Update version 2, 20.05.12: A program to recompile bootmgr.exe into bootmgr, ready for booting: http://reboot.pro/fi...mgr-recompiler/ or http://www.mediafire...d9pyrn578bvxbww
It uses RtlCompressBuffer and RtlGetCompressionWorkSpaceSize in ntdll.dll. The single parameter is supplied through an input box and is the CompressionFormatAndEngine bitmask. It can be given in decimal or in hex (prefixed with 0x). Obviously, you must run the attached program in Windows 8, unless you just want compression with LZNT1. Explanation of the possible valid parameters:
COMPRESSION_FORMAT_NONE = 0x0000
COMPRESSION_FORMAT_DEFAULT = 0x0001
COMPRESSION_FORMAT_LZNT1 = 0x0002
COMPRESSION_FORMAT_XPRESS = 0x0003
COMPRESSION_FORMAT_XPRESS_HUFF = 0x0004
COMPRESSION_ENGINE_STANDARD = 0x0000
COMPRESSION_ENGINE_MAXIMUM = 0x0100
So to compress with Xpress Huffman (format 0x0004 with the maximum engine flag 0x0100), supply either 260 or 0x104.
Basic structure of bootmgr:
1. 16-bit stub with code to unpack, evaluate and execute the compressed part. About 2x KB.
2. A 16-byte section with some information that the 16-bit stub evaluates.
3. A tiny 8192-byte PE image, with unknown function. Its content is not evaluated.
4. The compressed 32-bit executable bootmgr.exe.
This matches previous versions, the main difference being the compression engine used on the 32-bit executable. Another small difference is the small section right before the tiny PE image. Take a look at this image:
At offset 0x68a0 I have identified 4 values:
byte 1-4: a signature
byte 5-8: the compressed size of bootmgr.exe
byte 9-12: the uncompressed size of bootmgr.exe
byte 13-16: the relative offset to the compressed data, calculated from the start of this section (i.e. the signature)
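To make the layout above concrete, here is a small parser for that 16-byte section plus a consistency check of its fields against the rest of the image. This is an added example written for this page, not code from the recompiler tool linked above. It assumes the four fields are little-endian 32-bit values, that the compressed data starts directly after the 8192-byte tiny PE image (so the relative offset is 16 + 8192), and it uses a made-up placeholder signature, since the page does not give the real signature value; the sample image it builds is entirely constructed.

```python
import struct

# Offset of the 16-byte section in the bootmgr the post describes (version 6.2.8250.0).
HEADER_OFFSET = 0x68A0
HEADER_LEN = 16
# Assumption (not stated on the page): the tiny PE image is 8192 bytes and the
# compressed data directly follows it, so the relative offset from the signature
# is HEADER_LEN + TINY_PE_LEN.
TINY_PE_LEN = 8192


def parse_header(data, offset=HEADER_OFFSET):
    """Decode the four little-endian 32-bit fields of the 16-byte section.

    bytes 1-4   signature (kept raw; the page does not give its value)
    bytes 5-8   compressed size of bootmgr.exe
    bytes 9-12  uncompressed size of bootmgr.exe
    bytes 13-16 offset of the compressed data, relative to the signature
    """
    if offset < 0 or offset + HEADER_LEN > len(data):
        raise ValueError("image too short for a header at 0x%x" % offset)
    sig, csize, usize, rel = struct.unpack_from("<4sIII", data, offset)
    return {
        "signature": sig,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "rel_offset": rel,
        "data_offset": offset + rel,  # absolute file offset of the compressed blob
    }


def check_header(data, offset=HEADER_OFFSET):
    """Return a list of inconsistencies between the header and the image (empty = consistent)."""
    h = parse_header(data, offset)
    problems = []
    end = h["data_offset"] + h["compressed_size"]
    if h["compressed_size"] == 0:
        problems.append("compressed size is zero")
    if end > len(data):
        problems.append("compressed data runs past end of image "
                        "(ends at 0x%x, image is 0x%x bytes)" % (end, len(data)))
    if h["uncompressed_size"] < h["compressed_size"]:
        problems.append("uncompressed size is smaller than compressed size")
    if h["rel_offset"] < HEADER_LEN:
        problems.append("relative offset points inside the header itself")
    return problems


def build_sample_image(compressed_blob, uncompressed_size, signature=b"SIG?"):
    """Construct a synthetic image with the post's layout (stub, header, tiny PE, blob).

    Everything here is made up for the demonstration: the stub and tiny PE are
    zero-filled and the signature is a placeholder, not the real one.
    """
    header = struct.pack("<4sIII", signature, len(compressed_blob),
                         uncompressed_size, HEADER_LEN + TINY_PE_LEN)
    return b"\x00" * HEADER_OFFSET + header + b"\x00" * TINY_PE_LEN + compressed_blob


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Inspect a real bootmgr given on the command line.
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        # No file given: fall back to the constructed sample image.
        image = build_sample_image(b"\xAB" * 1000, 3000)
    hdr = parse_header(image)
    print("signature         : %r" % hdr["signature"])
    print("compressed size   : %d" % hdr["compressed_size"])
    print("uncompressed size : %d" % hdr["uncompressed_size"])
    print("compressed data at: 0x%x" % hdr["data_offset"])
    for p in check_header(image):
        print("PROBLEM:", p)
```

Run it with a path to a bootmgr file to dump the fields, or with no argument to see it work on the constructed sample. The check only validates that the sizes and offset are internally consistent with the image length; it does not verify the signature value or decompress the payload.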
When we modify the 32-bit executable, we must deal with an incorrect checksum of the executable as well as an invalidated digital signature. For the checksum the easiest way is to just update it. To deal with the digital signature we have 2 options:
1. Configure TESTSIGNING in BCD on the entry for {bootmgr}, or
2. Change code in bootmgr.exe to deactivate the check.
For the sake of a challenge we choose number 2 and modify code. First we remove the digital signature because it is no longer needed. The relevant parts to change for version 6.2.8250.0 are:
At VA 401263 change these 6 bytes:
0f8862020000 -> 909090909090 (a conditional jump is nopped out)
Furthermore, to deactivate the signature check of winload.exe we need to change a few more bytes.
At VA 42935e change these 2 bytes:
7415 -> eb15 (a conditional jump is changed to a short jump)
At VA 429385 change these 2 bytes:
7507 -> eb07 (a conditional jump is changed to a short jump)
So to reassemble bootmgr after modification:
Use the tool linked above: http://reboot.pro/fi...mgr-recompiler/ or http://www.mediafire...d9pyrn578bvxbww
Have fun!