nova789
Posted June 26, 2022

ArmDot 2022.6.0

Unpack the exe to find the key! If you would give a brief explanation on how you unpacked it. The exe has max protections and will pop up a messagebox once you enter the correct password.

Protections added to this: Hide String, Control Flow, Obfuscate Name, Obfuscate NameSpaces, Virtualize code.

Submitter: nova789
Submitted: 06/22/2022
Category: UnPackMe (.NET)

blank
Posted July 1, 2022
Solution

Solution:

Spoiler
i can resolve this <> =) .

Mind the \n in the middle. Pretty sneaky, as the key cannot be entered from the keyboard, just copy-pasted.

How I found it:

Looking at the entry point, it's clear that the main form is named HKDSKJASKJAKSIUASKDJH.

ArmDot seems to split the code into multiple methods, and it stores pointers to these in static arrays. Here is the one that's relevant for us:

Clicking on the methods reveals what the code for each does. Without getting into too much detail, here are some of the actions these methods do: access the password textbox, load the original string in memory from a byte array, convert the bytes into a string, concatenate two strings, append a \n to a string, append a dot, and check the equality between two strings.

The Click event handler seems to be DNNdTokenAppContainerSid, and the method pointers from above are used here. So I put a breakpoint on each reference to the pointer array. Running the code, I figured out in which order these methods are called, and with what parameters. It also seems that there is an object array that kind of emulates the stack. dnSpy calls this array3:

Spoiler
Keeping an eye on this array3 might be useful

There are some antidebug checks, but they are useless as dnSpy can hook them.

Following the code, we can see that the entered password is compared to one that is stored in a type field. Each time we try to validate the password, another \n is added to this field, so the password keeps changing.

Entering the right password reveals the success message:
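
A toy C# model of the structure described in the post above, added here as an example and not taken from the challenge binary, from ArmDot, or from any poster: a static table of handler delegates, an object[] standing in for the emulated stack (array3), and a compared value that gains a \n on every check. All names, the byte arrays and the handler order are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Toy model, constructed for illustration; not ArmDot output or the challenge's code.
static class ToyVm
{
    static readonly object[] Stack = new object[8];              // plays the role of "array3"
    static int sp;
    static string field = "";                                     // mutable field behind the comparison
    static readonly byte[] A = Encoding.ASCII.GetBytes("left");   // constructed sample data
    static readonly byte[] B = Encoding.ASCII.GetBytes("right");  // constructed sample data
    static readonly List<string> Trace = new List<string>();

    static void Push(object o) => Stack[sp++] = o;
    static object Pop() => Stack[--sp];

    // Handler table: the original method is split into small steps reached only by index.
    static readonly Action<string>[] Handlers =
    {
        input => Push(input),                                       // 0: read the textbox
        _ => Push(Encoding.ASCII.GetString(A)),                     // 1: bytes -> string
        _ => Push(Encoding.ASCII.GetString(B)),                     // 2: bytes -> string
        _ => { field += "\n"; Push(field); },                       // 3: append \n to the field
        _ => { var b = (string)Pop(); Push((string)Pop() + b); },   // 4: concatenate
        _ => Push((string)Pop() + "."),                             // 5: append a dot
        _ => { var b = (string)Pop(); Push((string)Pop() == b); },  // 6: equality check
    };
    static readonly int[] Bytecode = { 0, 1, 3, 4, 2, 4, 5, 6 };

    public static bool Check(string input)
    {
        sp = 0;
        foreach (int op in Bytecode)
        {
            Handlers[op](input);
            // What a breakpoint on each table reference shows: handler index and stack top.
            string top = Convert.ToString(Stack[sp - 1]).Replace("\n", "\\n");
            Trace.Add($"h{op} sp={sp} top={top}");
        }
        return (bool)Pop();
    }

    static void Main()
    {
        string attempt = "left\nright.";      // matches only while the field holds one \n
        Console.WriteLine(Check(attempt));
        Console.WriteLine(Check(attempt));    // same input, but the field has grown
        foreach (string line in Trace) Console.WriteLine(line);
    }
}
```

Reading the trace top to bottom gives the call order and the intermediate strings, which is the same information the breakpoints on the pointer array and the watch on array3 provide in dnSpy.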

Rextor
Posted July 3, 2022

On 7/1/2022 at 8:08 PM, blank said:
"There are some antidebug checks, but they are useless as dnSpy can hook them."

anti debug check used to change pass code in debug and non-debug time.

blank
Posted July 4, 2022

16 hours ago, Rextor said:
"anti debug check used to change pass code in debug and non-debug time."

That might be the case, I saw the two debugger methods. However, from what I saw while stepping through the code, they both return false anyway, so I guess dnSpy is hooking them to return false. And the password I found works both when I run it through dnSpy and without a debugger. So I guess I found the right one. But I haven't fully recovered the code as you seem to have done here.