Unreal Engine Abandoned Fallen Doll [v1.31] [Project Helius]
- Thread starter Muff Diver
- Start date
As far as I know there is no difference. Probably something "lost in translation" when it was uploaded here.
- Jan 24, 2018
- 39
- 286
Paralogue 0.17
Non-VR:
VR:
KEY 90T7-I66E-IMZC-RR35-VOLM(has been used)
Non-VR:
You must be registered to see the links
VR:
You must be registered to see the links
KEY 90T7-I66E-IMZC-RR35-VOLM(has been used)
Last edited:
- Jul 21, 2018
- 1,259
- 1,708
Probably my fault. I get slangy when I crack things.
Retired, won't crack, except for maybe 156. Gave instructions on how to unpack ElecKey protection (search thread). You also might want to label it VR or Non-VR.
Last edited:
That's sad to hear. Thanks for your hard work and hope you will come back one day.
- Jul 21, 2018
- 1,259
- 1,708
Maybe. Still wrapping up cracks that I promised for others. Up to 6 so far in the last week. Many are VR-games which I have to go through a few more hoops to crack because I don't have VR that will work on most of these games (can't execute to verify and I don't like playing back and forth over a message board to test things... Wondering if I can virtualize a VR headset in VMware/KVM). I just can't stand when people don't read. In fact, that's one of the majority reasons the mainstream scenes quit passing out cracks back in the day. Besides, Paralogue and Fallen Doll take maybe 60 seconds each to crack, then about 5 minutes each to clean up and remove remnants of ElecKey code and clean IAT (x64 tools for IAT rebuilding are practically non-existent, I had to write one), then fix up PE header a tiny bit.
Last edited:
I tried to follow your instruction, I set "breakpoint" on load using "sxe ld" (not sure is it the correct way to set bp on LoadLibraryA, I tried to simply set a dll bp on EKC6420.DLL or function bp on LoadLibraryA which it doesn't break), but it does seems to stop when it importing EKC6420.DLL. I then produce a memory dump using ".dump /mfh" but have no idea of how to produce an executable from the dump.
As you can see I have 0 exp on this lol so it definitely take more then 6 minutes for me to do it.
Last edited:
Hey man i appreciated a lot what you did but your behavior made me kinda curious. You stayed around replying to most people who asked for help with stupid questions, then you eventually burned out....my question is: why?
I mean, as long as you write it clearly the first time there's no real need to repeat yourself, people who want it bad enough will eventually give up asking and start reading, and even if they don't there's a bunch of people here that followed your instructions and managed to make it work, so there's not a real need for you to "dirty your hands" by answering them.
So if you do come back, just don't worry about the plebs and take it easy, most of these guys don't even need any help, they just need to learn not to rely on others without first investing a bit of their time in trying.
TLDR: You're not alone, you don't have to personally explain to everyone, there's a community that can help with that so you can just keep on focusing on what you love doing. Take it easy and thank you for everything!
- Jul 21, 2018
- 1,259
- 1,708
I don't use WinDbg. OllyDbg or x96Dbg or Ida (other archs). This being x64, use x96Dbg. If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)...
If you set any BPs on an executable protected by ElecKey, it'll muss it up. "bp LoadLibraryA". Allow the kernel to load it, let it execute until it returns to main executable, step over the add sp. You'll see a jmp just above. Set EIP to follow, continue until you see a jmp *ax (rax, eax). That is your jump to OEP. Step, at OEP. Dump. 60 seconds tops.
IAT technically doesn't need rebuilding, you just need to undo ASLR, if you don't want a few skitzy AVs freaking out. If using Scylla for dumping, it doesn't correctly calculate some IAT sizes. Use original packed executable for that info. Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image to 140000000 (UE games...) OEP offset can be seen during those steps to jmp rax after that first jmp. Set your .text and .rdata sections to remove WRITABLE. They do not need it, skitzy AVs will also flag because of that. Pretty the timestamp. 5 minutes to do.
Basically, ElecKey adds a section to the PE header, and its own code to end of file, encrypts/scrambles/obfuscates .text section, sets OEP to ElecKey. Just undo those things and copy over your dumped .text section in this case. (That way you'll keep a clean IAT...)
*Oh, the v17 above is v17a VR. So for some, it'll just close/not work.
Last edited:
- Jul 21, 2018
- 1,259
- 1,708
Got a lot going on, just in general (life blablabla), all the time. Inundated altogether. Half-tempted to say screw it all and just walk north over the country-border and keep going.
TLDR: My Signature.
Last edited:
- Nov 11, 2018
- 52
- 68
What's in this version that wasn't in 0.16? Anyone has the log?
Help yourself as you don't need activation key. Read the thread.
- May 21, 2019
- 296
- 757
- Feb 9, 2018
- 419
- 181
can you apply your cracking majic on this one
Paralogue 0.17(Non-VR )
You must be registered to see the links
KEY 90T7-I66E-IMZC-RR35-VOLM(has been used)
- May 21, 2019
- 296
- 757
I am not a cracker and this guy was about Fallen Doll 1.31(its 1.31B and has been cracked by that one guy, its in this thread) and you're fucking go on about Paralogue 0.17 when in thread for that game cracker is busy cracking other games.