DELTA_HEADER_INFO Flags offset
stdin82 opened this issue · comments
For PA30 delta file, which offset the DELTA_HEADER_INFO Flags is located?
there is this file which has unusual Flags value, and it fail to expand
sxsexp64.exe driver.stl driver2.stl
Processing target path driver.stl
driver.stl => driver2.stl
File size 20377 bytes
DCN_HEADER found, querying delta info.
DELTA_HEADER_INFO
FileTypeSet 00000000000000F5
FileType 0000000000000001 (DELTA_FILE_TYPE_RAW)
Flags 000000000A060000
TargetSize 000000000000614D
TargetFileTime EED51080:01D99904
TargetHashAlgId 00008003
TargetHash->HashSize 00000010
TargetHash->Hash 311f43e318e3555bd5e86cd3010e3b50
i'm trying to modify the Flags to see if the file is originally incorrect, or the file format is changed/undocumented
the original file is plain PA30 file from Win10 CU Windows10.0-KB5028166-x64-baseless
https://uupdump.net/findfiles.php?id=49c101a1-1044-43d6-83ee-c8baebfa69a1&q=Windows%20KB
FileTypeSet from your output doesn't correspond to any known DELTA_FILE_TYPE_* values in msdelta.h and looks invalid. Forgive me it's DELTA_FILE_TYPE_SET_EXECUTABLES_3.
While TargetSize seems valid, HashAlgId is CALG_MD5 and the hash value are also looks valid. Combination of Flags looks invalid.
PA30 format is officially undocumented by MS. MsDelta API is very poorly documented and it is a quest to find info about it on their own website. As source of further RE you can try msdelta.dll (with symbols), unfortunately this stuff is written in modern crapware C++ which will complicate process.
I may update this tool to include more diagnostic messages, however do not expect any breaking changes, this tool was always just a side work result not something I'm interested in.
edit:
Your file contain the following combination of flags
DELTA_FLAG_IGNORE_FILE_SIZE_LIMIT | DELTA_FLAG_IGNORE_OPTIONS_SIZE_LIMIT | 0x02000000 | 0x08000000
meaning of 0x02000000 and 0x08000000 are unknown, at least they are not in my SDK files.
edit: Your file contain the following combination of flags
DELTA_FLAG_IGNORE_FILE_SIZE_LIMIT | DELTA_FLAG_IGNORE_OPTIONS_SIZE_LIMIT | 0x02000000 | 0x08000000
meaning of 0x02000000 and 0x08000000 are unknown, at least they are not in my SDK files.
Thanks
yes, that what i guessed too, but didn't find those unknown flags
driver.stl is the only file in the entire update with that unusual flag, so i'm keen to think it's malformed file
x86 version of driver.stl itself from Windows10.0-KB5028166-x86-baseless has correct flag and extract successfully
It turns out this is not a bug but Windows 11 update improvements. Internal Windows update now seems using new version of MsDelta API that is not documented and handling files like in issue starter post. These unknown flags combinations above seems indicate this new API usage.
Since this update component is an internal part of update stack it seems it only present in system during update process. The core library that does the stuff named "UpdateCompression.dll" and it is a new version of MsDelta.dll with only support to in-memory operations compared to Windows built-in MsDelta.dll that can also work directly with files.
I'll update SXSEXP to be able to use any suitable MsDelta API dll - just drop dll to the same folder as compiled exe and rename it to msdelta.dll. While they all export same core functions and their prototypes are not changed - it should work.
UpdateCompression.dll
SHA1 4640d741276d4cd7a4353147617b3fe42b2adb94
SHA256 f647bae4901c76148196adcdb000b65f3a8fc97925966378cd309f68b71c200d
Thanks :)
i wonder why they use it on Win10 updates where it doesn't exist
Win11 has it for 253xx canary builds range (including Server 23H2)
UpdateCompression.dll
SHA1 4640d741276d4cd7a4353147617b3fe42b2adb94 SHA256 f647bae4901c76148196adcdb000b65f3a8fc97925966378cd309f68b71c200d
Just download the latest file from here:
https://winbindex.m417z.com/?arch=insider&file=updatecompression.dll
arch=x86 for sxsexp32.exe, arch=x64 for sxsexp64.exe