Last active
March 27, 2021 18:57
-
-
Save esterTion/16630c4c1e4572fe124f577631e5dbc2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
/* | |
* Semi-auto restore Princess Connect ReDive (PC-DMM) C# dll | |
* Step I: Run game and use Live RAM Caputurer ( http://www.forensicswiki.org/wiki/Belkasoft_Live_RAM_Capturer ) | |
* Step II: Use volatility to <pslist> and then <ramdump> ( https://github.com/volatilityfoundation/volatility ) | |
* Step III: Use this script | |
*/ | |
if (!file_exists('Assembly-CSharp.dll')) { | |
echo 'no dll'; | |
exit; | |
} | |
if (empty($argv[1]) || !file_exists($argv[1])) { | |
echo 'no input'; | |
exit; | |
} | |
echo "Reading zero gaps..."; | |
$out = fopen('Assembly-CSharp.dll', 'rb+'); | |
$offset = 0; | |
$blocks = 0; | |
$zb = str_repeat("\0", 16); | |
$zeroblocks = []; | |
while(1) { | |
$chk = fread($out, 16); | |
if ($chk == '') break; | |
if ($chk == $zb) { | |
$blocks++; | |
} else { | |
if ($blocks > 5) { | |
$zeroblocks[] = [ | |
'start' => $offset - $blocks*16, | |
'end' => $offset, | |
'len' => $blocks*16 | |
]; | |
} | |
$blocks = 0; | |
} | |
$offset += 16; | |
} | |
usort($zeroblocks, function ($b, $a) {return $a['len'] - $b['len'];}); | |
$biggestgap = $zeroblocks[0]; | |
//print_r($biggestgap); | |
if ($biggestgap['len'] < 1024*1024) { | |
echo "too small gap: ".$biggestgap['len']; | |
exit; | |
} | |
echo "found at 0x".dechex($biggestgap['start'])." len: 0x".dechex($biggestgap['len'])."\n"; | |
echo "Finding keyword offset..."; | |
exec('D:/cygwin64/bin/grep -F TUTORIAL_MAIN_STORY_RELEASE -b -m 1 -o -a '.$argv[1], $output); | |
if (empty($output)) { | |
echo 'empty search'; | |
exit; | |
} | |
$inoffset = intval(explode(':', $output[0])[0]); | |
echo "memory dump: 0x".dechex($inoffset).', '; | |
$output = []; | |
exec('D:/cygwin64/bin/grep -F TUTORIAL_MAIN_STORY_RELEASE -b -m 1 -o -a Assembly-CSharp.dll', $output); | |
if (empty($output)) { | |
echo 'empty search'; | |
exit; | |
} | |
$outoffset = intval(explode(':', $output[0])[0]); | |
echo "original file: 0x".dechex($outoffset)."\n"; | |
echo "Applying...\n"; | |
$in = fopen($argv[1], 'rb'); | |
fseek($in, $inoffset - ($outoffset - $biggestgap['start']), SEEK_SET); | |
fseek($out, $biggestgap['start'], SEEK_SET); | |
for ($i = 0; $i < $biggestgap['len']; $i += 16) { | |
if ($i % 4096 == 0)printf("\r%x", $biggestgap['start'] + $i); | |
$buf = fread($in, 16); | |
fwrite($out, $buf); | |
} | |
echo "\nDone\n"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@echo off | |
start E:\Game\DMM\priconner\PrincessConnectReDive.exe | |
start F:\Game\RamCapturer\RamCapture64.exe | |
echo Wait for dump complete | |
pause | |
D:\cygwin64\bin\sh.exe prcn.sh | |
taskkill /im PrincessConnectReDive.exe | |
taskkill /im RamCapture64.exe | |
pause |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
process="$(tasklist | /bin/grep -F 'PrincessC')" | |
pid=${process#* } | |
while [[ "$pid" != "${pid# }" ]]; do pid="${pid# }"; done | |
while [[ "$pid" != "${pid% *}" ]]; do pid="${pid% *}"; done | |
cd .. | |
for memfile in ../Game/RamCapturer/*.mem; do | |
a=a | |
done | |
echo $pid | |
echo $memfile | |
py -2 vol.py --profile=Win7SP1x64 memdump -D dll -f $memfile -p $pid | |
cd dll | |
echo "copy dll" | |
/usr/bin/cp -f /cygdrive/E/Game/DMM/priconner/PrincessConnectReDive_Data/Managed/Assembly-CSharp.dll ./ | |
/usr/bin/cp -f Assembly-CSharp.dll Assembly-CSharp-ori.dll | |
php restore-dll.php $pid.dmp | |
/usr/bin/rm -f $pid.dmp $memfile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
if [[ $1 == "" || ! -e $1/Assembly-CSharp.dll ]]; then exit; fi | |
set -x | |
cd dll | |
cp ../$1/Assembly-CSharp.dll ./ | |
git add Assembly-CSharp.dll | |
git commit -m $1 | |
git push origin dll | |
cd ../Assembly-CSharp | |
git rm -r -- . >/dev/null | |
set +x | |
echo "Wait for dump" | |
read | |
cp -r -- ../$1/Assembly-CSharp/* . | |
set -x | |
git add . | |
git commit -m $1 | |
git push origin master |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment