ArmDot 2022.6.0

Unpack the exe to find the key! If you would give a brief explanation on how you unpacked it.

The exe has max protections and will pop up a messagebox once you enter the correct password.

Protections added to this: Hide String, Control Flow, Obfuscate Name, Obfuscate NameSpaces, Virtualize code.

File Information

Submitter nova789

Submitted 06/22/2022

Category UnPackMe (.NET)

View File

Solution:

Spoiler

i can resolve this <> =)
.

Mind the \n in the middle. Pretty sneaky, as the key cannot be entered from the keyboard, just copy-pasted.

How I found it:

1. Looking at the entry point, it's clear that the main form is named HKDSKJASKJAKSIUASKDJH
2. ArmDot seems to split the code in multiple methods, and it stores pointers to these in static arrays. Here is the one that's relevant for us:
   
   Clicking on the methods reveals what the code for each does. Without getting into too much details, here are some of the actions these methods do: access the password textbox, load the original string in memory from a byte array, convert the bytes into string, concatenate two strings, append a \n to a string, append a dot, and check the equality between two strings.
3. The Click event handler seems to be DNNdTokenAppContainerSid, and the method pointers from above are used here. So I put a breakpoint on each reference to the pointer array.
4. Running the code, I figured in which order these methods are called, and with what parameters. It also seems that there is an object array that kind of emulates the stack. dnSpy calls this array3:
   Spoiler

   

   
   Keeping an eye on this array3 might be useful
5. There are some antidebug checks, but they are useless as dnSpy can hook them.
6. Following the code, we can see that the entered password is compared to one that is stored in a type field. Each time we try to validate the password, another \n is added to this field, so the password keeps changing.
7. Entering the right password reveals the success message:
   

On 7/1/2022 at 8:08 PM, blank said:

There are some antidebug checks, but they are useless as dnSpy can hook them.

anti debug check used to change pass code in debug and non-debug time.

16 hours ago, Rextor said:

anti debug check used to change pass code in debug and non-debug time.

That might be the case, I saw the two debugger methods. However, from what I saw while stepping through the code, they both return false anyway, so I guess dnSpy is hooking them to return false. And the password I found works both when I run it through dnSpy and without a debugger. So I guess I found the right one. But I haven't fully recovered the code as you seem to have done here.