So as i'm understood, we are going to start exe, let the elecKey load itself and do one round on cryptodefense, then let it load original game exe. After that we just set a new startpoint to game exe and do some other cleanup stuff?
Unreal Engine Fallen Doll: Operation Lovecraft [v0.4.9 Cracked] [Project Helius]
- Thread starter monroe
- Start date
- Jun 5, 2017
- 44
- 47
and you admit that some people have no time to study and they just want to play? For example, I come here not to study, but to download games and play them. so maybe someone will hack this unfortunate game and put it here and let people play. and those who want to study and have time for this, let me learn, I'm happy for them))
I'm sorry for English, it's google translator
- Jul 21, 2018
- 1,269
- 1,721
No, people come here to pirate games. Piracy requires some knowledge but I got tired of explaining crap over and over, rather simple <censored> too. After fulfilling all the requests I had from private users, I now just point anyone in the right direction and say good luck, no more. Don't like it, ignore it. *shrug*
Last edited:
- Jul 21, 2018
- 1,269
- 1,721
- Jun 5, 2017
- 44
- 47
millions of people download repack from torrents. and this does not mean that they should be able to do these repacks. I understand your point of view, it seems to me wrong, but you have the right to it
actually he talked about people that don't read simple instructions before asking some stupid questions
- Jun 5, 2017
- 44
- 47
Hey I'm having a go tooHi Bupo and thanks for your work and your share.
Is it possible for you to be more exhaustive on the way to crack the game ? Personally I have never used this kind of software
I open WindowsNoEditor\Paralogue\Binaries\Win64\Paralogue-Win64-Shipping.exe in x64dbg and I go the Symbol pannel.
Then I search in the paralogue executable the symbol LoadLibraryA, right-click and add a BP on it :
View attachment 365195
Go back in the CPU pannel and then, I click on Run :
View attachment 365197
As expected I'm blocked on the LibraryA loading.
But it's the only thing I've been able to follow in your explanation :'(
I do not understand this part :
"Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops."
A little help would be welcomeespecially since it's very interesting!
I think we have to find a jump point before EKC6420 loads which we can find in the log tab
Which if you click on the address links to the CPU page where we can find a jmp point
The thing I don't get now is how to set EIP to follow?
I also don't know which is the main executable,
I assume its paralogue-win64-shipping but it only returns to this executable once early on before triggering EKC6420
- Jul 21, 2018
- 1,269
- 1,721
The jmp you're looking at is not related to anything you need at all.
Main executable is Paralogue-Win64-Shipping.
It's okay for Ekc6420 to load...or you can abort loading it entirely and maybe return back to the main module to have a look. Did you see that? :] So hopefully you remember to let it correct the stack after the call and then just follow that jmp above it.
Also, the final jmp (not the one you're looking for, just mentioning for sake) will be a jmp rax. RAX register will contain OEP.
Also... instead of just trying to stumble through...why not learn more about what you're doing so that you can comprehend and do more? :] I've mentioned many buzzwords... "OEP" "Breakpoint" "Register" "JMP" "RAX" "LoadLibraryA" ...
Last edited:
Thanks for pointing that out.
If I understand this correctly, essentially the DRM EKC6420 is the code that executes before the OEP, the OEP is where the game code starts running.
So essentially what we are trying to do is find a jmp point which loads the DRM in this case EKC6420, and modify it so instead of loading the EKC6420 jump to the OEP of the game code.
And we are looking for breakpoints when LoadLibraryA is called because it is a function that is called when a .dll or .exe is loaded.
Last edited:
- Mar 18, 2018
- 335
- 369
I found the oep and the game can run in the x64dbg,I use Scylla for dumping but dumped file cannot run,
I don't understand how to "Use original packed executable for IAT sizes " and "Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image ..."is for dumped file or the original executable ?
Hi BupoTiling03,
Thanks for the walk through on how we could do it ourselves. I had been going over the steps for couple of days now.
So the issue is that I followed your steps to bp LoadLibraryA, find OEP and dump exe, haven't been able to understand the IAT rebuilding stuff yet. However after doing this the dump file launches but crashes at launch for the latest version - 0.17a. However, I was able to successfully get the older version 0.16 following the exact same steps.
Are there any changes in the new version that's preventing the dump from running? or am I still missing something here?
Disclaimer: I had no idea what debugging or reverse engineering was before your guide on it. Thanks for this as well, I learnt a lot during the last few days.
Edit: Using x64dbg and Scylla for dump
Thanks for the walk through on how we could do it ourselves. I had been going over the steps for couple of days now.
So the issue is that I followed your steps to bp LoadLibraryA, find OEP and dump exe, haven't been able to understand the IAT rebuilding stuff yet. However after doing this the dump file launches but crashes at launch for the latest version - 0.17a. However, I was able to successfully get the older version 0.16 following the exact same steps.
Are there any changes in the new version that's preventing the dump from running? or am I still missing something here?
Disclaimer: I had no idea what debugging or reverse engineering was before your guide on it. Thanks for this as well, I learnt a lot during the last few days.
Edit: Using x64dbg and Scylla for dump
Last edited:
No, you don't execute every line, once you return to the main file after kernel, you need to go a few lines up and follow the jmp statement there and step till you reach the jmp rax. This prevents the license dialogue from triggering.
Its not running for me either, which is why I had posted looking for some help. I replied to you since you asked about the license box triggering.
Hi httx good work
Can you give us the right sequence of actions to (with screenshots and which buttons / functions to use) in order to reach your level of advancement ?
I understand the point of view of bupo but there are so many concepts that make it impossible for a novice to understand the problem.
In my case I know that I learn better by mimicking the whole process once and then understanding each of the actions.
Thanks guys
- Jul 21, 2018
- 1,269
- 1,721
I purposefully leave the last step out so as not to baby everything.
That's because there is a little extra for 0.17. Won't do it all for everyone. At least someone learned some stuff.
Judging by what you said, I know you're in the right way. Consider the following. The game does indeed load for you. You've compared ElecKey on both versions and nothing has changed in ElecKey... Now might be time to look into the game. To do that, decrypt and unpack the Pak files. Kindly don't post steps or screenshots for anything, mind. It'd be nice to step the forum up from "gimme gimme gimme" to competent people instead. I've spelt out so many times how to do Fallen Doll, Paralogue, even how to access encrypted Pak files. You're the first to find an OEP and dump. Glad you went through the work to try dumping 0.16.Oh and clarification for many: Ekc doesn't actually need to load. By the time the program calls LoadLibraryA...the .text module is already decrypted/unscrambled.
---
I suppose the next step might need a little hinting. This is an Unreal Engine-based game. Its assets are cooked into uassets. Sometimes they're packaged into a single file. Sometimes encrypted. Research into decrypting them with the key (I gave you the key for pak file decryption in a few posts ago). Then look into the cute little (yes author of the game, I know by your behavior that you're reading these forums and trying to counter my unpack) ./Content/BP/GlobalFunctionLibrary, specifically about file hashes.
I'll give you a hint. It should have the same hash it had before...and with the key I gave you, you can repak. (Because this protection is in the game...if that hasn't clicked yet.)
Last edited: