Jump to content
Tuts 4 You
  • 0
freddy

[DevirtualizeMe] ArmDot

Question

freddy

Language : . NET
Platform : Windows
OS Version : Windows 7
Packer / Protector ArmDot

Description :

Devirtulize the Armdot virtualized code (I used virtualized option + encrypted strings).

Screenshot :

2019_05.04-04_09_39.png.2b3e14a257fc0af397fa4851bf660935.png

UnpackMe.protected.exe

Share this post


Link to post

3 answers to this question

Recommended Posts

  • 1
cawk

Here is the code without strings decrypted more to show that i havent just remade the method from scratch but have actually devirtualised the file

obfuscator is not that good in all honesty once you get your head around everything in one method its just like any other vm

private void button1_Click(object sender, EventArgs e)
{
	int num = 0;
	if (num != 0)
	{
		object obj;
		char[] value = obj = new char[16];
		obj[0] = (2049885642 ^ 2049885579);
		obj[1] = (721969625 ^ 721969580);
		obj[2] = (1722827470 ^ 1722827450);
		obj[3] = (675984423 ^ 675984463);
		obj[4] = (1647779473 ^ 1647779505);
		obj[5] = (1793770717 ^ 1793770638);
		obj[6] = (640259843 ^ 640259958);
		obj[7] = (959731082 ^ 959731177);
		obj[8] = (1744869780 ^ 1744869879);
		obj[9] = (237600744 ^ 237600653);
		obj[10] = (492056264 ^ 492056251);
		obj[11] = (327956409 ^ 327956426);
		obj[12] = (688741927 ^ 688741953);
		obj[13] = (658212064 ^ 658211989);
		obj[14] = (454212694 ^ 454212666);
		obj[15] = (28756323 ^ 28756290);
		MessageBox.Show(new string(value));
	}
	else
	{
		object obj;
		char[] value2 = obj = new char[10];
		obj[0] = (1435200779 ^ 1435200842);
		obj[1] = (853162666 ^ 853162719);
		obj[2] = (2119875586 ^ 2119875702);
		obj[3] = (712244489 ^ 712244577);
		obj[4] = (1541140050 ^ 1541140082);
		obj[5] = (2107783153 ^ 2107783095);
		obj[6] = (1703953462 ^ 1703953495);
		obj[7] = (1864360465 ^ 1864360568);
		obj[8] = (2035746888 ^ 2035746852);
		obj[9] = (620298057 ^ 620298088);
		MessageBox.Show(new string(value2));
	}
}

 

  • Like 3

Share this post


Link to post
  • 0
cawk

And here is the fully deobfuscated file with strings decrypted 

i havent ran through de4dot since this will simplify your button click method to one messagebox.show

 

Unpacked.exe

  • Like 2
  • Thanks 1

Share this post


Link to post
  • 0
freddy

Bravo champion!

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...