3.80 star(s) 64 Votes

ricardo911

New Member
Dec 21, 2018
11
21
can someone show me or tell me exactly where his walk through is to crack the game i wanna give it a go
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,341
1,892
I would like to see more detailed version of "HOW TO" crack the game
Reply:
"Earn it ..." -Bupo 2019


can someone show me or tell me exactly where his walk through is to crack the game i wanna give it a go
I am always glad when someone tries to learn and grow. :) The information is relevant to FallenDoll and Paralogue (or anything else that uses ElecKey protection...). I posted the information in various places on the FallenDoll thread. Here is a decent summary:

This being x64, use x96Dbg. If you set any BPs on an executable protected by ElecKey, it'll muss it up. Remove all BPs. Then add a BP on "LoadLibraryA". If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)... Run. Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops.

IAT technically doesn't need rebuilding, you just need to undo ASLR, if you don't want a few skitzy AVs freaking out. If using Scylla for dumping, it doesn't correctly calculate some IAT sizes. Use original packed executable for that info. Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image to 140000000 (UE games...) OEP offset can be seen during those steps to jmp rax after that first jmp. Set your .text and .rdata sections to remove WRITABLE. They do not need it, skitzy AVs will also flag because of that. Pretty the timestamp. 5 minutes to do.

Basically, ElecKey adds a section to the PE header, and its own code to end of file, encrypts/scrambles/obfuscates .text section, sets OEP to ElecKey. Just undo those things and copy over your dumped .text section in this case. (That way you'll keep a clean IAT which is easier than rebasing...)

If in doubt, install Epic Games Launcher and make a 'do nothing' game just to compare executables. Remember, first executable is just a loader for second. .\WindowsNoEditor\Paralogue\Binaries\Win64\Paralogue-Win64-Shipping.exe is actual game.
 
Last edited:

crazybastardololo

New Member
Oct 26, 2018
4
5
Reply:

This being x64, use x96Dbg. If you set any BPs on an executable protected by ElecKey, it'll muss it up. Remove all BPs. Then add a BP on "LoadLibraryA". If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)... Run. Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops.
As a high-level programmer (as in language), only understood this part, the rest is low-level black magic to me:D

First part seems like just basic debugger stepping, but how can you actually edit an exe without decompiling and recompiling, won't the instruction address slots be offset if you just add/remove some of the instructions?
 

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,341
1,892
just use the old crack 1.6 .exe and replace in the new folder for 1.7
Unreal Engine-based games usually use unique keys per build to encrypt the content Pak files. Not talking about Activation key crap. Current 0.17 non-VR key is cSAKY6M1otHx1EEHn/WAsprIScyfExsSthF0HU5cH9E=. If you want to use 0.16, you might can try unpaking and repaking with 0.16 key. I've done that before for other games. (Can also be used to extract resources/models/code, etc...and replacing them too.)
 
Last edited:

CosmicBreak

Newbie
Jun 19, 2018
17
35
Unreal Engine-based games usually use unique keys per build to encrypt the content Pak files. Not talking about Activation key crap. Current 0.17 non-VR key is cSAKY6M1otHx1EEHn/WAsprIScyfExsSthF0HU5cH9E=. If you want to use 0.16, you might can try unpaking and repaking with 0.16 key. I've done that before for other games. (Can also be used to extract resources/models/code, etc...and replacing them too.)
Can you share Paralogue-Win64-Shipping.exe ( cracked ) file of ver 0.17 ? :giggle:
 
  • Like
Reactions: Mr.Shark

KodyJones

Newbie
Jul 17, 2019
17
4
Anyone have link to the crack instructions? I cant find it searching "ElecKey", "Crack Method" or "Instructions".
 

bichmout

New Member
Dec 3, 2017
3
4
Reply:



I am always glad when someone tries to learn and grow. :) The information is relevant to FallenDoll and Paralogue (or anything else that uses ElecKey protection...). I posted the information in various places on the FallenDoll thread. Here is a decent summary:

This being x64, use x96Dbg. If you set any BPs on an executable protected by ElecKey, it'll muss it up. Remove all BPs. Then add a BP on "LoadLibraryA". If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)... Run. Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops.

IAT technically doesn't need rebuilding, you just need to undo ASLR, if you don't want a few skitzy AVs freaking out. If using Scylla for dumping, it doesn't correctly calculate some IAT sizes. Use original packed executable for that info. Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image to 140000000 (UE games...) OEP offset can be seen during those steps to jmp rax after that first jmp. Set your .text and .rdata sections to remove WRITABLE. They do not need it, skitzy AVs will also flag because of that. Pretty the timestamp. 5 minutes to do.

Basically, ElecKey adds a section to the PE header, and its own code to end of file, encrypts/scrambles/obfuscates .text section, sets OEP to ElecKey. Just undo those things and copy over your dumped .text section in this case. (That way you'll keep a clean IAT which is easier than rebasing...)

If in doubt, install Epic Games Launcher and make a 'do nothing' game just to compare executables. Remember, first executable is just a loader for second. .\WindowsNoEditor\Paralogue\Binaries\Win64\Paralogue-Win64-Shipping.exe is actual game.
Hi Bupo and thanks for your work and your share.

Is it possible for you to be more exhaustive on the way to crack the game ? Personally I have never used this kind of software :)

I open WindowsNoEditor\Paralogue\Binaries\Win64\Paralogue-Win64-Shipping.exe in x64dbg and I go the Symbol pannel.

Then I search in the paralogue executable the symbol LoadLibraryA, right-click and add a BP on it :

1565112670905.png

Go back in the CPU pannel and then, I click on Run :

1565112865736.png

As expected I'm blocked on the LibraryA loading.

But it's the only thing I've been able to follow in your explanation :'(

I do not understand this part :

"Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops."

A little help would be welcome:) especially since it's very interesting!
 
  • Like
Reactions: 00Bob00

BupoTiling03-Retired

Well-Known Member
Modder
Jul 21, 2018
1,341
1,892
As expected I'm blocked on the LibraryA loading.

But it's the only thing I've been able to follow in your explanation :'(

I do not understand this part :

"Allow the kernel to load EKC6420, let it execute until it returns to main executable, step over the stack pointer add. You'll see a jmp just above before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops."

A little help would be welcome:) especially since it's very interesting!
I really did spell it out though, already. Let it load Ekc6420...and on return to main module, step the add sp to fix stack, follow the jmp above (set new execution path...) A shortcut instead of going through Symbols, "bp LoadLibraryA" in cmd for that debugger. :) Oh and you aren't "blocked", you're "triggered" on the breakpoint. Eg the program is paused because you have placed a bp ("breakpoint") on that call. I'd also urge you not to spell things out for others like that. People need to learn...
 
Last edited:
  • Like
Reactions: yoohen and 00Bob00
3.80 star(s) 64 Votes