[Question] In W8-1 and W2012 R2 manifests are packed. How to extract them to XML text?

Discussion in 'Windows 8' started by moderate, Sep 5, 2013.

  1. moderate

    moderate MDL Guru

    #1 moderate, Sep 5, 2013
    Last edited: Sep 5, 2013
    Hello,
    under W8-1 and W2012 R2 the manifests stored in:

    %windir%\winsxs\manifests\

    are compressed to some DAT format starting with strings:

    DCM and A30

    (in Total Commander Viewer).

    Pls how to extract them to plain text XML?

    Thanks...
     
  2. SuperBubble

    SuperBubble MDL Member

    Not just .manifest files, but some components that aren't installed by default (the TFTP client, for example) are compressed/encrypted (more or less) the same way.

    I went crazy Googling around trying to figure out the format, but gave up in disgust after a few days. The only thing I could think of would be to hook CBS with OllyDbg to figure out what's going on, but I'll leave that to someone with more knowledge on the subject than I. :(

    Sorry I can't be more help. Rest assured, I'm just as frustrated as you by this 'development'. :mad:
     
  3. SuperBubble

    SuperBubble MDL Member

    #3 SuperBubble, Sep 22, 2013
    Last edited: Sep 22, 2013
    Bump, for a damn good reason: (I think) I've identified the compression method - a bit of file comparison suggests it's a variation of Microsoft's semi-famous - but poorly-documented, since it's under patent - BDC (Binary Delta Compression).

    Does anyone know of a tool (besides EXPAND.EXE) that handles, or can at least tell us something about, BDC files?

    Bonus gun-jumping: I take it back: BDC (or at least the MS Patch API it's based upon) appears to be very well-documented. I'm slaving over a hot compiler as we speak (hurrah, a real language again after all that VBScript :D).
     
  4. moderate

    moderate MDL Guru

    I've tried expand.exe two weeks ago with no luck.
     
  5. SuperBubble

    SuperBubble MDL Member

    #5 SuperBubble, Sep 22, 2013
    Last edited: Sep 22, 2013
    Because EXPAND.EXE only handles BDC in very specific situations - and this isn't one of them. :rolleyes:

    I'm currently writing some native code to interface directly to MSDELTA.DLL. Haven't made much headway yet. The file format is becoming clearer to me though: the first four bytes (DCM$01 or DCN$01 usually) appear to be flags for compression/decompression, and the rest is just a standard BDC PA30-format compressed file, similar to the components of a Windows update.

    If I don't make a breakthrough in the next hour or so, I'll shim MSDELTA.DLL, and trap the calls made during the install of the TFTP client on Windows 8.1. That should reveal everything. :D
     
  6. moderate

    moderate MDL Guru

    Good, best will be Total Commander x64 plugin... :D
     
  7. NaiveUser

    NaiveUser MDL Senior Member

    good luck! maybe I'll also have a try later in case you didn't work it out :)
     
  8. SuperBubble

    SuperBubble MDL Member

  9. Stannieman

    Stannieman MDL Guru

    Epiiiiiiiiiic!
     
  10. NaiveUser

    NaiveUser MDL Senior Member

    Excellent! Can you post a standalone exe that can extract .manifest files? :p
     
  11. moderate

    moderate MDL Guru

    Good job, SewerBubble :))
     
  12. Tito

    Tito Super Mod / Adviser
    Staff Member

  13. SuperBubble

    SuperBubble MDL Member

    #14 SuperBubble, Sep 22, 2013
    Last edited: Sep 26, 2013

    Attached Files:

  14. moderate

    moderate MDL Guru

    Nice, at least somebody has worked today :))

    Thanks...
     
  15. redroad

    redroad MDL Guru

  16. moderate

    moderate MDL Guru

    however, it doesn't want to extract the files :p

    ext.jpg
     
  17. murphy78

    murphy78 MDL DISM Enthusiast

    I'm in no way an expert on winsxs package extraction stuff, but are the files you are trying to extract, copied from the winsxs folder?
     
  18. moderate

    moderate MDL Guru

    I got your point. I'll try it again directly on W2012 R2 installation without copying the files elsewhere...
     
  19. SuperBubble

    SuperBubble MDL Member

    Ze Bubble has screwed up. I freely admit it.

    moderate's right. I've screwed up badly. :eek:

    There are two, slightly different, kinds of compression used in WinSxS: (what I call) the 'M1' method (used by .manifest files), and the 'N1' method (used by everything else, it seems). It was a mistake to ignore that four-byte header... :eek:

    My tool, as it is, only handles 'N1' compression. I've been working on it for the last few hours, and I'm not sure what's wrong. These are the possibilities, in increasing order of 'badness'.

    • Bug in my decompression routine. Unlikely, since it works on N1 just fine;
    • M1 isn't a truly 'source-less' delta. Most likely, just need to find the source file the delta applies to, and the file will decompress;
    • M1 is a noticeably different method to N1. Unlikely, but I'm really paranoid it could be true. :fear:
    Results pending...
     
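The header layout described in posts #5 and #19, turned into a triage script for sorting WinSxS files before any decompression is attempted (an added example, not part of the thread and not SuperBubble's tool). It only classifies files; reading "$01" as the single byte 0x01, the names `classify` and `scan`, and the sample bytes are assumptions of this example.

```python
from collections import Counter
from pathlib import Path

# Assumption: "$01" in the thread means the single byte 0x01 after the ASCII tag.
WRAPPERS = {b"DCM\x01": "M1", b"DCN\x01": "N1"}  # the thread's names for the two methods
PA30_MAGIC = b"PA30"  # delta signature named in the thread
HEADER_LEN = 4

# Constructed sample inputs (not real WinSxS content).
SAMPLES = {
    "m1.manifest": b"DCM\x01PA30" + bytes(8),
    "n1.bin": b"DCN\x01PA30" + bytes(8),
    "plain.manifest": b'\xef\xbb\xbf<?xml version="1.0"?><assembly/>',
    "cut.manifest": b"DCM\x01",  # wrapper present, delta body missing
}


def classify(data: bytes) -> dict:
    """Classify one file's leading bytes by its four-byte wrapper header."""
    kind = WRAPPERS.get(data[:HEADER_LEN])
    if kind is None:
        # Not wrapped: an ordinary XML manifest (optional UTF-8 BOM) or something else.
        text = data.removeprefix(b"\xef\xbb\xbf").lstrip()
        return {"kind": "plain-xml" if text.startswith(b"<") else "unknown",
                "payload_offset": 0, "pa30": False}
    # A wrapper without a PA30 body is truncated or a variant not covered here.
    return {"kind": kind, "payload_offset": HEADER_LEN,
            "pa30": data[HEADER_LEN:].startswith(PA30_MAGIC)}


def scan(root: Path) -> Counter:
    """Tally wrapper kinds for every regular file under root (reads 64 bytes each)."""
    tally = Counter()
    for path in root.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                info = classify(fh.read(64))
            label = info["kind"]
            if info["payload_offset"] and not info["pa30"]:
                label += " (no PA30 body)"
            tally[label] += 1
    return tally


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} {classify(blob)}")
```

Pointing `scan` at a copy of `%windir%\winsxs\manifests\` shows how many files use each wrapper, which is the split post #19 says the tool has to handle separately.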