UEFIExtract: Cannot get the uncompressed body of LzmaF86 section

[platomav]

Hello,

Given an UEFI image, my goal is to retrieve the uncompressed bodies of LZMA-F86 compressed sections. The LZMAF86 GUID is D42AE6BD-1352-4BFB-909A-CA72A6EAE889 (BDE62AD45213FB4B909ACA72A6EAE889), thus I decided to use UEFIFind followed by UEFIExtract.

UEFIFind_NE_A68 U30_1.42_06_20_2018.signed.flash header list BDE62AD45213FB4B909ACA72A6EAE889

UEFIFind returns the following:

• 9E21FD93-9C72-4C15-8C4B-E77F1DB2D792
• 299D6F8B-2EC9-4E40-9EC6-DDAA7EBF5FD9

UEFIExtract_NE_A68 U30_1.42_06_20_2018.signed.flash 9E21FD93-9C72-4C15-8C4B-E77F1DB2D792 -o output -m body -t 17

The above fails with Code 8 (I think it means FILE not found). I used type 17h to get the Volume image section in this example, which should be included within that GUID.

What is strange is that using either "-m all" or "-m info" does work. But not "-m body" or "-m header". And the only one which seems to work correctly is "-m info" because "-m all" appears to dump the entire image tree but with all other folders empty in terms of bodies, headers, info etc.

I also tried to use type 02h which is what UEFITool shows as the section type of the LzmaF86CustomDecompressGuid, but that never works (same error 8).

In general, the goal here is to get the exact same result as when using UEFITool, right-clicking LzmaF86CustomDecompressGuid and selecting "Extract body uncompressed". Moreover, choosing a section type 17h for example does not work for the 2nd GUID because it has no Volume image within. So, the type should be omitted (FF) but then nothing works.

Am I doing something wrong? I cannot really understand the output of UEFIExtract.

U30_1.42_06_20_2018.signed.zip

[NikolajSchlej]

Could not react sooner, but I'll check this out.