"Disassemble" Self-Extracting Updates, HotFixes?

[LoneCrusader]

Is there a way to "disassemble" a self-extracting update or hotfix to see what specific instructions are carried out by the installer?

I know how to simply "unpack" them with WinZip or WinRAR, etc, but I would like to be able to see the steps performed by the installer.

I also know that most of what goes on is controlled by the .INF file inside, from examining them and also from reading some documentation on IEXPRESS at MDGx's.

However, I have encountered a couple of updates that perform other tasks that are not listed in the .INF, and I'd like to see how they're doing it.

[CharlesF]

Have you tried Universal Extractor?

But the last version is not running on Windows 98

[submix8c]

I'm not sure if ResourceHacker would show what you want. WEXTRACT is the prepended module; other data/processing is created during the IEXPRESS process. Been a while since I fiddled with it (IEXPRESS, I mean).

[LoneCrusader]

Have you tried Universal Extractor?

But the last version is not running on Windows 98

I gave it a try with version 1.5, no luck. It wouldn't even extract files from one particular update that dates from the IE3 era, and can be opened with WinZip or WinRAR

I'm not sure if ResourceHacker would show what you want. WEXTRACT is the prepended module; other data/processing is created during the IEXPRESS process. Been a while since I fiddled with it (IEXPRESS, I mean).

I'll take a look at things with ResourceHacker, I looked some of the files over with another tool that dencorso referenced in another thread (MiTeC EXE Explorer) and it will show what program or INF is set to run, which helps some, but still isn't exactly what I need.

Edited February 4, 2011 by LoneCrusader

[submix8c]

In ResourceHacker - RCDATA. If you "dump" the whole area, the name you give it comes out as "x.RC" (x=name). Open with Notepad and the same Names as seen in the Hacker appear; some pieces are messages, one is usually the actual CAB that you can extract with ZIP/RAR, some are "modules" embedded (one example is a "version checking" module).

Suggest you investigate WEXTRACT (google, whatever...) for more info. In addition, attempt to find the particular IEXPRESS ("wextract") version involved and "play with it". Give a "fix name.exe" that you may be investigating and I'll see what I can dig up...

Rough explanation of IEXPRESS (various versions)-

1 - Run it, giving all info/files (including the INF/Program-to-run)

2 - Makecab (usually that version) "called" to CAB the files/inf/etc.

3 - WEXTRACT appended at front-end to "self-extract" and run the "commands" given

Rough explanation (again, been a while...)

EDIT @CharlotteTheHarlot - see bold above...

Edited February 5, 2011 by submix8c

[CharlotteTheHarlot]

Is there a way to "disassemble" a self-extracting update or hotfix to see what specific instructions are carried out by the installer?

I know how to simply "unpack" them with WinZip or WinRAR, etc, but I would like to be able to see the steps performed by the installer.

I also know that most of what goes on is controlled by the .INF file inside, from examining them and also from reading some documentation on IEXPRESS at MDGx's.

However, I have encountered a couple of updates that perform other tasks that are not listed in the .INF, and I'd like to see how they're doing it.

Please post a link to an example file.

[LoneCrusader]

Give a "fix name.exe" that you may be investigating and I'll see what I can dig up...

Please post a link to an example file.

When I first posted this thread, I was working with W95Y2K.EXE and W95EURO.EXE, trying to slipstream the updated files inside and so on. I have since learned a bit more about them.

First, W95Y2K.EXE makes a lot of registry modifications, and these are not contained in W95Y2K.INF, so I was wondering how these were achieved. I now know from MiTeC EXE Explorer that "Y2KSETUP.EXE" is being run instead of W95Y2K.INF, so obviously that executable is responsible for the changes, but that doesn't help me when it comes to slipstreaming.

Second, I was having trouble getting the Euro € character to be properly available in Windows 95 after slipstreaming the updated files from W95EURO.EXE. I found out that "EUROPAT.EXE" was being called instead of EURO.INF. I thought the EUROPAT executable was responsible for manually patching some file, but I have discovered this was the result of differences amongst various versions of GDI.EXE and/or GDI32.DLL, and a possibly "crippled" HotFix.

So, the Euro problem has been worked around, at least for the moment, but the Y2K registry entries still remain a mystery.

I have now also encountered another problem. A self-extracting executable SETUPSLT.EXE (inside WIN95_22.CAB, also Here NOTE the linked version is SLIGHTLY different) is set to run in SETUPC.INF during Windows 95 installation. It contains an old version of REGSVR32.EXE. I slipstreamed a newer version (from SPEU.EXE) into my 95 CABs, and now I'm getting a "Version Conflict" prompt during install. When SETUPSLT is called, It asks me to keep my newer file, which obviously I want to do. It is called with the /Q switch in SETUPC.INF already, and changing it to "/Q:A" "/Q /A" or any of the standard switch combinations either

a)causes an error and SETUPSLT will close without installing (/Q:A), or

b)it will "appear" to run, and not give an error, but actually does nothing at all (/Q /A).

So now, I am faced with dealing with the Version Prompt during every install, or trying to "hack" SETUPSLT to accept the proper switches, or repack SETUPSLT without the old version of REGSVR32.EXE inside.

Edited February 6, 2011 by LoneCrusader

[dencorso]

SETUPSLT.EXE is an SFX Installer, which can be opened with WinRAR or 7-Zip. It contains PEDCAB1.INF, which runs REGSVR32.EXE. I'd say you should modify PEDCAB1.INF, and then recompile the SFX Installer...

[LoneCrusader]

I'd say you should modify PEDCAB1.INF, and then recompile the SFX Installer...

Agreed

But I have no clue how to do that.

I can extract the files and modify the .INF, no problem, but other than some quick reading about IEXPRESS, I know nothing about compiling an installer.

[dencorso]

Both WinRAR and 7-Zip can do that. Read their respective documentation carefully. SFX installer is the keyword.

[rloew]

I'd say you should modify PEDCAB1.INF, and then recompile the SFX Installer...

Agreed

But I have no clue how to do that.

I can extract the files and modify the .INF, no problem, but other than some quick reading about IEXPRESS, I know nothing about compiling an installer.

Resource Hacker can replace the CAB file inside the Installer as well as change the Command executed.

Edited February 7, 2011 by rloew

[submix8c]

Resource Hacker can replace the CAB file inside the Installer as well as change the Command executed.

FYI (a follow-up and "easy way" for you) -

ResHack will export all RCData to a folder of your choosing - give any name you like to the "*.RC" file it wants to create. The largest file (usually) will be the ".CAB" - append that to the name (the name of the INF inside?), unpack it, replace what you want, repack it (MakeCab will do, I believe - you could use the CabPack GUI I've pointed out before), and re-insert this way -

1 - Select to replace a Resource

2 - Browse to Repacked CAB

3 - Give full Resource info as follows - "RCData : CABINET : 1033"

* - Note - above is Resource Type, Name, and Language (you're smart enough to understand the reference )

[rloew]

Resource Hacker can replace the CAB file inside the Installer as well as change the Command executed.

FYI (a follow-up and "easy way" for you) -

ResHack will export all RCData to a folder of your choosing - give any name you like to the "*.RC" file it wants to create. The largest file (usually) will be the ".CAB" - append that to the name (the name of the INF inside?), unpack it, replace what you want, repack it (MakeCab will do, I believe - you could use the CabPack GUI I've pointed out before), and re-insert this way -

1 - Select to replace a Resource

2 - Browse to Repacked CAB

3 - Give full Resource info as follows - "RCData : CABINET : 1033"

* - Note - above is Resource Type, Name, and Language (you're smart enough to understand the reference )

Extracting the CAB as a Binary Image is simpler than extracting all of the RCData.

[LoneCrusader]

Resource Hacker can replace the CAB file inside the Installer as well as change the Command executed.

FYI (a follow-up and "easy way" for you) -

ResHack will export all RCData to a folder of your choosing - give any name you like to the "*.RC" file it wants to create. The largest file (usually) will be the ".CAB" - append that to the name (the name of the INF inside?), unpack it, replace what you want, repack it (MakeCab will do, I believe - you could use the CabPack GUI I've pointed out before), and re-insert this way -

1 - Select to replace a Resource

2 - Browse to Repacked CAB

3 - Give full Resource info as follows - "RCData : CABINET : 1033"

* - Note - above is Resource Type, Name, and Language (you're smart enough to understand the reference )

Ahh, the thrill of victory!

I successfully modified SETUPSLT.EXE, removing the old REGSVR32.EXE and the reference to it in the .INF. Now it installs without any prompts or errors.

And, to add to the success, I have successfully modified the IE5SETUP.EXE from IE 5.5 SP2 to install the Windows Desktop Update by default. No more installing IE4 and then having to upgrade again to IE5.5 for 95 users who want the update.

See here for more info on this.

Section: "Installing Windows Desktop Update...."

All changes listed in Method #2 have been integrated into this new installer.

Tested successfully on Windows 95C OSR 2.5.

[submix8c]

? getting (in firefox)

Loading file

You want to load the following file

http://rapidshare.com/files/446958992/Ie5setup.zip475 KB

What did I do wrong?

NM - Just click "Free" and goes to "download". Well, that just "un-confused" me...

I'll check this out on a "bare-bones" Win95RTM/No-IE just for fun... (may fail due to "updates not installed"?)

edit - Had a supposed "full" download already and it was somewhat different than evolt/oldversion (both the same file) that you must have used. Figured that out after this comparison.

Source = IE 5.5 SP2Full - EVOLT
Target = IE55SP2-CUSTOM - MINE 
COMPARISON MESSAGES - 19 of 19
IE55SP2-CUSTOM\AOLSUPP.CAB  Contents, Size Different
IE55SP2-CUSTOM\AXA2.CAB     Contents, Size Different
IE55SP2-CUSTOM\BRANDING.CAB Contents, Size Different
IE55SP2-CUSTOM\IE4MFC40.CAB Contents, Size Different
IE55SP2-CUSTOM\IE5SETUP.EXE Contents, Size Different
IE55SP2-CUSTOM\IECIF.CAB    Contents, Size Different
IE55SP2-CUSTOM\IEDATA.CAB   Contents, Size Different
IE55SP2-CUSTOM\IEDATAJA.CAB Contents, Size Different
IE55SP2-CUSTOM\IESETUP.INI  Contents, Size Different
IE55SP2-CUSTOM\MSN_AUTH.CAB Contents, Size Different
IE55SP2-CUSTOM\VGX.CAB      Contents, Size Different
IE55SP2-CUSTOM\WEBFLDRS.CAB Contents, Size Different
IE 5.5 SP2Full\IE501DOM.EXE Source File Not Found
IE 5.5 SP2Full\MMSSETUP.CAB Source File Not Found
IE55SP2-CUSTOM\ACTSETUP.CAB Target File Not Found
IE55SP2-CUSTOM\IE5OEM.EXE   Target File Not Found
IE55SP2-CUSTOM\IEAK5.EXE    Target File Not Found
IE55SP2-CUSTOM\IEAK5CD.EXE  Target File Not Found
IE55SP2-CUSTOM\IEAK5OPT.CAB Target File Not Found

Haven't been able to get a comprehensive list of IE5.5sp2 to see if I have a "goobered" "MINE". Any "searchers" out there able to scare up one, maybe from an original CD?

Best I can find is MMSSETUP is listed by MS as IE5.5 (no SP), noting it's "Messenger" and IE501DOM is 128-bit Encryption. Guess, I'll go ahead and test a "Full" on the VM (brb...)

Edited February 9, 2011 by submix8c