A publisher? for a porn game? what kind of clown world are we living in. But in all seriousness i appreciate him giving the game to people who aren’t able to pay for it
Unreal Engine Abandoned Fallen Doll [v1.31] [Project Helius]
- Thread starter Muff Diver
- Start date
I'm using v1.30 and can't find any dance option... Except on Tools there's Pole Dance...
- Jul 1, 2017
- 3,919
- 4,587
Isn't pole dance is the only dance animation this game ever have? I followed this game since 2017 and I don't recall there is another dance option exist.
- Apr 1, 2018
- 78
- 97
Sure you're not thinking of Waifu Sex Simulator? That one has lots of dances...
As far as I remember, the dance can be choose, which dance I mean is Opening Dance...
And to choose those dance is from BGM/Music session (if I'm not mistaken) ...
And to choose those dance is from BGM/Music session (if I'm not mistaken) ...
- Jun 8, 2017
- 457
- 670
I do remember dancing. I don't know how you'd trigger it, but it used to be that when you start a new day she'd dance on the stage. No idea if that's still in the game, and I haven't played the latest version yet.
- Jan 17, 2019
- 68
- 104
It's still in the game but now it works in a different way. You have to buy the dancing pole and then use it. And I think that there is only one dance. Pretty good one anyway imao
- Aug 19, 2018
- 437
- 796
Okay guys, I've got some bad news. Sadly I was unable to bypass the license mechanism. The main EXE doesn't play well with IDA or Ghidra and I wasn't able to figure out where the DLL calls are made in it to check the license key.
I also tried modifying the DLL files themselves, but when I did that it just complained they were missing, so I couldn't get it to work. It'll take someone more experienced than me to crack it.
Otherwise there might be some way to work around it by taking a valid license key file and using Wireshark to figure out what's being sent back and forth, and a fake local server to always send that valid message back to the game to trick it into thinking it's valid, but I don't have a key, and I'm not sure how easy that is to do. It would also require some thinking on how to prevent people from accidentally just opening it and contacting the real server which could end up invalidating it for everyone.
I also tried modifying the DLL files themselves, but when I did that it just complained they were missing, so I couldn't get it to work. It'll take someone more experienced than me to crack it.
Otherwise there might be some way to work around it by taking a valid license key file and using Wireshark to figure out what's being sent back and forth, and a fake local server to always send that valid message back to the game to trick it into thinking it's valid, but I don't have a key, and I'm not sure how easy that is to do. It would also require some thinking on how to prevent people from accidentally just opening it and contacting the real server which could end up invalidating it for everyone.
- May 11, 2018
- 105
- 103
Well some form of anti debugging code was a given i posted about this a few pages back it's even in the faq for the drm used here, anyway thx for at least trying maybe someone with some real cracking experience (which i lack as well unfortunately) can pick it up.
my 1st idea to approach this drm shit was building a fake server too. since this should be more future prone to coming versions (no cracking anew on new versions). until now i sniffed the traffic between client and server to get a rough idea of the communication between it and also build a fake server which talks with the client and lets me play around with the data a little. problem is i don't have a dump of a successfull activation to replicate it. So i need a free key for some minutes or a wireshark capture.
pm me if you can help
pm me if you can help
- Aug 19, 2018
- 437
- 796
We should also do this soon, as there's a high likelihood they'll implement HTTPS on their activation server at some point, which would probably prevent sniffing that traffic.
tsl/ssl crypto shouldn't be that much of a hassle since currently my fake server is actually a man in the middle. Only if the server uses an authentication certificate (X.509.3), that could become a real problem.
- May 5, 2019
- 10
- 0
I'm a new patreon and now I regret doing that. After putting in the activation code, I cannot start the game. I feel so scammed right now.
- Mar 18, 2018
- 335
- 371
Give the code to drpavelcia he'll take your revenge! Though jokes on a side you should talk with project helius via email or patreon comment section, they trying to reply to these kind of problems much as possible.
- Jul 1, 2017
- 3,919
- 4,587
Like other I'm trying to find a way to crack this but I'm no expert at all. First time that I try on a profesionnal protection.
I played with fiddler but I'm also stuck because I don't have any valid unused license.
I messed a bit with the server answer trying to change the <MaxActivation> but to no use. It's like the client doesn't care about what the server says in the first request.
In the second request I can see <LicenseKey /> in the answer and I guess when the MaxActivation isn't reached, we can get some data here. The best message I could have was "Invalid License Key! (0x003f89)" when trying to fill the empty LicenseKey and changing the error code.
What I'm wondering about is this RegistrationID and RegIDTran and what role they have in the activation process.
Finding a way to force the activation is probably the easiest way because trying to isolate the game from the DRM looks almost impossible.
I still have to reverse Eck32/6420.dll and continue to look for the C# disassembly of deactivation.exe but it's a lot of work.
I played with fiddler but I'm also stuck because I don't have any valid unused license.
I messed a bit with the server answer trying to change the <MaxActivation> but to no use. It's like the client doesn't care about what the server says in the first request.
In the second request I can see <LicenseKey /> in the answer and I guess when the MaxActivation isn't reached, we can get some data here. The best message I could have was "Invalid License Key! (0x003f89)" when trying to fill the empty LicenseKey and changing the error code.
What I'm wondering about is this RegistrationID and RegIDTran and what role they have in the activation process.
Finding a way to force the activation is probably the easiest way because trying to isolate the game from the DRM looks almost impossible.
I still have to reverse Eck32/6420.dll and continue to look for the C# disassembly of deactivation.exe but it's a lot of work.
- Aug 19, 2018
- 437
- 796
I think I know what you might be hitting. I believe there's 2 programs making requests: The "Deactivation.exe" and the actual game "Shipping" something exe. Monitor the requests made by the shipping exe, that's the one doing the actual license check to launch the game. The Deactivation exe is only doing a check to see if the license exists or not, and I think that one you can actually bypass with the dnspy tool.
What we basically need to do is tell the shipping exe when it makes a request, "yes, your license key is valid".
For reversers:
Protection: ElecKey 2.X Internet, Enterprise, or Ultimate.
Very old and unusual protection I have not heard of until now. Simply spoofing the callback upon sending a key to Deactivation.exe will most likely not be enough as there may be another check in FallenDoll.exe. Note that FallenDoll.exe gets the activation app to launch from KCAP.ini. Simply returning "true" in Deactivation.exe was not enough for me from my experiments.
Searching the internet I have been able locate some versions of ElecKey 2.X, however since the protection is not really used that widely, the only two links were from ~2009-2010, and their download link has expired long ago, as expected.
The way I see it is the following 2 options:
Option 1:
Figure out the key generation scheme from how it checks the activation key. From the Deactivation.exe, a keycheck can be found:
this.Kc = new KeyCheck(1721994409u, 1, 0, 0, "KPKWFJ5BLS7L4HQVGLXXTEGF", Application.ExecutablePath);
, where "KPKWFJ5BLS7L4HQVGLXXTEGF" is the "InitLicenseKey", aka. most likely product code.
Using this, it is very likely a proper key can be generated, however the method "buttonActivate_Click" should be patched appropriately to not make a call to the server. I highly doubt any kind of asymmetric key algorithms are used in the process of key generation.
Option 2:
Unpack FallenDoll.exe and patch out the licensing. I do not possess an unpacker that can handle it though.
Either way, regardless of option 1 or 2, patching seems inevitable. Option 1 (from the looks of it) seems to require patching of Deactivation.exe only, whereas option 2 will require patching of FallenDoll.exe.
Protection: ElecKey 2.X Internet, Enterprise, or Ultimate.
Very old and unusual protection I have not heard of until now. Simply spoofing the callback upon sending a key to Deactivation.exe will most likely not be enough as there may be another check in FallenDoll.exe. Note that FallenDoll.exe gets the activation app to launch from KCAP.ini. Simply returning "true" in Deactivation.exe was not enough for me from my experiments.
Searching the internet I have been able locate some versions of ElecKey 2.X, however since the protection is not really used that widely, the only two links were from ~2009-2010, and their download link has expired long ago, as expected.
The way I see it is the following 2 options:
Option 1:
Figure out the key generation scheme from how it checks the activation key. From the Deactivation.exe, a keycheck can be found:
this.Kc = new KeyCheck(1721994409u, 1, 0, 0, "KPKWFJ5BLS7L4HQVGLXXTEGF", Application.ExecutablePath);
, where "KPKWFJ5BLS7L4HQVGLXXTEGF" is the "InitLicenseKey", aka. most likely product code.
Using this, it is very likely a proper key can be generated, however the method "buttonActivate_Click" should be patched appropriately to not make a call to the server. I highly doubt any kind of asymmetric key algorithms are used in the process of key generation.
Option 2:
Unpack FallenDoll.exe and patch out the licensing. I do not possess an unpacker that can handle it though.
Either way, regardless of option 1 or 2, patching seems inevitable. Option 1 (from the looks of it) seems to require patching of Deactivation.exe only, whereas option 2 will require patching of FallenDoll.exe.
I don't think that generating a key will work. As far as I understand that ElecKey, every key is generated by the guy who made the protected software (Project Helius in this case) and registered in some kind of database of the dev of ElecKey (Sciensoft).
Hope You get what I try to say. English isn't my native language as You may have guessed already^^.
When You purchase a license of ElecKey to use in Your product, You will be sent a unique version of the tools. Unique in the way, that there is a unique key coded into it, where the trial version of ElecKey all use some 1111111-11111 like key. Maybe this "KPKWFJ5BLS7L4HQVGLXXTEGF" Zyrix found is exactly this unique key? If so, maybe it's possible to use the trial version of ElecKey, hex the standard key to the one from Fallen Doll and uncrypt Fallen Doll , thus removing any traces of drm completely.
As for the RegIDTran and RegistrationID sections in the network traffic:
My guess is that they somehow identify the product (Fallen Doll in this case). Since there is no other data pointing out what the request is all about except the key itself. So either every key must be unique worlwide, even between different products using ElecKey or the mentioned sections are just some product code. If we are unlucky, this is some machine identification generated unique to the machine. That would make it impossible to solve the whole thing with a fake server alone. Let's find out!
The ID sent by my machine is
<RegIDTran>EM864EEC5RSUNURB</RegIDTran>
the ID returned by the server is
<RegistrationID>WYZQ03TX71B75RQ2</RegistrationID>
these are the same regardless the key I used (HKV5-754M-XG5B-86I3-7NGH or QE9O-5RSX-3M1L-CPZH-SLK7).
Anyone want to compare these to the ones sent by his own machine pls?
So the <RegistrationID> stuff is based on the file C:\ProgramData\Key-Base\63e70b6f.052\CODE.PKD, which is a 512bytes file generated by FallenDoll.exe at first start and seems to contain a random generated key representing the machine. Also it contains some information about the file system it's generated for to prevent copying of that file to another computer (tested with ram disks mounted to C:\ProgramData\Key-Base). Maybe this file will also contain the key for decrypting FallenDoll.exe once registration is done.
I still have no clue about what <RegIDTran> is for. In my last traffic captures it was another one than posted above, but didn't change during the tests. So it's maybe some date related thing for keeping track of license transactions or something.
Hope You get what I try to say. English isn't my native language as You may have guessed already^^.
When You purchase a license of ElecKey to use in Your product, You will be sent a unique version of the tools. Unique in the way, that there is a unique key coded into it, where the trial version of ElecKey all use some 1111111-11111 like key. Maybe this "KPKWFJ5BLS7L4HQVGLXXTEGF" Zyrix found is exactly this unique key? If so, maybe it's possible to use the trial version of ElecKey, hex the standard key to the one from Fallen Doll and uncrypt Fallen Doll , thus removing any traces of drm completely.
As for the RegIDTran and RegistrationID sections in the network traffic:
The ID sent by my machine is
<RegIDTran>EM864EEC5RSUNURB</RegIDTran>
the ID returned by the server is
<RegistrationID>WYZQ03TX71B75RQ2</RegistrationID>
these are the same regardless the key I used (HKV5-754M-XG5B-86I3-7NGH or QE9O-5RSX-3M1L-CPZH-SLK7).
Anyone want to compare these to the ones sent by his own machine pls?
So the <RegistrationID> stuff is based on the file C:\ProgramData\Key-Base\63e70b6f.052\CODE.PKD, which is a 512bytes file generated by FallenDoll.exe at first start and seems to contain a random generated key representing the machine. Also it contains some information about the file system it's generated for to prevent copying of that file to another computer (tested with ram disks mounted to C:\ProgramData\Key-Base). Maybe this file will also contain the key for decrypting FallenDoll.exe once registration is done.
I still have no clue about what <RegIDTran> is for. In my last traffic captures it was another one than posted above, but didn't change during the tests. So it's maybe some date related thing for keeping track of license transactions or something.
Last edited: