Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DELTA_HEADER_INFO Flags offset #6

Closed
stdin82 opened this issue Jul 15, 2023 · 6 comments
Closed

DELTA_HEADER_INFO Flags offset #6

stdin82 opened this issue Jul 15, 2023 · 6 comments
Labels
enhancement

Comments

@stdin82
Copy link

stdin82 commented Jul 15, 2023

For PA30 delta file, which offset the DELTA_HEADER_INFO Flags is located?

there is this file which has unusual Flags value, and it fail to expand

sxsexp64.exe driver.stl driver2.stl
Processing target path  driver.stl
driver.stl => driver2.stl
File size               20377 bytes

DCN_HEADER found, querying delta info.


DELTA_HEADER_INFO

 FileTypeSet            00000000000000F5
 FileType               0000000000000001 (DELTA_FILE_TYPE_RAW)
 Flags                  000000000A060000
 TargetSize             000000000000614D
 TargetFileTime         EED51080:01D99904
 TargetHashAlgId        00008003
 TargetHash->HashSize   00000010
 TargetHash->Hash       311f43e318e3555bd5e86cd3010e3b50

i'm trying to modify the Flags to see if the file is originally incorrect, or the file format is changed/undocumented

the original file is plain PA30 file from Win10 CU Windows10.0-KB5028166-x64-baseless
https://uupdump.net/findfiles.php?id=49c101a1-1044-43d6-83ee-c8baebfa69a1&q=Windows%20KB

file.zip
@hfiref0x
Copy link
Owner

hfiref0x commented Jul 19, 2023
edited
Loading

FileTypeSet from your output doesn't correspond to any known DELTA_FILE_TYPE_* values in msdelta.h and looks invalid. Forgive me it's DELTA_FILE_TYPE_SET_EXECUTABLES_3.

While TargetSize seems valid, HashAlgId is CALG_MD5 and the hash value are also looks valid. Combination of Flags looks invalid.

PA30 format is officially undocumented by MS. MsDelta API is very poorly documented and it is a quest to find info about it on their own website. As source of further RE you can try msdelta.dll (with symbols), unfortunately this stuff is written in modern crapware C++ which will complicate process.

I may update this tool to include more diagnostic messages, however do not expect any breaking changes, this tool was always just a side work result not something I'm interested in.

edit:
Your file contain the following combination of flags

DELTA_FLAG_IGNORE_FILE_SIZE_LIMIT | DELTA_FLAG_IGNORE_OPTIONS_SIZE_LIMIT | 0x02000000 | 0x08000000

meaning of 0x02000000 and 0x08000000 are unknown, at least they are not in my SDK files.

@stdin82
Copy link
Author

stdin82 commented Jul 19, 2023
edited
Loading

edit: Your file contain the following combination of flags

DELTA_FLAG_IGNORE_FILE_SIZE_LIMIT | DELTA_FLAG_IGNORE_OPTIONS_SIZE_LIMIT | 0x02000000 | 0x08000000

meaning of 0x02000000 and 0x08000000 are unknown, at least they are not in my SDK files.

Thanks
yes, that what i guessed too, but didn't find those unknown flags

driver.stl is the only file in the entire update with that unusual flag, so i'm keen to think it's malformed file
x86 version of driver.stl itself from Windows10.0-KB5028166-x86-baseless has correct flag and extract successfully

@abbodi1406 abbodi1406 mentioned this issue Aug 25, 2023
Open
@hfiref0x hfiref0x reopened this Dec 13, 2023
@hfiref0x
Copy link
Owner

It turns out this is not a bug but Windows 11 update improvements. Internal Windows update now seems using new version of MsDelta API that is not documented and handling files like in issue starter post. These unknown flags combinations above seems indicate this new API usage.

Since this update component is an internal part of update stack it seems it only present in system during update process. The core library that does the stuff named "UpdateCompression.dll" and it is a new version of MsDelta.dll with only support to in-memory operations compared to Windows built-in MsDelta.dll that can also work directly with files.

I'll update SXSEXP to be able to use any suitable MsDelta API dll - just drop dll to the same folder as compiled exe and rename it to msdelta.dll. While they all export same core functions and their prototypes are not changed - it should work.

hfiref0x added a commit that referenced this issue Dec 13, 2023
@hfiref0x
v 1.4.1
289bf9b 
Address #6
@hfiref0x
Copy link
Owner

UpdateCompression.dll

SHA1 4640d741276d4cd7a4353147617b3fe42b2adb94
SHA256 f647bae4901c76148196adcdb000b65f3a8fc97925966378cd309f68b71c200d

@stdin82
Copy link
Author

stdin82 commented Dec 13, 2023

Thanks :)
i wonder why they use it on Win10 updates where it doesn't exist
Win11 has it for 253xx canary builds range (including Server 23H2)

@justanotheranonymoususer
Copy link

UpdateCompression.dll

SHA1 4640d741276d4cd7a4353147617b3fe42b2adb94 SHA256 f647bae4901c76148196adcdb000b65f3a8fc97925966378cd309f68b71c200d

Just download the latest file from here:
https://winbindex.m417z.com/?arch=insider&file=updatecompression.dll

arch=x86 for sxsexp32.exe, arch=x64 for sxsexp64.exe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@justanotheranonymoususer @hfiref0x @stdin82