Hacking Badge Arcade Cheating with Gateway

  • Thread starter Thread starter aos10
  • Start date Start date
  • Views Views 198,048
  • Replies Replies 1,063
  • Likes Likes 8
here are the ones working for me -- Jap n3ds

[MAIN - L+UP - Unlock Catcher (Use if you have 0 plays)]
DD000000 00000240
D3000000 3644B73C
20000000 00000004
D2000000 00000000

[MAIN - L+LEFT - 30 plays]
DD000000 00000220
D3000000 3644B74C
00000000 0000001E
D0000000 00000000

[MAIN - L+DOWN - Stop Playing (1 Left)]
DD000000 00000280
D3000000 3644B74C
20000000 00000001
D0000000 00000000

[TRAINING - R+DOWN - Stop Playing (1 Left)]
DD000000 00000180
D3000000 3682C25C
00000000 00000001
D0000000 00000000

[TRAINING - R+RIGHT - +1 play]
DD000000 00000110
D3000000 3682C25C
D9000000 00000000
D4000000 00000001
D6000000 00000000
D0000000 00000000

[TRAINING - R+UP - 30 plays]
DD000000 00000140
D3000000 3682C25C
00000000 0000001E
D0000000 00000000
 
Sound like a real pain!
My sysnand and emunand are linked and I like to keep this like this so there isn't an atiban solution for me than. I don't want to lose my current save :(

I hope someone will manage to find a way to make a homebrew app to bypass this, like eShop spoofer. But that's a whole different thing :(
I think I am out of luck.

I hope it isn't really permanently.
 
Oh, so only the unlock catcher code can be used then? That makes sense.
I have a bad feeling about the unlock catcher code... 6th sense if you will. I try to use it the least as possible and if I am able to add more plays as soon as I get the free ones the better.
 
  • Like
Reactions: aos10
Is it possible to calculate the real machine address from knowing practice address, or have we not quite gotten that far yet?
 
How does one unlock the themes(background) ?? Anybody know?

Also
If anything, yeah, add to the practice plays earned, and also to real plays paid for. Don't add too many though. I do like the machines that can actually earn lots of badges in one play.
What do you mean by Real Plays Paid for? And what are the Practice Plays by the way? Are those for the stand on the left ?
 
USN3DSXL
Practice Plays:
3682085C
37249340

Real Plays:
3646674C
370A6A40

Two addresses each? Well, I tried both with NTR Debugger on a N3DSXL and nothing. What I tried:

Code:
write(0x3646674C, (0x04, 0x00), pid=0x**)
write(0x370A6A40, (0x04, 0x00), pid=0x**)

As well as the ones on the OP. No dice.
 
3646674C is correct for USA N3DS - I found it myself. Try using just the unlocker (which is what I use exclusively)

3646673C -- Works fine on 2 of my N3DS's

Edit: Don't use the second value, I believe that's just the mem loc for the displayed number (probably)
 
3646674C is correct for USA N3DS - I found it myself. Try using just the unlocker (which is what I use exclusively)

3646673C -- Works fine on 2 of my N3DS's

Edit: Don't use the second value, I believe that's just the mem loc for the displayed number (probably)

Tried it again, with this line in NTR Debugger:

Code:
write(0x3646674C, (0x04, 0x00), pid=0x**)

Not working. Am I missing something? Do I need to use a key sequence like with GW cheat codes? L+(Any D-PAD direction) don't trigger anything.

BTW: I changed the spreadsheet to say these codes don't work. Potentially misread the "By" column as an indicator of who tested them last. Sorry about that.
 
Tried it again, with this line in NTR Debugger:

Code:
write(0x3646674C, (0x04, 0x00), pid=0x**)

Not working. Am I missing something? Do I need to use a key sequence like with GW cheat codes? L+(Any D-PAD direction) don't trigger anything.

BTW: I changed the spreadsheet to say these codes don't work. Potentially misread the "By" column as an indicator of who tested them last. Sorry about that.

Here's the thing, you cant start the app with that mem loc already modified because it will just change it back, you need to trigger it (with a key combo, which is possible with NTR) however, you still cant use it without unlocking the machine first, which is what the unlock code does. Please don't mark it as bad, cause it's not ;)

These are meant for GW users, if you can't get them to work on NTR please don't comment "No" :/

Maybe we can get an NTR column?

--------------------- MERGED ---------------------------

To clarify, make an NTR cheat that has a trigger that activates the 'unlocker' cheat, which gives you 5 plays. That's really the only cheat you need.
 
  • Like
Reactions: Zidapi
Sound like a real pain!
My sysnand and emunand are linked and I like to keep this like this so there isn't an atiban solution for me than. I don't want to lose my current save :(

I hope someone will manage to find a way to make a homebrew app to bypass this, like eShop spoofer. But that's a whole different thing :(
I think I am out of luck.

I hope it isn't really permanently.
If you are worried about your save, you can always try custom badge manager, it backs up all your current badges and saves them as png. Just keep in mind it doesn't sort badges by category, and it deletes your current setup. Do not enter badge arcade without backing up your badges, I think it deletes them or something.
You can also add pngs to make custom badges. It even lets you place as many as you want.
 
Here's the thing, you cant start the app with that mem loc already modified because it will just change it back, you need to trigger it (with a key combo, which is possible with NTR) however, you still cant use it without unlocking the machine first, which is what the unlock code does. Please don't mark it as bad, cause it's not ;)

These are meant for GW users, if you can't get them to work on NTR please don't comment "No" :/

Maybe we can get an NTR column?

I'm not. Here are the complete set of steps I'm following to try to unlock the catcher:

  • Run BootNTR, change menu trigger to L+START rather than X+Y.
  • Start Badge Arcade. Press A, get to the "main menu", where you can select between Practice Catcher/etc.
  • Enable Debugger through NTR Menu. Start the client on laptop.
  • Run connect("ip.ad.dre.ss", 8000) successfully. Test sayhello() and see green screen flash on 3DS.
  • Stare at rabbit on the bottom screen menacingly.
  • listprocess(), get pid.
  • write(0x3646674C, (0x04, 0x00), pid=0xPID), returns null(this is Python, isn't it? Shouldn't it be None?) and then says it's finished.
  • Go to catcher, fingers crossed. Nope, still telling me I can pay for plays.
  • Try staying in the catcher, run write(0x3646674C, (0x04, 0x00), pid=0xPID) again. Nothing changes on the 3DS' end.
  • sayhello() flashes green screen normally, meaning the debugger is running fine, AFAICT.
  • Try write(0x3646673C, (0x04, 0x00), pid=0xPID), despite you saying it's just for the display number. Again, no dice.
What am I doing wrong?
 
I'm not. Here are the complete set of steps I'm following to try to unlock the catcher:

  • Run BootNTR, change menu trigger to L+START rather than X+Y.
  • Start Badge Arcade. Press A, get to the "main menu", where you can select between Practice Catcher/etc.
  • Enable Debugger through NTR Menu. Start the client on laptop.
  • Run connect("ip.ad.dre.ss", 8000) successfully. Test sayhello() and see green screen flash on 3DS.
  • Stare at rabbit on the bottom screen menacingly.
  • listprocess(), get pid.
  • write(0x3646674C, (0x04, 0x00), pid=0xPID), returns null(this is Python, isn't it? Shouldn't it be None?) and then says it's finished.
  • Go to catcher, fingers crossed. Nope, still telling me I can pay for plays.
  • Try staying in the catcher, run write(0x3646674C, (0x04, 0x00), pid=0xPID) again. Nothing changes on the 3DS' end.
  • sayhello() flashes green screen normally, meaning the debugger is running fine, AFAICT.
  • Try write(0x3646673C, (0x04, 0x00), pid=0xPID), despite you saying it's just for the display number. Again, no dice.
What am I doing wrong?

Ok, so, you CAN'T add play credits to the game if you don't have any to start with (i.e. the dollar bill slot is showing on the machine)

You MUST *unlock* the catcher, THEN send the code to modify play count. The problem is you are trying to write an invalid value to the unlocker (probably)

Unlocker GW Code:
DD000000 00000240 -- button combo (skip this)
D3000000 3646673C -- unlocker address
20000000 00000004 -- write this value to "unlock" the machine and add 5 plays (it's like you put in a dollar)
D2000000 00000000
 
What do you mean by Real Plays Paid for? And what are the Practice Plays by the way? Are those for the stand on the left ?

Practice plays, refers to the machine on the far left. Cheat those high enough to earn enough practice badges to get at least 3-4 real plays.

As for Real plays paid for, is exactly what it means. Actually pay the money for it, then at most, double the plays you have.

--------------------- MERGED ---------------------------

And as things stand, still not banned from the game yet. :D
 
I'm just posting what worked for me, and for Jan 21, the codes I posted gave me both practice plays and real plays. I'll include pictures from now on.
 
Ok, so, you CAN'T add play credits to the game if you don't have any to start with (i.e. the dollar bill slot is showing on the machine)

You MUST *unlock* the catcher, THEN send the code to modify play count. The problem is you are trying to write an invalid value to the unlocker (probably)

Unlocker GW Code:
DD000000 00000240 -- button combo (skip this)
D3000000 3646673C -- unlocker address
20000000 00000004 -- write this value to "unlock" the machine and add 5 plays (it's like you put in a dollar)
D2000000 00000000

After taking forever trying to find how to set up button triggers for commands on NTR, I ended up on a forum thread in spanish, where some people were sharing NTR cheat plugins. Downloaded the source for cell9's ALBW cheat plugin and changed it to run WRITEU32(0x3646673C, 0x00000004); when L+UP were pressed.

Happy as fuck thinking it was finally going to work, I put it in the right folder(/plugin/0004[...can't remember]). Ran Badge Arcade, confident my suffering would end, only to be met with 006-0114 when trying to connect to Nintendo Network. "Oh right, I read somewhere that NTR disables online services when you're using cheats. Is that true?" Restarted the title to be sure. Yeah, same error. "Well fuck."

Deleted the plugin and went back to the debugger.

"Maybe writing something to 0x364674C is affecting how 0x364673C is interpreted. It might only unlock it if I exclusively write 4 to 0x3646673C. Let's try that."

So I tried to understand how the array that write() receives is read. Passing just an int(0x04) to it didn't work, since it was expecting an array. (0x04) doesn't work. I assume the 0x00 in (0x04, 0x00) is just a terminating null value, the likes of which you see in C strings. I opened Badge Arcade with NTR Debugger enabled and connected to the PC client. write(0x3746673C, (0x04, 0x00), 0x0000002e) -> no dice. No change whatsoever from the previous behaviour, the catcher is still locked, while I'm offered to pay for a few plays.

-- EDIT --

WHOA! Some black magic happened. I was at the catcher, minding my own business, accepting the fact I wouldn't cheat the rabbit tonight, when I pressed A to get the "you don't have sufficient funds in your account" message. At that moment, I ran write(0x3646673C, (0x04, 0x00), 0x0PIDHERE) one more time. No change, but after I hit "Cancel", I had 15 plays(I set it to purchase 15 plays at a time, so maybe? I dunno).
 
Last edited by spoonm, , Reason: Computers operate on magic.
<snip>

Yeah, also cheated, but now, I am doing so in a lower key manner, and mixing in some paid plays, even if it will mean missing some badges.

Not sure if there is a bundle setting higher than 20. (I did manage to unlock the 20 play bundle today, by paying for 15 plays.) Subsuquently, payed for 20 plays, nothing unlocked yet. maybe another play of 20 might do something though.
 
Last edited by raulpica, , Reason: Removed quote -rp

Site & Scene News

Popular threads in this forum