by masklinn 3710 days ago
> It replaced a JNZ with NOP NOP.

That's some good old-fashioned straightforward DRM cracking right there, I'm getting flashbacks from the 90s.

Would ASLR have helped here? I feel like once they knew where the library was loaded in memory, all hope was lost.
No, they were already running code on the box with high enough permissions, so they're allowed to inspect processes and do whatever is necessary. No C-like memory protection stuff matters at that point.

What would have prevented it was not letting them have root in the first place. Perhaps by running with Software Restriction Policies so only a whitelist of binaries can run in the first place.
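The thread describes a classic two-byte patch (a JNZ turned into NOP NOP) and notes that memory-protection features do nothing once an attacker runs at that privilege level. From the defender's side, what still works is an integrity check against a known-good hash, plus a heuristic that flags the specific "short conditional jump replaced by two NOPs" pattern. The following Python is an added illustration written for this page, not code from any commenter or product: the x86 byte sequence and its hash are constructed sample data, and the function names are my own.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample code fragment (x86, not taken from any real binary).
# 0x75 0x05 is a short JNZ; a crude license-check patch turns it into 0x90 0x90.
KNOWN_GOOD_CODE = bytes([
    0x85, 0xC0,                    # test eax, eax
    0x75, 0x05,                    # jnz  +5   (skip the success path when eax == 0)
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov  eax, 1
    0xC3,                          # ret
])

# Hash of the known-good bytes; in practice computed at build/sign time and stored out of band.
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_CODE).hexdigest()

# Constructed tampered copy used only as a test fixture for the detection functions below:
# the JNZ at offset 2 has been overwritten with NOP NOP, exactly the patch the thread mentions.
TAMPERED_CODE = KNOWN_GOOD_CODE[:2] + b"\x90\x90" + KNOWN_GOOD_CODE[4:]


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """True if the code bytes still match the known-good hash (any patch breaks this)."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def first_divergence(reference: bytes, image: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Return (offset, reference_window, image_window) at the first differing byte, or None.

    The two-byte windows make it easy to see what a single-instruction patch replaced.
    """
    common = min(len(reference), len(image))
    for off in range(common):
        if reference[off] != image[off]:
            return off, reference[off:off + 2], image[off:off + 2]
    if len(reference) != len(image):
        # Same prefix but different length: report the divergence at the shorter end.
        return common, reference[common:common + 2], image[common:common + 2]
    return None


def looks_like_nopped_branch(reference: bytes, image: bytes, offset: int) -> bool:
    """Heuristic: a 2-byte short conditional jump (opcodes 0x70..0x7F) replaced by NOP NOP."""
    ref = reference[offset:offset + 2]
    cur = image[offset:offset + 2]
    return len(ref) == 2 and 0x70 <= ref[0] <= 0x7F and cur == b"\x90\x90"


def audit(reference: bytes, image: bytes, expected_sha256: str) -> str:
    """Human-readable verdict combining the hash check and the divergence heuristic."""
    if verify_image(image, expected_sha256):
        return "intact"
    diff = first_divergence(reference, image)
    if diff is None:
        return "hash mismatch (reference itself does not match expected hash)"
    off, ref_win, img_win = diff
    kind = "conditional branch NOPed out" if looks_like_nopped_branch(reference, image, off) else "modified"
    return f"tampered at offset {off}: {ref_win.hex()} -> {img_win.hex()} ({kind})"


if __name__ == "__main__":
    print(audit(KNOWN_GOOD_CODE, KNOWN_GOOD_CODE, KNOWN_GOOD_SHA256))
    print(audit(KNOWN_GOOD_CODE, TAMPERED_CODE, KNOWN_GOOD_SHA256))
```

The hash check is the part that actually matters; the heuristic only labels what the diff looks like. Note that, as the reply says, an attacker with root can also patch the checker itself, so a check like this raises the bar for detection rather than preventing the patch.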