Home
- How to find GUObjectArray offset manually
- How to find GName offset manually
- How to find Unreal Engine version
In IDA, search for the string "DisableDisregardForGC" or "CloseDisregardForGC".
Navigate to the address that references this string.
In the Pseudocode of the function, you can find the GUObjectArray offset. In the image below, the GUObjectArray offset is 0x89cd0e0.
You can also find the GUObjectArray offset by searching the following pattern in memory:
- Android
"DisableDisregardForGC" or "CloseDisregardForGC" pattern:
?1 ?? ff ?0 ?? ?? ?? ?1 ?? ?? ?3 ?1 ?? ?? ?? 9? ?0 ?? ?? ?0 00 ?? ?? f9
or
?1 ?? f? ?0 ?? ?? ?? ?1 21 ?? ?? 91 ?? ?? ?? 9? ?0 ?? ?? ?0 00 ?? ?? f9
- iOS
FUObjectArray::AllocateObjectPool(&GUObjectArray, int, int, bool); pattern:
e1 ?? 40 b9 e2 ?? 40 b9 e3 ?? 40 39
Find the operator==(FNameEntryId, EName) function in memory. The function pattern is as follows:
?8 ?? ?? ?? 08 01 ?? 91 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 08 69 69 b8 1f 01 00 6b e0 17 9f 1a c0 03 5f d6
This function is called continuously while an Unreal Engine game is running, and the GName address is passed in the x8 register. You can use the following hooking script to obtain the GName address:
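```js
// Intercept operator==(FNameEntryId, EName)
// Placeholder: replace with the address of operator==(FNameEntryId, EName)
// located with the pattern above.
const opEqAddr = ptr("0x0");
let GName = null;

Interceptor.attach(opEqAddr.add(0x8), {
    onEnter: function (args) {
        const x8 = this.context.x8;
        // Skip null and short values that cannot be a real pointer
        // (the JSON string of a NativePointer is its quoted hex form).
        if (!x8.isNull() && JSON.stringify(x8).length > 10) {
            GName = ptr(x8);
            console.log(`[*] Got GName: ${GName}`);
            Interceptor.detachAll(); // one hit is enough
        }
    }
});
```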
Find the FNamePool::FNamePool() function in memory. The function pattern is as follows:
c8 00 00 37 ?? ?? ?? ?? 00 00 ?? 91
In the Pseudocode, you can check the GName offset. In the image below, the GName offset is 0xb07e0c0.
Scan the memory for the Unreal Engine version using the following patterns:
UE4: 04 00 ?? 00 0? 00 00 00
UE5: 05 00 ?? 00 ?? 00 00 00
You will find many matching addresses. There is a specific relationship between the Unreal Engine version and the discovered addresses:
The address stored at (Unreal Engine version found address + 0x40) should equal the Unreal Engine version found address.
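The scan-and-filter step described above, as an added example that is not part of the original wiki or the tool's own code: it compiles a pattern with nibble wildcards (`0?`, `?1`) into value/mask pairs, scans a buffer, and keeps only the hits whose pointer at +0x40 refers back to the hit itself. The function names, the sample buffer, the base address and the assumption of a 64-bit little-endian pointer are all constructed for illustration.

```javascript
// Added example: nibble-wildcard pattern scan plus the +0x40 self-pointer check.
// All names, the buffer and the base address below are constructed for illustration.

// Turn "04 00 ?? 00 0? 00 00 00" into per-byte { value, mask } pairs.
function compilePattern(text) {
  return text.trim().split(/\s+/).map((tok) => {
    if (!/^[0-9a-fA-F?]{2}$/.test(tok)) throw new Error(`bad token: ${tok}`);
    let value = 0, mask = 0;
    for (const ch of tok) {
      value <<= 4; mask <<= 4;
      if (ch !== "?") { value |= parseInt(ch, 16); mask |= 0xf; }
    }
    return { value, mask };
  });
}

// Return every offset in buf where the compiled pattern matches.
function scan(buf, pattern) {
  const hits = [];
  for (let i = 0; i + pattern.length <= buf.length; i++) {
    if (pattern.every((p, j) => (buf[i + j] & p.mask) === p.value)) hits.push(i);
  }
  return hits;
}

// Keep only hits where the pointer stored at hit + 0x40 equals the hit's own
// address (base + offset). Assumes 64-bit little-endian pointers.
function filterSelfReferencing(buf, base, hits) {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  return hits.filter((off) =>
    off + 0x48 <= buf.length &&
    view.getBigUint64(off + 0x40, true) === base + BigInt(off));
}

// Constructed sample: a fake memory region mapped at a made-up base address.
function demo() {
  const base = 0x7000000000n;
  const buf = new Uint8Array(0x200);
  const version = [0x04, 0x00, 0x1b, 0x00, 0x02, 0x00, 0x00, 0x00]; // constructed bytes
  buf.set(version, 0x20);  // decoy: matches the pattern, no self-pointer
  buf.set(version, 0x100); // candidate with a pointer back to itself at +0x40
  new DataView(buf.buffer).setBigUint64(0x140, base + 0x100n, true);
  const hits = scan(buf, compilePattern("04 00 ?? 00 0? 00 00 00"));
  return { hits, confirmed: filterSelfReferencing(buf, base, hits) };
}
```

In the constructed sample both offsets match the UE4 pattern, but only the one at 0x100 survives the +0x40 check.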