Static unpacker for AutoPlay Media Studio files

kao

tl;dr version - it unpacks stuff. Feel free to leech and reupload. Report bugs here.

Unpacker for AutoPlay Media Studio

Introduction

It all started with a topic on BlackStorm forums where whoknows posted a link to Reverzor - The first cloud based software that decompiles everything!.

Wow, a magic tool that does everything! Sounds too good to be true.. 🙂 Soon enough, li0n posted a link to the trial executable and I started looking into it. I quickly found out that it's written in AutoPlay Media Studio, and that there is no working unpacker for that.

I should fix that - and have some fun in process!

Existing tools and research

First, I found a great blogpost by Xiaopang - I wholeheartedly recommend that you read it.

And then there's a AmsDec.exe by mohsen.
amsdec
Unfortunately, it only works for some files (supposedly - v8.1, v8.2) and shows weird messages in Persian language. And it's not really a decompiler, it just extracts _proj.dat file from the cdd file. And, of course, it didn't work for Reverzor.

How AutoPlay Media Studio works

So, let's see what we need to do to unpack it all properly. As the authors of AutoPlay Media Studio wrote in changelog:

As we all know, anyone determined enough can break any protection system given enough time and resources, but the use of rolling codes renders generic attacks ineffective. You can now sleep a little easier!

Right... They are using ZIP files protected with randomly generated passwords and obviously have no clue how generic attacks work..

Unpacker needs to analyze EXE file, generate correct password and unzip files. If there's a cdd file, unzip that one too. And since it's that simple, I will use AutoPlay Media Studio as a target for a separate blogpost explaining how to write a static unpacker from scratch. 🙂

Since there are several options how you can distribute files built by AutoPlay Media Studio, here's a quick reference:

  1. you have just a single application.exe;
  2. Such files can be generated using "Publish -> Web/Email executable" feature in AutoPlay Media Studio. Example file would be CardRecovery v
    6.10 Build 1210 AIO Installer -nelly-.exe

    Drop the exe file on unpacker, it will unpack everything automatically. Then check the appropriate folder for extracted data files and _proj.dat for the installation script.

  3. you have a folder with application.exe and application.cdd in a subfolder AutoPlay;
  4. These files are created using "Publish -> Hard drive folder" in AutoPlay Media Studio. An example file can be, for example, Russian software (malware?) claiming to be a Photoshop installer.

    There is not much to unpack, as data files are in plain sight in folder AutoPlay and subfolders. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.

  5. you have application.exe and application.cdd files in the same folder;
  6. This happens when "Rename resource files" feature is enabled in AutoPlay Media Studio. It's one of those features that add fake security to the product:

    This option is designed to obscure the filenames of your resource files during publishing.

    This is a case of Users Sniffer. Similar to previous case, there's not much to unpack. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.

Advanced use cases

But sometimes things are not that easy. So, here are few possible scenarios how to deal with modified AutoPlay Studio:

  1. application.exe is packed and there is application.cdd file present.
  2. This is a case of official AMS studio challenge that Xiaopang mentioned on the blog. Good news - you don't need to be an unpacking wizard and properly unpack PCGuard to break their protection. It's enough to run the EXE in VMWare, dump process memory and drop dumped exe on my tool. As long as PE header and section table is correct, it should be fine.

    Step-by-step:
    1) Run and dump:
    challenge1
    2) When saving dump, keep the original filename. Otherwise my unpacker won't be able to find cdd file:
    challenge2
    3) Process dump with unpacker:
    challenge3

  3. application.exe is packed and there is no cdd file.
  4. This is the case of Reverzor. First you would need to unpack Enigma Virtual Box - for that you can use my other unpacker.. 😉 Now you have both exe and cdd files but exe file is still packed with ASPack. Again, you don't need to unpack ASPack properly, just run & dump process memory. Then process dumped exe with my unpacker.

  5. application.exe is hacked and the cdd file is renamed to something else;
  6. This is a case of Idler. Author hacked AutoPlay engine and replaced file extension cdd with dll.
    idler
    There is no way for my unpacker to cover all such scenarios automatically, sorry. Just rename idler.dll to idler.cdd and drop idler.exe on unpacker.

Conclusion

This was a small weekend project for me. If it also helps you in some adventures, I'm happy. If it doesn't help you at all, I don't care. 🙂

Download the unpacker from:


Note - due to technical reasons it's compiled against .NET 3.5, if you wish to run it on computer with only .NET 4.0 installed, create amsunpacker.exe.config with the following lines:


<?xml version="1.0"?>
<configuration>
 <startup>
  <supportedRuntime version="v4.0"/>
 </startup>
</configuration>


And stay tuned for the upcoming post, where I'll explain how to write such unpacker from scratch!

80 thoughts on “Static unpacker for AutoPlay Media Studio files

    1. I already posted response on BS forums a month ago, here's a recap:

      Judging on previous projects by the same guy, it is a complete and utter crap.

      Reverzor client doesn't do anything useful, just packs the files and sends them to the server. On server most likely they run Uniextract, Sothink SWF Decompiler, ILSpy, some Java decompiler and other freely available stuff, get the results, pack them and send the DL URL back to client.

  1. One word ... SWEET! You did it again! Great!
    Thanks for sharing your valuable work.

    Best Regards,
    Tony

  2. I couldn't realize how to pack unpacked files to cdd file back? I try it with Winrar to zip archive use password from information at Unpacker[i] "Using password -******************" but after run .exe file I receive massage:"failed to extract project file to memory" Please help

    1. It's an unpacker, it's designed only to extract files, not to add them back. 🙂

      Most likely your problem is caused by password containing non-printable characters. Winrar encodes those characters differently than AutoPlay Media Studio.

      I would try to add file without any password. I am guessing that it should work but haven't tested it myself.

      If you still have some questions, please upload your software to mega.nz or mediafire.com, so that I can take a look at it.

  3. Kao, you are absolutely right: it work without any password! it was my mistake to find and use password to get archive! Thanks a lot!

    1. Any tool can be broken with enough determination. 🙂 Congrats!

      Since you didn't show how your learn.exe works, nobody can replicate your work. I'll update the unpacker if/when such modified files appear in the real life.

  4. Bro dump process the operation could not be completed .
    Access is denied .error
    In auto play media studio exe file

    1. Please upload the problematic file to mega.co.nz or mediafire.com and I will take a look at it.

      I can't help you without seeing the file first.

    1. Next time, please read the unpacker messages carefully. 🙂 Also, if you read "Advanced" part of the article, it explains exactly how to solve such problems.

      Autorun is packed
      File autorun.exe inside your DR-Backup.exe is packed and therefore my unpacker cannot process it automatically.

      This is how you can solve the problem:
      1) Try to unpack your DR-Backup.exe. My unpacker will extract most files and then complain about password.
      2) Go to the folder with unpacked files and find autorun.exe and autorun.cdd. Copy them to another folder.
      3) Unpack autorun.exe. It's packed with UPX, so unpacking is really simple. Google for tutorials, if you need them.
      4) Now you should have unpacked autorun.exe and autorun.cdd in the same folder. Use my unpacker on autorun.exe, it will work just fine.

      See the screenshot:
      After unpacking autorun

  5. {hidden link}
    Bro dump process the operation could not be completed .
    Access is denied .error
    In auto play media studio exe file not dump
    (pe explorer) an other cracker software
    plez help me

    1. Please read "Advanced" part of the article, it explains exactly how to solve such problems.

      Step 1 - unpack aio.exe. It's packed with PECompact. Google for unpack solutions, there are plenty of those.
      Step 2 - rename aio.dll to aio.cdd.
      Step 3 - run my unpacker, it will extract _fonts.dat, _proj.dat and _detect.dat.
      Done!

  6. Brother you've given us the material before we have been using a file to crack but this file is not cracking at all and any software

  7. how to unpack PECompact
    google pe unpacker not work
    or youtube video not work
    AIO.exe file
    Plez Unpacker software link

    1. Again - please read the blog post! 🙂

      "Advanced use cases" shows step-by-step how to use PETools to dump process. That is all you need.

    1. You did not unpack PECompact correctly. Either use automatic PECompact unpacker, find a Youtube video explaining how to unpack PECompact using x64dbg, or just run EXE and dump process memory as explained in my post section "Advanced use cases".

      Once PECompact is removed, my tool will work OK:
      end result

  8. How can I edit the project within autoplay media studio, perhaps renaming the _proj.dat to proj.autoplay or something like that?

    1. I'm sorry, it's not that simple as renaming something. 🙂

      It would require writing a tool that converts _proj.dat back to a proper AMS project - but I don't have time or interest to work on such tool.

    1. Hi Salam22, here are your unpacked files: https://mega.nz/file/ckoxmALK#STU3zCz5VG-3O5yxmhhBXUK_9ZageOWuobbMiwZIBB0

      There are several challenges in unpacking. Solutions to those challenges are already covered in my article, so I'll just post a list here:
      1) someone used hexeditor and changed string "pid" to "ped" in 3 places. That's why my unpacker cannot find the correct password;
      2) autorun.exe is packed using PECompact. There are lots of tools that can unpack it.
      3) there is a fake autorun.cdd. The real project file is called autorun.eex.

  9. bro more help this file are packed {hidden link} but (peid) (RDGpacker) (exeinfo) show Detector The Enigma Protector [ Fake sign : Delphi ]
    {hidden link}
    plz help

    1. It has nothing to do with my unpacker. You simply need to unpack Enigma Protector and extract the files from it. There are both scripts for OllyDbg and tools like Virtual File System Editor that can help you.

      You should get IRAMS852cdd2dllPATCH.dll and IRAMS852cdd2dllPATCH.exe and the entire folder AutoPlay.

      If you really want, you can rename IRAMS852cdd2dllPATCH.dll to IRAMS852cdd2dllPATCH.cdd and then my unpacker will work.

  10. A demonstration of how to protect Lua source code, sorry the video got too long.
    Example
    {hidden link}
    {hidden link}

    1. Please read the article, especially the part about special cases. Your case is case #3 - "application.exe is hacked and the cdd file is renamed to something else;"

      1) Find file Bin\Data\PackAdvanced. It is hidden, so you will need to change Windows Explorer settings to show hidden files.
      2) Copy this file and put it next to PackAdvancedPlus.exe
      3) Remove hidden, read-only and system attributes from the file.
      4) Rename the file to PackAdvancedPlus.cdd
      5) Run my unpacker and see that it works just fine.

  11. Thank you bro thank you but all code is dll file lua to luac convert decrepit id not found my first message 21-5-11 Time 16:59 check out

    1. Yes, but that problem is not related to my unpacker. It is a custom protection, and I will look when I have more free time.

    1. It's quite an interesting problem and I think I have found a solution. Please give me a few days to write an article about it.

    1. Please remember that I make these tools and write these articles in my free time. And I just don't have enough free time at the moment.

  12. Hello brother. Need your help .. How edit the project within autoplay media studio and repack the file

    1. My tool only unpacks files. It doesn't decompile _proj.dat back to Autoplay Media Studio project file.

      As far as I know, there is no public tool which would help you with that.

  13. Help plz virtual.file.system.editor by extreme coder run eject remote.dll but how to extract target file like enigma protector

  14. my question is
    how to unpacke this exe protection
    this protection totally without normal cdd file?

Leave a Reply

  • Be nice to me and everyone else.
  • If you are reporting a problem in my tool, please upload the file which causes the problem.
    I can`t help you without seeing the file.
  • Links in comments are visible only to me. Other visitors cannot see them.

 −  two  =  6