How to "disarm" DeleteFileA() inside mxsegaboot.exe

Open kioku25 opened this issue 5 years ago • 12 comments

Not an issue per se, but since I'm not a coder I'd appreciate it if somebody could walk me through the process of patching DeleteFileA inside mxsegaboot.exe, so it won't purge C:\Windows\TEMP any longer. I've got Ghidra set up and running and am looking at the function right now, but don't know how to proceed.

Thanks in advance.

kioku25 avatar May 20 '20 19:05 kioku25

You can make this easier in the win settings by prohibiting the deletion of files in this directory for all users.

urbanurba avatar May 21 '20 12:05 urbanurba

Indeed... as mentioned in the verbose writeup. There are many ways to skin this cat. Some are included for historic posterity, and to help folks learn.

"You might be able to just take off the delete permission from windows temp" https://web.archive.org/web/20170630214524/https://www.assemblergames.com/threads/sega-ringedge-motherboard-inside-pictures.46424/page-3#post-681518

ArcadeHustle avatar May 21 '20 15:05 ArcadeHustle
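The alternative suggested in the two replies above (remove the delete permission on the Windows temp directory instead of patching the binary) can be done with the stock `icacls` tool. The script below is an added illustration of that approach; it is not from this thread or from the RingEdge_NoKey_softmod project. It assumes an elevated PowerShell prompt on the target machine, and the `$Target` path and the probe file name are my own choices.

```powershell
# Added example: deny Delete on the files under C:\Windows\TEMP and Delete-Child
# on the directory itself, so a DeleteFileA() call on anything in there is
# refused with ERROR_ACCESS_DENIED instead of purging the folder.
# Assumed target directory; change it if you want to protect a different one.
$Target = 'C:\Windows\TEMP'

# Save the current DACL first so the change can be reverted exactly.
$Backup = Join-Path $env:USERPROFILE 'windows_temp_acl_backup.txt'
icacls $Target /save $Backup /t /c | Out-Null

# Everyone is the well-known SID S-1-1-0 (the leading * tells icacls it is a SID).
# DE = delete the object, DC = delete child objects of a directory.
# (OI)(CI) makes the ACE inherit to existing and future files and subfolders,
# which matters because DeleteFileA succeeds if EITHER the file grants DELETE
# OR the parent directory grants FILE_DELETE_CHILD.
icacls $Target /deny '*S-1-1-0:(OI)(CI)(DE,DC)'

# Verify: create a constructed probe file, then confirm that deleting it is refused.
$Probe = Join-Path $Target 'acl_probe.txt'
Set-Content -Path $Probe -Value 'constructed probe file for the deny-delete check'
try {
    Remove-Item -Path $Probe -ErrorAction Stop
    Write-Host "UNEXPECTED: delete succeeded, the deny ACE did not take effect"
} catch {
    # Expected branch: the deny ACE blocks the delete (the probe file stays behind).
    Write-Host "OK: delete refused by ACL -> $($_.Exception.Message)"
}

# Show the resulting DACL so the new deny entry can be inspected.
icacls $Target

# To undo the change (the probe file becomes deletable again afterwards):
#   icacls $Target /remove:d *S-1-1-0 /t
# or restore the saved DACL with:
#   icacls (Split-Path $Target -Parent) /restore $Backup
```

Two things to check before relying on this. First, a deny ACE for Everyone also applies to administrators and to whatever account the boot process runs under, so anything legitimately relying on cleaning that directory will start failing too; that is the whole point here, but it is worth knowing. Second, as the thread notes further down, the system is protected by EWF, so an ACL change made on a live system is discarded at power-off unless it is committed, the same way the dumped keys vanish.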

@kioku25 There are many good learning opportunities to solve this issue. Here is one example: https://youtu.be/H9DyLQ2iuyE?t=164

ArcadeHustle avatar May 21 '20 15:05 ArcadeHustle

@kioku25 you could alternately just use the patched TrueCrypt that was provided in the writeup. https://github.com/ArcadeHustle/RingEdge_NoKey_softmod/tree/master/TrueCrypt-win32_keydump

ArcadeHustle avatar May 21 '20 15:05 ArcadeHustle

About those patched TrueCrypt files, where exactly should I put them? I tried putting them into C:\Windows\system32 as well as D:\minint\system32, but never got my keys.

kioku25 avatar May 21 '20 16:05 kioku25

Where were you expecting to find the keys? They get dumped in the root of c:, don't forget about EWF, so you'll have to snag them while the drive is powered up, or they are gone post power down.

ArcadeHustle avatar May 21 '20 16:05 ArcadeHustle

Dang it, it never occurred to me that the drive needs to be powered the whole time.

kioku25 avatar May 21 '20 16:05 kioku25

@kioku25 so you found a solution?

revengemanx avatar Jun 26 '20 17:06 revengemanx

I got a little sidetracked and haven't gotten around to trying it out on my RingEdge yet. I did manage to patch the DeleteFileA instructions found inside the mxsegaboot.exe though.

kioku25 avatar Jun 27 '20 12:06 kioku25

Hi, if you have your patched segaboot mx file, can you share it? I will test. And what about EWF, did you try to disable it with success? I was wondering how to disable it. EWF c: commit disable blah blah was not working for me.

revengemanx avatar Jun 27 '20 12:06 revengemanx

No, I haven't tried to disable EWF, since keeping the drive powered is easy enough to do. I'd gladly share the patched mxsegaboot.exe with you, but since it is technically copyrighted material, I'd rather not post it here. Better drop me an email, my address is in my profile.

kioku25 avatar Jun 27 '20 17:06 kioku25

message sent ;)

revengemanx avatar Jun 27 '20 17:06 revengemanx