Closed fr0zenrain closed 1 year ago
I'm not sure what you mean, why wouldn't it be able to dump? Can you use a translator perhaps so it's easier for me to understand you.
What I mean is that armor_exit will re-encrypt the function again. How do you ensure that the code object in the memory dump is decrypted? If the target program involves a GUI, including button clicks, why can this method dump the complete code object after decryption? Why is there no need to hook armor_exit to prevent it from re-encrypting again? In my case, I only got the decompiled backbone program.
Because I make it return before it reaches the __armor_exit__ function, which leaves it decrypted in memory.
Thanks! I see, it seems you didn't mention it in your write-ups.
How do you make it return directly? If I patch __armor_exit__'s code, it crashes. Maybe it has a checksum verification.
@fr0zenrain the fix here is to try to create another thread, then call the new code object.
From the README, we can see that the test example is very simple. If my target program takes user input and needs interactive clicks, I think it can't be dumped, because the decrypted code will be re-encrypted again quickly. That is what I think from my test. Any advice? Thanks!