
ArmDot 2022.6.0


nova789
Solved by blank



Unpack the exe to find the key! If you would, give a brief explanation of how you unpacked it.

The exe has max protections and will pop up a messagebox once you enter the correct password.

Protections added to this: Hide String, Control Flow, Obfuscate Name, Obfuscate NameSpaces, Virtualize code.


 


Solution:

i can resolve this <> =)
.

Mind the \n in the middle. Pretty sneaky, as the key cannot be entered from the keyboard, just copy-pasted.

How I found it:

  1. Looking at the entry point, it's clear that the main form is named HKDSKJASKJAKSIUASKDJH
  2. ArmDot seems to split the code into multiple methods, and it stores pointers to these in static arrays. Here is the one that's relevant for us:
    [image]
    Clicking on the methods reveals what the code for each does. Without getting into too much detail, here are some of the actions these methods do: access the password textbox, load the original string in memory from a byte array, convert the bytes into string, concatenate two strings, append a \n to a string, append a dot, and check the equality between two strings.
  3. The Click event handler seems to be DNNdTokenAppContainerSid, and the method pointers from above are used here. So I put a breakpoint on each reference to the pointer array.
  4. Running the code, I figured out in which order these methods are called, and with what parameters. It also seems that there is an object array that kind of emulates the stack. dnSpy calls this array3:
    [image]
    Keeping an eye on this array3 might be useful
  5. There are some antidebug checks, but they are useless as dnSpy can hook them.
  6. Following the code, we can see that the entered password is compared to one that is stored in a type field. Each time we try to validate the password, another \n is added to this field, so the password keeps changing.
  7. Entering the right password reveals the success message:
    [image]
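A toy model of the structure described in the solution above, added here as an illustration and not code from the crackme, ArmDot or the poster: a static array of handlers, an object list used as a stack, and a field that gains a \n on every attempt. The handler names, call order, field layout and KEY_BYTES are constructed assumptions.

```python
# Added model, not ArmDot output: names, order and KEY_BYTES are constructed.
KEY_BYTES = b"constructed-key"   # stands in for the byte array with the original string

class Form:
    """Holds the textbox value and the type field that mutates on every check."""
    def __init__(self):
        self.textbox = ""
        self.field = ""          # assumption: starts empty, gains one \n per attempt

def h_textbox(form, stack): stack.append(form.textbox)
def h_bytes(form, stack):   stack.append(KEY_BYTES)
def h_decode(form, stack):  stack.append(stack.pop().decode("ascii"))
def h_newline(form, stack):
    form.field += "\n"           # persists across clicks, so the target keeps changing
    stack.append(form.field)
def h_concat(form, stack):
    right, left = stack.pop(), stack.pop()
    stack.append(left + right)
def h_dot(form, stack):     stack.append(stack.pop() + ".")
def h_equals(form, stack):  stack.append(stack.pop() == stack.pop())

# Static array of method pointers; the click handler only ever indexes into it.
HANDLERS = [h_equals, h_dot, h_bytes, h_textbox, h_concat, h_decode, h_newline]
CLICK_PROGRAM = [3, 2, 5, 6, 4, 1, 0]    # indices into HANDLERS, in call order

def click(form, entered, trace=None):
    """Run the click handler; optionally log (handler name, stack snapshot) per step."""
    form.textbox, stack = entered, []
    for index in CLICK_PROGRAM:
        HANDLERS[index](form, stack)
        if trace is not None:            # plays the role of a breakpoint per array reference
            trace.append((HANDLERS[index].__name__, list(stack)))
    return stack.pop()

def recover_expected(form):
    """Read the comparison operand off the traced stack, like watching array3."""
    trace = []
    click(form, "wrong guess", trace)
    _, snapshot = trace[-2]              # stack state just before h_equals runs
    return snapshot[-1]
```

In this model the recovered value only matches on the first attempt of a fresh `Form`, because the traced attempt itself has already grown the field by one \n.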
Rextor
On 7/1/2022 at 8:08 PM, blank said:

There are some antidebug checks, but they are useless as dnSpy can hook them.

Anti-debug check is used to change the pass code in debug and non-debug time.

[image]

16 hours ago, Rextor said:

Anti-debug check is used to change the pass code in debug and non-debug time.

[image]

That might be the case, I saw the two debugger methods. However, from what I saw while stepping through the code, they both return false anyway, so I guess dnSpy is hooking them to return false. And the password I found works both when I run it through dnSpy and without a debugger. So I guess I found the right one. But I haven't fully recovered the code as you seem to have done here.
