ArmDot 2022.1.0 [Maximum Preset Including VM]

Your goal is to devirtualize and unpack the file completely;

• No partial unpack,
• No patching.

File Information

Submitter BlackHat

Submitted 01/16/2022

Category UnPackMe (.NET)

View File

Compared to other vms, ArmDot is extremely simple, and one of the easiest ones to unpack I've ever seen.

The virtualised code is stored within structs with initial value. Every method has it's own struct containing virtualised code and IntPtr[] with pointers to all methods that will be called within the method.

Now we need to clean up a bit one thing armdot does is this "else if (5 >= b) { if (5 <= b)" which can be simplified to "if(b == 5)" now within methods we have code blocks associated with certain number in the case above 5.

With this we can arrange the code the way it's supposed to be.

Then we have to figure out what code block corresponds to what op code, interesting thing they've done for calls is that every method has it's unique opcode.

Now that that is arranged convert calli to call example of calli looks like this " calli(BlackHatAnonymous.BlackHat(), InProcessServerExecutionEngineException.GetInArgEnumInstallerDeploymentProperties[*(int*)(ptr + num3)]); " if we look at the value to which pointer points to we can see this 0500000002... "05" is the code of the code block and "00000002" is the index of method in GetInArgEnumInstallerDeploymentProperties which is of type IntPtr[];

Now devirtualise.

The only thing left to do now is a bit of cleaning. Remove proxy methods, remove all the vm stuff, remove the resources and boom unpacked.

In my opinion, based on the unpack me above, armdot is very easy to unpack and is definitely not worth 300$.

 

BH_Sample_2022.1_p_cleaned.exe

Unpacked.

Level: 3/10

ArmDot virtualization same as CIL, easy but need time to make a full tool for that.

Please report if you find any problem in my task.

 

BH_Sample_2022.1_Pro.NoArmDot.rar