tl;dr version - it unpacks stuff. Feel free to leech and reupload. Report bugs here.
Introduction
It all started with a topic on BlackStorm forums where whoknows posted a link to Reverzor - The first cloud based software that decompiles everything!.
Wow, a magic tool that does everything! Sounds too good to be true.. 🙂 Soon enough, li0n posted a link to the trial executable and I started looking into it. I quickly found out that it's written in AutoPlay Media Studio, and that there is no working unpacker for that.
I should fix that - and have some fun in process!
Existing tools and research
First, I found a great blogpost by Xiaopang - I wholeheartedly recommend that you read it.
And then there's a AmsDec.exe by mohsen.
Unfortunately, it only works for some files (supposedly - v8.1, v8.2) and shows weird messages in Persian language. And it's not really a decompiler, it just extracts _proj.dat file from the cdd file. And, of course, it didn't work for Reverzor.
How AutoPlay Media Studio works
So, let's see what we need to do to unpack it all properly. As the authors of AutoPlay Media Studio wrote in changelog:
As we all know, anyone determined enough can break any protection system given enough time and resources, but the use of rolling codes renders generic attacks ineffective. You can now sleep a little easier!
Right... They are using ZIP files protected with randomly generated passwords and obviously have no clue how generic attacks work..
Unpacker needs to analyze EXE file, generate correct password and unzip files. If there's a cdd file, unzip that one too. And since it's that simple, I will use AutoPlay Media Studio as a target for a separate blogpost explaining how to write a static unpacker from scratch. 🙂
Since there are several options how you can distribute files built by AutoPlay Media Studio, here's a quick reference:
- you have just a single application.exe;
- you have a folder with application.exe and application.cdd in a subfolder AutoPlay;
- you have application.exe and application.cdd files in the same folder;
Such files can be generated using "Publish -> Web/Email executable" feature in AutoPlay Media Studio. Example file would be CardRecovery v
6.10 Build 1210 AIO Installer -nelly-.exe
Drop the exe file on unpacker, it will unpack everything automatically. Then check the appropriate folder for extracted data files and _proj.dat for the installation script.
These files are created using "Publish -> Hard drive folder" in AutoPlay Media Studio. An example file can be, for example, Russian software (malware?) claiming to be a Photoshop installer.
There is not much to unpack, as data files are in plain sight in folder AutoPlay and subfolders. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.
This happens when "Rename resource files" feature is enabled in AutoPlay Media Studio. It's one of those features that add fake security to the product:
This option is designed to obscure the filenames of your resource files during publishing.
This is a case of Users Sniffer. Similar to previous case, there's not much to unpack. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.
Advanced use cases
But sometimes things are not that easy. So, here are few possible scenarios how to deal with modified AutoPlay Studio:
- application.exe is packed and there is application.cdd file present.
- application.exe is packed and there is no cdd file.
- application.exe is hacked and the cdd file is renamed to something else;
This is a case of official AMS studio challenge that Xiaopang mentioned on the blog. Good news - you don't need to be an unpacking wizard and properly unpack PCGuard to break their protection. It's enough to run the EXE in VMWare, dump process memory and drop dumped exe on my tool. As long as PE header and section table is correct, it should be fine.
Step-by-step:
1) Run and dump:
2) When saving dump, keep the original filename. Otherwise my unpacker won't be able to find cdd file:
3) Process dump with unpacker:
This is the case of Reverzor. First you would need to unpack Enigma Virtual Box - for that you can use my other unpacker.. 😉 Now you have both exe and cdd files but exe file is still packed with ASPack. Again, you don't need to unpack ASPack properly, just run & dump process memory. Then process dumped exe with my unpacker.
This is a case of Idler. Author hacked AutoPlay engine and replaced file extension cdd with dll.
There is no way for my unpacker to cover all such scenarios automatically, sorry. Just rename idler.dll to idler.cdd and drop idler.exe on unpacker.
Conclusion
This was a small weekend project for me. If it also helps you in some adventures, I'm happy. If it doesn't help you at all, I don't care. 🙂
Download the unpacker from:
Note - due to technical reasons it's compiled against .NET 3.5, if you wish to run it on computer with only .NET 4.0 installed, create amsunpacker.exe.config with the following lines:
<?xml version="1.0"?>
<configuration>
<startup>
<supportedRuntime version="v4.0"/>
</startup>
</configuration>
And stay tuned for the upcoming post, where I'll explain how to write such unpacker from scratch!
Any feedback on that cloudbased unpacker? Will it get its own small blogpost? Or is it completly useless?
I already posted response on BS forums a month ago, here's a recap:
Judging on previous projects by the same guy, it is a complete and utter crap.
Reverzor client doesn't do anything useful, just packs the files and sends them to the server. On server most likely they run Uniextract, Sothink SWF Decompiler, ILSpy, some Java decompiler and other freely available stuff, get the results, pack them and send the DL URL back to client.
please tech me u email address
It's at the bottom of the page.
One word ... SWEET! You did it again! Great!
Thanks for sharing your valuable work.
Best Regards,
Tony
I couldn't realize how to pack unpacked files to cdd file back? I try it with Winrar to zip archive use password from information at Unpacker[i] "Using password -******************" but after run .exe file I receive massage:"failed to extract project file to memory" Please help
It's an unpacker, it's designed only to extract files, not to add them back. 🙂
Most likely your problem is caused by password containing non-printable characters. Winrar encodes those characters differently than AutoPlay Media Studio.
I would try to add file without any password. I am guessing that it should work but haven't tested it myself.
If you still have some questions, please upload your software to mega.nz or mediafire.com, so that I can take a look at it.
Kao, you are absolutely right: it work without any password! it was my mistake to find and use password to get archive! Thanks a lot!
Happy to help!
Can I edit my project again in auto plag media studio
thanks, goord work
Thanks for this useful tool , i knew about it yesterday
i bypassed it, sorry
{hidden link}
Any tool can be broken with enough determination. 🙂 Congrats!
Since you didn't show how your learn.exe works, nobody can replicate your work. I'll update the unpacker if/when such modified files appear in the real life.
Bro dump process the operation could not be completed .
Access is denied .error
In auto play media studio exe file
Please upload the problematic file to mega.co.nz or mediafire.com and I will take a look at it.
I can't help you without seeing the file first.
Bro me send mega link in your email cheek project
{hidden link} auto play media this project exe not dump
Next time, please read the unpacker messages carefully. 🙂 Also, if you read "Advanced" part of the article, it explains exactly how to solve such problems.
File autorun.exe inside your DR-Backup.exe is packed and therefore my unpacker cannot process it automatically.
This is how you can solve the problem:
1) Try to unpack your DR-Backup.exe. My unpacker will extract most files and then complain about password.
2) Go to the folder with unpacked files and find autorun.exe and autorun.cdd. Copy them to another folder.
3) Unpack autorun.exe. It's packed with UPX, so unpacking is really simple. Google for tutorials, if you need them.
4) Now you should have unpacked autorun.exe and autorun.cdd in the same folder. Use my unpacker on autorun.exe, it will work just fine.
See the screenshot:
Thank you so so much
{hidden link}
Bro dump process the operation could not be completed .
Access is denied .error
In auto play media studio exe file not dump
(pe explorer) an other cracker software
plez help me
Please read "Advanced" part of the article, it explains exactly how to solve such problems.
Step 1 - unpack aio.exe. It's packed with PECompact. Google for unpack solutions, there are plenty of those.
Step 2 - rename aio.dll to aio.cdd.
Step 3 - run my unpacker, it will extract _fonts.dat, _proj.dat and _detect.dat.
Done!
Brother you've given us the material before we have been using a file to crack but this file is not cracking at all and any software
Thank you so so much brother
how to unpack PECompact
google pe unpacker not work
or youtube video not work
AIO.exe file
Plez Unpacker software link
Again - please read the blog post! 🙂
"Advanced use cases" shows step-by-step how to use PETools to dump process. That is all you need.
Information about unpacking new version AMS 8.5.3.0 - {hidden link}
Thank you, it's a very nice article! 🙂 Link for everyone else to read: https://habr.com/ru/post/451524/
If I get bored some day, I'll update my unpacker.
{hidden link}
plz help check my file & video
You did not unpack PECompact correctly. Either use automatic PECompact unpacker, find a Youtube video explaining how to unpack PECompact using x64dbg, or just run EXE and dump process memory as explained in my post section "Advanced use cases".
Once PECompact is removed, my tool will work OK:
please help me to save my aio.exe and cdd file from hack
please
hi
How can I edit the project within autoplay media studio, perhaps renaming the _proj.dat to proj.autoplay or something like that?
I'm sorry, it's not that simple as renaming something. 🙂
It would require writing a tool that converts _proj.dat back to a proper AMS project - but I don't have time or interest to work on such tool.
plz help check my file
{hidden link}
Hi Salam22, here are your unpacked files: https://mega.nz/file/ckoxmALK#STU3zCz5VG-3O5yxmhhBXUK_9ZageOWuobbMiwZIBB0
There are several challenges in unpacking. Solutions to those challenges are already covered in my article, so I'll just post a list here:
1) someone used hexeditor and changed string "pid" to "ped" in 3 places. That's why my unpacker cannot find the correct password;
2) autorun.exe is packed using PECompact. There are lots of tools that can unpack it.
3) there is a fake autorun.cdd. The real project file is called autorun.eex.
bro more help this file are packed {hidden link} but (peid) (RDGpacker) (exeinfo) show Detector The Enigma Protector [ Fake sign : Delphi ]
{hidden link}
plz help
plz help
It has nothing to do with my unpacker. You simply need to unpack Enigma Protector and extract the files from it. There are both scripts for OllyDbg and tools like Virtual File System Editor that can help you.
You should get IRAMS852cdd2dllPATCH.dll and IRAMS852cdd2dllPATCH.exe and the entire folder AutoPlay.
If you really want, you can rename IRAMS852cdd2dllPATCH.dll to IRAMS852cdd2dllPATCH.cdd and then my unpacker will work.
brooo this software Virtual File System Editor link plz google search not found
A demonstration of how to protect Lua source code, sorry the video got too long.
Example
{hidden link}
{hidden link}
Links from guest comments are automatically hidden. 🙂
Here are the links from the comment above:
https://www.facebook.com/AmsPlugins/videos/678660956368666 and https://www.mediafire.com/?fovdnpdjgnthlo6
NOTE: I haven't tested the files. Please be careful!
bro plz help me Download this file {hidden link}
after extract red Gide.txt file plz help
{hidden link}
not unpacke
Please read the article, especially the part about special cases. Your case is case #3 - "application.exe is hacked and the cdd file is renamed to something else;"
1) Find file Bin\Data\PackAdvanced. It is hidden, so you will need to change Windows Explorer settings to show hidden files.
2) Copy this file and put it next to PackAdvancedPlus.exe
3) Remove hidden, read-only and system attributes from the file.
4) Rename the file to PackAdvancedPlus.cdd
5) Run my unpacker and see that it works just fine.
Thank you bro thank you but all code is dll file lua to luac convert decrepit id not found my first message 21-5-11 Time 16:59 check out
Yes, but that problem is not related to my unpacker. It is a custom protection, and I will look when I have more free time.
Ok thank You bro
{hidden link}
plz help me brother
It's quite an interesting problem and I think I have found a solution. Please give me a few days to write an article about it.
Thank you brother
?????? Last kao reply
Please remember that I make these tools and write these articles in my free time. And I just don't have enough free time at the moment.
@Everyone, the reported problems have been fixed, please get updated version from https://lifeinhex.com/update-of-unpackers-2/
Thank you so so much brother
Hello brother. Need your help .. How edit the project within autoplay media studio and repack the file
My tool only unpacks files. It doesn't decompile _proj.dat back to Autoplay Media Studio project file.
As far as I know, there is no public tool which would help you with that.
Is there any possible way to do that ?
Everything is possible. But as I already said - there is no ready-made tool that you could use.
Help plz virtual.file.system.editor by extreme coder run eject remote.dll but how to extract target file like enigma protector
You can't. There are some scripts but no automatic tools for Enigma Protector.
new
{hidden link}
#
{hidden link}
#
{hidden link}
Lao, what is your question exactly?
my question is
how to unpacke this exe protection
this protection totally without normal cdd file?
Here's the main code for that installer: https://pastebin.com/A9rad4S9
Hard way is to learn how to devirtualize Luraph obfuscator, and then unpack lua code from dcrypt plugin.
Easy way is to use OllyDbg and put breakpoint on luaL_loadfile function. When breakpoint hits, check filename and copy the file.
Hey bro
Look at that
{hidden link}
Thanks, I will look at it someday. 🙂
My explanation why LuaEncrypt plugin is not secure at all: https://lifeinhex.com/how-security-plugins-for-autoplay-media-studio-fail/
{hidden link}
That link is about Unity3D and Lua, not about AutoPlay Media Studio. It's a nice blog nevertheless!
{hidden link}
Somebody promised a working AMS Decompiler and never delivered? What a surprise! 🙂
its possible
{hidden link}
look at thatbro
{hidden link}
{hidden link}
That's an interesting project, unfortunately it is a bit outdated.
(NEW)
{hidden link}
Autoplay2C from Imagine Programming. It's a really nice tool! 🙂
plz this topic
how to unpack ams plugin manually.
Thank you so much! The updated version unpacked my ancient project flawlessly.