Jump to content
Tuts 4 You

[DevirtualizeMe] ArmDot


freddy

Recommended Posts

Language : . NET
Platform : Windows
OS Version : Windows 7
Packer / Protector ArmDot

Description :

Devirtulize the Armdot virtualized code (I used virtualized option + encrypted strings).

Screenshot :

2019_05.04-04_09_39.png.2b3e14a257fc0af397fa4851bf660935.png

UnpackMe.protected.exe

Link to comment
Share on other sites

Here is the code without strings decrypted more to show that i havent just remade the method from scratch but have actually devirtualised the file

obfuscator is not that good in all honesty once you get your head around everything in one method its just like any other vm

private void button1_Click(object sender, EventArgs e)
{
	int num = 0;
	if (num != 0)
	{
		object obj;
		char[] value = obj = new char[16];
		obj[0] = (2049885642 ^ 2049885579);
		obj[1] = (721969625 ^ 721969580);
		obj[2] = (1722827470 ^ 1722827450);
		obj[3] = (675984423 ^ 675984463);
		obj[4] = (1647779473 ^ 1647779505);
		obj[5] = (1793770717 ^ 1793770638);
		obj[6] = (640259843 ^ 640259958);
		obj[7] = (959731082 ^ 959731177);
		obj[8] = (1744869780 ^ 1744869879);
		obj[9] = (237600744 ^ 237600653);
		obj[10] = (492056264 ^ 492056251);
		obj[11] = (327956409 ^ 327956426);
		obj[12] = (688741927 ^ 688741953);
		obj[13] = (658212064 ^ 658211989);
		obj[14] = (454212694 ^ 454212666);
		obj[15] = (28756323 ^ 28756290);
		MessageBox.Show(new string(value));
	}
	else
	{
		object obj;
		char[] value2 = obj = new char[10];
		obj[0] = (1435200779 ^ 1435200842);
		obj[1] = (853162666 ^ 853162719);
		obj[2] = (2119875586 ^ 2119875702);
		obj[3] = (712244489 ^ 712244577);
		obj[4] = (1541140050 ^ 1541140082);
		obj[5] = (2107783153 ^ 2107783095);
		obj[6] = (1703953462 ^ 1703953495);
		obj[7] = (1864360465 ^ 1864360568);
		obj[8] = (2035746888 ^ 2035746852);
		obj[9] = (620298057 ^ 620298088);
		MessageBox.Show(new string(value2));
	}
}

 

  • Like 5
Link to comment
Share on other sites

And here is the fully deobfuscated file with strings decrypted 

i havent ran through de4dot since this will simplify your button click method to one messagebox.show

 

Unpacked.exe

  • Like 3
  • Thanks 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...