hackcatml edited this page Aug 12, 2024 · 8 revisions

How to find GUObjectArray offset manually

In IDA, search for the string "DisableDisregardForGC" or "CloseDisregardForGC".

Navigate to the address that references this string.

The pseudocode of that function shows the GUObjectArray offset. In the example shown, the GUObjectArray offset is 0x89cd0e0.

You can also find the GUObjectArray offset by searching the following pattern in memory:

  • Android
    "DisableDisregardForGC" or "CloseDisregardForGC" pattern:
    ?1 ?? ff ?0 ?? ?? ?? ?1 ?? ?? ?3 ?1 ?? ?? ?? 9? ?0 ?? ?? ?0 00 ?? ?? f9
    or
    ?1 ?? f? ?0 ?? ?? ?? ?1 21 ?? ?? 91 ?? ?? ?? 9? ?0 ?? ?? ?0 00 ?? ?? f9

  • iOS
    FUObjectArray::AllocateObjectPool(&GUObjectArray, int, int, bool); pattern:
    e1 ?? 40 b9 e2 ?? 40 b9 e3 ?? 40 39

How to find GName offset manually

Method 1: Hooking the operator==(FNameEntryId, EName) function

Find the operator==(FNameEntryId, EName) function in memory. The function pattern is as follows:
?8 ?? ?? ?? 08 01 ?? 91 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 08 69 69 b8 1f 01 00 6b e0 17 9f 1a c0 03 5f d6

This function is called continuously while an Unreal Engine game is running, and the GName address is passed in the x8 register. You can use the following hooking script to obtain the GName address:

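// Intercept operator==(FNameEntryId, EName) func
// Replace the placeholder string with the address where the pattern above matched.
const opEqAddr = ptr("<operator==(FNameEntryId, EName) address>");
let GName = null;

// Attach 0x8 bytes into the function, where x8 holds the GName address.
Interceptor.attach(opEqAddr.add(0x8), {
    onEnter: function(args) {
        // Skip null values and values too short to be a full pointer
        // (JSON.stringify yields the quoted "0x..." string).
        if (!this.context.x8.isNull() && JSON.stringify(this.context.x8).length > 10) {
            GName = ptr(this.context.x8);
            console.log(`[*] Got GName: ${GName}`);
            // One hit is enough; remove the hook.
            Interceptor.detachAll();
        }
    }
});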

Method 2: Finding the FNamePool::FNamePool() function

Find the FNamePool::FNamePool() function in memory. The function pattern is as follows:
c8 00 00 37 ?? ?? ?? ?? 00 00 ?? 91

The pseudocode of that function shows the GName offset. In the example shown, the GName offset is 0xb07e0c0.

How to find Unreal Engine version

Scan the memory for the Unreal Engine version using the following patterns:
UE4: 04 00 ?? 00 0? 00 00 00
UE5: 05 00 ?? 00 ?? 00 00 00

You will find many matching addresses. The correct one satisfies a specific relationship:
the pointer stored at (matched address + 0x40) should equal the matched address itself.
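
The version check described above, as an added example that is not part of the original page: it parses the nibble-wildcard patterns used on this page, scans a constructed buffer offline under Node.js, and keeps only matches whose pointer at +0x40 equals their own address. The function names, the sample buffer and base address, 64-bit little-endian pointers, and reading the first three 16-bit fields as major.minor.patch are assumptions.

```javascript
// "?" wildcards one 4-bit nibble, as in this page's patterns ("0?", "?1", "??").
function parsePattern(text) {
  return text.trim().split(/\s+/).map((tok) => {
    if (!/^[0-9a-fA-F?]{2}$/.test(tok)) throw new Error(`bad token: ${tok}`);
    let value = 0, mask = 0;
    for (const ch of tok) {
      value <<= 4; mask <<= 4;
      if (ch !== "?") { value |= parseInt(ch, 16); mask |= 0xf; }
    }
    return { value, mask };
  });
}

// Offsets in buf (Uint8Array) where every byte matches under its mask.
function scan(buf, pattern) {
  const hits = [];
  for (let i = 0; i + pattern.length <= buf.length; i++) {
    if (pattern.every((p, j) => (buf[i + j] & p.mask) === p.value)) hits.push(i);
  }
  return hits;
}

// Keep hits whose pointer at hit + 0x40 equals the hit's own address.
// Assumed: 64-bit little-endian pointers; uint16 major, minor, patch fields.
function findEngineVersion(buf, base, patternText) {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const u16 = (off) => view.getUint16(off, true);
  return scan(buf, parsePattern(patternText))
    .filter((off) => off + 0x48 <= buf.length &&
      view.getBigUint64(off + 0x40, true) === base + BigInt(off))
    .map((off) => ({
      address: base + BigInt(off),
      version: `${u16(off)}.${u16(off + 2)}.${u16(off + 4)}`,
    }));
}

// Constructed sample: decoy at 0x20 (no self-pointer), valid record at 0x100.
function buildSample(base) {
  const buf = new Uint8Array(0x200);
  const rec = [0x04, 0x00, 0x1b, 0x00, 0x02, 0x00, 0x00, 0x00];
  buf.set(rec, 0x20);
  buf.set(rec, 0x100);
  new DataView(buf.buffer).setBigUint64(0x140, base + 0x100n, true);
  return buf;
}

const BASE = 0x7000000000n; // constructed load address
const found = findEngineVersion(buildSample(BASE), BASE, "04 00 ?? 00 0? 00 00 00");
console.log(found.map((f) => `0x${f.address.toString(16)} -> UE ${f.version}`));
```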