loser boy

New Member
Jun 15, 2017
They said something about getting a publisher a while ago (don't ask why), so probably the publisher forced them to put in DRM. Before that, the, let's say, project lead(?) offered to even email you a link for the game if you messaged him on Patreon because you couldn't pay.
A publisher? For a porn game? What kind of clown world are we living in? But in all seriousness, I appreciate him giving the game to people who aren't able to pay for it.
 

NukaCola

Engaged Member
Jul 1, 2017
I'm using v1.30 and can't find any dance option... Except under Tools there's Pole Dance...
Isn't pole dance the only dance animation this game ever had? I've followed this game since 2017 and I don't recall any other dance option existing.
 

edale

Newbie
Apr 1, 2018
Was the Dance Option removed forever??
I had been missing this project since Oct 18 and now I tried to install the latest version...
And it looks like we're missing the Dance Menu...
Sure you're not thinking of Waifu Sex Simulator? That one has lots of dances...
 

dantekazama

Member
Aug 30, 2018
As far as I remember, the dance can be chosen; the dance I mean is the Opening Dance...
And those dances are chosen from the BGM/Music section (if I'm not mistaken)...
 

156_163_146_167

Engaged Member
Jun 5, 2017
I do remember dancing. I don't know how you'd trigger it, but it used to be that when you start a new day she'd dance on the stage. No idea if that's still in the game, and I haven't played the latest version yet.
 

Killerqueen21

Newbie
Jan 17, 2019
It's still in the game, but now it works in a different way. You have to buy the dancing pole and then use it. And I think there is only one dance. Pretty good one anyway, imo.
 

drpavelcia

Member
Aug 19, 2018
Okay guys, I've got some bad news. Sadly I was unable to bypass the license mechanism. The main EXE doesn't play well with IDA or Ghidra and I wasn't able to figure out where the DLL calls are made in it to check the license key.

I also tried modifying the DLL files themselves, but when I did that it just complained they were missing, so I couldn't get it to work. It'll take someone more experienced than me to crack it.

Otherwise there might be some way to work around it by taking a valid license key file and using Wireshark to figure out what's being sent back and forth, and a fake local server to always send that valid message back to the game to trick it into thinking it's valid, but I don't have a key, and I'm not sure how easy that is to do. It would also require some thinking on how to prevent people from accidentally just opening it and contacting the real server which could end up invalidating it for everyone.
 

TinyTanya

Member
May 11, 2018
Well, some form of anti-debugging code was a given; I posted about this a few pages back. It's even in the FAQ for the DRM used here. Anyway, thanks for at least trying; maybe someone with some real cracking experience (which I lack as well, unfortunately) can pick it up.
 

TheOneAndOnlyBla

New Member
May 16, 2018
My first idea to approach this DRM shit was building a fake server too, since this should be more future-proof for coming versions (no cracking anew on new versions). Until now I sniffed the traffic between client and server to get a rough idea of the communication between them, and also built a fake server which talks with the client and lets me play around with the data a little. Problem is, I don't have a dump of a successful activation to replicate it. So I need a free key for some minutes, or a Wireshark capture.

PM me if you can help.
 

drpavelcia

Member
Aug 19, 2018
We should also do this soon, as there's a high likelihood they'll implement HTTPS on their activation server at some point, which would probably prevent sniffing that traffic.
 

TheOneAndOnlyBla

New Member
May 16, 2018
TLS/SSL crypto shouldn't be that much of a hassle, since currently my fake server is actually a man-in-the-middle. Only if the server uses an authentication certificate (X.509.3) could that become a real problem.
 

grimmydark

New Member
May 5, 2019
I'm a new Patreon supporter and now I regret doing that. After putting in the activation code, I cannot start the game. I feel so scammed right now.
 

yomamasass

Member
Mar 18, 2018
Give the code to drpavelcia, he'll take your revenge! Though, jokes aside, you should talk with Project Helius via email or the Patreon comment section; they try to reply to these kinds of problems as much as possible.
 

fiwupubari

New Member
May 29, 2019
Like others, I'm trying to find a way to crack this, but I'm no expert at all. First time that I try on a professional protection.
I played with Fiddler, but I'm also stuck because I don't have any valid unused license.
I messed a bit with the server answer, trying to change the <MaxActivation>, but to no avail. It's like the client doesn't care about what the server says in the first request.

In the second request I can see <LicenseKey /> in the answer, and I guess when the MaxActivation isn't reached, we get some data here. The best message I could get was "Invalid License Key! (0x003f89)" when trying to fill the empty LicenseKey and changing the error code.
What I'm wondering about is this RegistrationID and RegIDTran, and what role they have in the activation process.

Finding a way to force the activation is probably the easiest way because trying to isolate the game from the DRM looks almost impossible.

I still have to reverse Eck32/6420.dll and continue to look for the C# disassembly of deactivation.exe but it's a lot of work.
 

drpavelcia

Member
Aug 19, 2018
I think I know what you might be hitting. I believe there are 2 programs making requests: "Deactivation.exe" and the actual game, "Shipping" something .exe. Monitor the requests made by the shipping exe; that's the one doing the actual license check to launch the game. The Deactivation exe is only doing a check to see if the license exists or not, and I think that one you can actually bypass with the dnSpy tool.

What we basically need to do is tell the shipping exe when it makes a request, "yes, your license key is valid".
 

Zyrix

New Member
Modder
Aug 29, 2016
For reversers:

Protection: ElecKey 2.X Internet, Enterprise, or Ultimate.

Very old and unusual protection I have not heard of until now. Simply spoofing the callback upon sending a key to Deactivation.exe will most likely not be enough as there may be another check in FallenDoll.exe. Note that FallenDoll.exe gets the activation app to launch from KCAP.ini. Simply returning "true" in Deactivation.exe was not enough for me from my experiments.

Searching the internet, I have been able to locate some versions of ElecKey 2.X; however, since the protection is not really used that widely, the only two links were from ~2009-2010, and their download links expired long ago, as expected.

The way I see it is the following 2 options:

Option 1:
Figure out the key generation scheme from how it checks the activation key. From the Deactivation.exe, a keycheck can be found:
this.Kc = new KeyCheck(1721994409u, 1, 0, 0, "KPKWFJ5BLS7L4HQVGLXXTEGF", Application.ExecutablePath);
, where "KPKWFJ5BLS7L4HQVGLXXTEGF" is the "InitLicenseKey", aka. most likely product code.
Using this, it is very likely a proper key can be generated, however the method "buttonActivate_Click" should be patched appropriately to not make a call to the server. I highly doubt any kind of asymmetric key algorithms are used in the process of key generation.

Option 2:
Unpack FallenDoll.exe and patch out the licensing. I do not possess an unpacker that can handle it though.

Either way, regardless of option 1 or 2, patching seems inevitable. Option 1 (from the looks of it) seems to require patching of Deactivation.exe only, whereas option 2 will require patching of FallenDoll.exe.
 

TheOneAndOnlyBla

New Member
May 16, 2018
I don't think that generating a key will work. As far as I understand ElecKey, every key is generated by the guy who made the protected software (Project Helius in this case) and registered in some kind of database of the developer of ElecKey (Sciensoft).
Hope you get what I'm trying to say. English isn't my native language, as you may have guessed already^^.

When you purchase a license of ElecKey to use in your product, you will be sent a unique version of the tools. Unique in the way that there is a unique key coded into it, whereas the trial versions of ElecKey all use some 1111111-11111-like key. Maybe this "KPKWFJ5BLS7L4HQVGLXXTEGF" Zyrix found is exactly this unique key? If so, maybe it's possible to use the trial version of ElecKey, hex-edit the standard key to the one from Fallen Doll and decrypt Fallen Doll, thus removing any traces of DRM completely.


As for the RegIDTran and RegistrationID sections in the network traffic:
My guess is that they somehow identify the product (Fallen Doll in this case), since there is no other data pointing out what the request is all about except the key itself. So either every key must be unique worldwide, even between different products using ElecKey, or the mentioned sections are just some product code. If we are unlucky, this is some machine identification generated uniquely for the machine. That would make it impossible to solve the whole thing with a fake server alone. Let's find out!

The ID sent by my machine is
<RegIDTran>EM864EEC5RSUNURB</RegIDTran>

the ID returned by the server is
<RegistrationID>WYZQ03TX71B75RQ2</RegistrationID>

These are the same regardless of the key I used (HKV5-754M-XG5B-86I3-7NGH or QE9O-5RSX-3M1L-CPZH-SLK7).
Does anyone want to compare these to the ones sent by their own machine, please?



So the <RegistrationID> stuff is based on the file C:\ProgramData\Key-Base\63e70b6f.052\CODE.PKD, which is a 512-byte file generated by FallenDoll.exe at first start and seems to contain a randomly generated key representing the machine. It also contains some information about the file system it was generated for, to prevent copying of that file to another computer (tested with RAM disks mounted to C:\ProgramData\Key-Base). Maybe this file will also contain the key for decrypting FallenDoll.exe once registration is done.

I still have no clue what <RegIDTran> is for. In my last traffic captures it was a different one than posted above, but it didn't change during the tests. So it's maybe some date-related thing for keeping track of license transactions or something.
 