Wednesday, April 27, 2016

Decompress Manifests files found in the WinSxS folder

Hello,

I am wondering how to decompress the *.manifest files which can be found in the Windows\WinSxS folder.

Since Windows 8, those files are null-delta compressed. (cf. http://ift.tt/1NABuBn)

The Delta Compression APIs are explained on this page: http://ift.tt/24kpKHy
Basically, the compression is relative to a source file: the compressed file is kind of a compressed diff. You need to have the original file and the compressed file (the delta).
But, you can also use it as a simple compressor without providing a source file (NULL).

I successfully made a small test program in C++ to compress/decompress a file using MSDelta API (CreateDelta, GetDeltaInfo & ApplyDelta). The compressed file (the delta) starts with "PA30" bytes.

Unfortunately, the manifest files start with "DCM\x01PA30" and if I try to use the GetDeltaInfo function on a manifest file, it fails. If I remove the "DCM\x01" bytes, the GetDeltaInfo function works but the ApplyDelta function fails with error 13 (Invalid data).

So, I found the DLL responsible for the manifest compression is "wcp.dll". Inside this DLL, 2 functions are interesting:

?CompressManifest@Rtl@Implementation@WCP@Windows@@YAJK_NPEBU_LBLOB@@PEAUIRtlFile@14@@Z
-> this one contains the "DCM\x01" string
?DecompressManifest@Rtl@Implementation@WCP@Windows@@YAJKPEAV?$Auto@U_LBLOB@@@4@PEAK@Z

Thanks to IDA Hex-rays, I can confirm these functions use the MSDelta APIs for sure. But I'm a bit lost when I try to find out what differs from a basic compression.

Is someone talented enough in RE to help me find out?

Thanks



from xda-developers http://ift.tt/24kpM2g
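
Added example (not part of the original post, and not code from wcp.dll or MSDelta): a header triage script built only on the two magic values the post reports, "DCM\x01" and "PA30". It shows where the PA30 signature sits in each file, which is why GetDeltaInfo rejects an unmodified manifest; the names Header, classify, delta_payload and triage are hypothetical, and the sample bytes in the demo are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

DCM_MAGIC = b"DCM\x01"   # wrapper the post found in front of Windows 8+ manifests
PA30_MAGIC = b"PA30"     # signature the post found at the start of an MSDelta delta

@dataclass(frozen=True)
class Header:
    kind: str            # "dcm+pa30", "pa30", "dcm-unknown", "truncated" or "other"
    delta_offset: int    # offset of the PA30 signature, -1 when there is none

def classify(data: bytes) -> Header:
    """Classify a manifest by its leading bytes (8 bytes are enough)."""
    if data.startswith(DCM_MAGIC):
        body = data[len(DCM_MAGIC):]
        if body.startswith(PA30_MAGIC):
            return Header("dcm+pa30", len(DCM_MAGIC))
        # Wrapper present, but what follows is too short or is not PA30.
        return Header("truncated" if len(body) < len(PA30_MAGIC) else "dcm-unknown", -1)
    if data.startswith(PA30_MAGIC):
        return Header("pa30", 0)
    if len(data) < len(PA30_MAGIC):
        return Header("truncated", -1)
    return Header("other", -1)          # for example a manifest stored as plain text

def delta_payload(data: bytes) -> bytes:
    """Return the bytes from the PA30 signature onward, for inspection only.
    Per the post, ApplyDelta with a NULL source still fails on this payload."""
    header = classify(data)
    if header.delta_offset < 0:
        raise ValueError(f"no PA30 delta found (header kind: {header.kind})")
    return data[header.delta_offset:]

def triage(folder: Path) -> Counter:
    """Count header kinds over every *.manifest file directly inside folder."""
    counts = Counter()
    for path in sorted(folder.glob("*.manifest")):
        with path.open("rb") as fh:
            counts[classify(fh.read(8)).kind] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample headers, not bytes taken from a real manifest.
    for sample in (b"DCM\x01PA30\x00\x00", b"PA30\x00\x00\x00\x00", b"<?xml ve", b"DCM\x01PA"):
        print(sample, classify(sample))
```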