diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..e499d525
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+ "files.associations": {
+ "*.md": "markdown",
+ "php_dec_interceptor.h": "c"
+ }
+}
\ No newline at end of file
diff --git a/dec_interceptor/dec_interceptor.c b/dec_interceptor/dec_interceptor.c
index dd5bc651..160e2880 100644
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@@ -3,6 +3,8 @@
 #include "ext/standard/info.h"
 #include "php_dec_interceptor.h"
 #include
+#include "main/php_streams.h"
+#include "ext/standard/php_smart_string.h"
 zend_op_array *(*prev_compile_file)(zend_file_handle *file_handle, int type) = NULL;
 zend_op_array *(*prev_compile_string)(zend_string *source_string, const char *filename) = NULL;
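Review bot: The added `ext/standard/php_smart_string.h` include has no visible user, since the reworked hook in the following hunk reads into a fixed `char buffer[32769]` and calls no smart_string function. If nothing outside the shown hunks needs it, the line can be dropped. If it was meant for growing the capture beyond 32 KB, a short comment next to the include saying so would make that intent clear.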
@@ -31,41 +33,44 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
 }
 }
- // 判断是否是 install.php 或其他目标加密文件
 if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
+ char buffer[32769] = {0}; // 最多 32KB + null terminator
+ size_t len = 0;
+
 if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
- // 通过 php_stream 读取内容(最多 10KB)
 php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
 if (stream) {
- if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
- char buffer[10241] = {0}; // 额外 1 字节存 null terminator
- size_t len = php_stream_read(stream, buffer, 10240);
-
- if (len > 0 && log) {
- fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
- fprintf(log, "%.*s\n", (int)len, buffer);
- }
- php_stream_seek(stream, 0, SEEK_SET); // 恢复位置
- }
- php_stream_close(stream); // 不会关闭 file_handle->handle.fp,只是释放包装层
+ php_stream_seek(stream, 0, SEEK_SET);
+ len = php_stream_read(stream, buffer, 32768);
+ php_stream_seek(stream, 0, SEEK_SET);
+ php_stream_close(stream);
 } else if (log) {
 fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL));
 }
 } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
 php_stream *stream = (php_stream *)file_handle->handle.stream.handle;
- if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
- char buffer[10241] = {0};
- size_t len = php_stream_read(stream, buffer, 10240);
-
- if (len > 0 && log) {
- fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
- fprintf(log, "%.*s\n", (int)len, buffer);
- }
- php_stream_seek(stream, 0, SEEK_SET);
- }
+ php_stream_seek(stream, 0, SEEK_SET);
+ len = php_stream_read(stream, buffer, 32768);
+ php_stream_seek(stream, 0, SEEK_SET);
 } else if (log) {
 fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type);
 }
+
+ if (len > 0) {
+ // 写入独立文件
+ char path[512];
+ time_t now = time(NULL);
+ snprintf(path, sizeof(path), "/tmp/dec_interceptor_%ld_install.php", now);
+ FILE *out = fopen(path, "w");
+ if (out) {
+ fwrite(buffer, 1, len, out);
+ fclose(out);
+ }
+
+ if (log) {
+ fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] dumped to: %s (%zu bytes)\n", (long)time(NULL), path, len);
+ }
+ }
 }
 if (log) {
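Review bot: The dump block at the end of this hunk writes to a predictable name under /tmp with `fopen(path, "w")`, which follows a pre-planted symlink, truncates whatever it points at, and leaves the decrypted source readable to whoever the process umask allows; two loads in the same second also overwrite each other. Creating the file exclusively with owner-only permissions closes all three (this needs `<fcntl.h>` and `<unistd.h>`), and `now` should be cast to `long` for `%ld`, as the log calls already do. Separately, both branches store the result of `php_stream_read` in `size_t len` unchecked and no longer test the seek result; on PHP versions where that read returns `ssize_t`, a failed read becomes a huge value that passes `len > 0` and sends `fwrite` past the 32769-byte buffer, so a negative result should be rejected before it is stored. The enclosing hook_compile_file starts and ends outside the hunk.

```c
if (len > 0) {
    // … unchanged: path and now declarations …
    snprintf(path, sizeof(path), "/tmp/dec_interceptor_%ld_install.php", (long)now);

    /* O_CREAT|O_EXCL fails if the name already exists (symlinks included);
       0600 keeps the dump readable by the owning user only. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    FILE *out = (fd >= 0) ? fdopen(fd, "wb") : NULL;
    if (out) {
        size_t written = fwrite(buffer, 1, len, out);
        if (fclose(out) != 0 || written != len) {
            if (log) {
                fprintf(log, "[%ld] incomplete dump: %s\n", (long)time(NULL), path);
            }
        }
    } else {
        if (fd >= 0) {
            close(fd);
        }
        if (log) {
            fprintf(log, "[%ld] could not create dump file: %s\n", (long)time(NULL), path);
        }
    }
    // … unchanged: "dumped to" log line …
}
```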