31 Dec 2021

Update of unpackers

Enigma Virtual Box unpacker

There are plenty of changes.

  • Properly detect versions 9.50..9.90
  • Unpacks files packed with 9.80 and 9.90
  • Added command-line parameter "/nodiskspace", as requested by some users. If it crashes during unpacking because it ran out of disk space, it's your problem.
  • Unpacker properly handles invalid input filename

Molebox 2.x unpacker

  • Support more versions of very old Molebox
  • Unpacking files with digital signatures should be improved
  • Some rare bugs have been fixed

Autoplay Media Studio unpacker

  • Added support for AMS version 8.5.3.0.
  • Support for Imagine MemoryEx encrypted files, as requested by someone.

What is MemoryEx?

MemoryEx is a plugin released by Imagine Programming, allowing for more advanced operations from within the Lua environment you will find in Autoplay Media Studio 8.

While it's not a very common plugin, there are several niche programs which use this plugin. For example, most programs from dindroid.com use it.

When you unpack such a file, please pay attention to the "Found protected file" messages:

As you can see, the unpacker created some .luac files.

Next, you will need to find a Lua decompiler and decompile these files. I suggest you try unluac, luadec or whichever Lua decompiler you prefer.
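A static check to run before picking a decompiler, as an added example (not part of the original post or of the unpacker): it reads the header of an extracted .luac file and reports the Lua version and build parameters that the decompiler has to match. The 12-byte layout parsed here is the standard Lua 5.1/5.2 chunk header; the function name and the sample bytes are constructed for illustration.

```python
import sys

LUA_SIGNATURE = b"\x1bLua"  # ESC 'L' 'u' 'a' starts every precompiled chunk

# Constructed sample: header as a stock 32-bit little-endian Lua 5.1 build writes it.
SAMPLE_51 = bytes([0x1B, 0x4C, 0x75, 0x61, 0x51, 0x00, 0x01, 0x04, 0x04, 0x04, 0x08, 0x00])


def parse_luac_header(data: bytes) -> dict:
    """Read a precompiled Lua chunk header; the chunk is never loaded or run."""
    if data[:4] != LUA_SIGNATURE:
        raise ValueError("no \\x1bLua signature: not a Lua chunk, or still encrypted")
    if len(data) < 6:
        raise ValueError("truncated header")
    version, fmt = data[4], data[5]
    info = {"version": f"{version >> 4}.{version & 0x0F}", "format": fmt, "notes": []}
    if fmt != 0:
        info["notes"].append("non-official format byte")
    if version not in (0x51, 0x52):
        info["notes"].append("header layout not parsed for this version")
        return info
    if len(data) < 12:
        raise ValueError("truncated Lua 5.1/5.2 header")
    # Byte order flag, then the C type sizes of the build that compiled the chunk.
    endian, int_sz, size_t_sz, instr_sz, num_sz, integral = data[6:12]
    info.update(
        little_endian=(endian == 1),
        sizeof_int=int_sz,
        sizeof_size_t=size_t_sz,
        sizeof_instruction=instr_sz,
        sizeof_number=num_sz,
        integral_numbers=bool(integral),
    )
    if instr_sz != 4:
        info["notes"].append("instruction size is not 4: non-standard Lua build")
    return info


if __name__ == "__main__":
    # Usage: python luac_header.py extracted1.luac extracted2.luac ...
    if len(sys.argv) == 1:
        print("constructed sample:", parse_luac_header(SAMPLE_51))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(12)
        try:
            print(path, parse_luac_header(head))
        except ValueError as err:
            print(path, "skipped:", err)
```

A file that fails the signature check is worth a second look before it goes to a decompiler, since it is either not Lua bytecode or was not fully decrypted.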

The decompiler should produce a .lua file which contains all the interesting stuff. For example, part of G-Nerator code looks like this:

That's all folks, have fun using it!

As always - if you notice any bugs, please report them. And most importantly - Happy New Year everybody!

19 thoughts on “Update of unpackers”

  1. Hello, I want to unpack an .exe file but none of these unpackers worked, what's the solution for my problem?
    The file in question is this:
    {hidden link}

    • Hi,
      your file is packed first with Molebox 2.x and then Enigma Protector. There is no automatic unpacker for Enigma Protector.

      If you manually unpack Enigma Protector, then my unpacker will be able to unpack Molebox and extract all the files.

      Easier solution would be to use Virtual File System Editor by Extreme Coders. It will unpack all embedded files but not the main executable.

      • Hello kao, just want to ask about Virtual file System Editor - By Extreme coders. Is it the same method in your unpacker?

        • No, they are totally different.

          Virtual File System Editor needs you to run the file and then extracts data files from process memory. Benefits - it can handle unknown protections or combinations of packers. Drawbacks - it can't unpack main file and it's not safe to use on malicious files.

          All my unpackers are static - they never run the file. So, they are safer to use but can only extract files from known protections. They can also extract main file and bundled registry keys.

  2. Great, after upgrading the latest version of enigma 0.59, the exe that could not be unpacked before can finally be unpacked, I hope it gets better and better!

  3. Hey Kao! Nice to see you still updating Enigma VB Unpacker, I got a file which DIE said it's Enigma VB, but can't unpack it with your tools.. do you think it's a different protector? If you could tell me a way to get it I would be so glad, thanks.

    Here is the file: {hidden link}

      • As it happens quite often, DIE is wrong. :) Your file is protected with Themida.

        EDIT: possibly Themida in combination with Enigma Protector. In either case, it's not Enigma VirtualBox.

          • As far as I know, there are no automatic tools or scripts for x64 Themida and Enigma. You would have to make your own.

            I don't have such tools either, so there is not much I can help you with.

  4. Plus, the file is .NET (csharp), so.. we don't need to use any script at all, don't we? Just trying to dump it.

  5. Nice work on these tools. I think this is the first LH tool I've seen.
    Just a remark; you forgot to unpack the assemblies in the LH file.

    • Hi,
      it's rare to see a protection author visit my blog. Welcome! :)

      I did not unpack embedded assemblies because I was unaware of such feature. I'll happily update the unpacker - just need to find some example file first..

      • Hi :) MemoryEx can load LH modules compiled with IMXLH, they are designed for modularity and less about protection. The "protection" is more obfuscation and a bonus, but the intended purpose was deploying modules of code that include a lot of MemoryEx features (FFI, OS interfacing, structure definitions etc).

        I also do occasional malware/sample analysis and for that purpose I also wrote an unpacker that unpacks AMS8 binaries back to .autoplay project files, therefore I am interested in such tooling. I'm currently also in the process of writing a vastly featured lua disassembler (luadis) that can output information about compiled Lua chunks with some static analysis.

        I'm obviously not going to give away the exact format of LH files, however an LH module consists of a Lua chunk (which you have found), none or many assembled pieces of machine code (x86, relocatable) and a verification section that prevents the default MemoryEx build from loading a file in certain situations. You can generate samples yourself if you install the free version of IMXLH, here's some source code of LH modules with machine code routines: {hidden link}

        It would be cool if you'd pitch me an email if you have a version that works on the assemblies too.

  6. Seems like EVBunpacker unable to extract new images from the game credited by RPG MZ. Just like

    %\www\img\pictures\1アイリン普通3.png failed, probably corrupted executable!
    [+] File "C:\Users\Justi\Desktop\テイルver0.6\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png", size=0x6D8C
    [x] Extraction of file
    C:\Users\Justi\Desktop\テイルver0.6\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png` failed, probably corrupted executable!

    This pack is related to RPG MZ and image formats that could include encrypted formats like ".rpgmvp" ".png_" or just simple ".png"
    I'm frustrated and I don't know why .png can't be extracted. Maybe the actual format of those images is ".png_" and the "_" is undetectable in common extractors. None of the images in this game pack could be extracted.

    Here is the link of the game
    {hidden link}

    • Hi CHANS,
      it's working fine for me, no errors:
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通.png", size=0x6C57
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通2.png", size=0x6C5C
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通3.png", size=0x6DBC
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png", size=0x6D8C
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ2.png", size=0x6D0A
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ笑.png", size=0x6BF7

      I'd still love to fix the issue if possible.

      Could you please try this test version of unpacker and tell me what error message you get?
      I would expect something like these:

      [x] ForceDirectories F:\%DEFAULT FOLDER%\ failed!

      or

      [x] Problem on line 3, message Cannot create file "F:\%DEFAULT FOLDER%\notification_helper.exe". Access is denied

      Once we know why it's failing for you, I'll try to figure out the proper fix.

      • I found that errors only occur in extracting on desktop but work fine on D: and E:

        When extracting the game on desktop:
        [x] Problem on line 3, message Cannot create file "C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ハニービー.png". Access Denial.
        [x] Extraction of file C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ハニービー.png failed, probably corrupted executable!
        [+] File "C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ヒュプノ.png", size=0x51E9
