My web server got infected by some sort of ransomware (not sure how it got in, but the machine was running older versions of apache/php). What I found were lots of README_FOR_UNLOCK.txt, ware.php, and .htaccess files, and the encrypted files (php source, some git repo files, mysql data files) had .fware extensions. After some digging I found the encryption php script (cli.php), and after some time I managed to de-obfuscate the source, figure out the (luckily) deterministic encryption key, and write a script for decrypting files. (I'm happy to provide the original scripts as well as my decryption scripts in case someone is interested.)
This seems to work fine for text files, but I did run into some issues with binary files, in particular mysql database files, which are pretty heavily corrupted. The reason seems to be that the code applies trim() to the file contents before encryption, removing any combination of bytes 0x00, 0x09, 0x0A, 0x0B, 0x0D, 0x20 at the beginning and end of the file, losing all that information. Since the files don't just have some random corrupted bytes somewhere, but are missing prefixes and suffixes, this understandably confuses the standard mysql tools quite a bit.
So my question is: does anyone have experience recovering mysql files from something like this, and/or suggestions for how to go about recovering as much data as reasonably possible?
Thank you in advance
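
An added example, not part of the original post: one way to measure and undo the alignment damage that trim() causes in a page-structured file. It assumes the damaged files are InnoDB tablespaces with the default 16 KiB page size, where every page stores its own page number as a 4-byte big-endian value at offset 4; all function names and the sample data are constructed for illustration.

```python
import struct

PHP_TRIM = b" \t\n\r\x00\x0b"  # 0x20 0x09 0x0A 0x0D 0x00 0x0B: PHP trim() default set
PAGE = 16384                   # assumption: InnoDB default page size
PAGE_NO_OFFSET = 4             # 4-byte big-endian page number inside each page header

def php_trim(data: bytes) -> bytes:
    """Reproduce what trim() did to the file contents before encryption."""
    return data.strip(PHP_TRIM)

def find_prefix_loss(trimmed: bytes, max_loss: int = 64, pages: int = 3):
    """Return the number of stripped leading bytes, or None if undetermined.

    With k bytes lost, page n's number field sits at n*PAGE + 4 - k, so the
    right k is the shift at which pages 1..pages report their own numbers."""
    for k in range(max_loss + 1):
        fields = [n * PAGE + PAGE_NO_OFFSET - k for n in range(1, pages + 1)]
        if fields[-1] + 4 > len(trimmed):
            return None  # file too short to check this many pages
        if all(struct.unpack_from(">I", trimmed, pos)[0] == n
               for n, pos in enumerate(fields, 1)):
            return k
    return None

def realign(trimmed: bytes):
    """Restore page alignment. Returns (rebuilt, prefix_loss, suffix_pad)."""
    k = find_prefix_loss(trimmed)
    if k is None:
        raise ValueError("page numbers not found; not InnoDB or too damaged")
    # The lost values are unknown (any of six bytes); zeros are placeholders, so
    # the first page's checksum field stays wrong until recomputed or ignored.
    body = b"\x00" * k + trimmed
    pad = -len(body) % PAGE  # assumes the file was a whole number of pages
    return body + b"\x00" * pad, k, pad

def constructed_sample() -> bytes:
    """Constructed 5-page stand-in for a tablespace file (not real data)."""
    def page(n):
        checksum = b"\x20\x0a\xde\xad" if n == 0 else b"\xde\xad\xbe\xef"
        header = checksum + struct.pack(">I", n)
        return (header + b"\xab" * 100).ljust(PAGE, b"\x00")
    return b"".join(page(n) for n in range(5))

if __name__ == "__main__":
    original = constructed_sample()
    rebuilt, k, pad = realign(php_trim(original))
    print(f"leading bytes lost: {k}, trailing bytes restored as zeros: {pad}")
    print("identical after the lost prefix:", rebuilt[k:] == original[k:])
```

Run it on copies of the decrypted files only; the trailing padding is a guess that the stripped suffix was all zero bytes, which holds for unused page space but not necessarily for a page trailer that happened to end in one of the six stripped values.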