# Decompress Manifests files found in the WinSxS folder



## TristanLeBoss (Apr 27, 2016)

Hello,

I am wondering how to decompress the *.manifest files which can be found in the Windows\WinSxS folder.

Since Windows 8, those file are null-delta compressed. (cf. http://i1.blogs.technet.com/b/askco...ng-reduction-of-windows-footprint-part-2.aspx)

The Delta Compression APIs are explained on this page: https://msdn.microsoft.com/en-us/library/bb417345.aspx
Basically, the compression is relative to a source file: the compressed file is kind of a compressed diff. You need to have the original file and the compressed file (the delta).
But, you can also use it as a simple compressor without providing a source file (NULL).

I successfully made a small test program in C++ to compress/decompress a file using MSDelta API (CreateDelta, GetDelataInfo & ApplyDelta). The compressed file (the delta) starts with "PA30" bytes.

Unfortunately, the manifest files starts with "DCM\x01PA30" and if I try to use the GetDeltaInfo function on a manifest file, it fails. If I remove the "DCM\x01" bytes, the GetDeltaInfo function works but the ApplyDelta function fails with error 13 (Invalid data).

So, I found the DLL responsible for the manifest compression is "wcp.dll". Inside this DLL, 2 functions are interesting:

[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@@Z
-> this one contains the "DCM\x01" string
[email protected]@[email protected]@[email protected]@[email protected][email protected]@@[email protected]@Z

Thanks to IDA Hex-rays, I can confirm these functions uses the MSDelta APIs for sure. But I'm a bit lost when I try to find out what differs from a basic compression.

Is someone talented enough in RE to help me find out?

Thanks


----------



## MagicAndre1981 (Apr 28, 2016)

try lzmsexpand from Alex Ionescu:

https://twitter.com/aionescu/status/597520706876801024


----------



## TristanLeBoss (May 3, 2016)

MagicAndre1981 said:


> try lzmsexpand from Alex Ionescu:
> 
> https://twitter.com/aionescu/status/597520706876801024

Click to collapse



Thanks. It was not exactly the right tool (even if I may need it at some point) but thanks to you I found the right tool:

http://forums.mydigitallife.info/th...ty-SxS-Package-Extractor-(Updated-2013-09-30)

http://forums.mydigitallife.info/threads/48613-Aunty-Mel-s-Cheap-And-Nasty-SxS-File-Expander


----------



## blala (Sep 17, 2017)

Just dropping in to say i wrote a working tool for this task 
You can find it here: https://github.com/smx-smx/wcpex


```
$ ./wcpex.exe amd64_avc.inf_31bf3856ad364e35_10.0.15063.0_none_bd6d26a0caecd0e5.manifest
Size: 349
Type is 4
InitializeDeltaCompressor: 0x00000000
LoadFirstResourceLanguageAgnostic: 0x00000000
==> Dictionary
 >6A230000 00000000 6A230000 00000000< j#......j#...... zX
 >A090CC9A F87F0000<                   ........         zX
DeltaDecompressBuffer: 0x00000000
==> Out Blob
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0" copyright="Copyright (c) Microsoft Corporation. All Rights Reserved.">
  <assemblyIdentity name="avc.inf" version="10.0.15063.0" processorArchitecture="amd64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" type="driverUpdate" />
  <dependency discoverable="no" resourceType="Resources">
    <dependentAssembly dependencyType="prerequisite">
      <assemblyIdentity name="avc.inf.Resources" version="10.0.15063.0" processorArchitecture="amd64" language="*" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" />
    </dependentAssembly>
  </dependency>
  <file name="avc.inf" sourceName="avc.inf" importPath="$(build.nttree)\driver_infs\">
    <infFile xmlns="urn:schemas-microsoft-com:asm.v3" />
    <asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:Transforms>
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
      <dsig:DigestValue>yWTFi0fUQfXTtMUaxUpUiaO+HxxSBrmdNsqbzrssmcg=</dsig:DigestValue>
    </asmv2:hash>
  </file>
  <file name="avc.sys" sourceName="avc.sys" importPath="$(build.nttree)\">
    <signatureInfo>
      <signatureDescriptor DRMLevel="1300" />
    </signatureInfo>
    <asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:Transforms>
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
      <dsig:DigestValue>qqYc6rf3aSzmaAkhgEu+5iZZq6TliVhqK5SRGx2ahqg=</dsig:DigestValue>
    </asmv2:hash>
  </file>
  <file name="avcstrm.sys" sourceName="avcstrm.sys" importPath="$(build.nttree)\">
    <asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:Transforms>
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
      <dsig:DigestValue>k8NVRLU9Ch+8vDFl2lQZsnfUWCyjWPxFvq5YPCRB/hY=</dsig:DigestValue>
    </asmv2:hash>
  </file>
  <deployment xmlns="urn:schemas-microsoft-com:asm.v3" />
</assembly>
```


----------

