Skip to content

Instantly share code, notes, and snippets.

@esterTion esterTion/PRCN-restore-dll.php
Last active Aug 28, 2019

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
PRCN-restore-dll.php
<?php
/*
* Semi-auto restore Princess Connect ReDive (PC-DMM) C# dll
* Step I: Run game and use Live RAM Caputurer ( http://www.forensicswiki.org/wiki/Belkasoft_Live_RAM_Capturer )
* Step II: Use volatility to <pslist> and then <ramdump> ( https://github.com/volatilityfoundation/volatility )
* Step III: Use this script
*/
if (!file_exists('Assembly-CSharp.dll')) {
echo 'no dll';
exit;
}
if (empty($argv[1]) || !file_exists($argv[1])) {
echo 'no input';
exit;
}
echo "Reading zero gaps...";
$out = fopen('Assembly-CSharp.dll', 'rb+');
$offset = 0;
$blocks = 0;
$zb = str_repeat("\0", 16);
$zeroblocks = [];
while(1) {
$chk = fread($out, 16);
if ($chk == '') break;
if ($chk == $zb) {
$blocks++;
} else {
if ($blocks > 5) {
$zeroblocks[] = [
'start' => $offset - $blocks*16,
'end' => $offset,
'len' => $blocks*16
];
}
$blocks = 0;
}
$offset += 16;
}
usort($zeroblocks, function ($b, $a) {return $a['len'] - $b['len'];});
$biggestgap = $zeroblocks[0];
//print_r($biggestgap);
if ($biggestgap['len'] < 1024*1024) {
echo "too small gap: ".$biggestgap['len'];
exit;
}
echo "found at 0x".dechex($biggestgap['start'])." len: 0x".dechex($biggestgap['len'])."\n";
echo "Finding keyword offset...";
exec('D:/cygwin64/bin/grep -F TUTORIAL_MAIN_STORY_RELEASE -b -m 1 -o -a '.$argv[1], $output);
if (empty($output)) {
echo 'empty search';
exit;
}
$inoffset = intval(explode(':', $output[0])[0]);
echo "memory dump: 0x".dechex($inoffset).', ';
$output = [];
exec('D:/cygwin64/bin/grep -F TUTORIAL_MAIN_STORY_RELEASE -b -m 1 -o -a Assembly-CSharp.dll', $output);
if (empty($output)) {
echo 'empty search';
exit;
}
$outoffset = intval(explode(':', $output[0])[0]);
echo "original file: 0x".dechex($outoffset)."\n";
echo "Applying...\n";
$in = fopen($argv[1], 'rb');
fseek($in, $inoffset - ($outoffset - $biggestgap['start']), SEEK_SET);
fseek($out, $biggestgap['start'], SEEK_SET);
for ($i = 0; $i < $biggestgap['len']; $i += 16) {
if ($i % 4096 == 0)printf("\r%x", $biggestgap['start'] + $i);
$buf = fread($in, 16);
fwrite($out, $buf);
}
echo "\nDone\n";
Raw
prcn.bat
@echo off
start E:\Game\DMM\priconner\PrincessConnectReDive.exe
start F:\Game\RamCapturer\RamCapture64.exe
echo Wait for dump complete
pause
D:\cygwin64\bin\sh.exe prcn.sh
taskkill /im PrincessConnectReDive.exe
taskkill /im RamCapture64.exe
pause
Raw
prcn.sh
#!/bin/sh
process="$(tasklist | /bin/grep -F 'PrincessC')"
pid=${process#* }
while [[ "$pid" != "${pid# }" ]]; do pid="${pid# }"; done
while [[ "$pid" != "${pid% *}" ]]; do pid="${pid% *}"; done
cd ..
for memfile in ../Game/RamCapturer/*.mem; do
a=a
done
echo $pid
echo $memfile
py -2 vol.py --profile=Win7SP1x64 memdump -D dll -f $memfile -p $pid
cd dll
echo "copy dll"
/usr/bin/cp -f /cygdrive/E/Game/DMM/priconner/PrincessConnectReDive_Data/Managed/Assembly-CSharp.dll ./
/usr/bin/cp -f Assembly-CSharp.dll Assembly-CSharp-ori.dll
php restore-dll.php $pid.dmp
/usr/bin/rm -f $pid.dmp $memfile
Raw
update.sh
#!/bin/sh
if [[ $1 == "" || ! -e $1/Assembly-CSharp.dll ]]; then exit; fi
set -x
cd dll
cp ../$1/Assembly-CSharp.dll ./
git add Assembly-CSharp.dll
git commit -m $1
git push origin dll
cd ../Assembly-CSharp
git rm -r -- . >/dev/null
set +x
echo "Wait for dump"
read
cp -r -- ../$1/Assembly-CSharp/* .
set -x
git add .
git commit -m $1
git push origin master
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.