[DevirtualizeMe] ArmDot

[freddy]

Language : . NET
Platform : Windows
OS Version : Windows 7
Packer / Protector : ArmDot

Description :

Devirtulize the Armdot virtualized code (I used virtualized option + encrypted strings).

Screenshot :

UnpackMe.protected.exe

[cawk]

Here is the code without strings decrypted more to show that i havent just remade the method from scratch but have actually devirtualised the file

obfuscator is not that good in all honesty once you get your head around everything in one method its just like any other vm

private void button1_Click(object sender, EventArgs e)
{
	int num = 0;
	if (num != 0)
	{
		object obj;
		char[] value = obj = new char[16];
		obj[0] = (2049885642 ^ 2049885579);
		obj[1] = (721969625 ^ 721969580);
		obj[2] = (1722827470 ^ 1722827450);
		obj[3] = (675984423 ^ 675984463);
		obj[4] = (1647779473 ^ 1647779505);
		obj[5] = (1793770717 ^ 1793770638);
		obj[6] = (640259843 ^ 640259958);
		obj[7] = (959731082 ^ 959731177);
		obj[8] = (1744869780 ^ 1744869879);
		obj[9] = (237600744 ^ 237600653);
		obj[10] = (492056264 ^ 492056251);
		obj[11] = (327956409 ^ 327956426);
		obj[12] = (688741927 ^ 688741953);
		obj[13] = (658212064 ^ 658211989);
		obj[14] = (454212694 ^ 454212666);
		obj[15] = (28756323 ^ 28756290);
		MessageBox.Show(new string(value));
	}
	else
	{
		object obj;
		char[] value2 = obj = new char[10];
		obj[0] = (1435200779 ^ 1435200842);
		obj[1] = (853162666 ^ 853162719);
		obj[2] = (2119875586 ^ 2119875702);
		obj[3] = (712244489 ^ 712244577);
		obj[4] = (1541140050 ^ 1541140082);
		obj[5] = (2107783153 ^ 2107783095);
		obj[6] = (1703953462 ^ 1703953495);
		obj[7] = (1864360465 ^ 1864360568);
		obj[8] = (2035746888 ^ 2035746852);
		obj[9] = (620298057 ^ 620298088);
		MessageBox.Show(new string(value2));
	}
}

 

[cawk]

And here is the fully deobfuscated file with strings decrypted 

i havent ran through de4dot since this will simplify your button click method to one messagebox.show

 

Unpacked.exe

[freddy]

Bravo champion!