> I would like to see a more detailed version of "HOW TO" crack the game.

"Earn it ..." -Bupo 2019

> Can someone show me or tell me exactly where his walkthrough is to crack the game? I wanna give it a go.

I am always glad when someone tries to learn and grow. The information is relevant to FallenDoll and Paralogue (or anything else that uses ElecKey protection...). I posted the information in various places on the FallenDoll thread. Here is a decent summary:

This being x64, use x96Dbg. If you set any BPs on an executable protected by ElecKey, it'll muss it up. Remove all BPs. Then add a BP on "LoadLibraryA". If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)... Run. Allow the kernel to load EKC6420, let it execute until it returns to the main executable, step over the stack pointer add. You'll see a jmp just above, before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (the function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops.

The IAT technically doesn't need rebuilding, you just need to undo ASLR if you don't want a few skitzy AVs freaking out. If using Scylla for dumping, it doesn't correctly calculate some IAT sizes. Use the original packed executable for that info. Wipe ssbt header AND from file (change section size AND IMAGE SIZE). Rebase the image to 140000000 (UE games...). The OEP offset can be seen during those steps to the jmp rax after that first jmp. Set your .text and .rdata sections to remove WRITABLE. They do not need it, and skitzy AVs will also flag because of that. Pretty the timestamp. 5 minutes to do.

Basically, ElecKey adds a section to the PE header and its own code to the end of the file, encrypts/scrambles/obfuscates the .text section, and sets OEP to ElecKey. Just undo those things and copy over your dumped .text section in this case. (That way you'll keep a clean IAT, which is easier than rebasing...)

If in doubt, install the Epic Games Launcher and make a 'do nothing' game just to compare executables. Remember, the first executable is just a loader for the second. .\WindowsNoEditor\Paralogue\Binaries\Win64\Paralogue-Win64-Shipping.exe is the actual game.

> I have so many questions about what the fuck I just read.

Basic software reverse-engineering. ._.

> This being x64, use x96Dbg. [...] Step, you're now at OEP. 60 seconds tops.

As a high-level programmer (as in language), I only understood this part; the rest is low-level black magic to me.

> So anyone got the crack for 0.17?

Just use the old crack 1.6 .exe and replace it in the new folder for 1.7.

> Just use the old crack 1.6 .exe and replace it in the new folder for 1.7.

Unreal Engine-based games usually use unique keys per build to encrypt the content Pak files. Not talking about Activation key crap. The current 0.17 non-VR key is cSAKY6M1otHx1EEHn/WAsprIScyfExsSthF0HU5cH9E=. If you want to use 0.16, you might try unpaking and repaking with the 0.16 key. I've done that before for other games. (It can also be used to extract resources/models/code, etc., and to replace them too.)

> Unreal Engine-based games usually use unique keys per build to encrypt the content Pak files. [...]

Can you share the Paralogue-Win64-Shipping.exe (cracked) file of ver 0.17?

> Can you share the Paralogue-Win64-Shipping.exe (cracked) file of ver 0.17?

Do you not see the -Retired after his name...

> Anyone have a link to the crack instructions? I can't find it searching "ElecKey", "Crack Method" or "Instructions".

It's on the Fallen Doll thread, about when the crack first appeared.

> Anyone have a link to the crack instructions? [...]

If you are talking about how to make a crack, just scroll up a little; it's at post #123, the bottom half of the post.

Hi Bupo, and thanks for your work and your share.

> I am always glad when someone tries to learn and grow. [...] 60 seconds tops.

As expected, I'm blocked on the LibraryA loading.
But it's the only thing I've been able to follow in your explanation :'(
I do not understand this part:
"Allow the kernel to load EKC6420, let it execute until it returns to the main executable, step over the stack pointer add. You'll see a jmp just above, before the call that caused the loading of EKC6420. Set EIP to follow, continue until you see a jmp rax (the function end isn't a return but a simple jmp OEP). That is your jump to OEP. Step, you're now at OEP. 60 seconds tops."
A little help would be welcome, especially since it's very interesting!

> As expected, I'm blocked on the LibraryA loading. [...]

I really did spell it out though, already. Let it load Ekc6420... and on return to the main module, step the add sp to fix the stack, follow the jmp above (set new execution path...). A shortcut instead of going through Symbols: "bp LoadLibraryA" in cmd for that debugger. Oh, and you aren't "blocked", you're "triggered" on the breakpoint, e.g. the program is paused because you have placed a bp ("breakpoint") on that call. I'd also urge you not to spell things out for others like that. People need to learn...