
dafafa (Newbie, Dec 15, 2018)
Hey Bupo, instead of bumping my head trying to crack it with 0 starting knowledge on pretty much everything, are there some resources, books, or places that you can suggest where to learn this stuff from the beginning?
Of course I get that I can just google it, but since you are so knowledgeable, maybe you can point me to the most efficient resources.
 

BupoTiling03-Retired (Well-Known Member, Modder, Jul 21, 2018)
Google is the most efficient. xD Eh, Tuts4You is good. Another good resource would be Micro$hit's PE Format.

Dyatlov (Newbie, Jul 22, 2019)
This is my first attempt at reverse engineering, and I've never touched assembly code before, so it looks like Chinese to me xD

Thanks for your tutorial. I was following it, and I'm stuck at this part:

Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops.
Is this the correct jump? After setting RIP (assuming RIP and EIP are the same) to this jump, I was stepping over, but I didn't find a jmp rax; instead I received an EXCEPTION_ACCESS_VIOLATION after stepping through about 14 lines.


Also, I'm not sure if I understood this part: "let it execute until it returns to main executable, step over the stack pointer add".
How do I know if it has returned to the main executable?

I can't see an add sp. I googled and found that RSP means Register Stack Pointer. I'm not sure if it's the same as add sp.
 

BupoTiling03-Retired (Well-Known Member, Modder, Jul 21, 2018)
You forgot to let it load the library. Right now, you're in the Kernel. You're not looking for the JMP yet. When it RETs back to Paralogue module, you'll see what you need to. Notice the module you're in, title of your debugger says it all. (You're very close btw...you'll probably laugh once you figure it out. Very glad you're this far. :D) Remember to let it Load the protection and then let it Return to the main module... SP means Stack Pointer (16-bit). ESP means Extended Stack Pointer (32-bit), RSP means Register Stack Pointer (64-bit). Though technically, 64-bit registers never actually have that name-prefix. We just go with it. :) (It'll probably be easier for you to use "Step Over" instructions when in the Kernel btw.) I use shortcut keys, much faster stepping into/over/blablabla.

badboyqq22 (New Member, Aug 8, 2019)
@BupoTiling03-Retired
"Step over the stack pointer add. Before the call that causes EKC6420 to load, you'll see a jmp above it. Set EIP to follow."

What does the above mean? How do I find the jmp?

Dyatlov (Newbie, Jul 22, 2019)
I got it to work for myself :D This is the first time I've reverse engineered anything. I wanted to learn it for a long time but never had the motivation to start.. haha

When I have free time again, I'm going to give a shot at making a crack, although I probably won't succeed :LOL:

Thank you so much for the tutorial and help (y)


BupoTiling03-Retired (Well-Known Member, Modder, Jul 21, 2018)
Glad you could learn something from it all. :) Actually, if you were on v16, you could just dump it and it'd work. Sure it'd be professional to clean up the exe a bit but it'd work regardless. Since v17, another piece of protection was added. Not difficult but not for newcomers. :) Enjoy. :) How do you feel about that comment earlier, 10 hours nothing...and so close all along?

Also, I'd like for nonymouse to be the one to release v18, being the first one to learn how. They also know how to clean up the executable. Makes for less AVs flagging and fussing. They will probably release on Monday, giving the author a week to make his income.
 

nonymouse (Newbie, Jan 4, 2018)
Nice to see so many people are able to get it working now. I imagine they are just as excited about it as I was when it worked for me the first time as well :LOL:

BupoTiling03-Retired this proves you are a good teacher, repeating the steps multiple times until people could make it this far :)
 

BupoTiling03-Retired (Well-Known Member, Modder, Jul 21, 2018)
Thanks. :) Glad people can learn and grow. Btw I made a script for you.
 

VLindemann (Member, Apr 25, 2018)
I could probably give it a try, but my daily life is already busy as hell, so I'll wait for someone to upload it here. Still, good job everyone. I also occasionally crack Steam games for my personal use.
 

BupoTiling03-Retired (Well-Known Member, Modder, Jul 21, 2018)
Heh, same. If you can remove SteamDRM, you can easily do this.
 

156_163_146_167 (Engaged Member, Jun 5, 2017)
After two afternoons of trying and reading a lot of hints in this thread, I think I might have done it. The reason I say I might is that I have an exe now that I can run and it skips the activation dialogue. The problem is that the next thing I get is a few seconds of black screen and then it closes itself. And I don't know if this is due to me performing the crack incorrectly or some problem with the game itself. For what it's worth, the 0.17 crack works fine on my computer.
 

BupoTiling03-Retired (Well-Known Member, Modder, Jul 21, 2018)
No, you performed it correctly. Half of it. The rest of the protection isn't in the executables. Look into the Pak files. The game is calling "Quit" to exit...for a reason. In fact, Page 17 has what you need.
 

BupoTiling03-Retired (Well-Known Member, Modder, Jul 21, 2018)
You need to come to jmp rax by natural means (with the exception of taking the one jmp above that call to load the protection). Besides, this all assumes you have some experience reverse-engineering/computer-literacy.
 

156_163_146_167 (Engaged Member, Jun 5, 2017)
Hmm. Some posts lead me to believe I could just run it at that point without having to mess with the pak files. Guess I'll keep looking.
 