[Question] In W8-1 and W2012 R2 manifests are packed. How to extract them to XMLtext?

Discussion in 'Windows 8' started by moderate, Sep 5, 2013.

  1. moderate

    moderate MDL Guru

    #1 moderate, Sep 5, 2013
    Last edited: Sep 5, 2013
    Hello,
    under W8-1 and W2012 R2 the manifests stored in:

    %windir%\winsxs\manifests\

    are compressed to some DAT format starting with strings:

    DCM and A30

    (in Total Commander Viewer).

    Pls how to extract them to plain text XML?

    Thanks...
     
  2. SuperBubble

    SuperBubble MDL Member

    Not just .manifest files, but some components that aren't installed by default (the TFTP client, for example) are compressed/encrypted (more or less) the same way.

    I went crazy Googling around trying to figure out the format, but gave up in disgust after a few days. The only thing I could think of would be to hook CBS with OllyDbg to figure out what's going on, but I'll leave that to someone with more knowledge on the subject than I. :(

    Sorry I can't be more help. Rest assured, I'm just as frustrated as you by this 'development'. :mad:
     
  3. SuperBubble

    SuperBubble MDL Member

    #3 SuperBubble, Sep 22, 2013
    Last edited: Sep 22, 2013
    Bump, for a damn good reason: (I think) I've identified the compression method - a bit of file comparison suggests it's a variation of Microsoft's semi-famous - but poorly-documented, since it's under patent - BDC (Binary Delta Compression).

    Does anyone know of a tool (besides EXPAND.EXE) that handles, or can at least tell us something about, BDC files?

    Bonus gun-jumping: I take it back: BDC (or at least the MS Patch API it's based upon) appears to be very well-documented. I'm slaving over a hot compiler as we speak (hurrah, a real language again after all that VBScript :D).
     
  4. moderate

    moderate MDL Guru

    I've tried expand.exe two weeks ago with no luck.
     
  5. SuperBubble

    SuperBubble MDL Member

    #5 SuperBubble, Sep 22, 2013
    Last edited: Sep 22, 2013
    Because EXPAND.EXE only handles BDC in very specific situations - and this isn't one of them. :rolleyes:

    I'm currently writing some native code to interface directly to MSDELTA.DLL. Haven't made much headway yet. The file format is becoming clearer to me though: the first four bytes (DCM$01 or DCN$01 usually) appear to be flags for compression/decompression, and the rest is just a standard BDC PA30-format compressed file, similar to the components of a Windows update.

    If I don't make a breakthrough in the next hour or so, I'll shim MSDELTA.DLL, and trap the calls made during the install of the TFTP client on Windows 8.1. That should reveal everything. :D
     
  6. moderate

    moderate MDL Guru

    Good, best will be Total Commander x64 plugin... :D
     
  7. NaiveUser

    NaiveUser MDL Senior Member

    Good luck! Maybe I'll also have a try later in case you didn't work it out :)
     
  8. SuperBubble

    SuperBubble MDL Member

  9. Stannieman

    Stannieman MDL Guru

    Epiiiiiiiiiic!
     
  10. murphy78

    murphy78 MDL DISM Enthusiast

  11. NaiveUser

    NaiveUser MDL Senior Member

    Excellent! Can you post a standalone exe that can extract .manifest files? :p
     
  12. moderate

    moderate MDL Guru

    Good job, SewerBubble :))
     
  13. Tito

    Tito Super Mod / Adviser
    Staff Member

  14. SuperBubble

    SuperBubble MDL Member

    #14 SuperBubble, Sep 22, 2013
    Last edited: Sep 26, 2013
    Gather around children, Aunty Mel has a present for all you good little boys and girls... :hug2:

    Bonus DON'T TOUCH THIS BUGGY CRAP: Superseded by the vastly superior (and updated!) version kept here.
     

  15. moderate

    moderate MDL Guru

    Nice, at least somebody has worked today :))

    Thanks...
     
  16. redroad

    redroad MDL Guru

  17. moderate

    moderate MDL Guru

    however, it doesn't want to extract the files :p

    ext.jpg
     
  18. murphy78

    murphy78 MDL DISM Enthusiast

    I'm in no way an expert on winsxs package extraction stuff, but are the files you are trying to extract, copied from the winsxs folder?
     
  19. moderate

    moderate MDL Guru

    I got your point. I'll try it again directly on W2012 R2 installation without copying the files elsewhere...
     
  20. SuperBubble

    SuperBubble MDL Member

    Ze Bubble has screwed up. I freely admit it.

    moderate's right. I've screwed up badly. :eek:

    There are two, slightly different, kinds of compression used in WinSxS: (what I call) the 'M1' method (used by .manifest files), and the 'N1' method (used by everything else, it seems). It was a mistake to ignore that four-byte header... :eek:

    My tool, as it is, only handles 'N1' compression. I've been working on it for the last few hours, and I'm not sure what's wrong. These are the possibilities, in increasing order of 'badness'.

    • Bug in my decompression routine. Unlikely, since it works on N1 just fine;
    • M1 isn't a truly 'source-less' delta. Most likely, just need to find the source file the delta applies to, and the file will decompress;
    • M1 is a noticeably different method to N1. Unlikely, but I'm really paranoid it could be true. :fear:
    Results pending...
     
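Added example, not part of the thread and not SuperBubble's tool: a Python sketch of the layout described in posts #5 and #20, which checks the four-byte header, confirms a PA30 stream follows, and on Windows hands that stream to msdelta.dll's ApplyDeltaB. It assumes the "$01" in post #5 means the byte 0x01; the function names are hypothetical, and for 'M1' files the source buffer, if one is needed, is left to the caller because the thread has not identified it.

```python
import ctypes
import sys

# Header values from post #5 (assumes "$01" is the byte 0x01); labels from post #20.
HEADERS = {b"DCM\x01": "M1", b"DCN\x01": "N1"}

def classify(blob):
    """Return (kind, delta): kind is 'M1', 'N1' or 'plain'; delta is the PA30 stream."""
    kind = HEADERS.get(blob[:4])
    if kind is None:
        return "plain", None              # no wrapper, e.g. an uncompressed manifest
    delta = blob[4:]
    if not delta.startswith(b"PA30"):
        raise ValueError("4-byte header is not followed by a PA30 delta")
    return kind, delta

class DELTA_INPUT(ctypes.Structure):      # layout as declared in msdelta.h
    _fields_ = [("lpStart", ctypes.c_void_p), ("uSize", ctypes.c_size_t),
                ("Editable", ctypes.c_int)]

class DELTA_OUTPUT(ctypes.Structure):
    _fields_ = [("lpStart", ctypes.c_void_p), ("uSize", ctypes.c_size_t)]

def _as_input(data):
    """Wrap bytes as a DELTA_INPUT; the buffer is returned too so it stays alive."""
    if not data:
        return DELTA_INPUT(None, 0, 0), None
    buf = ctypes.create_string_buffer(data, len(data))
    return DELTA_INPUT(ctypes.addressof(buf), len(data), 0), buf

def apply_delta(delta, source=b""):
    """Windows only: expand a PA30 delta with msdelta!ApplyDeltaB.
    An empty source is the 'source-less' case the thread reports working for N1."""
    if sys.platform != "win32":
        raise OSError("msdelta.dll is only available on Windows")
    dll = ctypes.WinDLL("msdelta.dll", use_last_error=True)
    dll.ApplyDeltaB.argtypes = [ctypes.c_int64, DELTA_INPUT, DELTA_INPUT,
                                ctypes.POINTER(DELTA_OUTPUT)]
    dll.ApplyDeltaB.restype = ctypes.c_int
    dll.DeltaFree.argtypes = [ctypes.c_void_p]
    src, _keep_src = _as_input(source)
    dlt, _keep_dlt = _as_input(delta)
    out = DELTA_OUTPUT()
    if not dll.ApplyDeltaB(0, src, dlt, ctypes.byref(out)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return ctypes.string_at(out.lpStart, out.uSize)
    finally:
        dll.DeltaFree(out.lpStart)        # msdelta allocated the output buffer
```

On a Windows host, `apply_delta(classify(data)[1])` covers the N1 case; the header check alone runs on any platform and is enough to sort a copied WinSxS tree into M1, N1 and uncompressed files.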