UE4 game dump

Links
UE4Dumper: https://github.com/kp7742/UE4Dumper
Game example: https://www.bilibili.com/video/BV12v41167Gy
Definitions
GWorld points to the game world object

//Engine\Source\Runtime\Engine\Classes\Engine\World.h
/** Global UWorld pointer. Use of this pointer should be avoided whenever possible. */
extern ENGINE_API class UWorldProxy GWorld;

GNames points to the game's name string array (the FNamePool in newer engine versions)

//Engine\Source\Runtime\Core\Private\UObject\UnrealNames.cpp
static bool bNamePoolInitialized;
alignas(FNamePool) static uint8 NamePoolData[sizeof(FNamePool)];

GUObject points to the game's object array

//Engine\Source\Runtime\CoreUObject\Public\UObject\UObjectArray.h
extern class FUObjectArray GUObjectArray;

UE4 version
Check AndroidManifest.xml
The game's engine version is UE4+Release-4.25
How to find the pointers
GWorld
Switch to the Exports window
Search for the keyword "GWorld"
GWorld is 0BD23804
GNames
1. Switch to the Exports window
   Search for the keyword "FNamePool::FNamePool(void)"
2. Then press the X shortcut to list the callers of this function and click into any one of them
3. GNames is 0xBBF3778 (0xBBF3780 - 0x64D5634 + 0x64D562C)

.text:064D5628                 LDR             R0, =(unk_BBF3780 - 0x64D5634)
.text:064D562C                 ADD             R0, PC, R0 ; unk_BBF3780
.text:064D5630                 BL              _ZN9FNamePoolC2Ev ; FNamePool::FNamePool(void)

GUObject
Switch to the Exports window
Search for the keyword "GUObjectArray"
GUObject is 0BC06128
Commands
Example

./ue4dumper --newue --sdkw --gworld 0BD23804 --gname 0BBF3778 --package com.wangyi.UE4_Bili_Brushify_01   --output /storage/emulated/0/三秋 --verbose
./ue4dumper --newue --objs --guobj 0BC06128 --gname 0BBF3778 --package com.wangyi.UE4_Bili_Brushify_01   --output /storage/emulated/0/三秋 --verbose
./ue4dumper --newue --strings --gname 0BBF3778 --package com.wangyi.UE4_Bili_Brushify_01   --output /storage/emulated/0/三秋 --verbose

Help text

 ./ue4dumper -h
  
 UE4Dumper v0.20 <==> Made By KMODs(kp7742)
 Usage: ./ue4dumper <option(s)>
 Dump Lib libUE4.so from Memory of Game Process and Generate structure SDK for UE4 Engine
 Tested on PUBG Mobile Series and Other UE4 Based Games
 Options:
 --SDK Dump With GObjectArray Args--------------------------------------------------------
   --sdku                              Dump SDK with GUObject
   --gname <address>                   GNames Pointer Address
   --guobj <address>                   GUObject Pointer Address
 --SDK Dump With GWorld Args--------------------------------------------------------------
   --sdkw                              Dump SDK with GWorld
   --gname <address>                   GNames Pointer Address
   --gworld <address>                  GWorld Pointer Address
 --Dump Strings Args----------------------------------------------------------------------
   --strings                           Dump Strings
   --gname <address>                   GNames Pointer Address
 --Dump Objects Args----------------------------------------------------------------------
   --objs                              Dumping Object List
   --gname <address>                   GNames Pointer Address
   --guobj <address>                   GUObject Pointer Address
 --Lib Dump Args--------------------------------------------------------------------------
   --lib                               Dump libUE4.so from Memory
   --raw(Optional)                     Output Raw Lib and Not Rebuild It
   --fast(Optional)                    Enable Fast Dumping(May Miss Some Bytes in Dump)
 --Show ActorList With GWorld Args--------------------------------------------------------
   --actors                            Show Actors with GWorld
   --gname <address>                   GNames Pointer Address
   --gworld <address>                  GWorld Pointer Address
 --Other Args-----------------------------------------------------------------------------
   --newue(Optional)                   Run in UE 4.23+ Mode
   --ptrdec(Optional)                  Use Pointer Decryption Mode
   --verbose(Optional)                 Show Verbose Output of Dumping
   --derefgname(Optional) <true/false> De-Reference GNames Address(Default: true)
   --derefguobj(Optional) <true/false> De-Reference GUObject Address(Default: false)
   --package <packageName>             Package Name of App(Default: com.tencent.ig)
   --output <outputPath>               File Output path(Default: /sdcard)
   --help                              Display this information

Results

SDK.txt
Member offsets and function addresses of the game's classes
Class: World.Object
	Level* PersistentLevel;//[Offset: 0x20, Size: 0x4]
	NetDriver* NetDriver;//[Offset: 0x24, Size: 0x4]
	LineBatchComponent* LineBatcher;//[Offset: 0x28, Size: 0x4]
	LineBatchComponent* PersistentLineBatcher;//[Offset: 0x2c, Size: 0x4]
	LineBatchComponent* ForegroundLineBatcher;//[Offset: 0x30, Size: 0x4]
	GameNetworkManager* NetworkManager;//[Offset: 0x34, Size: 0x4]
	PhysicsCollisionHandler* PhysicsCollisionHandler;//[Offset: 0x38, Size: 0x4]
	Object*[] ExtraReferencedObjects;//[Offset: 0x3c, Size: 0xc]
	Object*[] PerModuleDataObjects;//[Offset: 0x48, Size: 0xc]
	Actor*[] LevelSequenceActors;//[Offset: 0x54, Size: 0xc]
	LevelStreaming*[] StreamingLevels;//[Offset: 0x60, Size: 0xc]
	StreamingLevelsToConsider StreamingLevelsToConsider;//[Offset: 0x6c, Size: 0x1c]
	FString StreamingLevelsPrefix;//[Offset: 0x88, Size: 0xc]
	Level* CurrentLevelPendingVisibility;//[Offset: 0x94, Size: 0x4]
	Level* CurrentLevelPendingInvisibility;//[Offset: 0x98, Size: 0x4]
	DemoNetDriver* DemoNetDriver;//[Offset: 0x9c, Size: 0x4]
	ParticleEventManager* MyParticleEventManager;//[Offset: 0xa0, Size: 0x4]
	PhysicsVolume* DefaultPhysicsVolume;//[Offset: 0xa4, Size: 0x4]
	bool bAreConstraintsDirty;//(ByteOffset: 0, ByteMask: 8, FieldMask: 8)[Offset: 0xba, Size: 0x1]
	NavigationSystemBase* NavigationSystem;//[Offset: 0xbc, Size: 0x4]
	GameModeBase* AuthorityGameMode;//[Offset: 0xc0, Size: 0x4]
	GameStateBase* GameState;//[Offset: 0xc4, Size: 0x4]
	AISystemBase* AISystem;//[Offset: 0xc8, Size: 0x4]
	AvoidanceManager* AvoidanceManager;//[Offset: 0xcc, Size: 0x4]
	Level*[] Levels;//[Offset: 0xd0, Size: 0xc]
	LevelCollection[] LevelCollections;//[Offset: 0xdc, Size: 0xc]
	GameInstance* OwningGameInstance;//[Offset: 0xf8, Size: 0x4]
	MaterialParameterCollectionInstance*[] ParameterCollectionInstances;//[Offset: 0xfc, Size: 0xc]
	Canvas* CanvasForRenderingToTarget;//[Offset: 0x108, Size: 0x4]
	Canvas* CanvasForDrawMaterialToRenderTarget;//[Offset: 0x10c, Size: 0x4]
	ActorComponent*[] ComponentsThatNeedEndOfFrameUpdate;//[Offset: 0x148, Size: 0xc]
	ActorComponent*[] ComponentsThatNeedEndOfFrameUpdate_OnGameThread;//[Offset: 0x154, Size: 0xc]
	WorldComposition* WorldComposition;//[Offset: 0x3e8, Size: 0x4]
	WorldPSCPool PSCPool;//[Offset: 0x468, Size: 0x44]
	WorldSettings* K2_GetWorldSettings();// 0xa705f50
	None None;//[Size: 0xae1d7e68]
	None None;//[Size: 0xa000006]
	None None;//[Size: 0x0]

--------------------------------
Class: Object
	void ExecuteUbergraph(int EntryPoint);// 0x681a184
	None None;//[Size: 0xae1d7e68]
	None None;//[Size: 0xa000006]
	None None;//[Size: 0x0]
...
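To make the SDK.txt layout usable from a script, here is an added Python example (not part of UE4Dumper or the original post) that parses the format shown above into class, member and function records and flags members whose offsets overlap, which usually means the Offset.h used for this engine version did not match. The sample text is constructed from the lines above; the regexes are assumptions about the format, not the tool's own code.

```python
import re

# Constructed sample in the SDK.txt format shown above: a few World members,
# one function per class, and the trailing "None None" filler lines the dumper emits.
SAMPLE_SDK = """Class: World.Object
\tLevel* PersistentLevel;//[Offset: 0x20, Size: 0x4]
\tNetDriver* NetDriver;//[Offset: 0x24, Size: 0x4]
\tObject*[] ExtraReferencedObjects;//[Offset: 0x3c, Size: 0xc]
\tbool bAreConstraintsDirty;//(ByteOffset: 0, ByteMask: 8, FieldMask: 8)[Offset: 0xba, Size: 0x1]
\tWorldSettings* K2_GetWorldSettings();// 0xa705f50
\tNone None;//[Size: 0xae1d7e68]

--------------------------------
Class: Object
\tvoid ExecuteUbergraph(int EntryPoint);// 0x681a184
\tNone None;//[Size: 0x0]
"""

CLASS_RE = re.compile(r"^Class:\s*(\S+)")
# member line: "<type> <name>;//...[Offset: 0x.., Size: 0x..]" (bitfield info may precede the bracket)
MEMBER_RE = re.compile(r"^\s*(.+?)\s+(\w+);//.*\[Offset:\s*(0x[0-9a-fA-F]+),\s*Size:\s*(0x[0-9a-fA-F]+)\]")
# function line: "<ret> <name>(<args>);// 0x<addr>"
FUNC_RE = re.compile(r"^\s*(.+?)\s+(\w+)\((.*)\);//\s*(0x[0-9a-fA-F]+)")

def parse_sdk(text):
    """Return {class_name: {"members": [...], "functions": [...]}} from SDK.txt text."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"members": [], "functions": []}
            classes[m.group(1)] = current
            continue
        if current is None:
            continue
        m = MEMBER_RE.match(line)
        if m:
            current["members"].append({"type": m.group(1), "name": m.group(2),
                                       "offset": int(m.group(3), 16), "size": int(m.group(4), 16)})
            continue
        m = FUNC_RE.match(line)
        if m:  # "None None;//[Size: ...]" filler matches neither pattern and is dropped
            current["functions"].append({"ret": m.group(1), "name": m.group(2),
                                         "args": m.group(3), "addr": int(m.group(4), 16)})
    return classes

def overlapping_members(members):
    """Names of members that start inside the previous member once sorted by offset."""
    ordered = sorted(members, key=lambda m: m["offset"])
    return [cur["name"] for prev, cur in zip(ordered, ordered[1:])
            if cur["offset"] < prev["offset"] + prev["size"]]
```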

Objects.txt
Game object information
[0x0]:
Name: /Script/CoreUObject
Class: Package
ObjectPtr: 0x8d7af200
ClassPtr: 0xc81b9a00

[0x5]:
Name: MaterialExpressionTextureBase
Class: Class
ObjectPtr: 0xd4827980
ClassPtr: 0xc81b9bc0

[0xa]:
Name: /Script/Paper2D
Class: Package
ObjectPtr: 0x8d7aef80
ClassPtr: 0xc81b9a00

[0xf]:
Name: Character
Class: Class
ObjectPtr: 0xd4827280
ClassPtr: 0xc81b9bc0
...
Strings.txt
Game name string information
{4} [0]: None
{12} [2]: ByteProperty
{11} [8]: IntProperty
{12} [d]: BoolProperty
{13} [13]: FloatProperty
{14} [19]: ObjectProperty
{12} [20]: NameProperty
{16} [26]: DelegateProperty
{14} [2e]: DoubleProperty
{13} [35]: ArrayProperty
{14} [3b]: StructProperty
{14} [42]: VectorProperty
{15} [49]: RotatorProperty
{11} [50]: StrProperty
{12} [55]: TextProperty
{17} [5b]: InterfaceProperty
{25} [63]: MulticastDelegateProperty
{18} [6f]: LazyObjectProperty
{18} [78]: SoftObjectProperty
{13} [81]: Int64Property
{13} [87]: Int32Property
{13} [8d]: Int16Property
{12} [93]: Int8Property
{14} [99]: UInt64Property
{14} [a0]: UInt32Property
{14} [a7]: UInt16Property
...

PS
1. For UE4 4.23 and above, the way to find GNames differs from versions below 4.23, while GWorld and GUObject are found the same way
2. IDA is really slow at analysing the .so and very easily becomes unresponsive
3. Almost every UE4 version differs in its structure layouts, so Offset.h in UE4Dumper needs to be modified accordingly

Reposted from blog.csdn.net/sanqiuai/article/details/128930744