own.
 
Last edited by Splosionz,
