How security plugins for Autoplay Media Studio fail, pt.2

kao

Few weeks ago I wrote an article about misunderstood security in Autoplay Media Studio plugins. Two days later, author of DCrypto plugin released an updated version of the plugin. And just recently, he started to sell his plugin by making some pretty bold claims:

I present to you DCrypto with an advanced encryption that allows you to obfuscate your LUA 1.5 code in 256 Bit encryption with one of the best encryptions on the market, in addition to optimizing your source code, it will be protected with super protection.

Let's see how super this protection really is! 🙂
Read More

How security plugins for Autoplay Media Studio fail

kao

Every once in a while I encounter a strange anti-reverse engineering protection. Protection authors are so focused on improving one specific aspect of the protection that completely overlook other, much easier ways how the system can be defeated.

Their logic is like this - someone stole my code, I better protect it. I've heard that cryptography is good, so I'll use that. Oh no, someone stole my code again! Let me add another layer of encryption over it! Few days/weeks/months later - Those bloody hackers won't stop! Let me protect my encryption code with another encryption!

Facepalm.

What the authors should do instead is stop and think. What do I want to protect? Against whom? For how long? What kind of loss is acceptable to me?

Read More

Update of unpackers

kao

Enigma Virtual Box unpacker

There are plenty of changes.

  • Properly detect versions 9.50..9.90
  • Unpacks files packed with 9.80 and 9.90
  • Added command-line parameter "/nodiskspace", as requested by some users. If it crashes during unpacking because it ran out of disk space, it's your problem.
  • Unpacker properly handles invalid input filename

Molebox 2.x unpacker

  • Support more versions of very old Molebox
  • Unpacking files with digital signatures should be improved
  • Some rare bugs have been fixed

Autoplay Media Studio unpacker

  • Added support for AMS version 8.5.3.0.
  • Support for Imagine MemoryEx encrypted files, as requested by someone.

What is MemoryEx?

MemoryEx is a plugin released by Imagine Programming, allowing for more advanced operations from within the Lua environment you will find in Autoplay Media Studio 8.

While it's not a very common plugin, there are several niche programs which use this plugin. For example, most programs from dindroid.com use it.

When you unpack such file, please pay attention to the "Found protected file" messages:

As you can see, unpacker created some .luac files.

Next, you will need to find a LUA decompiler and decompile these files. I suggest you try unluac, luadec or whichever LUA decompiler you prefer.

Decompiler should produce .lua file which contains all the interesting stuff. For example, part of G-Nerator code looks like this:

return {
  info = {
    name = "Anderson M Santos",
    author = "dindroid.com",
    contact = "andersonnsantos36@gmail.com"
  },
  functions = {
    Install = function()
      function Stile_Sonbre_P()
        sHandl = Application.GetWndHandle()
        DLL.CallFunction(_SystemFolder .. "\\User32.dll", "SetClassLongA", sHandl .. ",-26," .. 131072, DLL_RETURN_TYPE_LONG, DLL_CALL_STDCALL)
        if Label.GetText("local") == "C:\\" then
          Label.SetText("local", _ProgramFilesFolder .. "\\Dindroid")
        end
        Image.Load("imico", _TempFolder .. "\\icon.tmp")
        Image.Load("imc", _TempFolder .. "\\bts_01.tmp")
      end
      function Install()
        Folder.Create(_ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator")
        File.Copy(_SourceFolder .. "\\Install\\*.*", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator", true, true, false, true, nil)
        sP = System.EnumerateProcesses()
        for j, file_path in pairs(sP) do
          file = String.SplitPath(file_path)
          if file.Filename .. file.Extension == "GNerator.exe" then
            File.Copy(file_path, _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\")
          end
        end
        Shell.CreateShortcut(String.Replace(_WindowsFolder, "Windows", "") .. "\\Users\\Public\\Desktop", "G-Nerator", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\GN.exe", "", "", _ProgramFilesFolder .. "\\Dindroid\\G-Nerator\\GN.exe", 0, SW_SHOWNORMAL, nil, "")
....

That's all folks, have fun using it!

As always - if you notice any bugs, please report them. And most importantly - Happy New Year everybody! 🙂

Static unpacker for AutoPlay Media Studio files

kao

tl;dr version - it unpacks stuff. Feel free to leech and reupload. Report bugs here.

Unpacker for AutoPlay Media Studio

Introduction

It all started with a topic on BlackStorm forums where whoknows posted a link to Reverzor - The first cloud based software that decompiles everything!.

Wow, a magic tool that does everything! Sounds too good to be true.. 🙂 Soon enough, li0n posted a link to the trial executable and I started looking into it. I quickly found out that it's written in AutoPlay Media Studio, and that there is no working unpacker for that.

I should fix that - and have some fun in process!

Existing tools and research

First, I found a great blogpost by Xiaopang - I wholeheartedly recommend that you read it.

And then there's a AmsDec.exe by mohsen.
amsdec
Unfortunately, it only works for some files (supposedly - v8.1, v8.2) and shows weird messages in Persian language. And it's not really a decompiler, it just extracts _proj.dat file from the cdd file. And, of course, it didn't work for Reverzor.

How AutoPlay Media Studio works

So, let's see what we need to do to unpack it all properly. As the authors of AutoPlay Media Studio wrote in changelog:

As we all know, anyone determined enough can break any protection system given enough time and resources, but the use of rolling codes renders generic attacks ineffective. You can now sleep a little easier!

Right... They are using ZIP files protected with randomly generated passwords and obviously have no clue how generic attacks work..

Unpacker needs to analyze EXE file, generate correct password and unzip files. If there's a cdd file, unzip that one too. And since it's that simple, I will use AutoPlay Media Studio as a target for a separate blogpost explaining how to write a static unpacker from scratch. 🙂

Since there are several options how you can distribute files built by AutoPlay Media Studio, here's a quick reference:

  1. you have just a single application.exe;
  2. Such files can be generated using "Publish -> Web/Email executable" feature in AutoPlay Media Studio. Example file would be CardRecovery v
    6.10 Build 1210 AIO Installer -nelly-.exe

    Drop the exe file on unpacker, it will unpack everything automatically. Then check the appropriate folder for extracted data files and _proj.dat for the installation script.

  3. you have a folder with application.exe and application.cdd in a subfolder AutoPlay;
  4. These files are created using "Publish -> Hard drive folder" in AutoPlay Media Studio. An example file can be, for example, Russian software (malware?) claiming to be a Photoshop installer.

    There is not much to unpack, as data files are in plain sight in folder AutoPlay and subfolders. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.

  5. you have application.exe and application.cdd files in the same folder;
  6. This happens when "Rename resource files" feature is enabled in AutoPlay Media Studio. It's one of those features that add fake security to the product:

    This option is designed to obscure the filenames of your resource files during publishing.

    This is a case of Users Sniffer. Similar to previous case, there's not much to unpack. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.

Advanced use cases

But sometimes things are not that easy. So, here are few possible scenarios how to deal with modified AutoPlay Studio:

  1. application.exe is packed and there is application.cdd file present.
  2. This is a case of official AMS studio challenge that Xiaopang mentioned on the blog. Good news - you don't need to be an unpacking wizard and properly unpack PCGuard to break their protection. It's enough to run the EXE in VMWare, dump process memory and drop dumped exe on my tool. As long as PE header and section table is correct, it should be fine.

    Step-by-step:
    1) Run and dump:
    challenge1
    2) When saving dump, keep the original filename. Otherwise my unpacker won't be able to find cdd file:
    challenge2
    3) Process dump with unpacker:
    challenge3

  3. application.exe is packed and there is no cdd file.
  4. This is the case of Reverzor. First you would need to unpack Enigma Virtual Box - for that you can use my other unpacker.. 😉 Now you have both exe and cdd files but exe file is still packed with ASPack. Again, you don't need to unpack ASPack properly, just run & dump process memory. Then process dumped exe with my unpacker.

  5. application.exe is hacked and the cdd file is renamed to something else;
  6. This is a case of Idler. Author hacked AutoPlay engine and replaced file extension cdd with dll.
    idler
    There is no way for my unpacker to cover all such scenarios automatically, sorry. Just rename idler.dll to idler.cdd and drop idler.exe on unpacker.

Conclusion

This was a small weekend project for me. If it also helps you in some adventures, I'm happy. If it doesn't help you at all, I don't care. 🙂

Download the unpacker from:


Note - due to technical reasons it's compiled against .NET 3.5, if you wish to run it on computer with only .NET 4.0 installed, create amsunpacker.exe.config with the following lines:


<?xml version="1.0"?>
<configuration>
 <startup>
  <supportedRuntime version="v4.0"/>
 </startup>
</configuration>


And stay tuned for the upcoming post, where I'll explain how to write such unpacker from scratch!