RingEdge_NoKey_softmod
An alternative to dump game key.
Being very new in the Ringedge "world", a friend let me play with an RE2 UC (just the UC, no JVS board etc.), originally just to copy a game's drive. I found the excellent "sister writeup" https://github.com/ArcadeHustle/RingEdge_SSD_Softmod, and I was able to copy the game's SSD. Then, being curious, I was searching for a way to dump the game key. This excellent repository is full of hints and very educative!!
The problem I had was, mainly, that I have only a laptop with an US / ATA adapter and thus hot swapping the drive was not possible. Also, the fact that I am a Linux user, having Windows in a VM only, was a problem. Whatever game I plug into the RE2 ends up in error because of the JVS, but the game is loaded so the key has been generated.
In the end, I tried to "compile" all the knowledge and make it a single step to extract the game key. Note that I did not invent or find anything unknown; it's more a sequential set of commands to automate.
Checking the registry, we know that the WinLogon is actually replaced by mxprestartup; a bit of disassembly shows that mxprestartup starts the mxstartup using the SystemUser with its password. The password can be found in
HKEY_LOCAL_MACHINE\System\FBA\RegMigrate\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
and it's <6/=U=#tpe!$*3!5
The mxstartup does mount the TrueCrypt System Container (using the SystemKey and other partitions) then starts the mxmaster.exe that will extract the KeyChip.
I made a simple exe that can log the SystemUser and start the mxstartup, but in the end I found it logical to replace the mxstartup itself by a version that would:
- Disable EWF on C:
- TrueCrypt mount the System container
- Start the mxmaster
- Wait for a 16-byte file in the Windows temp
This is what I did and it does work.
The steps to get the game key are quite simple (I worked on a copy of a game; if ever you work on an original drive, back up the C:\ drive - the /dev/sdX1 partition):
- unlock the drive
- backup/rename the mxstartup.exe of C:\System\Execute
- copy the mxstartup.exe into C:\System\Execute
- install the drive into the RE2
- power on the RE2
- It will run for about 1 minute and will show the steps progress
- When it displays " you can power off the Ringedge", you can power off and mount the drive in a computer (or plug it in an adapter); you should find in C:\ a file SystemKeyFile and a file candidate_1, which is the game key.
Note that, to verify the key, I copied the TrueCrypt keydump binary - modified them to store the keys/password on C: rather than D: - and the keys found are of course the same.
This solution does not need a TrueCrypt patched version, but it does not hurt!
I haven't uploaded the mxstartup.exe yet; I'd rather wait for the OP's opinion/authorization. I realized that this is quite close to this https://github.com/ArcadeHustle/RingEdge_NoKey_softmod/issues/2
F.
Update: I made a second version that just prints the 16 bytes in hex on a console screen. The first version, by disabling EWF, was leaving many files on the C: drive (check System/Execute or temp). Actually the process is the same, except EWF is not disabled and the key is just displayed on the screen. You have to write it down or take a picture. I'll upload this version in a moment on archive.org
Excellent! Great work. Feel free to upload, I am all about various permutations to enable the community. If you need to, upload the .exe to archive.org for "preservation" purposes, and then link it here.
Is your .exe a compiled AutoIT script? Or an actual C program you wrote? Either way, the source code to it may be useful for others to build off of.
It's a Cpp program that I wrote. Not being familiar with Windows, I had to dig a bit to find the right "library" (Winxp is quite old), but in the end I was able to compile it using MSVC 2017. The exe and source code have been uploaded here https://archive.org/details/mxstartup
Adding registry changes would be easy (I did not need any).
For now I am the only tester, feedback about your testing would be great.
Next steps (when I have time): check the game partition and see the changes to make them work in the Multi RE. Also, I wonder about the ATA key for the SSD. I think they are "generated" from the disk information, I mean the BIOS expects a value according to the disk specifications; I am not sure though.
Thank you very much francky06l, I have some games to work on. I will test when I have time. Thank you very much for your help and for sharing!!!!
Is this intended to work on RingWide? Gave it a shot, but eventually final screen only says ">>> Nocandidate key found !!"
Confirmed working for me!
Glad it has been helping someone! I am not a specialist of all this; it was fun work. Concerning RingWide, I do not know, I had only a friend's RingEdge. Actually I do not have any Ring* stuff myself.