import frida # py -3 -m pip install frida
import sys
import struct
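# Frida agent injected into the game process. It exposes one RPC export,
# readFile(filedata, cryptBufSize), which runs the engine's own decryptor
# over an encrypted file body and returns the plaintext.
FRIDA_SCRIPT = """
var baseAddr = Process.enumerateModules()[0].base;
var unkContext = ptr(baseAddr).add(ptr(0xc092dd0));
var viaRdsRdsEntry = ptr(baseAddr).add(ptr(0xc798128));
var EngineAllocator = new NativeFunction(ptr(baseAddr).add(ptr(0x2bfb420)), 'pointer', ['uint64']);
var EngineDeallocator = new NativeFunction(ptr(baseAddr).add(ptr(0x2bfb430)), 'uint64', ['pointer']);
var EngineMemoryBeginSegment = new NativeFunction(ptr(baseAddr).add(ptr(0x2c0ad90)), 'void', ['uchar']);
var EngineMemoryEndSegment = new NativeFunction(ptr(baseAddr).add(ptr(0x2c0ade0)), 'void', []);
var GetREInstance = new NativeFunction(ptr(baseAddr).add(ptr(0x2b64770)), 'pointer', ['pointer', 'pointer']);
// NOTE(review): unlike every address above this one is absolute, not base-relative,
// so it only resolves if the module was loaded at its preferred image base.
// Confirm and rebase it if the process is relocated.
var DecryptFunc = new NativeFunction(ptr(0x145711b80), 'bool', ['pointer', 'int64', 'int', 'int']);

rpc.exports = {
    // filedata: array of byte values (the encrypted body).
    // cryptBufSize: plaintext size taken from the file trailer.
    // Returns an ArrayBuffer of cryptBufSize+4 bytes, or throws if the
    // engine decryptor reports failure.
    readFile: function(filedata, cryptBufSize) {
        // Copy the encrypted body into engine-owned memory so DecryptFunc can read it.
        var encryptedDataBuf = EngineAllocator(uint64(filedata.length));
        var allocatedWorkingBuffer = null;
        try {
            encryptedDataBuf.writeByteArray(filedata);

            // Round the working buffer up to a multiple of 0x20000.
            var workBufSize = uint64(cryptBufSize).add(0x1FFFF).and(uint64("0xFFFFFFFFFFFE0000"));
            EngineMemoryBeginSegment(5);
            try {
                allocatedWorkingBuffer = EngineAllocator(uint64(workBufSize));
            } finally {
                EngineMemoryEndSegment();
            }

            // Create/get via.rds.rdsEntry class instance and point it at our buffers.
            var pcDecryptorStruct = GetREInstance(unkContext.readPointer(), viaRdsRdsEntry.readPointer());
            pcDecryptorStruct.add(8*3).writeU64(uint64(allocatedWorkingBuffer.toString())); // allocated working buffer
            pcDecryptorStruct.add(8*4).writeU64(uint64(encryptedDataBuf.toString()));       // encrypted data pointer
            pcDecryptorStruct.add(8*5).writeU64(uint64(filedata.length));                   // encrypted data size

            var result = DecryptFunc(pcDecryptorStruct, 1, 1, 1);
            if (!result) {
                // Previously ignored: surface it as an RPC error instead of returning garbage.
                throw new Error('DecryptFunc returned false');
            }

            // Read the plaintext out BEFORE the working buffer is released; the
            // original read it after EngineDeallocator, i.e. from freed memory.
            return allocatedWorkingBuffer.readByteArray(cryptBufSize + 4);
        } finally {
            if (allocatedWorkingBuffer !== null) {
                EngineDeallocator(allocatedWorkingBuffer);
            }
            EngineDeallocator(encryptedDataBuf);
        }
    }
};
"""

TARGET_PROCESS = 'MonsterHunterRise.exe'
HEADER_SIZE = 16   # bytes skipped before the encrypted body
TRAILER_SIZE = 12  # three little-endian u32 at the end of the file


def _find_target_pid(device):
    """Return the pid of the first process named TARGET_PROCESS, or None if absent."""
    for p in device.enumerate_processes():
        if p.name == TARGET_PROCESS:
            return p.pid
    return None


def _split_body(raw: bytes) -> tuple[bytes, bytes]:
    """Split ``raw`` into (encrypted body, 12-byte trailer).

    Only the body is encrypted. Raises ValueError when ``raw`` is shorter
    than the trailer, which would otherwise surface as an opaque struct.error.
    """
    if len(raw) < TRAILER_SIZE:
        raise ValueError(f'file too short: need at least {TRAILER_SIZE} bytes after the header')
    return raw[:-TRAILER_SIZE], raw[-TRAILER_SIZE:]


def main(argv: list[str]) -> int:
    """Decrypt the body of the file named by ``argv[1]`` using the running game.

    Writes ``<filename>_dec_body.bin`` next to the input. Returns the process
    exit status: 0 on success, 1 on bad usage or when the game is not running.
    """
    if len(argv) < 2:
        print(f'usage: {argv[0]} <encrypted file>')
        return 1
    filename = argv[1]

    with open(filename, 'rb') as f:
        header = f.read(HEADER_SIZE)  # not part of the encrypted body; kept only to advance the stream
        body, trailer = _split_body(f.read())
    # Trailer layout: crypt buffer size, unknown, murmur hash. Only the size is
    # used; it comes straight from the file and sizes an allocation inside the
    # game process, so a malformed trailer can request an arbitrarily large buffer.
    crypt_buf_size, _unk0, _murmur_hash = struct.unpack('<III', trailer)

    device = frida.get_local_device()
    pid = _find_target_pid(device)
    if pid is None:
        print('Rise not running!')
        return 1

    session = frida.attach(pid)
    try:
        script = session.create_script(FRIDA_SCRIPT)
        script.load()
        # The body is sent as a list of ints so it serialises over the RPC channel.
        dec_data = script.exports.read_file(list(body), crypt_buf_size)
    finally:
        session.detach()

    with open(filename + '_dec_body.bin', 'wb') as outf:
        outf.write(dec_data)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))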