[Help] A question about manually unpacking .NET Reactor (4.5-4.7); looking for guidance from the experts.
2018-1-17 12:05 5109

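The whole installer is rather large, over 1 GB, so I won't upload all of it; I'll just upload the main program.
I followed this post (https://forum.tuts4you.com/topic/36587-crackmenet-reactor-modded/).
Original text: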

Finding The Embedded Resource Name (look through the PE's resources; Restorator is enough for this. Find the RCDATA and locate "__")

Open the crackme in your favorite PE browser.

View the file resources.

Locate RCDATA and find the main resource. In this case it is "__"

Dumping The "Real" Executable (dump the executable: use SafeArrayAccessData to find where the resource is decrypted (you can also find that location by searching for the string "__"), then dump the executable)

Open the crackme in OllyDbg.

Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ;  UNICODE "___"

Follow the reference into the code.

Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.

We want to set a breakpoint on the call after SafeArrayAccessData. (See code below)

Once the break is hit, step over the call.

Follow EAX in the dump window. This is the executable decrypted from the "__" resource.

Save the memory region, do any fixes needed based on how you save the region etc.

You should now have the real executable.

Dumping The "Real" Real Executable

Open the new file you dumped in a .NET disassembler such as ILSpy.

View the file's managed resources and save the resource '_' in this case, to disk as a new executable.

This new file is the real obfuscated crackme file fully removed from the loaders.

After this point I stopped, the file does a lot of suspicious things so I didn't bother continuing.



Then I located it via the SafeArrayUnaccessData API and broke here.


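My English is poor and I'm a beginner at reversing. Could an expert please point out what I should do next?
If some expert were willing to spend the time to make a video tutorial, I'd be even more grateful.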


Latest replies (4)
badboyl 2 2018-1-17 13:21
An expert willing to record a video for you doesn't exist; too few people are willing to share knowledge.
destnity 2018-1-17 13:55
Couldn't calculate magic value
yxg 2018-1-17 17:52
Restorator can't handle .NET stuff, can it?
淡淡幽香 2018-1-30 08:40
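Try de4 -v to see where the problem is, then change the code and recompile De4. At the very least, post the complete software so people can take a look.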