How to "disarm" DeleteFileA() inside mxsegaboot.exe #10

Open
kioku25 opened this issue May 20, 2020 · 12 comments

kioku25 commented May 20, 2020

Not an issue per se, but since I'm not a coder I'd appreciate it if somebody could walk me through the process of patching DeleteFileA inside mxsegaboot.exe, so it won't purge C:\Windows\TEMP any longer. I've got Ghidra set-up and running and am looking at the function right now, but don't know how to proceed.

Thanks in advance.
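A worked example of the binary patch being asked about, added here and not part of this thread or the RingEdge_NoKey_softmod repo: a Python script that finds every `call dword ptr [__imp__DeleteFileA]` (encoded FF 15 followed by the IAT slot address) and every thunk-style `jmp dword ptr [__imp__DeleteFileA]` (FF 25 plus the same address) in a 32-bit PE, and overwrites each 6-byte instruction with code that returns TRUE and keeps the stack balanced. DeleteFileA is stdcall with one 4-byte argument, so the callee normally pops that argument; filling the call with NOPs would leave the pushed path on the stack. The IAT slot address `0x0040A0C4`, the `SAMPLE_TEXT` bytes and the function names are constructed for illustration; take the real slot address from Ghidra (the `__imp__DeleteFileA` pointer in the imports, which is also the address inside the brackets at each call site).

```python
"""Disarm DeleteFileA in a 32-bit PE by patching its call sites in place.

Constructed example: the addresses and sample bytes below are assumptions,
not values taken from mxsegaboot.exe.
"""
import struct
import sys

# 6-byte replacements, one per call form. DeleteFileA is stdcall with one
# 4-byte argument, so the replacement must also discard that argument or the
# caller's stack ends up unbalanced.
PATCHES = {
    # call dword ptr [slot]  ->  mov eax, 1 ; pop ecx
    # eax = TRUE ("deleted"); pop ecx drops the pushed path. ecx is a
    # volatile register under stdcall, so clobbering it is safe.
    "call": bytes.fromhex("B8 01 00 00 00 59"),
    # jmp dword ptr [slot]   ->  xor eax, eax ; inc eax ; ret 4
    # Thunk form: return TRUE straight to the thunk's caller, popping the arg.
    "jmp": bytes.fromhex("33 C0 40 C2 04 00"),
}
OPCODES = {b"\xff\x15": "call", b"\xff\x25": "jmp"}
PATCH_LEN = 6


def call_sites(code, iat_va):
    """Return sorted (offset, kind) for every FF 15 / FF 25 targeting iat_va.

    The instruction encodes the IAT slot's virtual address, so scanning the
    raw file works without mapping file offsets to RVAs. Cross-check the hits
    against the XREFs Ghidra lists for __imp__DeleteFileA: a 4-byte address
    can in principle also occur inside some other instruction's immediate.
    """
    slot = struct.pack("<I", iat_va)
    hits = []
    for opcode, kind in OPCODES.items():
        needle = opcode + slot
        start = 0
        while (i := code.find(needle, start)) != -1:
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def disarm(code, iat_va):
    """Return (patched_bytes, list_of_patched_offsets)."""
    buf = bytearray(code)
    patched = []
    for off, kind in call_sites(code, iat_va):
        buf[off:off + PATCH_LEN] = PATCHES[kind]
        patched.append(off)
    return bytes(buf), patched


def patch_file(src, dst, iat_va):
    """Patch src into dst (never overwrite the original) and return offsets."""
    with open(src, "rb") as f:
        data = f.read()
    out, patched = disarm(data, iat_va)
    with open(dst, "wb") as f:
        f.write(out)
    return patched


# Constructed sample standing in for a slice of .text. 0x0040A0C4 is an
# assumed IAT slot address for __imp__DeleteFileA, not the real one.
FAKE_IAT_VA = 0x0040A0C4
SAMPLE_TEXT = bytes.fromhex(
    "68 00 20 40 00 "       # push offset path           (5 bytes, offset 0)
    "FF 15 C4 A0 40 00 "    # call [0x0040A0C4]           (DeleteFileA, offset 5)
    "85 C0 "                # test eax, eax
    "74 02 "                # jz +2
    "33 C0 "                # xor eax, eax
    "C3 "                   # ret
    "FF 25 C4 A0 40 00 "    # jmp [0x0040A0C4]            (thunk form, offset 18)
    "FF 15 00 A0 40 00 "    # call [0x0040A000]           (other import: untouched)
)

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: disarm_deletefile.py mxsegaboot.exe mxsegaboot.patched.exe 0x0040A0C4
        hits = patch_file(sys.argv[1], sys.argv[2], int(sys.argv[3], 0))
        print("patched offsets:", [hex(h) for h in hits])
    else:
        out, hits = disarm(SAMPLE_TEXT, FAKE_IAT_VA)
        print("sample: patched offsets", hits, "->", out.hex(" "))
```

Two caveats a practitioner should keep in mind. First, this only catches direct memory-indirect calls and jumps through the IAT slot; a compiler that loads the slot into a register first (`mov esi, [slot]` then `call esi`) produces sites this scan will not see, which is why the hit list should be compared with the reference list Ghidra shows for `__imp__DeleteFileA`. Second, if the patched binary lives on a volume protected by EWF, the write is discarded at power-down just like the dumped keys mentioned later in this thread, so either commit the overlay or keep the machine powered while you work.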

@urbanurba

You can make this easier in the win settings by prohibiting the deletion of files in this directory for all users.

@ArcadeHustle (Owner)

Indeed... as mentioned in the verbose writeup. There are many ways to skin this cat. Some are included for historic posterity, and to help folks learn.

"You might be able to just take off the delete permission from windows temp"
https://web.archive.org/web/20170630214524/https://www.assemblergames.com/threads/sega-ringedge-motherboard-inside-pictures.46424/page-3#post-681518

@ArcadeHustle (Owner)

@kioku25 There are many good learning opportunities to solve this issue. Here is one example. https://youtu.be/H9DyLQ2iuyE?t=164

@ArcadeHustle (Owner)

@kioku25 you could alternately just use the patched TrueCrypt that was provided in the writeup. https://github.com/ArcadeHustle/RingEdge_NoKey_softmod/tree/master/TrueCrypt-win32_keydump

kioku25 (Author) commented May 21, 2020

> @kioku25 you could alternately just use the patched TrueCrypt that was provided in the writeup. https://github.com/ArcadeHustle/RingEdge_NoKey_softmod/tree/master/TrueCrypt-win32_keydump

About those patched TrueCrypt files, where exactly should I put them? I tried putting them into C:\Windows\system32 as well as D:\minint\system32, but never got my keys.

ArcadeHustle (Owner) commented May 21, 2020

Where were you expecting to find the keys? They get dumped in the root of c:, don't forget about EWF, so you'll have to snag them while the drive is powered up, or they are gone post power down.

kioku25 (Author) commented May 21, 2020

> Where were you expecting to find the keys? They get dumped in the root of c:, don't forget about EWF, so you'll have to snag them while the drive is powered up, or they are gone post power down.

Dang it, it never occurred to me that the drive needs to be powered the whole time.

@revengemanx

@kioku25 so you found a solution?

kioku25 (Author) commented Jun 27, 2020

I got a little sidetracked and haven't gotten around to trying it out on my RingEdge yet. I did manage to patch the DeleteFileA instructions found inside the mxsegaboot.exe though.

@revengemanx

Hi, if you have your patched mxsegaboot file, can you share it? I will test. And what about EWF, did you try to disable it with success? I was wondering about disabling it. "EWF c: commit disable blah blah" was not working for me.

kioku25 (Author) commented Jun 27, 2020

No, I haven't tried to disable EWF, since keeping the drive powered is easy enough to do.
I'd gladly share the patched mxsegaboot.exe with you, but since it is technically copyrighted material, I'd rather not post it here. Better drop me an email, my address is in my profile.

revengemanx commented Jun 27, 2020

message sent ;)
