I will show you how to patch a CIA's executable, this will allow you to do things like install SaltySD without NTR. Requirements: Ctrtool (in tools.zip) 3dstool (Also in tools.zip) makerom (guess where?) Hex editor CIA you want to patch CFW Decrypt9WIP Step 1: Decrypt the CIA Warning: Spoilers inside! You may skip this if your CIA is decrypted already! Copy your the CIA that you want to decrypt into D9game on the root of your SD card. Then go into Decrypt9, Game Decryptor Options->CIA Decrypter (deep) and wait. Now copy that back to your PC, it is now decrypted! Step 2: Extract the CIA Warning: Spoilers inside! Execute "ctrtool --contents=contents [CIA].cia", with [CIA].cia replaced with the proper file. Take note of the content file names, this will be important while remaking the CIA. Next we need to extract the primary content file, this should be called contents.0000.XXXXXXXX, like the Smash 1.1.5 update it is called contents.0000.00000014. Execute "3dstool -xvtf cxi [CONTENTS] --header ncch.header --exh exheader.bin --exefs exefs.bin --romfs romfs.bin --plain plain.bin" with [CONTENTS] replaced with the contents file. This should generate a warning about "logoregion", it is safe to ignore this. Next we need to extract the exefs, execute "3dstool -xvtf exefs exefs.bin --exefs-dir exefs --header exefs.header". The final extraction step is to decompress the code, execute "3dstool -uvf exefs/code.bin --compress-type blz --compress-out code-orig.bin" Step 3: Modify the code Warning: Spoilers inside! Copy the code-orig.bin file wherever you need it, modify it, and copy it back as code-patched.bin. Step 4: Repack the CIA Warning: Spoilers inside! First we need to compress the modified code, execute "3dstool -zvf code-patched.bin --compress-type blz --compress-out exefs/code.bin" Then we need to create the exefs. Execute "3dstool -cvtf exefs exefs2.bin --exefs-dir exefs --header exefs.header" We need to make the modified CXI, execute "3dstool -cvtf cxi patched.cxi --header ncch.header --exh exheader.bin --exefs exefs2.bin --romfs romfs.bin --plain plain.bin" Finally we need to create the CIA file, this is where the name of the content files is needed. Execute "makerom -f cia -o [PATCHED].cia -content patched.cxi:0" with all the content files appended to it with "-content contents.xxxx.yyyyyyyy:x" EXCEPT for contents.0000.yyyyyyyy. For my SaltySD patch it would be "makerom -f cia -o SmashUpdate.NaCl.decrypted.cia -content patched.cxi:0 -content contents.0001.0000000f:1" Step 5: Fix Versions (optional, but recommended) Warning: Spoilers inside! Open the decrypted CIA in a hex editor, and locate the two bytes at offset 0x00002F9C and copy those. Copy that to the modified CIA at 0x00002F9C. Step 6: Encrypt The CIA Warning: Spoilers inside! Now that the cia has been modified, we need to encrypt it; some things will break if the CIA is not encrypted. Copy the modified CIA to D9game again, launch Decrypt9WIP and goto Game Decryptor Options->CIA Encryptor (NCCH) and wait. Step 7: Profit If someone has a capture device, I would love some screenshots of D9!