GRLDR without bootinst.exe

Discussion in 'Windows 7' started by xinso, Sep 12, 2009.

  1. xinso

    xinso MDL Guru

    #1 xinso, Sep 12, 2009
    Last edited: Sep 14, 2009
    MBR(bootsect.exe /NT60) -> \bootmgr

    MBR(bootinst.exe /NT60) -> \grldr -> \bootmgr

    MBR(bootsect.exe /NT60) -> \bootmgr (original grldr) -> \Boot\bm (original bootmgr)

    1.
    takeown /F %%A\bootmgr
    icacls %%A\bootmgr /grant administrators:F

    2.
    attrib %%A\bootmgr -s -r -h

    3.
    ren %%A\bootmgr bm

    4.
    cut&paste %%A\bm %%A\Boot\

    5.
    Copy bootmgr (from attachment) %%A\ /y

    P.S.
    1. %%A = System partition
    2. The bootmgr attachment in Step 5 is actually GRLDR (with ACER OA2.1 SLIC)
     
  2. Mr Jinje

    Mr Jinje MDL Expert

  3. Daz

    Daz MDL Developer / Admin
    Staff Member

    The one reason I still use bootinst is because it's easy for the user to fix it themselves if they need to. Having to explain how to rename a file back to what it was and delete the existing one via command prompt is sometimes just asking too much of the user. Another reason is that if MS do decide to put out an update that disables/deletes the GRLDR with injected SLIC, then the user still has bootmgr to fall back on, but via this method they don't.
     
  4. Mr Jinje

    Mr Jinje MDL Expert

    When I placed a hacked bootmgr in my WIM, I renamed my original to bootmgr.bak and left both in the PCAT folder inside the WIM:

    Windows\Boot\PCAT\bootmgr
    Windows\Boot\PCAT\bootmgr.bak

    I assume
    Windows\Boot\PCAT\bm


    When I install, the hacked bootmgr gets moved directly to the root of the system partition, while the other unknown files in the folder (bootmgr.bak) get placed into the Boot folder:

    R:\bootmgr
    R:\Boot\bootmgr.bak

    I assume
    R:\Boot\bm

    The Windows installer will copy to the correct place without any additional effort. No time to test it out. Maybe someone else cares too.
     
  5. nononsence

    nononsence MDL Addicted

    The bootmgr this guy has posted is grldr edited to chainload the renamed
    bootmgr file. If the renamed bootmgr file is in Boot, then you will have to edit
    grldr to chainload boot\bm, or you will have the dreaded blinking cursor hang
    after POST.
     
  6. Mr Jinje

    Mr Jinje MDL Expert

    #6 Mr Jinje, Sep 12, 2009
    Last edited: Sep 12, 2009
    Yeah, I know, and if someone downloads his file, the method I described should work just fine.

    It will not work with a regular GRLDR renamed to bootmgr, unless they make a few small changes in hex (mostly changing bootmgr to boot\bm or any other 7-letter string they like). The hack to GRLDR is the same as the hack to bootsect.exe, basically just a pointer rename.

    Xinso, what did Windows do when you installed? Did the backup bootmgr in the WinSXS folder overwrite your GRLDR bootmgr from the PCAT folder? Did the bm file get copied to the R:\Boot\ folder?
     
  7. nononsence

    nononsence MDL Addicted

    #7 nononsence, Sep 12, 2009
    Last edited: Sep 12, 2009


    My bad, I didn't even read his whole post; I thought he left bm at the root
    of the drive. I'm testing now: cert in OEM folder, key set with DISM, bm and
    renamed edited grldr in PCAT.

    Failed. I don't think it liked me messing with PCAT, maybe permissions.
     
  8. Mr Jinje

    Mr Jinje MDL Expert

    #8 Mr Jinje, Sep 12, 2009
    Last edited by a moderator: Apr 20, 2017
    Nonon - are you using the take ownership reg file or using some other elevated command line? I know that Microsoft specifically does not allow accounts in the administrators group access to these files (for our own good, they say).

    Xinso, I had to replace bootmgr in both the PCAT folder and this WinSXS folder before mine worked. Maybe it is a simple fix.

    Code:
    
    C:\Mount\Windows\winsxs\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_6.1.7600.16385_none_c30008a71484187b
    
     
  9. Mr Jinje

    Mr Jinje MDL Expert

    That is odd, I cannot make it do that. Copied your bootmgr into the PCAT folder and left the machine alone. When I came back and checked that WinSXS folder, it still had the original bootmgr file.

    What about the other files in the PCAT folder (memtest.exe, en-us folder), did they get copied over or was the hidden drive completely blank?

    Still, even if it cannot be slipped into a DVD, the manual method works, right?
     
  10. nononsence

    nononsence MDL Addicted

    There is some kind of check taking place. I have tried padding grldr out to
    the same size as bootmgr, but no luck.
     
  11. Mr Jinje

    Mr Jinje MDL Expert

  12. nononsence

    nononsence MDL Addicted

    #12 nononsence, Sep 13, 2009
    Last edited: Sep 13, 2009
    I got this to work by bypassing the bootmgr checksum.

    You will need to edit winsetup.dll in both "dvd root"\sources and boot.wim\sources with a hex editor.
    EDIT: just tested, Windows is activated without any loader install bs.
     
  13. nononsence

    nononsence MDL Addicted

    Nice tool Mr Jinje, much better than the command prompt.
     
  14. nononsence

    nononsence MDL Addicted

    #14 nononsence, Sep 13, 2009
    Last edited: Sep 13, 2009
    If anyone can get GRLDR at the root of the system volume during setup,
    I have the mod to make setup install the bootcode. I did this from memory;
    check it before making the DVD.

    bootcode mod
    Modding winsetup.dll to also copy GRLDR to the same place as bootmgr
    might be beyond my skill level. :)
     
  15. nononsence

    nononsence MDL Addicted

    #15 nononsence, Sep 13, 2009
    Last edited: Sep 13, 2009
    I didn't test this, but it looks right in IDA.

     
  16. xinso

    xinso MDL Guru

    You made my dream come true. I really felt much obliged!
     
  17. Mr Jinje

    Mr Jinje MDL Expert

    Cool, didn't think it would be that easy. :D
     
  18. nononsence

    nononsence MDL Addicted

    #19 nononsence, Sep 13, 2009
    Last edited: Sep 13, 2009
    To make this method as stealthy as possible I have created a GRLDR
    file that is the same size as bootmgr, and has the same creation and
    modification times as bootmgr.

    Without any extra files at the root of the system volume, bootcode not modified,
    and the phony bootmgr with the same size, ACLs, owner, creation, modification and
    access times as a real bootmgr, this method might escape detection.
     

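A defender's counterpoint to the post above, as an added example that is not code from the thread or from any of its posters: the post argues that a substituted boot loader with the same size, owner, ACLs and timestamps as the real bootmgr might escape detection. That is true of any check that only looks at file metadata, because all of those attributes can be copied. A check that compares the file's contents against a known-good digest is not fooled by copied metadata. The script below constructs two same-length images with identical timestamps and shows that a size/mtime comparison accepts both, while a SHA-256 comparison rejects the stand-in. The file names, the fixed timestamp, the sample bytes and the known-good digest are all constructed for this demonstration and are not real boot files.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data (not real boot files): a "genuine" loader image and a
# stand-in of exactly the same length, so that size alone cannot tell them apart.
GENUINE_IMAGE = b"GENUINE-BOOT-IMAGE" + b"\x00" * 1006   # 1024 bytes, constructed
STANDIN_IMAGE = b"STANDIN-BOOT-IMAGE" + b"\x00" * 1006   # 1024 bytes, constructed

# Known-good digest, computed here from the constructed sample. In practice it would
# come from a trusted inventory (e.g. the digest of the file on the install media).
KNOWN_GOOD_SHA256 = hashlib.sha256(GENUINE_IMAGE).hexdigest()


def sha256_of_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_with_timestamps(path, data, atime, mtime):
    """Write the bytes, then set access/modification times (the attributes a spoofer copies)."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (atime, mtime))


def metadata_check(path, expected_size, expected_mtime):
    """The weak check: size and modification time only. Copyable, so spoofable."""
    st = os.stat(path)
    return st.st_size == expected_size and int(st.st_mtime) == int(expected_mtime)


def content_check(path, expected_sha256):
    """The strong check: the bytes themselves must hash to the known-good digest."""
    return hmac.compare_digest(sha256_of_file(path), expected_sha256)


def compare_loaders():
    """Lay out both images with identical size and timestamps and run both checks on each."""
    fixed_time = 1252800000  # constructed epoch timestamp (Sep 2009), used for both files
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "bootmgr.genuine")   # constructed file name
        standin = os.path.join(tmp, "bootmgr.standin")   # constructed file name
        write_with_timestamps(genuine, GENUINE_IMAGE, fixed_time, fixed_time)
        write_with_timestamps(standin, STANDIN_IMAGE, fixed_time, fixed_time)
        size = len(GENUINE_IMAGE)
        return {
            # Both pass the metadata check: same size, same mtime.
            "genuine_metadata_ok": metadata_check(genuine, size, fixed_time),
            "standin_metadata_ok": metadata_check(standin, size, fixed_time),
            # Only the genuine image passes the content check.
            "genuine_content_ok": content_check(genuine, KNOWN_GOOD_SHA256),
            "standin_content_ok": content_check(standin, KNOWN_GOOD_SHA256),
        }


if __name__ == "__main__":
    for name, ok in compare_loaders().items():
        print(f"{name}: {ok}")
```

The digest comparison uses `hmac.compare_digest` so that the check takes the same time whether the digests differ in the first byte or the last. For a real inventory the known-good value has to come from a source the checked machine cannot rewrite, such as a copy of the original file hashed offline, otherwise the inventory can be replaced along with the loader.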

  19. Hazar

    Hazar MDL Guru

    Sneaky bootmgr ninja pwnage.

    Nice work.