Svenskithesource / PyArmor-Unpacker

A deobfuscator for PyArmor.
GNU General Public License v3.0

A question about a target program that needs user input #38

Closed fr0zenrain closed 1 year ago

fr0zenrain commented 1 year ago

From the README, we can see that the test example is very simple. If my target program takes user input and needs interactive clicks, I think it can't be dumped, because the decrypted code will be re-encrypted again quickly. In my test, I think so. Any advice? Thanks!

Svenskithesource commented 1 year ago

I'm not sure what you mean, why wouldn't it be able to dump? Can you use a translator perhaps, so it's easier for me to understand you?

fr0zenrain commented 1 year ago

What I mean is that armor_exit will re-encrypt the function again. How can one ensure that the code object in the memory dump is decrypted? If the target program involves a GUI, including button clicks, why can this method dump the complete code object after decryption? Why is there no need to hook armor_exit to prevent it from re-encrypting again? In my case, I only got the decompiled backbone program.

Svenskithesource commented 1 year ago

Because I make it return before it reaches the __armor_exit__ function, which leaves it decrypted in memory.

fr0zenrain commented 1 year ago

Thanks! I see, it seems you didn't mention it in your write-ups.

fr0zenrain commented 1 year ago

How do I make it return directly? If I patch __armor_exit__'s code, it crashed. Maybe it has a checksum verification.

llallum commented 1 year ago

@fr0zenrain the fix here is to try to create another thread, then call the new code object.