CREATE YOUR AI CUM SLUT ON CANDY.AI TRY FOR FREE
x
3.80 star(s) 64 Votes

edemim

New Member
Feb 11, 2019
8
1
So as i'm understood, we are going to start exe, let the elecKey load itself and do one round on cryptodefense, then let it load original game exe. After that we just set a new startpoint to game exe and do some other cleanup stuff?
 

tolylisii

Newbie
Jun 5, 2017
49
53
People need to learn...
and you admit that some people have no time to study and they just want to play? For example, I come here not to study, but to download games and play them. so maybe someone will hack this unfortunate game and put it here and let people play. and those who want to study and have time for this, let me learn, I'm happy for them))

I'm sorry for English, it's google translator
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,351
1,906
No, people come here to pirate games. Piracy requires some knowledge but I got tired of explaining crap over and over, rather simple <censored> too. After fulfilling all the requests I had from private users, I now just point anyone in the right direction and say good luck, no more. Don't like it, ignore it. *shrug*
 
Last edited:

tolylisii

Newbie
Jun 5, 2017
49
53
No, people come here to pirate games. Piracy requires some knowledge
millions of people download repack from torrents. and this does not mean that they should be able to do these repacks. I understand your point of view, it seems to me wrong, but you have the right to it
 

edemim

New Member
Feb 11, 2019
8
1
actually he talked about people that don't read simple instructions before asking some stupid questions
 

dmc2398

New Member
Dec 21, 2018
2
1
Hi Bupo and thanks for your work and your share.

Is it possible for you to be more exhaustive on the way to crack the game ? Personally I have never used this kind of software :)

I open WindowsNoEditor\Paralogue\Binaries\Win64\Paralogue-Win64-Shipping.exe in x64dbg and I go the Symbol pannel.

Then I search in the paralogue executable the symbol LoadLibraryA, right-click and add a BP on it :

View attachment 365195

Go back in the CPU pannel and then, I click on Run :

View attachment 365197

As expected I'm blocked on the LibraryA loading.

But it's the only thing I've been able to follow in your explanation :'(

I do not understand this part :

"Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops."

A little help would be welcome:) especially since it's very interesting!
Hey I'm having a go too

I think we have to find a jump point before EKC6420 loads which we can find in the log tab
1565127274966.png

Which if you click on the address links to the CPU page where we can find a jmp point
1565127377806.png

The thing I don't get now is how to set EIP to follow?
I also don't know which is the main executable,
1565127584432.png

I assume its paralogue-win64-shipping but it only returns to this executable once early on before triggering EKC6420
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,351
1,906
Hey I'm having a go too

I think we have to find a jump point before EKC6420 loads which we can find in the log tab
View attachment 365460

Which if you click on the address links to the CPU page where we can find a jmp point
View attachment 365469

The thing I don't get now is how to set EIP to follow?
I also don't know which is the main executable,
View attachment 365472

I assume its paralogue-win64-shipping but it only returns to this executable once early on before triggering EKC6420
The jmp you're looking at is not related to anything you need at all.
Main executable is Paralogue-Win64-Shipping.
It's okay for Ekc6420 to load...or you can abort loading it entirely and maybe return back to the main module to have a look. Did you see that? :] So hopefully you remember to let it correct the stack after the call and then just follow that jmp above it.

Also, the final jmp (not the one you're looking for, just mentioning for sake) will be a jmp rax. RAX register will contain OEP.

Also... instead of just trying to stumble through...why not learn more about what you're doing so that you can comprehend and do more? :] I've mentioned many buzzwords... "OEP" "Breakpoint" "Register" "JMP" "RAX" "LoadLibraryA" ...
 
Last edited:

dmc2398

New Member
Dec 21, 2018
2
1
The jmp you're looking at is not related to anything you need at all.
Main executable is Paralogue-Win64-Shipping.
It's okay for Ekc6420 to load...or you can abort loading it entirely and maybe return back to the main module to have a look. Did you see that? :] So hopefully you remember to let it correct the stack after the call and then just follow that jmp above it.

Also, the final jmp (not the one you're looking for, just mentioning for sake) will be a jmp rax. RAX register will contain OEP.

Also... instead of just trying to stumble through...why not learn more about what you're doing so that you can comprehend and do more? :] I've mentioned many buzzwords... "OEP" "Breakpoint" "Register" "JMP" "RAX" "LoadLibraryA" ...
Thanks for pointing that out.

If I understand this correctly, essentially the DRM EKC6420 is the code that executes before the OEP, the OEP is where the game code starts running.

So essentially what we are trying to do is find a jmp point which loads the DRM in this case EKC6420, and modify it so instead of loading the EKC6420 jump to the OEP of the game code.

And we are looking for breakpoints when LoadLibraryA is called because it is a function that is called when a .dll or .exe is loaded.
 
Last edited:
  • Like
Reactions: 00Bob00

httx

New Member
Jul 16, 2019
5
5
The jmp you're looking at is not related to anything you need at all.
Main executable is Paralogue-Win64-Shipping.
It's okay for Ekc6420 to load...or you can abort loading it entirely and maybe return back to the main module to have a look. Did you see that? :] So hopefully you remember to let it correct the stack after the call and then just follow that jmp above it.

Also, the final jmp (not the one you're looking for, just mentioning for sake) will be a jmp rax. RAX register will contain OEP.

Also... instead of just trying to stumble through...why not learn more about what you're doing so that you can comprehend and do more? :] I've mentioned many buzzwords... "OEP" "Breakpoint" "Register" "JMP" "RAX" "LoadLibraryA" ...
I found the oep and the game can run in the x64dbg,I use Scylla for dumping but dumped file cannot run,
1565141668567.png 1565141761377.png

I don't understand how to "Use original packed executable for IAT sizes " and "Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image ..."is for dumped file or the original executable ?
 
  • Like
Reactions: 00Bob00

nonymouse

Newbie
Jan 4, 2018
19
71
Hi BupoTiling03,
Thanks for the walk through on how we could do it ourselves. I had been going over the steps for couple of days now.

So the issue is that I followed your steps to bp LoadLibraryA, find OEP and dump exe, haven't been able to understand the IAT rebuilding stuff yet. However after doing this the dump file launches but crashes at launch for the latest version - 0.17a. However, I was able to successfully get the older version 0.16 following the exact same steps.

Are there any changes in the new version that's preventing the dump from running? or am I still missing something here?

Disclaimer: I had no idea what debugging or reverse engineering was before your guide on it. Thanks for this as well, I learnt a lot during the last few days.

Edit: Using x64dbg and Scylla for dump
 
Last edited:

nonymouse

Newbie
Jan 4, 2018
19
71
What are you supposed to do with the OEP anyways? Even in the debugger, it'll trigger the license dialogue if you try to run it from that point.
No, you don't execute every line, once you return to the main file after kernel, you need to go a few lines up and follow the jmp statement there and step till you reach the jmp rax. This prevents the license dialogue from triggering.
 
  • Like
Reactions: 00Bob00

nonymouse

Newbie
Jan 4, 2018
19
71
I let the stack pointer update and redirected rip to that jump's address, stepped over all the way to jump rax and stepped into it. My program halted in the same place as the guy above you. What am I doing wrong?
Its not running for me either, which is why I had posted looking for some help. I replied to you since you asked about the license box triggering.
 

bichmout

New Member
Dec 3, 2017
3
4
I found the oep and the game can run in the x64dbg,I use Scylla for dumping but dumped file cannot run,
View attachment 365600 View attachment 365602

I don't understand how to "Use original packed executable for IAT sizes " and "Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image ..."is for dumped file or the original executable ?
Hi httx good work :)

Can you give us the right sequence of actions to (with screenshots and which buttons / functions to use) in order to reach your level of advancement ?

I understand the point of view of bupo but there are so many concepts that make it impossible for a novice to understand the problem.

In my case I know that I learn better by mimicking the whole process once and then understanding each of the actions.

Thanks guys
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,351
1,906
I found the oep and the game can run in the x64dbg,I use Scylla for dumping but dumped file cannot run,
View attachment 365600 View attachment 365602

I don't understand how to "Use original packed executable for IAT sizes " and "Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image ..."is for dumped file or the original executable ?
I purposefully leave the last step out so as not to baby everything.

Hi BupoTiling03,
Thanks for the walk through on how we could do it ourselves. I had been going over the steps for couple of days now.

So the issue is that I followed your steps to bp LoadLibraryA, find OEP and dump exe, haven't been able to understand the IAT rebuilding stuff yet. However after doing this the dump file launches but crashes at launch for the latest version - 0.17a. However, I was able to successfully get the older version 0.16 following the exact same steps.

Are there any changes in the new version that's preventing the dump from running? or am I still missing something here?

Disclaimer: I had no idea what debugging or reverse engineering was before your guide on it. Thanks for this as well, I learnt a lot during the last few days.

Edit: Using x64dbg and Scylla for dump
That's because there is a little extra for 0.17. Won't do it all for everyone. At least someone learned some stuff. :) Judging by what you said, I know you're in the right way. Consider the following. The game does indeed load for you. You've compared ElecKey on both versions and nothing has changed in ElecKey... Now might be time to look into the game. To do that, decrypt and unpack the Pak files. Kindly don't post steps or screenshots for anything, mind. It'd be nice to step the forum up from "gimme gimme gimme" to competent people instead. :) I've spelt out so many times how to do Fallen Doll, Paralogue, even how to access encrypted Pak files. You're the first to find an OEP and dump. Glad you went through the work to try dumping 0.16.

Oh and clarification for many: Ekc doesn't actually need to load. By the time the program calls LoadLibraryA...the .text module is already decrypted/unscrambled.

---

I suppose the next step might need a little hinting. This is an Unreal Engine-based game. Its assets are cooked into uassets. Sometimes they're packaged into a single file. Sometimes encrypted. Research into decrypting them with the key (I gave you the key for pak file decryption in a few posts ago). Then look into the cute little (yes author of the game, I know by your behavior that you're reading these forums and trying to counter my unpack) ./Content/BP/GlobalFunctionLibrary, specifically about file hashes. ;) I'll give you a hint. It should have the same hash it had before...and with the key I gave you, you can repak. (Because this protection is in the game...if that hasn't clicked yet.)
 
Last edited:
3.80 star(s) 64 Votes