Posted by: Kai_LeRai | February 8, 2012

Security of Autoplay Media Studio

Originally designed as an autorun menu creator, Autoplay Media Studio allows for simple and quick program creation by using the powerful Lua-language in combination with its own proprietary code to make the whole endeavor more beginner friendly. However, unlike higher programming languages, script languages usually aren’t compiled and thus are easy targets for code thieves or hackers. Some users of AMS also earn money with the software they create, even though I have a hard time believing that the limited complexity the IDE allows would net much profit. In this case copyprotection becomes an additional factor.

Indigorose’s Security Policy

With code in script form, security features aren’t of much use unless you’re dealing with computer-illiterate users. So securing the own source code has always been an issue for AMS-users, yet Indigorose, the company behind the software, isn’t really helpful when it comes to that subject. On the contrary, it seems that talking about the ease of compromising their application isn’t exactly wanted at their forums. This is a silly attitude, since the exploits are kind of obvious to the run in the mill hacker. So knowing the weaknesses is the only way to prepare for the end users (aka the “developers”) and Indigorose themselves for future updates. It seems that the company has resignated by accepting the idea that their software is easily penetrable and that users are left alone to secure their software.

Forum censorship on security issues
A while ago a thread contained a sample project by one of the Indigorose staff members to showcase how an AMS-project might be secured. It contained an encrypted and compressed AMS 7.5 executable with a personalized password. Now, the sample was posted in order to let people have a go at it. It took me less than 5 minutes to get the password and hack the source code – and the best thing about it: I did it without using any 3rd party tools. Everything you need to gain access to the source code comes with windows.

You can download the sample project here. The archive contains the originally protected project along with my cracked version.

Hacked AMS 7.5 executable, protected with PCGuard

Anyway, I posted the password to the cdd-file in the thread, only to see the post removed shortly after by an admin. The challenge to crack the sample wasn’t removed however, making it look like the whole thing was uncrackable. For a customer who trusts Indigorose with such a claim this is blatant “truth enhancement”. By now the whole thread has been removed however. Probably, since the newer AMS 8 was released with new security features.

Security features of AMS
AMS stores the source code among a few other files in a cdd-container, which is nothing more than a renamed and password-protected zip. With every major AMS version the password length was increased. From AMS 7 to 8 the password length was even doubled and the character variety maximized to all possible hexadecimal values. While AMS 7 projects all use the same password, AMS 8 projects use different passwords which are generated upon exporting the project. Thinking this would be noteworthy, Indigorose isn’t exactly shy to promote this feature as a valuable security option to secure your content:

“NEW! Rolling Code Data Security
AutoPlay Media Studio 8 adds another layer of protection to your applications and scripts. A unique random encryption code is now generated every time you build your project, making “hacking” of your applications much more difficult. As we all know, anyone determined enough can break any protection system given enough time and resources, but the use of rolling codes renders generic attacks ineffective. You can now sleep a little easier!”

Now, don’t be fooled by that fancy schmancy advertisement-tech-talk. Without wanting to go into detail, I can assure you that the same method that allowed me to hack and crack the AMS 7 sample, can be applied to AMS 8 projects. In fact, I created my own cdd-extractor which not just allows me to get the content of any AMS 7 and 8 project, but also to reset or change the password. Here’s a screenshot of one of my earlier versions:

My allround cdd manipulation tool for AMS 7 and 8 in action

It’s actually written with AMS to create that special sort of irony and no, it can’t be used to compromise itself. I know how to protect my projects. And no, I won’t release it, so don’t bother asking. Indigorose doesn’t seem to have the slightest idea of how to employ modern security measures to protect content from being compromised. Strange…many applications just manage to do that, namely games…

Ways of securing your project
Actually, I’m not going to tell you how to do that. I’m having way to much fun to mess with other people’s code. However, I’ll give you some leads what not to do:

Save yourself the money to encrypt executables with Molebox, PCguard or whatnot. The key lies not in the executable (in fact it does, but it isn’t needed). I didn’t decrypt the executable to crack the above sample. It’s way easier if you just have a clue what to do. Let’s be honest: if there’s someone who knows how to get the password from the executable, he’ll most likely also be able to get it through other means, since this already requires 2 more additional braincells than the average user has.

Don’t hype yourself up. No real developer uses AMS to actually develop a commercial product of moderate complexity that is being updated and supported over a longer period of time. There are people who do sell their AMS-based tools, but those are few and far in between the already few AMS-users. Also, I have yet to see a warez group crack and release an AMS-app. None of these guys give a shit about your app, so stop acting like people are crazy to steal your proprietary code that can’t be used with any other software.

Don’t cling to AMS. If you’re a noob, use it as a stepping stone to learn a real programming language. All the effort the few paranoid people undertake could very well go into learning how to use other great IDEs like Visual Basic, Lazarus or Visual C. This also ends the whole source stealing debate. Anyway, I’m not holding my breath for the next big security innovation of AMS 9. After 8 major version releases and 15 years in the market, Indigorose’s attempts at securing their software still equal those of early 90’s indie-games companies. They clearly showcased that they don’t employ any talents in the security department, so don’t keep your hopes up.

Once in a lifetime offer
Lost your source code? Need to update that project file just one last time? Or just want to see how others did what you can’t do? Contact me either in the comments or in my forum and I’ll help you out…for a price. No questions asked, no moral preaching, just send me the project and I’ll extract or update it for you. If you’re still crazy for securing your project, then I can also do that, so that even I won’t be able to hack or crack it.


%d bloggers like this: