Saturday 1 January 2022

Mega Man Legacy Collection 2 - decrypting game assets

If you own Mega Man Legacy Collection 2, you might want to extract the games' assets (music, gallery, levels, movies, etc.) for some reason. These assets are mostly in a ZIP archive named "disc", which can be opened with any application that can open ZIP archives. Anyone can browse the list of files in the archive, but unfortunately the files themselves are encrypted.

For the first Mega Man Legacy Collection, the password can be found by disassembling the EXE file, or by watching the process memory while the game is running, as described here:

Get MMLC1 password using CheatEngine

Get MMLC1 password using disassembly

These methods cannot as easily be used on MMLC2; at least I have not been successful. Fortunately though, on MMLC2, the ZIP file is encrypted using the method "ZipCrypto Store", which is old and effectively broken. To crack it, all we need is:

- 12 bytes of known decrypted plain text. Most PNG files have a 12 byte header, and this ZIP contains at least one PNG file! :)

- The tool bkcrack

So what we need to do is:

1. Create a 12 byte file containing the PNG header as known plaintext

2. Use bkcrack to crack the internal key of the ZIP archive

3. Use bkcrack to use the internal key to create an unlocked copy of the ZIP archive with a password of our choice

4. Use any ZIP software to extract the unlocked copy using our custom password

More detailed instructions can be found at Examples on how to crack using PNG header and on the readme on the bkcrack tool (same as above).
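As an added example (not from the original post or from bkcrack), this Python check reads ZIP directory entries and reports which ones use legacy ZipCrypto with the Store method and begin with a predictable PNG header, which is the condition the steps above rely on. The entry names and sizes in the sample are constructed, not taken from the game's archive.

```python
import zipfile

# First 12 bytes of a typical PNG: 8-byte signature + IHDR chunk length (13).
PNG_PREFIX = bytes.fromhex("89504e470d0a1a0a0000000d")

FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040      # bit 6: PKWARE "strong encryption"
METHOD_AES = 99           # WinZip AES marker in the compression-method field


def encryption_of(info: zipfile.ZipInfo) -> str:
    """Classify one entry as 'none', 'zipcrypto', 'aes' or 'strong'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == METHOD_AES:
        return "aes"
    if info.flag_bits & FLAG_STRONG:
        return "strong"
    return "zipcrypto"


def known_plaintext_exposed(info: zipfile.ZipInfo) -> bool:
    """True if the entry is ZipCrypto + Store and starts with a predictable PNG header."""
    return (
        encryption_of(info) == "zipcrypto"
        and info.compress_type == zipfile.ZIP_STORED
        and info.filename.lower().endswith(".png")
        and info.file_size >= len(PNG_PREFIX)
    )


def audit(archive) -> list:
    """Return (name, scheme, exposed) for every entry; accepts a path or file object."""
    with zipfile.ZipFile(archive) as zf:
        return [(i.filename, encryption_of(i), known_plaintext_exposed(i))
                for i in zf.infolist() if not i.is_dir()]


def sample_entry(name, flags, method, size):
    """Constructed directory entry standing in for one read from a real archive."""
    info = zipfile.ZipInfo(name)
    info.flag_bits, info.compress_type, info.file_size = flags, method, size
    return info


if __name__ == "__main__":
    for e in (sample_entry("gallery/art.png", 0x1, 0, 4096),
              sample_entry("levels/stage.lzs", 0x1, 0, 900),
              sample_entry("other/art.png", 0x1, 99, 4096)):
        print(e.filename, encryption_of(e), known_plaintext_exposed(e))
```

Archives written with AES (method 99) or left unencrypted are reported as not exposed; only the ZipCrypto + Store + PNG combination is flagged.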


Limitations

- We don't get the actual password, only the internal key. This is enough to extract files from the archive, but I'm not sure if it allows us to change files in the archive. Maybe replacing the entire archive with an identical one without encryption would work? Have not done any experiments on this, depends completely on what checks the EXE does on the ZIP.

- Many of the internal files are compressed files with "LZS" extensions. (The ZIP archive is for encryption only, not compression). Decrypting these should not be a challenge, but I haven't tested it.

- Some of the game's larger resources are in the "resources" folder. They may be encrypted movie files?

- The ZIP archive does not seem to contain any ROMs or other executables, only content, such as level data, fonts, music, graphics, videos, galleries etc. If ROMs or binaries are bundled in any way they are probably inside the EXE, like they were on MMLC1.


As far as I know, this cannot be used for piracy or anything else of that kind. Regardless, I am strongly opposed to piracy. Please support your game developers, mkay? :)


Saturday 16 February 2019

Make LG DVX-642H region free

To make the DVD player LG DVX-642H region free, the same trick as for other LG dvd players can be used, as described here: http://multi-region.net/lg_3620
In case that wiki is closed, what you do is you create a DVD with the folder "RMTM0000", with a subfolder "Scarlet", with a file named "kpjc19_1.dvd". (Some suggest the file should be uppercase).
The length of the file should be 0x500004 bytes. The last four bytes (i.e. starting at address 0x50000), should be 008C1717. The rest of the file should be 00. Some versions of this suggest the file can be only four bytes long and contain "17178C00".
Unfortunately you can't put this on a USB drive, but a DVD+RW is fine.

Inserting this disc triggers a region test mode which allows you to select any region, including 0 for region free.

Saturday 17 February 2018

Deep dive into an old router to extract its password

The objectives:
I had an old ISP provided ADSL wifi router to spare. I was hoping to increase its value slightly by checking if I would be able to use one of the LAN ports as WAN port and ignore the ADSL part, but we were never given the credentials for logging in to the web UI. Challenge accepted! :)

The router:
Provided by Swedish ISP Boxer (later sold their ADSL service to AllTele)
Branded name: Inteno X5669A

Original name: Xavi X5669A-WP2 (closely related to WP2U, same model with USB ports - they share firmware)

Specification: ADSL 2+, 4x10/100 Mbit LAN, 802.11b/g wifi, 2xVoIP ports
Internal hardware:
- ADSL/router SoC: Broadcom BCM6358VKFBG
- Ethernet switch: Broadcom BCM5325EKQMG
- Wifi: Broadcom BCM4318KFBG
- VoIP: Legerity LE88221DLC
- 32 MB RAM
- 8 MB Flash
Router was running CFE version 1.0.37-12.5
Firmware version was X5669A-WP2U_3.12UVNT10.08

Looking for the obvious...
(Unsuccessful stuff is greyed out, including it since it might have worked for other routers)

- Lots of googling, tried every default credential I could find and think of (admin/admin, admin/serialnumber, etc.), and tried to find a firmware update of this or a similar router that might contain the default credentials. No luck.
- Tried Telnet, SSH, etc. - but these also required credentials.
- Contacted Boxer and AllTele asking for the default credentials - no luck.
- Using Firefox dev tools I was able to see in the HTTP headers which HTTP server it used, and tried to find exploits for it, but no luck.
- Resetting to factory settings by holding reset for 10+ seconds - no luck, but curiously it changed the Wifi name from the previous Boxer_XX to Inteno_YYXX (XX and YYXX being the last digits of the MAC address). This might have affected the password as well!

No luck... Time to open it up
- Opened it up, looking for serial port and JTAGs - yes to both!
- Bought a CP210x (USB to Serial adapter with 3.3 and 5V support) for like 15 SEK on ebay. Initially I didn't get it to work - first Windows 10 just spammed me with "the device has malfunctioned", until I tried a different USB port (maybe it had problems with USB 3). Then I needed drivers.
- Checked the settings of the device in device manager, I found that the COM port became called "COM6".
- Used a multimeter to find the ground pin of the serial port (black on a grounded point on the PCB, red on each of the four pins). All but one shows 0 while the others show 3.3V - that one is the ground. Then just took a semi-wild guess and actually picked the right pinout on the first go: "GROUND - NC - VCC (3.3V) - RX - TX" - the TX goes to the RX on the adapter and vice versa. Note: Never connect the VCC pin.
- Tried to access the device with PuTTY. With cables connected as such, I just got a lot of garble. Changed the bit rate from the default to 115200, both in device settings in Windows and in PuTTY. Success - the CFE boot loader gave me a boot menu! :)

Using CFE
- Sadly, all of the obvious commands in CFE (such as "save") were not enabled in this version. There were plenty of commands to erase or write to Flash but that is not what I need.
- However, the CFE allowed downloading an image from TFTP to RAM and running it from there... but what image to use?

OpenWRT to the rescue!
- OpenWRT supports at least the BCM63xx, so I created an Ubuntu VM, downloaded and installed the prerequisites and the code repository, selected the proper hardware (generic BCM63xx), "ramdisk" as target, and compression disabled.
- I then used Solarwinds free SFTP server on Windows box and hosted the OpenWRT image I built. I hooked the PC and the router with Ethernet cables.
- I configured CFE ("c" command) to a manually selected IP address of the PC, specified that it should boot from host ("h") instead of flash ("f").
- Got error code "-18". Solarwinds log was empty. Removed a switch that sat between the router and the PC, and disabled the Windows firewall.
- Success! OpenWRT was booting!

Getting the Flash content
- With OpenWRT running, I could use dd to copy the raw flash data from /dev/mtdX (X = 0-4) to files in the /tmp folder:
dd if=/dev/mtd0 of=/tmp/mtd0backup
- I could then use WinSCP to transfer the content to my PC.
- I then used a hex editor (HxD) to simply search for "user" and "password" in the flash image files.
- In mtd1 I found quite a few interesting passwords, but the most interesting was [sysusername value="admin"] and [syspassword value="cGliNk9FWXZ5Qg=="]. (XML angle brackets replaced with square brackets because Blogger...)
- The "==" at the end of the password makes it look like it is base64 encoded. Decoding it gave me the password "pib6OEYvyB".

And indeed, admin and pib6OEYvyB were the correct credentials for this device. Victory! :)
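The hex-editor search above can be automated as an audit of a flash dump: base64 is an encoding, not protection, so any credential stored that way in a config partition is readable by whoever can dump the flash. This Python sketch is an added example, not part of the original post; the sample dump is constructed around the two fields quoted above, and the exact element syntax in the real image is an assumption.

```python
import base64
import binascii
import re

# Matches <name value="..."> (or the [name value="..."] form used on this page)
# where the element name mentions a user or password.
FIELD = re.compile(rb'[<\[](\w*(?:user|pass)\w*)\s+value="([^"]*)"', re.IGNORECASE)


def try_base64(raw: bytes):
    """Return decoded text if raw is strict base64 of printable ASCII, else None."""
    if not raw or len(raw) % 4:
        return None
    try:
        out = base64.b64decode(raw, validate=True)
    except binascii.Error:
        return None
    if out and all(0x20 <= b < 0x7F for b in out):
        return out.decode("ascii")
    return None


def scan_dump(blob: bytes):
    """List (offset, field, stored_value, decoded_or_None) for credential-like fields."""
    hits = []
    for m in FIELD.finditer(blob):
        name, raw = m.group(1).decode(), m.group(2)
        hits.append((m.start(), name, raw.decode("ascii", "replace"), try_base64(raw)))
    return hits


# Constructed stand-in for an mtd partition image: erased-flash padding (0xFF)
# around the two fields quoted in the post.
SAMPLE_DUMP = (
    b"\xff" * 64
    + b'<sysusername value="admin"/><syspassword value="cGliNk9FWXZ5Qg=="/>'
    + b"\xff" * 64
)

if __name__ == "__main__":
    for offset, field, stored, decoded in scan_dump(SAMPLE_DUMP):
        note = f"base64 -> {decoded}" if decoded else "stored as-is"
        print(f"0x{offset:06x} {field}: {stored} ({note})")
```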

Further work...

And no... the current web UI doesn't allow using a LAN port as WAN port... :( Perhaps some configuration changes could be done to make it happen...
Would be nice to get OpenWRT running on this, though it seems from the wiki that it is not likely to have wifi drivers for this device (and ADSL and VoIP certainly won't work). I'll look closer into this another day...


Very thankful for OpenWRT, enabling stuff like this!

Friday 22 December 2017

Checklist for freshening up a computer

I am wondering how many perfectly good computers are thrown out that could have been saved by a reinstallation of Windows (sometimes not even that).

This is what I do when someone asks me to have a look at their computer:

(Do everything behind a firewall and without any other devices in the network if there is a risk of it having a virus! If you KNOW it has a virus, deal with that first - worst case wipe hard drive using a safe, secure (but disposable) environment).

1. Is hardware OK?
Visual inspection, are fans clogged up?

Charger cable worn out? (often close to the connector at the PC end) - this can literally cause fires

Dust clogged up in fans? (Causes fans to spin faster to compensate, makes PC louder, hotter and the fan will break down sooner)

(start PC)

Do the fans sound healthy?

chkdsk X: /R (for each hard drive, C, D, etc).

Seagate SeaTools for Seagate hard drives

WD Windows Data Lifeguard (WinDLG) for all hard drives

Windows memory diagnostics (start menu -> type: mdsched)

Any serious errors - look closer into that part, make sure there is no false positive, replace any hardware determined to actually be bad

Bluescreens happening? Maybe some bad hardware, but more commonly caused by bad drivers. Enable further logs and investigate based on information in bluescreens.

If it can be done, upgrade to 4 GB RAM or more and an SSD, SSHD or at least a 7200 rpm drive.
Definitely make sure it has at least an 80 GB drive (death to absolutely useless 32 GB eMMC!)

Check UEFI and firmware updates for other hardware from PC maker, hard drive firmware update from hard drive maker.


2. Is software OK?

What version of Windows is suitable?
- Windows XP - do not use! Upgrade if the hardware supports it
- Windows Vista - not as bad as people say, but there are pretty much zero drawbacks to upgrading to at least Windows 7 if you can
- Windows 7 - if user is happy, no problem keeping it, but can be upgraded to Windows 10 if user wants to.
- Windows 8, 8.1 - strongly recommend upgrading to Windows 10

Note that if you have a legal license for Windows 7 and forward (e.g., it came with the computer), it can be upgraded to Windows 10 - you can simply download it from Microsoft's website. (DO NOT download it from any website not on "microsoft.com"). When asked for a licence key, type the key on the sticker on the computer. Windows 10 installation will accept most keys for Windows 7 or newer. If the Windows sticker on the computer does not have a licence key on it, the key is stored in the computer's UEFI (BIOS) and you can just click "I don't have a licence key" during the installation.

Whether the Windows version is good or not, do the rest of the list first before upgrading; the system needs to be healthy before upgrading.

Then...

Make sure some antivirus software is running, at least Windows Defender. Make sure it and its virus definitions are up to date. Run a full scan and make sure it is not finding anything.

Is Windows Update working properly? Sooner or later it tends to break in one way or another. Are recent updates installed? Is any update repeatedly being installed? Get those problems fixed.
Configure WU to "include software for all Microsoft software". Check for updates manually until it specifically says there are no more updates.

Disk clean up ("include system files")

Clean temp folders (disk clean up does usually not clear up everything)

Defrag (unless system is on SSD), check defrag is scheduled

For each web browser, disable every add-on/plugin that is useless. Make sure the default home page and search engine are the ones the user wants to use.

Update drivers for everything (from PC maker and/or separate device manufacturers)

Make sure all partitions have at least 15% free space (except "recovery" partitions, boot system partitions etc.)

In Startup tab of Task Manager, disable everything useless

Check services and make sure there is nothing inappropriate running

Make sure computer is running the performance profile "Maximum performance"

Check BIOS/UEFI settings. Reconsider all settings that affect the priority between performance, noise and heat (e.g. "best performance" vs "best acoustics"). Usually make sure everything is set to best performance, then noise, then heat.
HP laptops often have option "Fan always on" - disable it. No reason to have fan running (and getting worn out) if the computer is not hot enough.


Update everything, such as Flash, Acrobat, Java, web browsers, and generally everything else that says it needs to be updated

Clear CCM cache - Control Panel -> Configuration Manager -> Cache

Use Task Manager and Resource Monitor to see what the hardware bottlenecks are, and what processes are taking the most resources. Disable these processes by appropriate measures (e.g. uninstalling useless applications).

3. Still sluggish?

Take a backup, wipe it, install Windows from scratch...

Friday 13 January 2017

Dear all web developers out there... Can we talk about some things?

I use the web sometimes. Here are some practices that need to end, now!

1. Page scrolling up and down on mobile devices.
So I go to a long web page on my mobile device, sometimes not with the fastest connection. The top of the page loads, I scroll down. Since not all of the huge images and ads have loaded yet, the content scrolls up and down for ages until the page has finished loading. Developers, please pre-define the height of the content as much as possible (especially images) in the HTML so it doesn't have to be readjusted after the content has loaded!

2. Banners that scroll the page
So there is some cookie warning or what not as a banner on top of the page. Please, don't make it so the entire page scrolls 30 pixels down just as I am about to click a link... (I'll appreciate any irony if there is such a cookie warning on this page. :-D )

3. Popups (aka modal dialogs)
A long time ago, pages used to open popups as new browser windows. People hated them, so browsers started blocking them. Then web designers started making in-page popups instead. Granted, there are many cases where this is perfectly fine. But showing errors, alerts or especially ads this way is usually NOT. Even worse, the implementations are often slow and jerky and jump around, and the "X" icon is hard to find or moves around until the popup has finished loading. Please just integrate your message into the rest of the page instead!

4. Full screen ads appearing after I already started reading the page
See title. It just makes me hate your site and the advertiser more than otherwise. Especially if the scroll position is reset after I close the ad.

5. target=_blank
I know how to use "Open in new tab". If I clicked the link without selecting "Open in new tab", I did not want it to open in new tab. Open in same tab, please.

Let's make the world a better place! :)

Saturday 12 November 2016

Intel SSD Toolbox - installation fails, reboots Windows before installation is completed

The problem:
I wanted to install Intel SSD Toolbox 3.4.0.400. After clicking Next a few times in the wizard, once the actual installation has started, Windows reboots and the installation is interrupted. Nothing of Intel SSD Toolbox is installed or changed.
Additionally, for each interrupted installation, a number of folders called "IIxxxx.tmp" (xxxx = random characters and numbers) are left in the C:\Windows\Temp folder, each containing 300+ MiB.

The cause:
The first thing the installer does is to run the included vc_redist.x86.exe. This is the Visual C++ Redistributable runtime installer - essentially an installation program which installs a few DLLs that the toolbox apparently requires. On my computer, the VC++ runtime installer determined my computer needed to reboot. The Intel installer should have run this installer with the command line that instructs the installer to suppress such reboots, but it does not.

The fix:
Download the installer.
Run it.
Wait while "Please wait while setup initializes".
When the installer is waiting for you to hit Next at the first step, do NOT press it.
Instead, open C:\Windows\Temp.
Find the LAST folder (order by Modified date) called "IIxxxx.tmp". Check the modified time - it should be just a minute ago.
Open the Dependencies subfolder. It should contain a file called vc_redist.x86.exe file, and a few DLL files.
Rename the vc_redist.x86.exe file something else or delete it.
Find any other exe file - I picked C:\Windows\notepad.exe.
Copy it to the Dependencies folder and rename it to vc_redist.x86.exe.
Go back to the installation wizard and hit Next to let installation proceed.
Hopefully installation should be fine.
After completion, the installer will ask you properly to reboot. Do so.
After reboot, make sure to remove all of the "IIxxxx.tmp" folders in your Temp directory to avoid wasting disk space.
Complain to Intel that the installer has a bug.

Note: If the toolbox doesn't work properly, or if installation now fails at a later stage, you might have a problem with the VC++ runtimes. One thing to try then, is to follow the instructions above, but copy the vc_redist.x86.exe file to a separate folder and run it on its own by just double clicking it. It should show you a GUI offering to install, repair or uninstall the runtimes. You could also try downloading the runtimes from Microsoft.


Please leave me a comment if this helped you or not!

Thursday 1 September 2016

"Back to the Future: The Game" episodes 2-5 not downloading on iPad Mini

I played the first free episode of "Back to the Future: The Game" (1.6) on my iPad Mini (with iOS 9.3.5). Everything was fine and I decided to buy the bundle with episodes 2-5. However, downloading the episodes (over wifi) persistently froze somewhere between 1% and 12%. After a long time, the game would then either close or give an error message about losing internet connection. I would then have to restart the download. I contacted Telltale's support; they responded quickly and with a lot of suggestions (restart the iPad, close all other apps, try another Wifi connection, keep trying, try a VPN), but none of them made a difference.

I found this page where some people suggest using cellular data instead of wifi connection to get the episodes. That was not an option for me, as my iPad model is wifi only. However it gave me the idea to try to connect to the internet using internet sharing/tethering over Bluetooth from another device. Using Bluetooth internet sharing on my low end Lumia Windows Phone, I was able to download the episodes on the first attempt.
Note that similar Bluetooth internet sharing on an old HTC One M7 was not successful - the iPad was not able to connect to internet at all using that.

So - things to do if you suffer this issue:
- Contact Telltale support, even if you manage to solve this issue yourself using workarounds - if they do not know how many are having this issue, they won't fix it.
- Try either cellular data or Bluetooth internet sharing from another device, instead of Wifi, if you can.
- If it doesn't work over Bluetooth with your device - check if you have Internet connection at all over Bluetooth. If not, try another device, iOS is incompatible with many devices.
- Demand a refund if none of the above helps.
- Mention this issue on App Store review etc.

Don't hesitate to leave a comment if this helped you or not!