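import struct
import sys

import frida  # py -3 -m pip install frida

# Process to attach to. The first module Frida enumerates is taken to be the
# main executable, as in the original script.
PROCESS_NAME = 'MonsterHunterRise.exe'

# On-disk layout this tool handles: a 16-byte header, the encrypted body, and
# a 12-byte trailer of three little-endian u32s (crypt buffer size, unknown,
# murmur hash). Only the body is encrypted.
HEADER_SIZE = 16
TRAILER_SIZE = 12

FRIDA_SCRIPT = """
var baseAddr = Process.enumerateModules()[0].base;

// All offsets are relative to the main module's base. They are specific to the
// game build this was written against and need re-deriving for any other build.
var unkContext = ptr(baseAddr).add(ptr(0xc092dd0));
var viaRdsRdsEntry = ptr(baseAddr).add(ptr(0xc798128));
var EngineAllocator = new NativeFunction(ptr(baseAddr).add(ptr(0x2bfb420)), 'pointer', ['uint64']);
var EngineDeallocator = new NativeFunction(ptr(baseAddr).add(ptr(0x2bfb430)), 'uint64', ['pointer']);
var EngineMemoryBeginSegment = new NativeFunction(ptr(baseAddr).add(ptr(0x2c0ad90)), 'void', ['uchar']);
var EngineMemoryEndSegment = new NativeFunction(ptr(baseAddr).add(ptr(0x2c0ade0)), 'void', []);
var GetREInstance = new NativeFunction(ptr(baseAddr).add(ptr(0x2b64770)), 'pointer', ['pointer', 'pointer']);
// The original hard-coded the absolute address 0x145711b80 here, which only
// works when the exe is loaded at its preferred base; under ASLR the call lands
// on an unrelated address and crashes the game. It is rebased below assuming
// the disassembly used the default x64 image base 0x140000000 (RVA 0x5711b80)
// -- TODO confirm against your own dump before relying on it.
var DecryptFunc = new NativeFunction(ptr(baseAddr).add(ptr(0x5711b80)), 'bool', ['pointer', 'int64', 'int', 'int']);

rpc.exports = {
    // Decrypt one file body inside the game's own process.
    //   filedata:     array of byte values (the encrypted body)
    //   cryptBufSize: size field from the file trailer; the engine's working
    //                 buffer is sized from it and cryptBufSize + 4 bytes are
    //                 returned, matching the original.
    // Returns an ArrayBuffer; throws (surfaced as frida RPCException in
    // Python) if the engine reports failure.
    readFile: function (filedata, cryptBufSize) {
        var encryptedDataBuf = EngineAllocator(uint64(filedata.length));
        encryptedDataBuf.writeByteArray(filedata);

        // Round the working buffer up to a multiple of 0x20000, as the original did.
        var workBufSize = uint64(cryptBufSize).add(0x1FFFF).and(uint64("0xFFFFFFFFFFFE0000"));
        EngineMemoryBeginSegment(5);
        var allocatedWorkingBuffer = EngineAllocator(uint64(workBufSize));
        EngineMemoryEndSegment();

        try {
            // Create/get via.rds.rdsEntry class instance and point it at our buffers.
            // NOTE(review): whether GetREInstance hands back a fresh or a shared
            // object is not known from here; if shared, the pointers written below
            // dangle once the buffers are freed.
            var pcDecryptorStruct = GetREInstance(unkContext.readPointer(), viaRdsRdsEntry.readPointer());
            if (pcDecryptorStruct.isNull()) {
                throw new Error('GetREInstance returned NULL');
            }
            pcDecryptorStruct.add(8 * 3).writePointer(allocatedWorkingBuffer); // allocated working buffer
            pcDecryptorStruct.add(8 * 4).writePointer(encryptedDataBuf);       // encrypted data pointer
            pcDecryptorStruct.add(8 * 5).writeU64(uint64(filedata.length));     // encrypted data size

            // The original ignored this result and wrote out whatever was in the
            // buffer; a failed decrypt should not be mistaken for output.
            if (!DecryptFunc(pcDecryptorStruct, 1, 1, 1)) {
                throw new Error('DecryptFunc returned false; output discarded');
            }
            // readByteArray copies out of the target, so the result stays valid
            // after the buffers are released in the finally block.
            return allocatedWorkingBuffer.readByteArray(cryptBufSize + 4);
        } finally {
            // Always free, on success or throw. The original freed the working
            // buffer and then read from it (use-after-free in the game process).
            EngineDeallocator(allocatedWorkingBuffer);
            EngineDeallocator(encryptedDataBuf);
        }
    },
};
"""


def split_rds_file(data):
    """Split a raw file into (header, body, crypt_buf_size, unk0, murmur_hash).

    `body` is the encrypted part between the fixed header and trailer. The
    murmur hash is returned but not verified: nothing in this script
    implements it.

    Raises ValueError if the file is too short to hold a header and trailer
    (the original fed a negative slice to struct.unpack in that case).
    """
    minimum = HEADER_SIZE + TRAILER_SIZE
    if len(data) < minimum:
        raise ValueError('file is %d bytes, need at least %d' % (len(data), minimum))
    header = data[:HEADER_SIZE]
    body = data[HEADER_SIZE:-TRAILER_SIZE]
    trailer = data[-TRAILER_SIZE:]
    crypt_buf_size, unk0, murmur_hash = struct.unpack('<III', trailer)
    return header, body, crypt_buf_size, unk0, murmur_hash


def find_pid(device, name):
    """Return the pid of the first running process called `name`, or None."""
    for proc in device.enumerate_processes():
        if proc.name == name:
            return proc.pid
    return None


def main(argv):
    """Decrypt argv[1] using the running game and write `<file>_dec_body.bin`.

    Returns a process exit code: 0 on success, 1 if the game is not running,
    2 on bad usage. Reads the input before attaching so a malformed file never
    causes an attach.
    """
    if len(argv) != 2:
        print('usage: %s <encrypted file>' % argv[0])
        return 2
    filename = argv[1]

    with open(filename, 'rb') as f:
        data = f.read()
    _header, body, crypt_buf_size, _unk0, _murmur_hash = split_rds_file(data)

    device = frida.get_local_device()
    pid = find_pid(device, PROCESS_NAME)
    if pid is None:
        print('Rise not running!')
        return 1

    session = frida.attach(pid)
    try:
        script = session.create_script(FRIDA_SCRIPT)
        script.load()
        # frida exposes the JS `readFile` export as `read_file`. The body is
        # sent as a JSON list of ints, slow for large files but what the
        # original did; a failed decrypt raises frida.RPCException here.
        dec_data = script.exports.read_file(list(body), crypt_buf_size)
    finally:
        # Detach so the injected agent does not linger in the game process.
        session.detach()

    with open(filename + '_dec_body.bin', 'wb') as outf:
        outf.write(dec_data)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))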