xpirad

Newbie
Nov 26, 2018
16
94
Here are some used keys I found on the internet, activation time already used up.
5PF6-FU1V-J3B0-FVH0-JK0Y 1.31
GRW9-TZ32-1PLU-WKV1-BZQ5 1.30
Don't know if this will help?

Zyrix

New Member
Modder
Aug 29, 2016
12
336
Here are some used keys I found on the internet, activation time already used up.
5PF6-FU1V-J3B0-FVH0-JK0Y 1.31
GRW9-TZ32-1PLU-WKV1-BZQ5 1.30
Don't know if this will help?
Thanks for the keys!

So far, there seems to be one step left. If I possessed a key that did not have its activations used up, I could most likely make it work.

The very last check is found in Deactivation.exe in "Ekc.KeyCheck.PutLicKey", which is where the license key is sent. Basically the whole process is like this:

Step 1: Send the key "5PF6-FU1V-J3B0-FVH0-JK0Y" to the server, get properties back such as MaxActivations, ActivationCount etc.

Step 2: Call "InitLicKey" in "Ekc.KeyCheck". This sets the InitLicenseKey, a.k.a. "KPKWFJ5BLS7L4HQVGLXXTEGF", inside the module "Ekc6420.dll", in function H6A. A variable of type StringBuilder is also returned, which is assigned to "this.m_strRegistrationID".

Step 3: Send the key "5PF6-FU1V-J3B0-FVH0-JK0Y" again, but this time the parameters are a little different, as a "LicenseKey" will be retrieved. This key is the one that is crucial for determining whether FallenDoll can run or not, and it is also the part where it will say "Too many activations". Note that because the key has already expired, no license key will be returned.

Step 4: Assuming a real license key is returned from step 3, it will now move to "Ekc.KeyCheck.PutLicKey". This is where it calls "KeyCheck.fncPutLicKeyEx64" in the "Ekc6420.dll" module, function H6D, to put the license key retrieved in step 3. From the looks of it, this seems to be the very last step.

TheOneAndOnlyBla

New Member
May 16, 2018
13
31
Just started to look at the docs of ElecKey, so here is how this all works:

The dev (Project Heliues) buys ElecKey and gets a copy with a unique 32-bit number assigned to it (1721994409 in this case).
This number is referred to as the key ID in the docs. All his tools will use it. For every product he wants to license he assigns a product ID (0 in this case).


He adds some lines of code to his project and includes some library stuff delivered along with ElecKey (terrible code, you want to vomit looking at it XD).
He then uses the "ElecKey Integrator", a tool that encrypts FallenDoll.exe and adds some decryption code to it, as well as generating the so-called Initial License Key. This key works like a settings file for the whole system (KPKWFJ5BLS7L4HQVGLXXTEGF in this case) and contains the Key ID, Program ID, key properties and key settings.

When FallenDoll.exe is started, the following happens:

It checks whether a license key is present on the system (C:\ProgramData\Key-Base\63e70b6f.052\CODE.PKD).
If not present, it creates one. The created key is generated from the hard disk signature as well as the CPU/BIOS signature (optional), the ethernet adapters a.k.a. MAC address (optional), some random data and some encrypted data. This hash is stored in the above-mentioned file.

Registration works like this:
From the key in the file a "registration ID" is generated (16 capital letters), encoding the Key ID and Program ID using a one-way hash function. This registration ID is sent to the registration server, the dev's website or whatever (a server provided by Sciensoft in this case). The server generates a license key from it and sends it back to the user. The license key is then verified by the key system (implemented in Ekag20nt.exe). If it is found valid, the key inside C:\ProgramData\Key-Base\63e70b6f.052\CODE.PKD is updated to a registered state. The next time FallenDoll.exe is started, the valid key is found and used to decrypt FallenDoll.exe.


Short version: FallenDoll creates a key file (machine signature). Deactivation.exe sends a registration code created from that key to the registration server, forwarding the response to Ekag20nt.exe. The whole key system is managed by Ekag20nt.exe. The connection between Ekag20nt.exe and FallenDoll.exe/Deactivation.exe is done through Ekc6420.dll.


What I tried so far:
Redirecting all network traffic to a fake server written by myself to simulate a registration. Failed, since I can't replicate the key by myself, and just sending "OK, everything is fine with the key" from the fake server doesn't work (we need a license key suitable for our machine).

Replacing Ekc6420.dll with a self-written fake. Doesn't work because FallenDoll tests its checksum, exiting if it's not the original one. I'm currently testing this some more.


Well, the good news is:
Theoretically I should be able to "backup" a licensed key, unregister it and "restore the backup" without registering again.
As useless as that is...^^

fiwupubari

New Member
May 29, 2019
2
7
Well, the good news is:
Theoretically I should be able to "backup" a licensed key, unregister it and "restore the backup" without registering again.
As useless as that is...^^
We could make a tool to activate a license, store the valid code somewhere, ask to remove the license, put the valid code back and use a fake server to avoid reactivating it. It will need to modify the user's hosts file to avoid a wrong activation and prevent the game from being launched without the "crack".
It's probably the simplest option, but it needs a real license, and we have to be sure that people don't activate the original license by mistake. And if the server sees multiple register/unregister cycles, the key will probably be blacklisted. Also needs a new key for each update.


Otherwise it's patching.

The server generates a license key from it and sends it back to the user. The license key is then verified by the key system (implemented in Ekag20nt.exe). If it's found valid, the key inside C:\ProgramData\Key-Base\63e70b6f.052\CODE.PKD is updated to a registered state.
If I get it right, we need to patch the function that looks at CODE.PKD to make it believe the code is valid.
But the check is probably done in the DLL, where there is a checksum verification. Can we patch the checksum in the binary calling the DLL functions?

edit:

I think I know what you might be hitting. I believe there are 2 programs making requests: "Deactivation.exe" and the actual game, the "Shipping" something exe. Monitor the requests made by the Shipping exe; that's the one doing the actual license check to launch the game. The Deactivation exe is only doing a check to see whether the license exists or not, and I think that one you can actually bypass with the dnSpy tool.

What we basically need to do is tell the Shipping exe, when it makes a request, "yes, your license key is valid".
FallenDoll.exe calls Ekag20nt.exe (CreateProcess with apparently two parameters: "C:\XXX\WindowsNoEditor\EKAG20NT.EXE" 0200D4XXXXBE5A5A 0), and that's the binary which checks CODE.PKD (ReadFile). Then FallenDoll.exe starts Deactivation.exe. I guess Ekag20nt.exe communicates with FallenDoll.exe to tell it when the key is alright, and in that case it doesn't start Deactivation.exe. Deactivation.exe doesn't look for the keys, nor does it seem to directly interact with Ekag20nt.exe.

I tried to find any reference to "CODE.PKD" in the strings of Ekag20nt.exe to help pinpoint where it is opened, but to no avail. I have multiple XREFs from ReadFile, so starting from there could be an option. Or maybe try to set up a ReadFile() hook in a debugger to see where it does that.

We could also start from the CreateProcess of fallendoll.exe to see how they communicate.
The callstack shows us it's coming from H4C+0x2601 in Ekc6420.dll.

edit2:

Really not sure about that, but I found the functions DdeClientTransaction() and many others like DdeConnect(), DdeDisconnect(), DdeAccessData() and DdeUnaccessData() in Ekc6420.dll, just after CreateProcessA(),
and DdeNameService() and DdeGetData() in Ekag20nt.exe.

It could be used to communicate between them. DDE uses memory objects to pass data from one application to another.

I'm really not familiar with this library, so maybe I'm totally wrong here.
But if DDE is used by Ekag20nt.exe to tell FallenDoll.exe through Ekc6420.dll that the license is not valid, it could be interesting to try to tamper with the data to make it believe the key is valid. It would need to be done from Ekag20nt.exe and not Ekc6420.dll if there is a checksum validation. But I doubt it will be as simple as a true/false from Ekag. Maybe it sends some data and Ekc6420.dll does some cryptographic validation or something. Or worse, Ekag20nt.exe sends the PKD file to the DLL and it does a verification on it.

TheOneAndOnlyBla

New Member
May 16, 2018
13
31
Got the idea to fake Ekag20nt.exe yesterday too. Couldn't find the way it communicates with Ekc6420.dll and thought it could be memory-mapped files. Totally forgot about that DDE stuff. Thanks to fiwupubari for that.

Unfortunately I have absolutely no experience with DDE, since I don't have that much experience with Windows (Linux doesn't have DDE; sockets or pipes are usually used everywhere). I have my doubts that it will be very easy, but I'll take a look at it.

Short update: Started to look into it. Didn't find any DDE activity using Spy++. Didn't trust this tool and hacked together a simple, ugly DDE sniffer myself. And, oh wonder, I found some activity^^

Deactivation starts Ekag20nt.exe, which in return opens DDE channels ("EKAN0200D436F8BE5A5A", "command" and "data"). "0200D436F8BE5A5A" is the parameter given to Ekag20nt.exe as the first parameter at process creation. Absolutely looks like some IPC to me. So another cookie for fiwupubari^^

byran47

Member
Jun 8, 2017
457
670
What is this Paralogue 0.1 thing that I'm seeing on the Patreon? Is this separate from the main game? And what is it? Apparently it's entering testing; any patron here who could post what the latest news on that is?

drpavelcia

Member
Aug 19, 2018
437
796
Replacing Ekc6420.dll with a self-written fake. Doesn't work because FallenDoll tests its checksum, exiting if it's not the original one. I'm currently testing this some more.
I wonder, since you mentioned a checksum, do you know what kind of checksum it's using? If it's using a specific kind, like SHA-256 or something, maybe it's possible to find that checksum in the Shipping exe and just replace it.

TheOneAndOnlyBla

New Member
May 16, 2018
13
31
Just wanted to drop in and say that you guys are all cool as shit. Hacking through bullshit DRM just to help yourselves and a bunch of other losers like me jerk off to a really good 3D game. You're doing god's work. o7
Actually I won't gain anything from this except the satisfaction of having won and having learned something. The game probably won't run on my machine, and I actually don't care. It's my hate against DRM that drives me to put all this effort into it^^
But thanks.



I wonder, since you mentioned a checksum, do you know what kind of checksum it's using? If it's using a specific kind, like SHA-256 or something, maybe it's possible to find that checksum in the Shipping exe and just replace it.
I'm currently testing this some more.
Yeah, didn't abandon this idea yet ;)

sadceaser

Newbie
Aug 12, 2018
27
42
Aaannnd what do I do with 'Press Trigger Button to Start', 'cause I've hit every key on this damn keyboard and mouse and got nothing.


Aaah. Oculus Rift only. Never mind then.
Nov 11, 2018
52
68
These guys already have the 1.31b VR version patched? I have not checked or downloaded it yet. Just came across the link and wanted to share. Downloading through those sites without a subscription is at atrocious speeds.

drpavelcia

Member
Aug 19, 2018
437
796
I tried deleting all files in the Shipping exe's directory except for it, and it complains about Ekc6420.dll missing, so I know it must be checking from inside the Shipping exe. However, I tried searching for the MD5, SHA-1, SHA-256 and SHA-512 hashes of the DLL file inside the Shipping exe and got nothing. My guess is the hash includes some kind of salt, and because this exe is so hard to reverse engineer, I don't know what that salt is, so I don't know how to replace the hash.
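The search described in the post above only covers the raw digests of four hash algorithms. A self-check that "tests the DLL's checksum" may just as well embed the digest as an ASCII hex string, as a UTF-16LE hex string (the usual form of a string constant in a Windows binary), as base64, or be a plain CRC32 rather than a cryptographic hash, and a miss on the raw bytes does not by itself prove the hash is salted. The following is an added example, not code from the thread or from ElecKey, that computes those candidate digests of one file and reports every encoding and offset at which any of them appears in another file. The two inputs (FAKE_DLL, FAKE_EXE) are constructed inline so the script runs offline; point find_embedded_digests at real file contents to use it.

```python
import base64
import hashlib
import zlib

# Constructed sample input (not the real game files): a fake DLL, and a fake
# EXE that embeds the DLL's SHA-256 as a UTF-16LE hex string and its CRC32 as
# a little-endian dword, the way a naive self-check might store them.
FAKE_DLL = b"MZ\x90\x00" + bytes(range(256)) * 4


def _encodings(digest: bytes):
    """Yield (label, needle) for the ways a digest is commonly embedded."""
    hex_lower = digest.hex().encode("ascii")
    yield "raw", digest
    yield "hex-lower", hex_lower
    yield "hex-upper", hex_lower.upper()
    yield "hex-utf16le", digest.hex().encode("utf-16-le")  # wide-char string
    yield "base64", base64.b64encode(digest)


def candidate_digests(data: bytes) -> dict:
    """Digests a file self-check might embed: common hashes plus CRC32."""
    out = {name: hashlib.new(name, data).digest()
           for name in ("md5", "sha1", "sha256", "sha512")}
    crc = zlib.crc32(data) & 0xFFFFFFFF
    out["crc32-le"] = crc.to_bytes(4, "little")
    out["crc32-be"] = crc.to_bytes(4, "big")
    return out


def find_embedded_digests(container: bytes, payload: bytes) -> list:
    """Return every (algorithm, encoding, offset) at which a digest of
    payload occurs inside container. An empty list means the value is not
    stored verbatim: it may be salted, keyed, computed over only part of
    the file, or derived with an algorithm not tried here."""
    hits = []
    for algo, digest in candidate_digests(payload).items():
        for label, needle in _encodings(digest):
            # A 4-byte CRC as hex or base64 is too short to be meaningful.
            if algo.startswith("crc32") and label != "raw":
                continue
            start = 0
            while (pos := container.find(needle, start)) != -1:
                hits.append((algo, label, pos))
                start = pos + 1
    return hits


def build_fake_exe(dll: bytes) -> bytes:
    """Constructed container: header filler, wide-char SHA-256 hex, CRC32 LE."""
    sha_wide = hashlib.sha256(dll).hexdigest().encode("utf-16-le")
    crc_le = (zlib.crc32(dll) & 0xFFFFFFFF).to_bytes(4, "little")
    return b"MZ" + b"\x00" * 64 + sha_wide + b"\x00" * 16 + crc_le + b"\xcc" * 32


FAKE_EXE = build_fake_exe(FAKE_DLL)

if __name__ == "__main__":
    for algo, enc, off in find_embedded_digests(FAKE_EXE, FAKE_DLL):
        print(f"{algo:9s} stored as {enc:12s} at offset 0x{off:x}")
```

A hit on the raw CRC32 should be treated as a lead rather than proof, since any four-byte value recurs by chance in a large binary; confirm it by checking the code that references that offset. Conversely, no hits at all is consistent with the salted-hash guess in the post, but also with a check over a section of the DLL (for example its code section only) or over a hash of the file's path plus contents.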

drpavelcia

Member
Aug 19, 2018
437
796
There may be one other way to get this to work: we could try to crack the PAK file in the game's assets (WindowsNoEditor\FallenDoll\Content\Paks), repack it unencrypted, and use the v1.29 non-DRM exe to run it. I don't know if that would necessarily work, but it just might.

To do this, we could use aluigi's QuickBMS tool with the Unreal Tournament 4 plugin, found here:
(The plugin is toward the bottom of the page, and you would use the 4GB file version of QuickBMS included in the tool download), and then repack it with UPak4 ( ). The only problem with this approach is that we don't know the encryption key. We could try to pull it from the exe somehow, although this seems difficult given the Shipping exe's obfuscated state.

There is a forum thread here where they're doing something similar, maybe reading through this thread might give someone else a better idea of how to get that key (I have no clue):

EDIT: Here's a tutorial on searching for that key, but it looks like to get it to work you'd need a working/licensed version of the game to begin with:

156_163_146_167

Engaged Member
Jun 5, 2017
3,138
2,509
These guys already have the 1.31b VR version patched? I have not checked or downloaded it yet. Just came across the link and wanted to share. Downloading through those sites without a subscription is at atrocious speeds.

I'm betting that those are not cracked. Would be very unlike svscomics if they were.