Extracting Windows components

Discussion in 'Windows 8' started by Stannieman, Aug 30, 2013.

  1. Stannieman

    Stannieman MDL Guru

    #1 Stannieman, Aug 30, 2013
    Last edited: Aug 30, 2013
  2. murphy78

    murphy78 MDL DISM Enthusiast

    Are you looking to create some sort of service removal tool or something?
    Why go through all this effort?
     
  3. Tito

    Tito Super Mod / Adviser
    Staff Member

    He wants to build a tool to port SKU-specific packages to others that can be installed through DISM. 100 has said that he designed a messy script for this job but it's still unpublished.
     
  4. KNARZ

    KNARZ MDL Addicted

    #4 KNARZ, Aug 30, 2013
    Last edited: Aug 30, 2013
  5. alien2xx

    alien2xx MDL Senior Member

    This would be perfect if a package like NFS client can be taken from the Enterprise version and transferred to the Pro version. This is the only thing preventing me from installing the Pro version.
     


  6. KNARZ

    KNARZ MDL Addicted

    Don't worry about signing... DISM also doesn't allow you to remove inbox-flagged drivers (DMIProvider.dll); this could be easily "hacked" by some simple nop command via hex editor. I guess it isn't that different with other DISM providers.

    Something to add: Don't forget that Windows since Vista has an internal license system. If features are prohibited by SKU then you won't be able (that easily) to run added/imported features. I'm thinking of WMC or some kind of server-based features which might not be in the image but are prohibited by license.

    More Details:
    In conclusion: Someone should still hack sppsvc as it's not validating the signature. So that any value can be imported. - This would also make all methods of activation obsolete. - And I still think this would become the biggest hack in Windows history since Vista

    http://forums.mydigitallife.net/threads/38870-License-System-(tokens-dat)-and-EditionID
     
  7. HALIKUS

    HALIKUS MDL Addicted

    This is maybe a stupid suggestion, but maybe poking around in the Dart installer files (in hex?) you can find a few tricks. I know if you select something like "add setup files" it will also add the other necessary files\dependencies. It will also remove unnecessary packages, so maybe that part will help. Good luck anyways. I'm sure there is essentially no documentation on the matter.
     
  8. SuperBubble

    SuperBubble MDL Member

    #8 SuperBubble, Aug 31, 2013
    Last edited by a moderator: Apr 20, 2017
  9. KNARZ

    KNARZ MDL Addicted

    Anything new?
     
  10. Mr Jinje

    Mr Jinje MDL Expert

    Thanks for the info
     
  11. moderate

    moderate MDL Guru

    #11 moderate, Sep 9, 2013
    Last edited by a moderator: Apr 20, 2017
    1. Manifests are packed in an unknown format in W8-1 and W2012 R2 and you can't place them packed in a CAB.
    http://forums.mydigitallife.net/thr...sts-are-packed-How-to-extract-them-to-XMLtext
    So nothing can be extracted until the compression method of manifests is found.

    2. Also pls could anybody tell me:
    Does the (signed) Update.CAT file hash only the MUM file, or the manifests too (or even the component files (like DLLs, EXEs etc.) in subdirs)?

    3. I also couldn't find where manifest names are specified. For example:
    There is file Microsoft-Windows-Dedup-Package~31bf3856ad364e35~amd64~en-US~6.2.9200.16384.cab in 100's Dedup pack (en-US language resources for Dedup component).
    It contains amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.2.9200.16384_en-us_2f145f4ba256b1cb.manifest (for W2012 R1).
    Now (in W2012 R2) we have in Manifests subdir:
    Code:
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_0e193e5c1481b20c.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_1374f60d4d6e0cdb.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_18d3fb8dd61aca48.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_2183a558174e431f.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_27d40bef9d2cbc93.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_27d90fd779598c35.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_3002f701b65b2cd2.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_379806ca427da4a4.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_39563d62278d60f0.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_3d8abc6c4998eaec.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_53de21695ee9fa65.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_579b6f620edffd28.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_72e63909be7b85e2.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_7aaaa83b31566356.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_7ebbe8b39309fd90.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_7fc5bbda65b87992.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_83a1f19ddece203d.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_8513309300eaf5c9.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_920894a118f2e5a6.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_9ea092b0471a07db.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_a1cb894d69c20158.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_acf32a2a55895e88.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_b13b1244556d7237.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_b227931b82e438eb.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_bd9194af1a4a8117.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_c35fe806d00a06a0.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_c3deac3b462c9b36.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_c70917f1ec898248.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_c85a87fc113bd964.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_e92b480435f1159f.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_ede462aa2b4c4162.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_f62cf149076777a6.manifest
    So which one is it? Where is it specified? The suffix number like (what was in 2012 R1) 2f145f4ba256b1cb isn't there. In MUM there is nothing useful.
    Also you can't view the files to select the right one (with <assemblyIdentity name="Microsoft-Windows-Dedup-Common.Resources"...> line) since they are packed.

    4. Also, where are the component files' (DLLs, EXEs, etc.) subdirs specified?
     
  12. SuperBubble

    SuperBubble MDL Member

    #12 SuperBubble, Sep 9, 2013
    Last edited by a moderator: Apr 20, 2017
    As far as I can tell, it's only files in subdirectories of %SystemRoot%\WinSxS that are subject to this 'compression'. Catalogue files are stored in %SystemRoot%\Servicing\Packages, with an identical name to the .mum file - that was the update.cat before the package was installed (usually - keep in mind .mum files can reference other .mum files).

    You're on the right track. Look for <assemblyidentity> tags inside the .mum file, mentally convert them to 'assembly ID' format (described in my earlier reply), and hunt for a .manifest and/or subdirectory of %SystemRoot%\WinSxS that matches.

    Of course it isn't there. New version of Windows := new version of dedup := new assembly hashes.

    However, I was under the impression that .manifest/.mum files did pop the hash value somewhere in the <assemblyidentity> tag. Clearly I was wrong, and you now have a mission on your hands. Perhaps the hash value can be parsed out of the catalogue file in some way?

    No, you can't. Thanks Microsoft. :mad:

    By a folder below %SystemRoot%\WinSxS that (approximately) matches the .manifest file name. WinSxS doesn't specify individual files - it specifies by entire assemblies. An assembly can contain a single file, though.

    Hope my rambling helps. :hug2:
     
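The lookup described in the reply above (read the `<assemblyIdentity>` tags in a .mum, then hunt for matching .manifest names), as an added Python example that is not code from any thread participant. The sample .mum and its component name are constructed, and the matcher assumes that `..` in a file name stands for characters elided from the middle of the assembly name; the trailing hash is not computed, so several candidates can remain.

```python
import xml.etree.ElementTree as ET

# Constructed sample .mum; the component name below is hypothetical.
SAMPLE_MUM = """<assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
  <assemblyIdentity name="Microsoft-Windows-Dedup-Package" version="6.3.9600.16384"
    processorArchitecture="amd64" language="en-US" publicKeyToken="31bf3856ad364e35"/>
  <package><update name="example"><component>
    <assemblyIdentity name="Microsoft-Windows-Dedup-Deployment-LanguagePack"
      version="6.3.9600.16384" processorArchitecture="amd64" language="en-US"
      publicKeyToken="31bf3856ad364e35"/>
  </component></update></package>
</assembly>"""

# Manifest file names quoted in the thread (one 6.2 name, four 6.3 names).
STEM = "amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_"
LISTING = [STEM + "6.2.9200.16384_en-us_2f145f4ba256b1cb.manifest"] + [
    STEM + "6.3.9600.16384_en-us_" + h + ".manifest" for h in
    ("c3deac3b462c9b36", "c70917f1ec898248", "c85a87fc113bd964", "e92b480435f1159f")]

def identities_from_mum(xml_text):
    """Every <assemblyIdentity> in a .mum, as a dict with lower-cased values."""
    return [{k: v.lower() for k, v in el.attrib.items()}
            for el in ET.fromstring(xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == "assemblyIdentity"]

def parse_manifest_name(filename):
    """Split arch_name_token_version_culture_hash.manifest into fields."""
    stem, ext = filename.lower().rsplit(".", 1)
    if ext != "manifest":
        raise ValueError("not a manifest name: " + filename)
    arch, rest = stem.split("_", 1)
    name, token, version, culture, suffix = rest.rsplit("_", 4)
    return {"arch": arch, "name": name, "token": token,
            "version": version, "culture": culture, "hash": suffix}

def name_matches(short, full):
    """Assumption: '..' in a file name marks characters elided from the middle."""
    head, sep, tail = short.partition("..")
    if not sep:
        return short == full
    return len(full) >= len(head) + len(tail) and full.startswith(head) and full.endswith(tail)

def candidates(identity, filenames):
    """Names agreeing with one identity; 'neutral' language is 'none' in names."""
    lang = identity.get("language", "neutral")
    want = (identity.get("processorArchitecture"), identity.get("publicKeyToken"),
            identity.get("version"), "none" if lang == "neutral" else lang)
    parsed = [(fn, parse_manifest_name(fn)) for fn in filenames]
    return [fn for fn, f in parsed if name_matches(f["name"], identity.get("name", ""))
            and (f["arch"], f["token"], f["version"], f["culture"]) == want]
```

Calling `candidates(identities_from_mum(SAMPLE_MUM)[1], LISTING)` returns all four 6.3.9600.16384 names, because every field except the hash suffix is identical.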
  13. moderate

    moderate MDL Guru

    #13 moderate, Sep 9, 2013
    Last edited by a moderator: Apr 20, 2017
    The CAT file is an MS-signed file that can't be changed. Other files' checksums are stored in this file, so they can't be changed either. So I was interested if:
    -only MUM file is hashed inside CAT
    -MUM and manifests are hashed inside CAT
    -MUM, manifests and all files from packages (EXEs, DLLs, etc.) are hashed inside CAT

    If only MUM is hashed there, we could use manifests from W2012 R1 server and edit them with version 6.3.9600... and possibly other things...

    Yes, this is the only identification of package files (EXEs, DLLs, etc.) and manifests I have found. However, it also means that we can't find manifest names (WHICH DON'T INSTALL FILES) anywhere else, and if there is duplication like:
    Code:
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_c3deac3b462c9b36.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_c70917f1ec898248.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_c85a87fc113bd964.manifest
    amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_e92b480435f1159f.manifest
    we can't find out which manifest is right without unpacking it. Also, we can't add them all; it will produce errors.
     
  14. SuperBubble

    SuperBubble MDL Member

    #14 SuperBubble, Sep 9, 2013
    Last edited by a moderator: Apr 20, 2017
    Alas, I'm pretty sure all files in the package are hashed in the catalogue file. :(



    Precisely. The first step is still to figure out this new encryption/compression method MS are using - at which point, all (well, most :)) of our problems will be solved.
     
  15. Stannieman

    Stannieman MDL Guru

    So SuerBubble, can you please share your script with me? I don't mind if it's ugly cause I'm not using it for production stuff anyway, just experimental.
    Then I can first try to get it working with Windows 7 for the time being, until the compression is sorted out.
     
  16. murphy78

    murphy78 MDL DISM Enthusiast

    Stannieman, IIRC there is a Windows 8.0 update KB2821895 servicing stack update that claims to change the compression on winsxs folder stuff as well.
    It probably wouldn't affect old files unless you run a:
    dism /online /cleanup-image /startcomponentcleanup

    If it has a similar effect on the manifest files, it might be a good start for reversing the compression.
     
  17. SuperBubble

    SuperBubble MDL Member

    #17 SuperBubble, Sep 10, 2013
    Last edited: Sep 10, 2013
    SuerBubble? As in a homophone of sewer bubble? I shouldn't give you anything after a typo like that. :nono:

    But yes, I'll be happy to post it here as soon as I find it (I recently reformatted my laptop's hard disk). :hug2:

    THANKYOU THANKYOU murphy78! Now we have a clue - I avoided attaching OllyDbg and tracing through because I would have had to hook the entire servicing stack... but a single .DLL (or small list of .DLLs) is much less work! :hug2:
     
  18. moderate

    moderate MDL Guru

    Yep, until we find that this "compression" is an RSA-encrypted file, which will take three trillion years to decrypt by brute force... :/
     
  19. Stannieman

    Stannieman MDL Guru

    #19 Stannieman, Sep 10, 2013
    Last edited: Sep 12, 2013
    (OP)
    If it's encrypted, the decryption key has to be on the system; otherwise it's useless that the files are even there.

    EDIT: I'm currently doing some other things: converting my deduped volume with Windows ISOs to xdelta files cause I find dedup highly impractical when other computers must be able to read the volume. It's also easier to make backups in the cloud. When I'm done I'll look deeper into this compression/encryption.
     
  20. murphy78

    murphy78 MDL DISM Enthusiast

    They have upgraded the 8.0 servicing stack thing that compresses winsxs folder.
    Old one was 2821895.
    New one is 2871777.

    If you are looking into reversing the strange compression in the winsxs folder I'd start with looking at those two...
     