
Bootmgr Offset Question


47 replies to this topic

#26 laddanator

laddanator

    Frequent Member

  • Advanced user
  • 337 posts
  • Location:Virginia
  • Interests:Writing code and getting stuff to work when no one else can! Wrote a Windows Vista, 7, and 8 legal activation tool in VBscript and compiled it to exe. First project of this undertaking. Working on an AIO legal activation tool that includes XP.
  •  
    United States

Posted 27 December 2011 - 02:00 PM

The file NTBOOT-2011-12-14.iso\NTBOOT is an archive.
7-zip expands this to NTBOOT.BAT. There is a section :NT6.HDD calling :NT6_BOOT.
No, I can't explain details. Hopefully another member can explain details.


I've been playing around with NTBOOT most of the night. I like the fact it's kind of stand-alone, in that you can extract the ISO, put the files on your root and use a menu command from your main menu.lst to boot things. I am going to play around with it more today. Also been trying to read up on this wee (small grub4dos boot loader)... so much information I think my brain is going to explode! :blowup:

#27 steve6375

steve6375

    Platinum Member

  • Developer
  • 6765 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 27 December 2011 - 07:46 PM

The same method requires a setting for each different bootmgr.
A generic approach would be nice.

Next trial, use search/replace:

title Windows 7 setup \\boot\\bc1 - search replace
#set configfile \boot\bc1
#based on JFX http://sanbarrow.com/phpBB2/viewtopic.php?t=1807
#Bcdedit.exe /store \boot\bc1 /set {bootmgr} nointegritychecks 1
#use a non default directory at USB drive
set bootmgr=/boot/bootmgr
#set BCD_last_char=1

find --set-root --devices=h %bootmgr%
map --mem %bootmgr% (rd)
#
cat --locate="\x74\x03\xE9\x08\x00\x39\x56" --replace="\xEB\x08\xE9\x08\x00\x39\x56" (rd)+1

debug off
#flag at 0x60000 - 0 to do - other done
write 0x60000 0

#Vista SP0 bootmgr contains a unicode string \Boot\BCD, search '\BCD\x00'
checkrange 0 read 0x60000 && cat --locate="\\\x00B\x00C\x00D\x00\x00" --replace="\\\x00B\x00C\x001\x00\x00" (rd)+1 && write 0x60000 1
checkrange 1 read 0x60000 && echo Vista SP0

#Windows 7 SP0 and SP1 : search \x28\x43\x00\x44
#cat --locate="\x28\x43\x00\x44" --replace="\x28\x43\x00%BCD_last_char%" (rd)+1 && write 0x60000 2
checkrange 0 read 0x60000 && cat --locate="\x28\x43\x00D" --replace="\x28\x43\x001" (rd)+1 && write 0x60000 2
checkrange 2 read 0x60000 && echo Windows 7 SP0 or SP1

#Vista SP1, Vista SP1, Windows 7 RC Build 7100 : search \x43\x00\x44\x00
checkrange 0 read 0x60000 && cat --locate="\x43\x00\x44\x00" --replace="\x43\x001\x00" (rd)+1 && write 0x60000 3
checkrange 3 read 0x60000 && echo Vista SP1, Vista SP1, Windows 7 RC Build 7100

chainloader (rd)+1
root ()
boot

There is a generic string '74 03 E9 08 00 39 56' in all bootmgr files.
It appears once in the different bootmgr files.
Unfortunately there is no generic search string for the BCD file name.

How to use %BCD_last_char% in search/replace?

At second glance:
a search and replace at \x74\x03 and a different fixed offset for BC? may be nicer.

I think 'BCD' is stored as unicode, so you would need to search for

--locate="B\x00C\x00D\x00\x00"

You can use --replace with more or fewer bytes; it does not have to be the exact same number of bytes in the replace 'string'.

#28 laddanator

Posted 27 December 2011 - 09:27 PM

I think 'BCD' is stored as unicode, so you would need to search for


I thought it was too, but I could be wrong. I have tried a ton of different ways to offset the BCD on the fly. I am going to take a small hour break and get back to it soon.

#29 cdob

cdob

    Gold Member

  • Expert
  • 1402 posts

Posted 27 December 2011 - 10:34 PM

I think 'BCD' is stored as unicode

It's a clear string in Vista SP0. However, the string is compressed in later versions.
There is no matching unicode 'BCD' in later versions anymore.

Compare JFX's explanation.

Vista SP1 bootmgr 0x48830
00 42 00 8A 6F 00 08 74 02 48 43 00 44 00 98 08   .B.Šo..t.HC.D.˜.


#30 laddanator

Posted 27 December 2011 - 10:43 PM

It's a clear string in Vista SP0. However, the string is compressed in later versions.
There is no matching unicode 'BCD' in later versions anymore.


Crap! Back to the drawing board... :chair:

Thanks for the info, cdob

#31 cdob

Posted 29 December 2011 - 11:25 AM

New approach:
use a short string to search and replace, but search only in a part of bootmgr and use the first hit only.

title Windows 7 setup \\boot\\bc1
#use configfile \boot\bc1
#based on JFX http://sanbarrow.com/phpBB2/viewtopic.php?t=1807
#Bcdedit.exe /store \boot\bc1 /set {bootmgr} nointegritychecks 1
#use a non default directory at USB drive
set bootmgr=/boot/bootmgr

find --set-root --devices=h %bootmgr%
map --mem %bootmgr% (rd)
#ignore 16-Bit Stub checksum
cat --hex --locate=\x74\x3\xE9\x8\x0\x39\x56 --replace=\xEB\x8\xE9\x8\x0\x39\x56 (rd)+1
#half broken approach, works by chance at:
#Vista SP0, SP1, SP2 and Windows 7 beta 7000, RC 7100, SP0, SP1
#change chars CD from file name BCD                                            #   #
cat --hex --skip=0x48000 --length=0x18000 --number=1 --locate=C\x00D --replace=C\x001 (rd)+1
chainloader (rd)+1
root ()


#32 laddanator

Posted 29 December 2011 - 12:54 PM

New approach:
use a short string to search and replace, but search only in a part of bootmgr and use the first hit only.


I like it and will try this today. My question is, how would this offset to use the proper renumbered boot.wim?

Is this what this line does: --number=1 as in boot1.wim, --number=2 as in boot2.wim?

#33 cdob

Posted 29 December 2011 - 01:15 PM

My question is, how would this offset to use the proper renumbered boot.wim?

Boot.wim is not part of bootmgr. No, boot?.wim names won't work that way.

Boot.wim is part of the BCD file. You have to change this file.

#34 laddanator

Posted 29 December 2011 - 01:46 PM

Boot.wim is part of the BCD file. You have to change this file.


Right, but I have already changed mine to load the proper boot.wim. Example: bc1 loads my boot1.wim. What I would like to do is use one BCD and change it on the fly to the proper numbered boot?.wim.

My boot folder looks like this

bc1......
bc2
bc4
bc6
bcd

My source folder looks like this

boot1.wim....Win7x64(bc1)
boot2.wim....Win7x32(bc2)
boot4.wim....Vistax86(bc4)
boot6.wim.....Windows8(bc6)

These three are the menu choices in the plain bcd

Nod32.wim.....Nod32 Rescue(More Than 576 Ram)
32Bit.wim....DaRT 7.0 recovery x86
64Bit.wim.....DaRT 7.0 recovery x64

#35 cdob

Posted 29 December 2011 - 03:27 PM

My boot folder looks like this

bc1......
bc2

Do you like to call different bc? files?

Adjust the marked part
#   #

--replace=C\x001

BC1: --replace=C\x001
BC2: --replace=C\x002
BC3: --replace=C\x003

#36 laddanator

Posted 29 December 2011 - 03:49 PM

Do you like to call different bc? files?


No sir, I like your idea better. The way I listed above is how I have been doing it forever, because I needed the plain bcd to load my NOD and DaRT repair options (didn't want 100 things in the bcd menu). But I am going to give this a try.

#37 laddanator

Posted 29 December 2011 - 04:02 PM

BC1: --replace=C\x001
BC2: --replace=C\x002
BC3: --replace=C\x003


Ok, deleted the bc1...bc2...bc4...bc4 from my boot folder and just left the bcd. I was thinking the above code was to offset the bcd to, for example, bc1 or bc2 and so on, on the fly? When I booted the above command with just the bcd in the boot folder, I got

file: \boot\bc1

an error occurred


#Bcdedit.exe /store \boot\bc1 /set {bootmgr} nointegritychecks 1


I see this line has been rem'd, as I like to call it. Is this line supposed to be active?


Update

If I add my modded bc? back to my boot folder, the code works and my install starts up fine.

BC1: --replace=C\x001
BC2: --replace=C\x002
BC3: --replace=C\x003



#38 cdob

Posted 29 December 2011 - 07:32 PM

Ok, deleted the bc1...bc2...bc4...bc4 from my boot folder and just left the bcd.

Well, keep the files.

I was thinking the above code was to offset the bcd to, for example, bc1 or bc2 and so on, on the fly?

Yes, it does set the offset in bootmgr. It does call different bc? files.
Hence you have to have different bc? files.

The example is about using

#use configfile \boot\bc1


I see this line has been rem'd, as I like to call it. Is this line supposed to be active?

No, that's a remark to edit \boot\bc1 beforehand.

If I add my modded bc? back to my boot folder, the code works and my install starts up fine.

That's nice, works as designed.

#39 laddanator

Posted 29 December 2011 - 07:44 PM

Is this method

title Windows 7 setup \\boot\\bc1
#use configfile \boot\bc1
#based on JFX http://sanbarrow.com/phpBB2/viewtopic.php?t=1807
#Bcdedit.exe /store \boot\bc1 /set {bootmgr} nointegritychecks 1
#use a non default directory at USB drive
set bootmgr=/boot/bootmgr

find --set-root --devices=h %bootmgr%
map --mem %bootmgr% (rd)
#ignore 16-Bit Stub checksum
cat --hex --locate=\x74\x3\xE9\x8\x0\x39\x56 --replace=\xEB\x8\xE9\x8\x0\x39\x56 (rd)+1
#half broken approach, works by chance at:
#Vista SP0, SP1, SP2 and Windows 7 beta 7000, RC 7100, SP0, SP1
#change chars CD from file name BCD                                            #   #
cat --hex --skip=0x48000 --length=0x18000 --number=1 --locate=C\x00D --replace=C\x001 (rd)+1
chainloader (rd)+1
root ()

a more accurate way to offset than the below way?

map --mem %bootmgr% (rd)
write --offset=0x105E (rd)+1 \xEB\x08
cat --hex --skip=0x54696 --length=1 --locate=D (rd)+1 && set offset=0x54696
cat --hex --skip=0x54735 --length=1 --locate=D (rd)+1 && set offset=0x54735
write --offset=%offset% (rd)+1 4
chainloader (rd)+1
root ()


#40 cdob

Posted 29 December 2011 - 08:23 PM

Is this method a more accurate way to offset than the below way?

That's a nice question.
Feel free to write a master thesis.
Consider string length, probability, fixed offset, Gaussian distribution and so on.

#41 laddanator

Posted 29 December 2011 - 08:45 PM

That's a nice question.
Feel free to write a master thesis.
Consider string length, probability, fixed offset, Gaussian distribution and so on.


This must be a joke, right? :) I wasn't criticizing, just wondering, because both commands seem to work fine but this one seems to be neater in the way it offsets.

cat --hex --locate=\x74\x3\xE9\x8\x0\x39\x56 --replace=\xEB\x8\xE9\x8\x0\x39\x56 (rd)+1
#half broken approach, works by chance at:
#Vista SP0, SP1, SP2 and Windows 7 beta 7000, RC 7100, SP0, SP1
#change chars CD from file name BCD                                            #   #
cat --hex --skip=0x48000 --length=0x18000 --number=1 --locate=C\x00D --replace=C\x001 (rd)+1
chainloader (rd)+1
root ()

Thanks for the info. :thumbsup:

#42 laddanator

Posted 30 December 2011 - 03:40 AM

cdob, do you have another one I could try? All the other codes work fine. I like all the codes so far.

#43 cdob

Posted 04 January 2012 - 11:24 PM

a more accurate way to offset than the below way?

This must be a joke, right? :)

Translate previous reply to: I've no idea.

What's more accurate?
one char at a fixed location
a three char string within a given range

Another one: a three char string at a fixed location

title Windows 7 setup \\boot\\bc1
#set configfile \boot\bc1
#based on JFX http://sanbarrow.com/phpBB2/viewtopic.php?t=1807
#Bcdedit.exe /store \boot\bc1 /set {bootmgr} nointegritychecks 1
#use a non default directory at USB drive
set bootmgr=/boot/bootmgr

find --set-root --devices=h %bootmgr%
map --mem %bootmgr% (rd)
cat --hex --skip=0xE28 --length=0x1200 --locate=\x74\x3\xE9\x8\x0\x39\x56 --replace=\xEB\x8\xE9\x8\x0\x39\x56 (rd)+1

#Vista SP0, SP1, SP3
cat --hex --skip=0x54B6A --locate=C\x00D --length=3 (rd)+1 && set offset=0x54B6A
cat --hex --skip=0x4883A --locate=C\x00D --length=3 (rd)+1 && set offset=0x4883A
cat --hex --skip=0x48C20 --locate=C\x00D --length=3 (rd)+1 && set offset=0x48C20

#Windows 7 SP0, SP1
cat --hex --skip=0x54694 --locate=C\x00D --length=3 (rd)+1 && set offset=0x54694
cat --hex --skip=0x54733 --locate=C\x00D --length=3 (rd)+1 && set offset=0x54733

write --offset=%offset% (rd)+1 C\x001

chainloader (rd)+1
root ()

Recognise: Windows 7 beta is missing. Overall it's work to fill in all matches.
A three char string within a given range may be less accurate, but matches more (2008) bootmgr files.
This results in: accuracy contrary to flexibility.


A more flexible approach would be nice.
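Added example, not code from the thread: an offline Python equivalent of the bootmgr patching strategies traded in this thread (steve6375's chain of version signatures with its "flag", cdob's bounded first-hit window, and the `74 03` to `EB 08` stub patch), run against a constructed stand-in for bootmgr so it can be tried without a Windows image. Only the byte patterns, the 0x48000/0x18000 window and the offsets 0x105E and 0x4883A come from the posts above; the sample image, the function names and the uniqueness check on the stub pattern are assumptions of this example. Being able to see how many `C\x00D` candidates sit inside the window is what the grub4dos one-liner hides and what decides whether the "works by chance" approach is safe for a given bootmgr build.

```python
"""Offline equivalent of the grub4dos bootmgr patches discussed in this thread.

Added example (not code from the thread): applies the same byte patterns to an
in-memory copy of bootmgr, the way 'cat --locate ... --replace' edits (rd)+1.
The image built below is a constructed stand-in, not a real bootmgr; only the
patterns, the window and the offsets are taken from the posts.
"""

# 16-bit stub: 74 03 is JZ rel8, EB 08 is JMP rel8, so the checksum branch is skipped.
STUB_CHECK = bytes.fromhex("74 03 E9 08 00 39 56")
STUB_PATCH = bytes.fromhex("EB 08 E9 08 00 39 56")

# Context around the 'D' of "BCD" per bootmgr build, in the order steve6375's entry
# tries them. Every pattern holds exactly one ASCII 'D' (0x44); that byte is renamed.
BCD_SIGNATURES = [
    ("Vista SP0 (plain UTF-16 \\BCD)", b"\\\x00B\x00C\x00D\x00\x00"),
    ("Windows 7 SP0 or SP1", b"\x28\x43\x00D"),
    ("Vista SP1, Windows 7 RC 7100", b"\x43\x00\x44\x00"),
]


def locate(data, needle, skip=0, length=None):
    """Offsets of needle inside data[skip:skip+length], i.e. cat --skip/--length."""
    end = len(data) if length is None else min(len(data), skip + length)
    hits, pos = [], skip
    while (pos := data.find(needle, pos, end)) >= 0:
        hits.append(pos)
        pos += 1
    return hits


def _digit(digit):
    if len(digit) != 1 or not digit.isalnum() or ord(digit) > 0x7F:
        raise ValueError("replacement must be a single ASCII letter or digit")
    return ord(digit)


def patch_stub(data):
    """Neutralise the stub checksum check. The thread saw the pattern once per
    bootmgr, so any other hit count means this is not a build we understand."""
    hits = locate(data, STUB_CHECK)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one stub check, found {len(hits)}")
    data[hits[0]:hits[0] + len(STUB_PATCH)] = STUB_PATCH
    return hits[0]


def rename_bcd_by_signature(data, digit):
    """steve6375's approach: try the version signatures in order and stop at the
    first that matches (his 'flag at 0x60000'); every hit of that one is renamed."""
    for label, pattern in BCD_SIGNATURES:
        hits = locate(data, pattern)
        if hits:
            new = pattern.replace(b"D", bytes([_digit(digit)]))
            for off in hits:
                data[off:off + len(new)] = new
            return label
    raise ValueError("no known BCD name signature; bootmgr build not covered")


def rename_bcd_in_window(data, digit, skip=0x48000, length=0x18000):
    """cdob's approach: first 'C\\x00D' inside a window (cat --number=1).
    Returns (offset patched, candidates in the window) so the ambiguity is visible."""
    hits = locate(data, b"C\x00D", skip, length)
    if not hits:
        raise ValueError("no C\\x00D in the window; bootmgr build not covered")
    data[hits[0] + 2] = _digit(digit)
    return hits[0], len(hits)


def build_sample_image():
    """Constructed stand-in for bootmgr: the stub check at 0x105E (the offset
    laddanator's 'write --offset=0x105E' uses), cdob's Vista SP1 dump at 0x48830
    (which puts 'C\\x00D' at 0x4883A), a decoy outside the window at 0x20000 and a
    second in-window copy at 0x50000 to show that only the first hit is taken."""
    img = bytearray(0x60000)
    img[0x105E:0x105E + len(STUB_CHECK)] = STUB_CHECK
    dump = bytes.fromhex("00 42 00 8A 6F 00 08 74 02 48 43 00 44 00 98 08")
    img[0x48830:0x48830 + len(dump)] = dump
    img[0x20000:0x20003] = b"C\x00D"
    img[0x50000:0x50003] = b"C\x00D"
    return bytes(img)


if __name__ == "__main__":
    data = bytearray(build_sample_image())
    print(f"stub check patched at 0x{patch_stub(data):X}")
    off, n = rename_bcd_in_window(data, "1")
    print(f"window approach: patched 0x{off:X}, {n} candidates in window")
    data = bytearray(build_sample_image())
    print("signature approach:", rename_bcd_by_signature(data, "4"))
```

To use it on a real file, read bootmgr into a bytearray, call `patch_stub` and one of the two rename functions, and write the result to the renamed copy that `map --mem` would otherwise build at boot; if `patch_stub` or the rename raises, the build is one the thread's patterns do not cover and the fixed-offset entries from post #43 are the fallback.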

#44 cdob

Posted 04 January 2012 - 11:44 PM

Another approach: a default bootmgr and a BCD edited on the fly.
Idea based on ntboot.bat by chenall http://chenall.net/post/ntboot/

Files at MBR USB drive:

\BOOT\bootmgr
\BOOT\BOOT_WIM.gz
\sources\boot1.wim

That way, you may use your own bootmgr. Read: it doesn't have to be distributed.

BOOT_WIM.gz contains a 320kb floppy image. Files:

\BOOT\BCD
\BOOT\BOOT.SDI

Joakim created a 300kb BOOT.SDI file.
http://www.msfn.org/...ize-of-bootsdi/

Create a small BCD store.
Drive letter c: refers to a partition at a 63 sectors offset on a fixed drive.
Adjust the MBR signature twice to 0x53B753B7
http://diddy.boot-la...t/files/bcd.htm

Built floppy image: attached file BOOT_WIM.gz (5.26KB)

menu.lst
title Windows 7 setup - \\sources\\boot1.wim - v03
#based on ntboot.bat by chenall http://chenall.net/post/ntboot/
#created by cdob
set bootmgr=/boot/bootmgr
set fd_ima=/boot/BOOT_WIM.gz
#load boot floppy image
find --set-root --devices=h %fd_ima%
map --mem %fd_ima% (rd)
# calculate current drive, partition and number of physical disks
# http://cvwyg-blog.appspot.com/grub/GRUB4DOS5mlsy.htm
set /a cur_drv=*0x82A0&0x7F
set /a cur_pri=*0x829C>>16&0xFFFF
set /a hdn=*0x475&0xff
clear
echo
echo $[0105] Boot Windows 7 setup - /sources/boot1.wim From $[0102](hd%cur_drv%,%cur_pri%)$[0106] hdn %hdn%
echo

#read MBR signature
dd if=(hd%cur_drv%)+1 of=(md) bs=1 count=4 skip=0x1b8 seek=0x60000
#get current partition offset
cat --length=0 ()-1
dd if=(md) of=(md) bs=1 count=8 skip=0x8290 seek=0x60004
#set MBR signature and partition offset
cat --locate=\x53\xB7\x53\xB7 --replace=*0x60000 --hex=4 (rd)/BOOT/BCD
cat --locate=\0\x7E\0\0 --replace=*0x60004 --hex=8 (rd)/BOOT/BCD

#adjust boot*.wim: search bootNNNN insert boot0001 : boot0001.wim
#cat --hex --locate=b\x00o\x00o\x00t\x00N\x00N\x00N\x00N\x00 --replace=b\x00o\x00o\x00t\x00N\x00N\x00N\x001\x00 (rd)/BOOT/BCD
#
#adjust boot*.wim: search NNNN.w insert 1.wim\x00 : boot1.wim
cat --locate=N\x00N\x00N\x00N\x00.\x00w\x00 --replace=1\x00.\x00w\x00i\x00m\x00\x00\x00 (rd)/BOOT/BCD

#swap disks. result: hd0 internal hard disk - hd1 USB drive
#load bootmgr from USB drive
#set root to floppy drive
map --mem (rd) (fd0)
geometry (hd1) && geometry (hd0) && map (hd1) (hd0) && map (hd0) (hd1)
map --hook
find --set-root --devices=h %bootmgr%
chainloader %bootmgr%
root (fd0)

Some debug messages are possible at the end. The fixed offsets refer to the attached image.

echo
echo validate boot1
##cat --locate=b\x00o\x00o\x00t\x001\x00 (fd0)/BOOT/BCD
echo MBR signature && cat --hex --skip=0x1F98 --length=4 (fd0)/BOOT/BCD
echo offset && cat --hex --skip=0x1F80 --length=8 (fd0)/BOOT/BCD
echo file name && cat --hex --skip=0x1FB8 --length=48 (fd0)/BOOT/BCD
echo
echo pause, press a key
pause

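Added example, not code from the thread and not chenall's ntboot: an offline Python equivalent of the on-the-fly BCD edit in cdob's menu.lst above. It treats the store as a byte buffer, which is exactly what `cat --locate ... --replace` does, so no registry-hive parser is needed and every element keeps its size. The MBR sector and the BCD blob it builds are constructed stand-ins, not real files. Two points are assumptions of this example and are marked as such in the code: that the device element of the store carries the MBR disk signature as 4 bytes in file order followed elsewhere by the partition start as an 8-byte little-endian byte offset (the 0x7E00 placeholder is 63 sectors times 512), and that boot&lt;N&gt;.wim is kept within the 12-character `bootNNNN.wim` placeholder, which generalises the thread's `boot1.wim` trick to any number up to 9999.

```python
"""Offline equivalent of the on-the-fly BCD edit in cdob's menu.lst above.

Added example (not code from the thread or from chenall's ntboot): patches the
BCD as a byte buffer, as 'cat --locate ... --replace' does. The MBR and the BCD
blob built below are constructed stand-ins, not real files.
Assumptions: the store holds the MBR disk signature (4 bytes, file byte order)
and the partition start as a byte offset (8 bytes, little-endian), and
boot<number>.wim fits the 12-character 'bootNNNN.wim' placeholder.
"""
import struct

SECTOR = 512
SIG_PLACEHOLDER = b"\x53\xB7\x53\xB7"                # signature the store was built with
OFFSET_PLACEHOLDER = struct.pack("<Q", 63 * SECTOR)  # 63-sector partition = 0x7E00 bytes
WIM_PLACEHOLDER = "bootNNNN.wim".encode("utf-16-le")


def mbr_disk_signature(mbr):
    """The 4 signature bytes at 0x1B8 (what 'dd ... skip=0x1b8 count=4' copies)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    return bytes(mbr[0x1B8:0x1BC])


def partition_byte_offset(mbr, index=0):
    """Start of partition entry `index` in bytes: LBA from the table entry times 512.
    Assumption: 512-byte sectors, as on the USB sticks in the thread."""
    if not 0 <= index < 4:
        raise ValueError("an MBR holds four primary entries")
    lba = struct.unpack_from("<I", mbr, 0x1BE + 16 * index + 8)[0]
    if lba == 0:
        raise ValueError(f"partition entry {index} is empty")
    return lba * SECTOR


def wim_name_bytes(number):
    """UTF-16LE boot<number>.wim, NUL-padded to the placeholder's length so the
    element keeps its size. The thread writes '1.wim\\x00' over 'NNNN.w'; this is
    the same trick for any number up to 9999 (an assumption of this example)."""
    name = f"boot{number}.wim"
    if number < 1 or len(name) > 12:
        raise ValueError("boot<number>.wim must fit in 12 characters")
    return name.encode("utf-16-le").ljust(len(WIM_PLACEHOLDER), b"\x00")


def replace_all(buf, old, new):
    """In-place, same-length replacement of every hit; returns the hit count."""
    if len(old) != len(new):
        raise ValueError("replacement would change the store's size")
    hits = buf.count(old)
    if hits == 0:
        raise ValueError(f"placeholder {old!r} not found")
    buf[:] = buf.replace(old, new)
    return hits


def patch_bcd(bcd, mbr, wim_number, partition_index=0):
    """Copy of `bcd` pointing at the partition described by `mbr` and at
    \\sources\\boot<wim_number>.wim. Signature and offset occur twice in the
    thread's store (device and osdevice), so every hit is replaced."""
    out = bytearray(bcd)
    replace_all(out, SIG_PLACEHOLDER, mbr_disk_signature(mbr))
    replace_all(out, OFFSET_PLACEHOLDER,
                struct.pack("<Q", partition_byte_offset(mbr, partition_index)))
    replace_all(out, WIM_PLACEHOLDER, wim_name_bytes(wim_number))
    return bytes(out)


def build_sample_mbr(signature=b"\x12\x34\x56\x78", first_lba=2048):
    """Constructed MBR: one active type-07 entry starting at `first_lba`."""
    mbr = bytearray(SECTOR)
    mbr[0x1B8:0x1BC] = signature
    struct.pack_into("<B3sB3sII", mbr, 0x1BE, 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                     first_lba, 1 << 20)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def build_sample_bcd():
    """Constructed stand-in for the store: filler plus the placeholders, with the
    signature and offset present twice as in the thread's BCD."""
    pad = b"\x00" * 32
    device = SIG_PLACEHOLDER + pad + OFFSET_PLACEHOLDER + pad
    path = "\\sources\\".encode("utf-16-le") + WIM_PLACEHOLDER + b"\x00\x00"
    return pad + device + path + pad + device


if __name__ == "__main__":
    mbr, bcd = build_sample_mbr(), build_sample_bcd()
    patched = patch_bcd(bcd, mbr, 1)
    print("signature:", mbr_disk_signature(mbr).hex())
    print("offset   : 0x%X" % partition_byte_offset(mbr))
    start = patched.find(b"b\x00o\x00o\x00t\x00")
    print("wim name :", patched[start:start + 24].decode("utf-16-le").rstrip("\x00"))
```

Run against a real store, `patch_bcd` raises instead of silently booting a wrong disk if a placeholder is absent, which is the failure the `validate boot1` debug lines in the menu.lst are there to catch by eye.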

#45 laddanator

Posted 22 January 2012 - 12:57 AM

Sorry, cdob, I missed all the above somehow. I will test and report back.

#46 laddanator

Posted 22 January 2012 - 01:08 AM

Translate previous reply to: I've no idea.


I asked this

Is this method

title Windows 7 setup \\boot\\bc1
#use configfile \boot\bc1
#based on JFX http://sanbarrow.com...opic.php?t=1807
#Bcdedit.exe /store \boot\bc1 /set {bootmgr} nointegritychecks 1
#use a non default directory at USB drive
set bootmgr=/boot/bootmgr

find --set-root --devices=h %bootmgr%
map --mem %bootmgr% (rd)
#ignore 16-Bit Stub checksum
cat --hex --locate=\x74\x3\xE9\x8\x0\x39\x56 --replace=\xEB\x8\xE9\x8\x0\x39\x56 (rd)+1
#half broken approach, works by chance at:
#Vista SP0, SP1, SP2 and Windows 7 beta 7000, RC 7100, SP0, SP1
#change chars CD from file name BCD # #
cat --hex --skip=0x48000 --length=0x18000 --number=1 --locate=C\x00D --replace=C\x001 (rd)+1
chainloader (rd)+1
root ()

a more accurate way to offset than the below way?

map --mem %bootmgr% (rd)
write --offset=0x105E (rd)+1 \xEB\x08
cat --hex --skip=0x54696 --length=1 --locate=D (rd)+1 && set offset=0x54696
cat --hex --skip=0x54735 --length=1 --locate=D (rd)+1 && set offset=0x54735
write --offset=%offset% (rd)+1 4
chainloader (rd)+1
root ()

and this was your reply

That's a nice question.
Feel free to write a master thesis.
Consider string length, probability, fixed offset, Gaussian distribution and so on

and by the reply, I thought maybe I upset you, and I would never. You have been tons of help and I don't disrespect folks that help me, and this was my reply to your above master thesis reply.

This must be a joke, right? :) I wasn't criticizing, just wondering, because both commands seem to work fine but this one seems to be neater in the way it offsets.

:beer:

#47 SergeyZV

SergeyZV
  • Members
  • 1 posts
  •  
    Russian Federation

Posted 28 August 2013 - 06:46 PM

Has anyone found the offset values from Windows 8 WAIK bootmgr?



#48 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 28 August 2013 - 09:25 PM

I have a feeling that old trick broke when the new compression algorithm was implemented. But it's just a feeling and I never really looked for that thing specifically.





