Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Featured Replies

Posted

ArmDot 2022.6.0

Unpack the exe to find the key! If you would give a brief explanation on how you unpacked it.

The exe has max protections and will pop up a messagebox once you enter the correct password.

Protections added to this: Hide String, Control Flow, Obfuscate Name, Obfuscate NameSpaces, Virtualize code.

File Information

Submitter nova789

Submitted 06/22/2022

Category UnPackMe (.NET)

View File

ArmDot 2022.6.0

Solved by blank

Go to solution
  • 2 weeks later...
  • Solution

Solution:

Spoiler
i can resolve this <> =)
.

Mind the \n in the middle. Pretty sneaky, as the key cannot be entered from the keyboard, just copy-pasted.

How I found it:

  1. Looking at the entry point, it's clear that the main form is named HKDSKJASKJAKSIUASKDJH
  2. ArmDot seems to split the code in multiple methods, and it stores pointers to these in static arrays. Here is the one that's relevant for us:
    image.png.64c5d4c28bbc57b6a34c94f229a37dbc.png
    Clicking on the methods reveals what the code for each does. Without getting into too much details, here are some of the actions these methods do: access the password textbox, load the original string in memory from a byte array, convert the bytes into string, concatenate two strings, append a \n to a string, append a dot, and check the equality between two strings.
  3. The Click event handler seems to be DNNdTokenAppContainerSid, and the method pointers from above are used here. So I put a breakpoint on each reference to the pointer array.
  4. Running the code, I figured in which order these methods are called, and with what parameters. It also seems that there is an object array that kind of emulates the stack. dnSpy calls this array3:
    Spoiler

    image.png.bef75cf37698fcb27a5e1a4978792380.png


    Keeping an eye on this array3 might be useful
  5. There are some antidebug checks, but they are useless as dnSpy can hook them.
  6. Following the code, we can see that the entered password is compared to one that is stored in a type field. Each time we try to validate the password, another \n is added to this field, so the password keeps changing.
  7. Entering the right password reveals the success message:
    image.png.da8bee84512e8311ff67db9c0e456b31.png
On 7/1/2022 at 8:08 PM, blank said:

There are some antidebug checks, but they are useless as dnSpy can hook them.

anti debug check used to change pass code in debug and non-debug time.

image.png.6a5f76740c3b41afe9487e6506b1e7d4.png

16 hours ago, Rextor said:

anti debug check used to change pass code in debug and non-debug time.

image.png.6a5f76740c3b41afe9487e6506b1e7d4.png

That might be the case, I saw the two debugger methods. However, from what I saw while stepping through the code, they both return false anyway, so I guess dnSpy is hooking them to return false. And the password I found works both when I run it through dnSpy and without a debugger. So I guess I found the right one. But I haven't fully recovered the code as you seem to have done here.

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.