3.80 star(s) 65 Votes

Red_7285

Member
Nov 23, 2019
156
258
xeko82 NukaCola On the Codex post, I guess you could argue that the perfect daughter could be anything ranging from a baby to a college student (or roughly 18 years younger than the parents). But writing "provide childless couples with comfort"... yea that's way too fishy :unsure: At least throw in 'adult daughter' in there or something haha.

On a side note NukaCola , I don't think xeko82 means you're for or against the content, but that steam will see it as "that category".

Has it actually been confirmed that there will be sexual content involving Galatea at all?
Would be very surprising and weird if there wasn't. Given that the "can't reveal model, clothes aren't ready" delay reason was used quite a bit. And there was no mention that Galatea would be in a different class from the other characters that get added to the lineup. And in the state the game is currently in, there would be no point to add her in a scene viewer with only an Idle animation or something.

edit:
In the post "Character Spotlight: Galatea, Part II"
Side Note:
Instead of being deployed at Archimedes orbital station, Galatea will be doing detective work in the colony and provide information on the case. There are no sexual scenes related to her if you do not choose to play as her.
 

Deleted member 1378207

Guest
How to take a key?
The only way for now is to pay the developer on Patreon, but if you're here that's not an option for you. So you can only wait until someone decides to crack the new version, or play the old version which is cracked and doesn't require a key. If you downloaded the game from here and it still requires a key then you're dumb.
 

Echo82

Member
Aug 6, 2018
280
288
Humm. I'm surprised Patreon let that pass. Why are you speaking like I'm against loli content? Maybe you should see my hentai watched list. I'm just worried about the developer being banned from the platform, that is all.
I never said you're against loli content. I have plenty of saved hentai and I loved Oni Chichi so, depending on how the characters look, I'm not against it either. But it's been clear from the Patreon that this character is of the loli type and will have optional sexual content. I will decide how I personally feel about the character when I get to try it. I don't care if other people play and fap to her; it's their decision to do so, as it's a game/sim after all.

Can someone post the new update? <3 :)
The update has been posted and the instructions on how to do so are as well. It's up to people to figure out how to do it. Currently there is not a public one posted.
 

yomamasass

Member
Mar 18, 2018
335
371
If you want it you have to crack it, and cracking it is no joke... Even with the guides posted here it's hella difficult.
I mean, has anyone even tried after funog1 came? BupoTiling03-Retired gave some explanations on this thread a long time ago (I'm trying to find them atm). I know some programming, but even with that, cracking stuff is witchcraft. Maybe we should all gather all the info that was shared before on the thread and make something out of it. Although I won't be much help other than just sharing ideas like everyone else; I am simply too dumb for this shit.
 

OKMijnuhb123

New Member
Dec 1, 2019
1
0
Conglomerating all the info on how to crack a game like this would be very useful. I would probably even attempt to do it myself if I just knew where to even start.
 

Hissatsu69

Newbie
Dec 24, 2019
27
17
funog1 was kind enough to post the info earlier in this thread. I went ahead and dug it up:

I understand where you are coming from, but they were never my instructions. They were Bupo's.
156_163_146_167 made a post a long while back with the important information, that or search the posts made by "BupoTiling03-Retired" to get the info. That is all we were really given to work off of. Using that information and a little learning from some Google searches nets quite a bit. I can wholly say the way Bupo delivered his information was the only reason I decided to even try: not a walkthrough that you follow and don't learn from, but just enough to get you on the track to learn it for yourself. I can call this thread my gateway to disassembly; before, I had never even touched a debugger, let alone cracked a program. While I still know very little about reverse engineering, I have taken what I learned from this and applied it to other things. As I type I'm trying to figure out how someone managed to bypass a Patreon authentication check for another game by pulling apart a dll file. From getting AES keys to paks so I can decensor some Japanese Unreal games, to pulling the password out of the Timestamps game for extracting the images in storage.vngine, I wouldn't have known how to do any of that without this thread.

I am willing to help those that are trying to learn, but I have gotten some stupid conversation starters ranging from the typical begging about a step by step guide to one person who demanded a pdf with pictures explaining on how to do it "or else..." so I tend to look over my conversations with a judgemental mindset.

Shifting focus a little bit, I managed to patch the Ekc6420.dll to punch itself in the face. With it there is no longer a need for creating new exes for the game which means no reason to trigger the reimplemented md5 check. Did I mention it seems to work recursively? Works on older versions of the game, works on the original Fallen Doll game(which has an older version of Eleckey), heck it works on the most recent version of Eleckey(2.0.9.20 as of writing this) at least anything made using the 30 day trial of it... as long as it is 64bit. They seem to have a different approach to x86 programs and didn't bother looking into it.

For anyone else that makes their own exes this is quite easy to do if you dick around the same region you pay attention to when dumping the exe.
Again, only done because I learned something from this thread.


tl:dr: this post wasn't for tl:dr's
There you go... I wish good luck and good fortune to you, friend... for all our leeching mofo's sake.
 

Echo82

Member
Aug 6, 2018
280
288
funog1 was kind enough to post the info earlier in this thread. I went ahead and dug it up:

There you go... I wish good luck and good fortune to you, friend... for all our leeching mofo's sake.
That part really isn't it. What I had posted is what he went over, but his post was deleted. I only have that part because I was discussing it with my fellow computer science classmates, on Discord.

The steps are "Open up in any x64 debugger, BP on LoadLibraryA, remove ALL BPs on target, run, on first break of LoadLibraryA it should be trying to load EK's dll. Search for OEP, set new origin, dump, fix IAT and rebuild."
 

Hissatsu69

Newbie
Dec 24, 2019
27
17
Well damn... The link he references has 2 more links; both of which work. You sound like you know more about it than I do, so, for now, I'ma see myself out.
 

Echo82

Member
Aug 6, 2018
280
288
Well damn... The link he references has 2 more links; both of which work. You sound like you know more about it than I do, so, for now, I'ma see myself out.
One of them references a post I no longer can find. The other references what I posted below.

I don't use WinDbg. OllyDbg or x96Dbg or Ida (other archs). This being x64, use x96Dbg. If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)...

If you set any BPs on an executable protected by ElecKey, it'll muss it up. "bp LoadLibraryA". Allow the kernel to load it, let it execute until it returns to main executable, step over the add sp. You'll see a jmp just above. Set EIP to follow, continue until you see a jmp *ax (rax, eax). That is your jump to OEP. Step, at OEP. Dump. 60 seconds tops.

IAT technically doesn't need rebuilding, you just need to undo ASLR, if you don't want a few skitzy AVs freaking out. If using Scylla for dumping, it doesn't correctly calculate some IAT sizes. Use original packed executable for that info. Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image to 140000000 (UE games...) OEP offset can be seen during those steps to jmp rax after that first jmp. Set your .text and .rdata sections to remove WRITABLE. They do not need it, skitzy AVs will also flag because of that. Pretty the timestamp. 5 minutes to do.

Basically, ElecKey adds a section to the PE header, and its own code to end of file, encrypts/scrambles/obfuscates .text section, sets OEP to ElecKey. Just undo those things and copy over your dumped .text section in this case. (That way you'll keep a clean IAT...)

*Oh, the v17 above is v17a VR. So for some, it'll just close/not work.
My university doesn't teach reverse engineering and I wasn't about to tell my classmates about Fallen Doll. We discussed reverse engineering to an extent but, while I don't mind talking about this topic with people online, I'm not about to discuss hot girls getting raped by some creatures and why I want to get this stuff for free. I learned a bit about reverse engineering but I haven't put enough effort into it when I have other subjects that I need to pass. lol

I had just opted not to renew my Patreon. So when the next version comes out I'll be able to put more effort into seeing what cracking. I don't know how difficult the start of the semester will be with Covid-19. We'll see...

Edit: Found a useful addition since I am re-reading the thread

I suppose the next step might need a little hinting. This is an Unreal Engine-based game. Its assets are cooked into uassets. Sometimes they're packaged into a single file. Sometimes encrypted. Research into decrypting them with the key (I gave you the key for pak file decryption in a few posts ago). Then look into the cute little (yes author of the game, I know by your behavior that you're reading these forums and trying to counter my unpack) ./Content/BP/GlobalFunctionLibrary, specifically about file hashes. ;) I'll give you a hint. It should have the same hash it had before...and with the key I gave you, you can repak. (Because this protection is in the game...if that hasn't clicked yet.)
edit 2: Maybe this is that other post? I guess having F95 to show me 100 posts per page screws with things.

Reply:

I am always glad when someone tries to learn and grow. :) The information is relevant to FallenDoll and Paralogue (or anything else that uses ElecKey protection...). I posted the information in various places on the FallenDoll thread. Here is a decent summary:

This being x64, use x96Dbg. If you set any BPs on an executable protected by ElecKey, it'll muss it up. Remove all BPs. Then add a BP on "LoadLibraryA". If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)... Run. Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops.

IAT technically doesn't need rebuilding, you just need to undo ASLR, if you don't want a few skitzy AVs freaking out. If using Scylla for dumping, it doesn't correctly calculate some IAT sizes. Use original packed executable for that info. Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image to 140000000 (UE games...) OEP offset can be seen during those steps to jmp rax after that first jmp. Set your .text and .rdata sections to remove WRITABLE. They do not need it, skitzy AVs will also flag because of that. Pretty the timestamp. 5 minutes to do.

Basically, ElecKey adds a section to the PE header, and its own code to end of file, encrypts/scrambles/obfuscates .text section, sets OEP to ElecKey. Just undo those things and copy over your dumped .text section in this case. (That way you'll keep a clean IAT which is easier than rebasing...)

If in doubt, install Epic Games Launcher and make a 'do nothing' game just to compare executables. Remember, first executable is just a loader for second. .\WindowsNoEditor\Paralogue\Binaries\Win64\Paralogue-Win64-Shipping.exe is actual game.
 
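The section-table details in the post above (a protector appending its own section, .text and .rdata left WRITABLE so that AVs flag the file) are exactly what a triage script looks for when deciding whether a binary has been packed or tampered with. The following is an added example, not code from this thread or any of its posters: a minimal PE section-table parser that flags write+execute sections, a writable .rdata and section names outside a baseline, run over two headers-only images constructed inline. The baseline section names and the two images are assumptions for the demo.

```python
import struct

# Section characteristic bits from the PE/COFF spec.
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
# Section names a stock MSVC/Unreal build is expected to carry (assumed baseline).
BASELINE = {".text", ".rdata", ".data", ".pdata", ".idata", ".tls", ".rsrc",
            ".reloc", ".gfids", ".00cfg", "_RDATA"}

def parse_sections(image: bytes):
    """DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the 4-byte signature; the optional header is skipped.
    hdr = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    nsections, opt_size = hdr[1], hdr[5]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        out.append((name, vaddr, vsize, chars))
    return out

def audit_sections(image: bytes):
    """Return triage findings; an empty list means the section table looks stock."""
    findings = []
    for name, _va, _vs, chars in parse_sections(image):
        if chars & SCN_EXEC and chars & SCN_WRITE:
            findings.append(f"{name}: writable and executable")
        elif name == ".rdata" and chars & SCN_WRITE:
            findings.append(".rdata: read-only data marked writable")
        if name not in BASELINE:
            findings.append(f"{name}: section name outside the expected baseline")
    return findings

def build_headers_only_image(sections):
    """Constructed input: DOS stub + PE32+ headers + section table, no section bodies."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

RX, R = SCN_CODE | SCN_EXEC | SCN_READ, SCN_IDATA | SCN_READ
# Constructed images: one laid out as the linker emits it, one carrying the traits
# the post describes (writable .text/.rdata plus an appended foreign section).
CLEAN_IMAGE = build_headers_only_image(
    [(".text", 0x1000, 0x4000, RX), (".rdata", 0x5000, 0x1000, R)])
SUSPECT_IMAGE = build_headers_only_image(
    [(".text", 0x1000, 0x4000, RX | SCN_WRITE), (".rdata", 0x5000, 0x1000, R | SCN_WRITE),
     (".xtra", 0x6000, 0x2000, RX | SCN_WRITE)])
```

`audit_sections(open(path, "rb").read())` applies the same checks to a real file; the baseline set should be tuned to what the toolchain in question actually emits.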

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,357
1,912
This game is probably a 1/10 for difficulty cracking.
It's not something spontaneous really, just a slow buildup of people with terrible reading comprehension over the last few months. But the people from the past few days are a new breed of ignorant. People complain about my choice of filehost when I have on multiple occasions asked opinions about other ones with little to no response. Then you have people who somehow missed the cracked version on the MAIN POST and end up downloading the View attachment 729845 and think they are doing it right? I swear I did hear a snap noise though when I read the comment about downloading the crack from a different website. Not because it was on a different website(idgaf how far it propagates), but because this person saw this thread, bypassed the main post again, couldn't find the game so went looking elsewhere... I mean the format for every thread on this site is main post WITH links...

Anyways, I may be done providing the cracks for people but I'm not done tinkering. This game was my entry point to the world of disassembly(totally unintentional pun) and while it makes my head hurt I find it fun. In that vein I think I came up with a new way to crack the game without touching the exe which means no worrying about the md5 check, I think it might work between versions too but I don't have any other versions on hand to test with so I can't confirm that one. I may have been a little hasty when I said "you don't have to worry about me anymore " it's more like "you don't have to worry about me monthly". I know there are a few other capable people in this thread that can get the cracks out so you aren't losing much.

I don't know if BupoTiling03-Retired still watches this thread, but if you do, shoot me a message please. I want to pick your brain about my idea. It's probably very unrefined. Also, if anyone has good resources for dis/assembly I would be appreciative. It took me way too long to realize that a call adds 8 bytes to the stack...
See, my earlier posts were all about "the build up" of "DOI" gimmies. ("Give Me"s) Not a new breed of ignorant, by the way, the same breed out there. Just becoming more aware of it. I don't Watch threads anymore if they're past a month since my last comment OR they piss me off, but someone pointed these out to me today. Calls don't add 8 bytes to the stack. They push the Instruction Pointer to the stack. Depending on mode (16-bit, 32-bit, 64-bit, it is either 2 bytes, 4 bytes, 8 bytes, etc...) Quick ref: Depends on architecture and mode... osdev.org, read up on ASM stuff. If you thought your brain hurt before...this'll violate it. I find it to be casual conversation pieces or merely refresher. If you want more materials, check out the system development guides from each vendor (highly recommend AMD over Intel, ESPECIALLY FOR THEIR MANUALS ON X86 ARCHITECTURE, Intel is junk all around, always has been). I would also suggest you use osdev to write your own MBR bootloader and get into long-mode. You'll learn more about how things go on than anything. Yes I'm telling you to not use Grub, etc. Do it the hard, old-school way. Invaluable. Use Bochs, btw. Compile it yourself to support what you need, then fire away. Nothing beats having your own code running with no reliance on anything. Pure ASM, text editor, nasm compiler, beautiful. I say use Bochs because of the GUI Debugger.
I understand where you are coming from, but they were never my instructions. They were Bupo's.
156_163_146_167 made a post a long while back with the important information, that or search the posts made by "BupoTiling03-Retired" to get the info. That is all we were really given to work off of. Using that information and a little learning from some Google searches nets quite a bit. I can wholly say the way Bupo delivered his information was the only reason I decided to even try: not a walkthrough that you follow and don't learn from, but just enough to get you on the track to learn it for yourself. I can call this thread my gateway to disassembly; before, I had never even touched a debugger, let alone cracked a program. While I still know very little about reverse engineering, I have taken what I learned from this and applied it to other things. As I type I'm trying to figure out how someone managed to bypass a Patreon authentication check for another game by pulling apart a dll file. From getting AES keys to paks so I can decensor some Japanese Unreal games, to pulling the password out of the Timestamps game for extracting the images in storage.vngine, I wouldn't have known how to do any of that without this thread.

I am willing to help those that are trying to learn, but I have gotten some stupid conversation starters ranging from the typical begging about a step by step guide to one person who demanded a pdf with pictures explaining on how to do it "or else..." so I tend to look over my conversations with a judgemental mindset.

Shifting focus a little bit, I managed to patch the Ekc6420.dll to punch itself in the face. With it there is no longer a need for creating new exes for the game which means no reason to trigger the reimplemented md5 check. Did I mention it seems to work recursively? Works on older versions of the game, works on the original Fallen Doll game(which has an older version of Eleckey), heck it works on the most recent version of Eleckey(2.0.9.20 as of writing this) at least anything made using the 30 day trial of it... as long as it is 64bit. They seem to have a different approach to x86 programs and didn't bother looking into it.

For anyone else that makes their own exes this is quite easy to do if you dick around the same region you pay attention to when dumping the exe.
Again, only done because I learned something from this thread.


tl:dr: this post wasn't for tl:dr's
That is why I did things the way I did. The more popular you become, the more gimmies come out. You'll end up hating it. You'll feel bad for them but at the same time entirely frustrated with their entire lack. Remember when I fussed that you posted an exact walkthrough? It was to stop gimmies and make them do some work...to better all reverse-engineers and make the community stronger. Instead of everyone coming to one master fisherman, they could all become it. Less work for the master fisherman and they can take care of themselves. As for EK, the reason I didn't bother patching EK's dlls is because the protection is still there and runs. I'm against that kind of behavior. Sometimes there are miners there, or ads being loaded in the background, etc., not to mention they sometimes change and get updated. Learning how to work on the protection to remove it entirely was the better teaching-point. You've done well so far. Glad you were able to develop yourself unlike most gimmies. You're far off from the Denuvo and others I wipe my butt with after eating spicy food, but you may get there someday. Most definitely faster than a gimmie that stands still.

Thank you for replying and for linking that post. I have always been interested in the world of cracking and, as a developer, I see it as an opportunity to learn something new related to what I'm doing. My problem with cracking was finding useful info about how to start. I tried in the past browsing this thread to get some "intel" but I wasn't able to pull the right information. In the post you linked I found at least something where to start looking though, so thanks. I might finally start trying to mess around with cracking and reverse engineering :D
Search all of our (me, funog1) posts on this thread for information about THIS DRM. As for reverse-engineering, you've no idea how much you're going to have to learn to comprehend and do the things scene-groups do. Many things relevant to the early 1990s will need to be learned too. They were the golden scene days.

*Edit* For the slew of people who just contacted me, I am Retired to the masses. projectheliu doesn't have to worry about me either. ;) By the way projectheliu, if you implemented any of the things I suggested you'd easily delay. See how simple it'd be? Told you. You wouldn't even need ElecKey. You could also customize the Pak compression and cryptographic routines (7z out of box is good enough and can encrypt). You'd probably set back anyone. 7z is GPL too. *shrug* I would also seriously not rely on Steam's DRM. It is incredibly easy to get around.
 