How to Verify OEMBIOS Files

Discussion in 'Windows XP / Older OS' started by crypto, Sep 16, 2009.

  1. crypto

    crypto MDL Member

    Nov 3, 2008
    114
    363
    10
    #1 crypto, Sep 16, 2009
    Last edited by a moderator: Apr 20, 2017

    Attached Files:

  2. icecold

    icecold MDL Novice

    Aug 25, 2009
    15
    1
    0
    #2 icecold, Sep 17, 2009
    Last edited by a moderator: Apr 20, 2017
  3. 911medic

    911medic MDL Guru

    Aug 13, 2008
    5,778
    489
    180
    #3 911medic, Sep 17, 2009
    Last edited: Sep 17, 2009
  4. crypto

    crypto MDL Member

    Nov 3, 2008
    114
    363
    10
    #4 crypto, Sep 17, 2009
    Last edited by a moderator: May 23, 2017
    (OP)
    The catalog file (oembios.cat) contains the hashes of the other oembios files. SignTool is used to compare those hashes against the files we want.
    The catalog file itself is digitally signed to prevent modifications.

    The goal is to verify the integrity of the files and make sure they have not been tampered with or damaged.
    If you try to verify a file that is not in the catalog, verification will fail.
    If you try to verify a file that has been modified or damaged, verification will fail.
    Successful verification gives us a 100% certainty that the files are untouched.

    Of course, this doesn't tell us anything about the OEM. For that, you need to decrypt the oembios.dat file, which contains the SLP strings and memory ranges.
    This is exactly what I did and I have included the fully decrypted oembios.dat (as OEMBIOS_DAT.txt) for each of the known OEMBIOS file sets (see the Windows XP OEMBIOS archive).
     
  5. 911medic

    911medic MDL Guru

    Aug 13, 2008
    5,778
    489
    180
    #5 911medic, Sep 17, 2009
    Last edited by a moderator: May 23, 2017
    I understand the contents of the .dat files. I have used the tool by offon to decrypt the oembios files I need, but this requires them to be in the OS when booted, and was built a while ago.

    Do you have a tool or script to decrypt the file offline? This would be very good to have. If you do, care to share?
     
  6. crypto

    crypto MDL Member

    Nov 3, 2008
    114
    363
    10
    No, I don't have any tool or script to decrypt oembios.dat files. I just let MGADiag decrypt them for me. :D

    But now that you mention it, I may look into it.
     
  7. sebus

    sebus MDL Guru

    Jul 23, 2008
    5,833
    1,748
    180
    #7 sebus, Sep 20, 2009
    Last edited: Sep 20, 2009
    +1 from me, would be really nice to have (even if most, if not all, known sets are already decrypted in the sticky thread).
    I think FreeStyler could have such a tool...
    Also there is a tool from xehqter at the msfn forum (but I do not think it is offline)

    OEMBIOS Scanner v1.4.1 by Jeremy (xehqter)

    sebus
     
  8. sebus

    sebus MDL Guru

    Jul 23, 2008
    5,833
    1,748
    180
    Bump!

    sebus
     
  9. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,502
    3,611
    120
    #9 FreeStyler, Sep 26, 2009
    Last edited: Mar 10, 2011
    You are right, I have such a tool; the creator (xehqter) made me promise not to spread it publicly, and I am a man of my word.

    Here is another one: http://forums.mydigitallife.net/thr...indows-2003-and-XP?highlight=compress+oembios
     
  10. sebus

    sebus MDL Guru

    Jul 23, 2008
    5,833
    1,748
    180
  11. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,502
    3,611
    120
    #11 FreeStyler, Mar 10, 2011
    Last edited by a moderator: Apr 20, 2017
    crypto's scripts above fail when run on another platform, e.g. Vista, Windows 7 and Windows Server 2008.

    You can fix this by submitting the OS version to validate against (using the /o switch), e.g.:

    Windows XP
    Code:
    @echo off
    signtool.exe verify /v /o 2:5.1.2600 /a oembios.cat
    signtool.exe verify /o 2:5.1.2600 /c oembios.cat oembios.bin oembios.dat oembios.sig
    pause
    or

    Code:
    @echo off
    signtool.exe verify /v /o 2:5.1 /a oembios.cat
    signtool.exe verify /o 2:5.1 /c oembios.cat oembios.bin oembios.dat oembios.sig
    pause
    Windows Server 2003
    Code:
    @echo off
    signtool.exe verify /v /o 2:5.2.3790 /a oembios.cat
    signtool.exe verify /o 2:5.2.3790 /c oembios.cat oembios.bin oembios.dat oembios.sig
    pause
    or

    Code:
    @echo off
    signtool.exe verify /v /o 2:5.2 /a oembios.cat
    signtool.exe verify /o 2:5.2 /c oembios.cat oembios.bin oembios.dat oembios.sig
    pause
     
  12. LittlePro

    LittlePro MDL Novice

    Jan 19, 2017
    27
    2
    0
    #12 LittlePro, Feb 8, 2017
    Last edited: Feb 11, 2017
    Hi,
    Thanks to crypto, FreeStyler & all!
    Sir(s),
    I have run the XP OEMBIOS SET VERIFIER from within Windows 7 Ultimate SP1 x86, but the results are not very clear to me. One line at the top of the result text seems alarming (BOLD & CAPITAL)! The exact text is:

    Verifying: OEMBIOS.CAT
    UNABLE TO VERIFY THIS FILE USING A CATALOG.
    SHA1 hash of file: 4C5184772340740DEB58077CD74DFD40E4AA26D7
    Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires: 12/31/2020 12:30:00 PM
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

    Issued to: Microsoft Windows Hardware Compatibility
    Issued by: Microsoft Root Authority
    Expires: 12/31/2002 12:30:00 PM
    SHA1 hash: 109F1CAED645BB78B3EA2B94C0697C740733031C

    Issued to: Microsoft Windows Hardware Compatibility Publisher
    Issued by: Microsoft Windows Hardware Compatibility
    Expires: 12/30/2002 12:30:00 PM
    SHA1 hash: 014C3D7F66B396D2250DD1D26ADBFF748B916B2A

    The signature is timestamped: 5/29/2002 12:48:51 AM
    Timestamp Verified by:
    Issued to: NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
    Issued by: NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
    Expires: 1/8/2004 5:29:59 AM
    SHA1 hash: 18F7C1FCC3090203FD5BAA2F861A754976C8DD25

    Issued to: VeriSign Time Stamping Service
    Issued by: NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
    Expires: 1/7/2004 5:29:59 AM
    SHA1 hash: 23348A128A2A9ABA478C9AAD1EC275F444F078D3

    Successfully verified: OEMBIOS.CAT

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0
    Successfully verified: OEMBIOS.BIN
    Successfully verified: OEMBIOS.DAT
    Successfully verified: OEMBIOS.SIG
    Press any key to continue . . .


    Please help me to understand!

    Thanks & Regards,
    LittlePro.
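
Added example (not part of any post in this thread, and not code from crypto or FreeStyler): a Python script that triages saved SignTool output like the listing in post #12. It takes the verdict from the "Successfully verified" lines and the error count, which is where that listing reports success despite the capitalised catalog line, and checks that the signing certificates had not yet expired at the signature timestamp. The names `triage`, `EXPECTED` and the abridged `SAMPLE` are assumptions made for this example.

```python
import re
from datetime import datetime

# Abridged from the SignTool output quoted in post #12; not a fresh capture.
SAMPLE = """\
UNABLE TO VERIFY THIS FILE USING A CATALOG.
Signing Certificate Chain:
Issued to: Microsoft Windows Hardware Compatibility
Expires: 12/31/2002 12:30:00 PM
Issued to: Microsoft Windows Hardware Compatibility Publisher
Expires: 12/30/2002 12:30:00 PM
The signature is timestamped: 5/29/2002 12:48:51 AM
Timestamp Verified by:
Issued to: VeriSign Time Stamping Service
Expires: 1/7/2004 5:29:59 AM
Successfully verified: OEMBIOS.CAT
Number of errors: 0
Successfully verified: OEMBIOS.BIN
Successfully verified: OEMBIOS.DAT
Successfully verified: OEMBIOS.SIG
"""
FMT = "%m/%d/%Y %I:%M:%S %p"  # US date layout used in the quoted output
EXPECTED = {"OEMBIOS.CAT", "OEMBIOS.BIN", "OEMBIOS.DAT", "OEMBIOS.SIG"}
SIGNING = "Signing Certificate Chain:"

def triage(text, expected=EXPECTED):
    """Summarise SignTool verify output (hypothetical helper for this example)."""
    verified, chain, section = set(), [], None
    stamped = name = errors = None
    for line in map(str.strip, text.splitlines()):
        if line in (SIGNING, "Timestamp Verified by:"):
            section = line  # remember which certificate chain we are inside
        elif m := re.match(r"Issued to: (.+)", line):
            name = m.group(1)
        elif (m := re.match(r"Expires: (.+)", line)) and section == SIGNING:
            chain.append((name, datetime.strptime(m.group(1), FMT)))
        elif m := re.match(r"The signature is timestamped: (.+)", line):
            stamped = datetime.strptime(m.group(1), FMT)
        elif m := re.match(r"Successfully verified: (\S+)", line):
            verified.add(m.group(1).upper())
        elif m := re.match(r"Number of errors: (\d+)", line):
            errors = int(m.group(1))
    # A signing certificate only has to be valid at the timestamp; with no
    # timestamp it is judged against the current time. No error count => not ok.
    ref = stamped or datetime.now()
    expired = [n for n, exp in chain if exp < ref]
    missing = set(expected) - verified
    return {"ok": not missing and errors == 0 and not expired,
            "missing": missing, "expired_at_signing": expired, "timestamp": stamped}
```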
     
  13. LittlePro

    LittlePro MDL Novice

    Jan 19, 2017
    27
    2
    0
    #13 LittlePro, Feb 11, 2017
    Last edited: Feb 11, 2017
    Hi All,
    It's time to offer some help to novice users (like me) in verifying OEMBIOS sets and understanding it as per this thread. We will be going with XP OEMBIOS set verification.

    [CREDITS : crypto, FreeStyler & All ! ]

    Sir(s),
    1. Make a system restore point first.
    2. Extract the OEMBIOS set & crypto's archive (the very first post) into the same folder.
    3. Go to the 4th or 5th step according to the OS you are running the test from.
    4. If you are doing it from XP:
    Just run any one of the two scripts (ending with the .cmd extension) by double-clicking and get the results.
    OR
    5. If you are doing it from an OS other than XP (Vista, 7, etc.),
    you need to replace the contents of any one of crypto's script files (with the .cmd extension) with the one provided by FreeStyler for XP (first post on this page), without any other change in the extracted folder. So here we go:
    (a) Copy any one of the two scripts provided by FreeStyler for XP to a document: WordPad, MS Word, text, etc.
    (b) Select & right-click one of crypto's scripts in the extracted folder and go for 'EDIT' (it will open in Notepad).
    (c) Now select the whole contents and delete them.
    (d) Now take FreeStyler's script text (previously copied to a document), paste it into the script and save the script (with the original .cmd extension).
    (e) Now we can run the script anytime and get the results.

    [CONCEPTS: crypto's script checks the XP OEMBIOS set against the running OS, assuming it is an XP OS, which is not true (we are running the script from an OS other than XP), so it doesn't produce valuable results. But FreeStyler put the XP code in the script, and now it checks the OEMBIOS set against that code and the results are fine and valuable!
    We may change the name of the script, but it is not needed and does not matter, as long as its extension is '.cmd' (as in the originals).
    There is another way in which we don't change the extracted folder/crypto's scripts. We forget crypto's scripts; instead, we make a new script with FreeStyler's text and just place it in the extracted folder. Here is how we do it: (a) open a new Notepad, (b) paste the XP script text provided by FreeStyler (any one of the two) into Notepad, (c) save it as a file with the extension '.cmd' (without quotes), (d) and finally, place the file in the extracted folder. Now we can run this new script anytime and get the results. Likewise, Notepad, different texts, formats, etc. & different file extensions such as .bat, .cmd, etc. are used together to perform different actions.]

    Are you getting capicom.dll/signtool errors in the results? Just wait a little!

    Thanks & Regards,
    LittlePro.
     
  14. LittlePro

    LittlePro MDL Novice

    Jan 19, 2017
    27
    2
    0
    #14 LittlePro, Apr 15, 2017
    Last edited: Apr 15, 2017
    Are you getting 'capicom.dll/signtool' errors in the results? Just wait a little!

    So, I am back here, sorry for the delay!

    The procedure involves: one download from the official Microsoft website, extracting 'capicom.dll' and finally, placing & registering it in the folder appropriate for a 32- or 64-bit OS. (Throughout the process, ignore the quotes, i.e. ' ' & '' ''.)

    1. Download: google 'capicom.dll download' and go for the official Microsoft download.

    Platform SDK Redistributable: CAPICOM
    Version: 2.1.0.2
    File Name: capicom_dc_sdk.msi
    Date Published: 9/26/2016
    File Size: 1.8 MB
    (You don't need to go/care for further details; just download & follow here.
    It would work for 32 & 64 bit OS and XP through Windows 8; I don't know about Windows 10.)

    2. Extracting capicom.dll
    (First make a system restore point as a precaution, as always!)
    There are various ways to extract the downloaded file to get capicom.dll:
    (a) Install one of the archivers, i.e. 7-Zip, WinRAR, HaoZip, Bandizip, PowerArchiver etc., and use it (mine is 7-Zip).
    (b) Use the portable dedicated tool 'Less MSIérables' or 'LessMSI' (I think the best & easiest way from any point of view).
    (c) Extract the MSI file using the command line, i.e. from the command prompt / Run box:

    msiexec /a pathtoMSIfile /qn TARGETDIR=pathtotargetfolder

    For example, I have placed 'capicom_dc_sdk.msi' in 'c:\NewFolder1' and want to get it extracted to 'c:\NewFolder2' (both folders 'NewFolder1' & 'NewFolder2' were made temporarily in 'c:\', i.e. in the c: root, and do not have any space in the name!)

    msiexec /a c:\NewFolder1\capicom_dc_sdk.msi /qn TARGETDIR=c:\NewFolder2

    and I get capicom.dll @ 'c:\NewFolder2\PFiles\Microsoft CAPICOM 2.1.0.2 SDK\Lib\x86\'

    3. Placing & registering 'capicom.dll' (this needs administrator rights)

    (a) In a 32-bit OS:

    Place capicom.dll in 'c:\Windows\System32' (obviously the root and not a subfolder!) and find 'cmd.exe' in the same folder. Right-click cmd.exe and go for 'Run as administrator', then type 'regsvr32 capicom.dll' @ the command prompt and press 'Enter'. For example:

    Navigate to the folder 'c:\Windows\System32', place 'capicom.dll' there, find 'cmd.exe' in the same folder and run it as administrator, and then register capicom.dll @ the command prompt, i.e.
    'c:\Windows\System32>regsvr32 capicom.dll' and press 'Enter'.

    (b) Similarly it has to be done in a 64-bit OS, but the folder 'System32' is replaced by 'SysWOW64', just next to 'System32' in a 64-bit OS! For example:

    Navigate to the folder 'c:\Windows\SysWOW64', place capicom.dll there (in the root & not in a subfolder, as above!). Then find cmd.exe in the same folder and run it as administrator, and then register capicom.dll @ the command prompt, i.e.
    'c:\Windows\SysWOW64>regsvr32 capicom.dll' & press 'Enter'.

    Now, run the scripts as told earlier and, if everything was done well, there should be no signtool/capicom.dll error anymore. It works for various capicom.dll issues and purposes.

    Thanks & Regards,
    LittlePro.