3.80 star(s) 63 Votes

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,305
1,767
> I mean like the tutorial in #123; as a computer idiot it looks like programming to me :LOL: I mean it's not code and stuff, but yeah.
That was for v16 and under. v17 had another protection. A check of the original MD5 of the binary. Showed nonymouse. v18 was funny to look at from an insider's POV (Princess Peach was moved to another castle and Mario could get a good chuckle if he noticed something about where she was (being cryptic because I don't hand out things, I try to teach)).
 
  • Wow
Reactions: CosmicBreak

kangsgem2

New Member
Aug 6, 2019
5
1
I can see you are trying to teach people, but the reality is most of the people (including me) in here are just here for the pirated game. I did try to understand some of the stuff you mentioned and do it myself, but it is something I searched on Google and still don't understand. I can sense you're desperate for people just shouting for cracks & questions, and I appreciate the fact you're releasing things later so the developer can earn better. Anyhow, thank you for your contribution. :LOL:
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,305
1,767
Thanks. :)
 

daddybronkus

New Member
Aug 29, 2019
1
1
Been beating my head against a proverbial wall trying to figure out how to crack .18 with little to no understanding of the subject matter. However, I think I've made some progress, though this is difficult for me to quantify as I have no idea what I'm doing.

I've gotten as far as finding the jmp rax, but I'm not sure what to do with this information. I've created a dump but it doesn't do much. (At the moment I am inordinately tired, I feel like I should elaborate on some of my steps thus far but for now I am incapable of doing so.)

All things considered, I'm a complete layman and figured I'd give it a shot trying to figure this all out. It has been interesting, though I'm certain there is a prerequisite body of knowledge that I am ignorant of. If y'all would be willing, I'd appreciate it if someone could point me towards some literature or guides that would give me a better idea of what is going on here and how to better use the information within the thread.

I would appreciate some help, preferably candid directions with little room for misinterpretation, though I wholly understand if I am too far off the mark for consideration. In any case, thank you for reading and sorry if I'm too much of a dipshit.
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,305
1,767
Actually I thank you for reading. :) Not a dipshit, anyone who wants to learn is more than welcome and applauded. Check convo sent.

I can't give candid answers, it would only enable gimmies and n00bs. But I can guide you a bit. Maybe more so in a conversation. As for this...

If you can take that jmp rax, you'll be at OEP. Be very specific to let that stack correction happen (the sub rsp after return to module) or you'll corrupt the stack. You can then dump it, no need to do anything else to it (technically). I don't expect most reverse-engineers to also know Unreal Engine, so I'll hand out this next bit. Once the dump is done, you'll need to determine the AES key for the Pak files. Google is your friend on this one. Easy guide out there. Unpack the Pak files and see if you can find any files (binary search all if that helps) that have to do with an MD5 hash...of the original executable. In v17 it was in Paralogue\Content\BP\GlobalFunctionLibrary.uexp. Bowser moved Princess Peach. See if you can find out where and replace that MD5 with your new MD5. Put the Pak files where they need to be (maybe download Epic Games Launcher and "make" a do-nothing game to determine file structure?) That'd be the bare minimum for a 'release'. You'd want to clean your dump up a bit so that most AVs don't grumble, but it isn't necessary.

Btw if you are capable of getting to the jmp rax properly, you don't need to do any of it...since you can then just Run... ;) And since the MD5 isn't changed at that point...see where I'm going? (That way if you can at least get there, you can play even if you can't release.) I'd like to urge that you continue this whole "teaching" thing. The more people learn to reverse-engineer, the stronger this forum can become. I don't spell things out, specifically to do exactly that, teach.

You can Google what OEP, EIP, and RIP are. Not hard. "reverse engineering oep eip rip" would get you in the right direction. I guess I can save you time... OEP is Original Entry Point (the start of an executable/library of code), IP is Instruction Pointer ("current line of code"), EIP is Extended IP (32-bit), RIP is 64-bit (Instruction Pointer, R doesn't have a defined meaning anymore).

Unreal Engine can use regular filesystem for loading content or a virtualized filesystem (where all the files for the game are packaged into a single file, a Pak file, usually encrypted with an AES key.)

v17 and v18 are 99% same for protection. Princess Peach has simply been moved to another castle. If you take a look at the old castle's decor...you should notice something funny (if you saw v16-v17 castle)

Look at v17, then look at my v17. Look at the structure of everything. That should help you regarding file structure...and for AES keys, Google is your friend here. Finding an AES key to an Unreal Pak...should be relatively easy.
 
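The "replace that MD5 with your new MD5" step from the post above, as an added example. This is not code from the thread, the game or Unreal Engine; it models the check the post describes (game data carries the MD5 of the original executable, the game hashes itself and compares) and shows why the check does not survive a dump: the reference digest sits in patchable data, and a replacement hex digest has exactly the same length, so it can be swapped in without shifting any offset inside the asset. Assumptions not stated on the page: the digest is stored as its 32-character hex text, in ANSI or UTF-16LE, either case (a raw 16-byte digest or a Base64 form would need its own pattern); the sample "executable" and "asset" bytes in demo() are constructed stand-ins, and scan_tree() is a helper for walking an unpacked Pak tree.

```python
"""Locate and patch a reference MD5 embedded in game data (added example)."""
from __future__ import annotations

import hashlib
from pathlib import Path

# (case, encoding) forms a hex digest can take as text inside a data file.
# Assumption: the asset stores the digest as text, not as raw bytes/Base64.
_FORMS = [(case, enc) for case in ("lower", "upper") for enc in ("ascii", "utf-16-le")]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _check_digest(digest: str) -> None:
    if len(digest) != 32 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("expected a 32-character hex MD5 digest")


def encode_digest(digest: str, case: str, enc: str) -> bytes:
    """The byte pattern `digest` has in the given case and text encoding."""
    _check_digest(digest)
    text = digest.lower() if case == "lower" else digest.upper()
    return text.encode(enc)


def find_hash(blob: bytes, digest: str) -> list[int]:
    """Sorted offsets in `blob` where `digest` occurs in any supported form."""
    hits: set[int] = set()
    for case, enc in _FORMS:
        pat = encode_digest(digest, case, enc)
        start = 0
        while (i := blob.find(pat, start)) != -1:
            hits.add(i)
            start = i + 1
    return sorted(hits)


def patch_hash(blob: bytes, old: str, new: str) -> tuple[bytes, int]:
    """Replace every occurrence of `old` with `new`, keeping case and encoding.
    Old and new patterns have identical length, so nothing else in the file moves.
    Returns the patched bytes and the number of occurrences replaced."""
    seen: set[bytes] = set()  # an all-digit digest has identical lower/upper forms
    count = 0
    for case, enc in _FORMS:
        old_pat = encode_digest(old, case, enc)
        if old_pat in seen:
            continue
        seen.add(old_pat)
        n = blob.count(old_pat)
        if n:
            blob = blob.replace(old_pat, encode_digest(new, case, enc))
            count += n
    return blob, count


def integrity_check(exe: bytes, data: bytes) -> bool:
    """Model of the check the post describes: hash the running executable and
    look for that digest among the reference data shipped with the game."""
    return bool(find_hash(data, md5_hex(exe)))


def scan_tree(root: Path, digest: str) -> dict[Path, list[int]]:
    """Walk an unpacked Pak tree and report every file (and offset) holding `digest`.
    This is the 'binary search all' step; run it with the MD5 of the original exe."""
    found: dict[Path, list[int]] = {}
    for p in root.rglob("*"):
        if p.is_file():
            hits = find_hash(p.read_bytes(), digest)
            if hits:
                found[p] = hits
    return found


def demo() -> tuple[bool, bool, int]:
    """Constructed scenario: a dump fails the check until the reference digest is patched."""
    original_exe = b"MZ\x90\x00" + b"original packed executable" * 8   # constructed
    dumped_exe = b"MZ\x90\x00" + b"dumped, unpacked executable" * 8    # constructed
    ref = md5_hex(original_exe)
    # Constructed stand-in for the asset: digest stored once as ANSI, once as UTF-16LE.
    data = b"\x00\x21" + ref.encode("ascii") + b"\x00" * 4 + ref.encode("utf-16-le") + b"\xff"
    before = integrity_check(dumped_exe, data)        # False: the dump has a new MD5
    patched, n = patch_hash(data, ref, md5_hex(dumped_exe))
    after = integrity_check(dumped_exe, patched)      # True once the reference is swapped
    return before, after, n


if __name__ == "__main__":
    before, after, n = demo()
    print(f"dump passes check before patch: {before}, after patch: {after} ({n} digests replaced)")
```

Two practical notes: run scan_tree() with the MD5 of the untouched executable first and confirm it reports exactly the files you expect before writing anything back, and remember that a same-length text replacement is only safe if the asset stores the digest as text; a length-prefixed or serialized form that also carries a checksum of the asset itself would need that secondary value updated too.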

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,305
1,767
> Anyone know if the Valve Index will work with the VR?
Good question considering the game engine is Unreal Engine. I don't use VR so I've not monkeyed with Unreal Engine VR API (specifically enabling certain types or if there is any initialization needed per brand etc...) If you try it and it works, could you report back?
 

KodyJones

Newbie
Jul 17, 2019
16
4
Contemplating Oculus vs Index atm, but I'll lyk! Thank you
 

WhyDoesMyLifeSuck

New Member
May 8, 2018
1
2
As someone whose only assembly experience was with an STM32 in ARM, I find it pleasantly surprising that a fucking porn game of all things has been the motivator of my dive into a more profound understanding of x86 and the technology I use every day.
As the saying goes, if I have seen further it is because I have thought with my penis.

Thank you sensei.
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,305
1,767
Oh, I love ARM...low power, used everywhere, easy to build your own projects...Ah. My first experience with ARM was reverse-engineering Motorola (now Arris) SB61XX Series Cable Modems and developing a firmware for them. Good times.
> I can't wait, does someone have a crack?
If you can't wait, crack it yourself. Read this thread and the Fallen Doll thread. Plenty of hints...
 
  • Like
Reactions: WhyDoesMyLifeSuck

Nero28

Newbie
Sep 3, 2018
27
34
If I weren't stupid, then maybe 6% of 100% could have tried, but there is nothing to be done about it (man, give me a present for my lonely birthday).
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,305
1,767
I've been told most guys try to pull that with hookers and wives. Doesn't work for them and doesn't work for me. xD Besides, I think nonymouse got my hint and did it. :) Hoping so. They just had a chance to look at it. Woo!

*Edit* Yep. I give the floor to nonymouse, he noticed and has done it. Nice to pass the torch.
 
  • Love
Reactions: nonymouse

nonymouse

Newbie
Jan 4, 2018
19
71
Following BupoTiling03-Retired's advice, I am still cleaning up the files for a proper release.
Expect a cleaned-up release to come in a few days' time.

In the meantime, I would highly encourage people to try to run it by themselves using the guides Bupo has shared; no need to do everything, just the OEP jump in the debugger is enough to get it working for yourself. It's simple and pretty rewarding.

Plus, as they have mentioned, some time should be allowed for the dev to generate revenue from their games.
 