Link
UE4Dumper: https://github.com/kp7742/UE4Dumper
game example: https://www.bilibili.com/video/BV12v41167Gy
defines
GWorld points to the game world object
//Engine\Source\Runtime\Engine\Classes\Engine\World.h
/** Global UWorld pointer. Use of this pointer should be avoided whenever possible. */
extern ENGINE_API class UWorldProxy GWorld;
GNames points to an array of game strings
//Engine\Source\Runtime\Core\Private\UObject\UnrealNames.cpp
static bool bNamePoolInitialized;
alignas(FNamePool) static uint8 NamePoolData[sizeof(FNamePool)];
GUObject points to an array of game objects
//Engine\Source\Runtime\CoreUObject\Public\UObject\UObjectArray.h
extern class FUObjectArray GUObjectArray;
UE4 version
View the AndroidManifest.xml
The game's engine version is UE4+Release-4.25
How to find the pointers
GWorld
Switch to Exports
search keyword [GWorld]
GWorld is 0BD23804
GNames
1. Switch to Exports
search keyword [FNamePool::FNamePool(void)]
2. Then press the shortcut key X to list the cross-references to the function and open one of the callers
3. GNames is 0xBBF3778 (0xBBF3780 - 0x64D5634 + 0x64D562C)
.text:064D5628 LDR R0, =(unk_BBF3780 - 0x64D5634)
.text:064D562C ADD R0, PC, R0 ; unk_BBF3780
.text:064D5630 BL _ZN9FNamePoolC2Ev ; FNamePool::FNamePool(void)
GUObject
Switch to Exports
search keyword [GUObjectArray]
GUObject is 0BC06128
command
example
./ue4dumper --newue --sdkw --gworld 0BD23804 --gname 0BBF3778 --package com.wangyi.UE4_Bili_Brushify_01 --output /storage/emulated/0/三秋 --verbose
./ue4dumper --newue --objs --guobj 0BC06128 --gname 0BBF3778 --package com.wangyi.UE4_Bili_Brushify_01 --output /storage/emulated/0/三秋 --verbose
./ue4dumper --newue --strings --gname 0BBF3778 --package com.wangyi.UE4_Bili_Brushify_01 --output /storage/emulated/0/三秋 --verbose
help document
./ue4dumper -h
UE4Dumper v0.20 <==> Made By KMODs(kp7742)
Usage: ./ue4dumper <option(s)>
Dump Lib libUE4.so from Memory of Game Process and Generate structure SDK for UE4 Engine
Tested on PUBG Mobile Series and Other UE4 Based Games
Options:
--SDK Dump With GObjectArray Args--------------------------------------------------------
--sdku Dump SDK with GUObject
--gname <address> GNames Pointer Address
--guobj <address> GUObject Pointer Address
--SDK Dump With GWorld Args--------------------------------------------------------------
--sdkw Dump SDK with GWorld
--gname <address> GNames Pointer Address
--gworld <address> GWorld Pointer Address
--Dump Strings Args----------------------------------------------------------------------
--strings Dump Strings
--gname <address> GNames Pointer Address
--Dump Objects Args----------------------------------------------------------------------
--objs Dumping Object List
--gname <address> GNames Pointer Address
--guobj <address> GUObject Pointer Address
--Lib Dump Args--------------------------------------------------------------------------
--lib Dump libUE4.so from Memory
--raw(Optional) Output Raw Lib and Not Rebuild It
--fast(Optional) Enable Fast Dumping(May Miss Some Bytes in Dump)
--Show ActorList With GWorld Args--------------------------------------------------------
--actors Show Actors with GWorld
--gname <address> GNames Pointer Address
--gworld <address> GWorld Pointer Address
--Other Args-----------------------------------------------------------------------------
--newue(Optional) Run in UE 4.23+ Mode
--ptrdec(Optional) Use Pointer Decryption Mode
--verbose(Optional) Show Verbose Output of Dumping
--derefgname(Optional) <true/false> De-Reference GNames Address(Default: true)
--derefguobj(Optional) <true/false> De-Reference GUObject Address(Default: false)
--package <packageName> Package Name of App(Default: com.tencent.ig)
--output <outputPath> File Output path(Default: /sdcard)
--help Display this information
result
SDK.txt
Game class member offsets and function addresses
Class: World.Object
Level* PersistentLevel;//[Offset: 0x20, Size: 0x4]
NetDriver* NetDriver;//[Offset: 0x24, Size: 0x4]
LineBatchComponent* LineBatcher;//[Offset: 0x28, Size: 0x4]
LineBatchComponent* PersistentLineBatcher;//[Offset: 0x2c, Size: 0x4]
LineBatchComponent* ForegroundLineBatcher;//[Offset: 0x30, Size: 0x4]
GameNetworkManager* NetworkManager;//[Offset: 0x34, Size: 0x4]
PhysicsCollisionHandler* PhysicsCollisionHandler;//[Offset: 0x38, Size: 0x4]
Object*[] ExtraReferencedObjects;//[Offset: 0x3c, Size: 0xc]
Object*[] PerModuleDataObjects;//[Offset: 0x48, Size: 0xc]
Actor*[] LevelSequenceActors;//[Offset: 0x54, Size: 0xc]
LevelStreaming*[] StreamingLevels;//[Offset: 0x60, Size: 0xc]
StreamingLevelsToConsider StreamingLevelsToConsider;//[Offset: 0x6c, Size: 0x1c]
FString StreamingLevelsPrefix;//[Offset: 0x88, Size: 0xc]
Level* CurrentLevelPendingVisibility;//[Offset: 0x94, Size: 0x4]
Level* CurrentLevelPendingInvisibility;//[Offset: 0x98, Size: 0x4]
DemoNetDriver* DemoNetDriver;//[Offset: 0x9c, Size: 0x4]
ParticleEventManager* MyParticleEventManager;//[Offset: 0xa0, Size: 0x4]
PhysicsVolume* DefaultPhysicsVolume;//[Offset: 0xa4, Size: 0x4]
bool bAreConstraintsDirty;//(ByteOffset: 0, ByteMask: 8, FieldMask: 8)[Offset: 0xba, Size: 0x1]
NavigationSystemBase* NavigationSystem;//[Offset: 0xbc, Size: 0x4]
GameModeBase* AuthorityGameMode;//[Offset: 0xc0, Size: 0x4]
GameStateBase* GameState;//[Offset: 0xc4, Size: 0x4]
AISystemBase* AISystem;//[Offset: 0xc8, Size: 0x4]
AvoidanceManager* AvoidanceManager;//[Offset: 0xcc, Size: 0x4]
Level*[] Levels;//[Offset: 0xd0, Size: 0xc]
LevelCollection[] LevelCollections;//[Offset: 0xdc, Size: 0xc]
GameInstance* OwningGameInstance;//[Offset: 0xf8, Size: 0x4]
MaterialParameterCollectionInstance*[] ParameterCollectionInstances;//[Offset: 0xfc, Size: 0xc]
Canvas* CanvasForRenderingToTarget;//[Offset: 0x108, Size: 0x4]
Canvas* CanvasForDrawMaterialToRenderTarget;//[Offset: 0x10c, Size: 0x4]
ActorComponent*[] ComponentsThatNeedEndOfFrameUpdate;//[Offset: 0x148, Size: 0xc]
ActorComponent*[] ComponentsThatNeedEndOfFrameUpdate_OnGameThread;//[Offset: 0x154, Size: 0xc]
WorldComposition* WorldComposition;//[Offset: 0x3e8, Size: 0x4]
WorldPSCPool PSCPool;//[Offset: 0x468, Size: 0x44]
WorldSettings* K2_GetWorldSettings();// 0xa705f50
None None;//[Size: 0xae1d7e68]
None None;//[Size: 0xa000006]
None None;//[Size: 0x0]
--------------------------------
Class: Object
void ExecuteUbergraph(int EntryPoint);// 0x681a184
None None;//[Size: 0xae1d7e68]
None None;//[Size: 0xa000006]
None None;//[Size: 0x0]
...
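A sanity check over SDK.txt, added here as an example (it is not part of UE4Dumper): it parses the field and function lines in the format shown above and reports overlapping fields and lines that fit neither pattern, on the assumption that either one points to offsets in Offset.h that do not match the engine version. The sample text is constructed from the excerpt above, and `parse_sdk` and `layout_problems` are hypothetical helper names.

```python
import re

# Constructed sample: lines copied from the SDK.txt excerpt above.
SAMPLE = """\
Class: World.Object
Level* PersistentLevel;//[Offset: 0x20, Size: 0x4]
NetDriver* NetDriver;//[Offset: 0x24, Size: 0x4]
Object*[] ExtraReferencedObjects;//[Offset: 0x3c, Size: 0xc]
bool bAreConstraintsDirty;//(ByteOffset: 0, ByteMask: 8, FieldMask: 8)[Offset: 0xba, Size: 0x1]
WorldSettings* K2_GetWorldSettings();// 0xa705f50
None None;//[Size: 0xae1d7e68]
--------------------------------
Class: Object
void ExecuteUbergraph(int EntryPoint);// 0x681a184
None None;//[Size: 0x0]
"""

HEX = r"0x[0-9a-fA-F]+"
FIELD = re.compile(rf"^(.+?) (\w+);//.*\[Offset: ({HEX}), Size: ({HEX})\]$")
FUNC = re.compile(rf"^.+? (\w+)\(.*\);// ({HEX})$")

def parse_sdk(text):
    """Group SDK.txt lines by class into fields, functions and leftovers."""
    classes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Class: "):
            cur = classes.setdefault(line[len("Class: "):],
                                     {"fields": [], "funcs": [], "unparsed": []})
            continue
        if cur is None or not line or set(line) == {"-"}:
            continue  # separators and anything before the first class
        field, func = FIELD.match(line), FUNC.match(line)
        if field:
            typ, name, off, size = field.groups()
            cur["fields"].append((name, typ, int(off, 16), int(size, 16)))
        elif func:
            cur["funcs"].append((func.group(1), int(func.group(2), 16)))
        else:
            cur["unparsed"].append(line)  # e.g. the "None None" entries
    return classes

def layout_problems(fields):
    """Return (earlier, later) name pairs whose byte ranges overlap."""
    ordered = sorted(fields, key=lambda f: f[2])
    # Fields at the same offset are treated as bitfield siblings (assumption).
    return [(a[0], b[0]) for a, b in zip(ordered, ordered[1:])
            if a[2] != b[2] and a[2] + a[3] > b[2]]

if __name__ == "__main__":
    for cls, info in parse_sdk(SAMPLE).items():
        print(cls, layout_problems(info["fields"]), info["unparsed"])
```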
Objects.txt
Game object information
[0x0]:
Name: /Script/CoreUObject
Class: Package
ObjectPtr: 0x8d7af200
ClassPtr: 0xc81b9a00
[0x5]:
Name: MaterialExpressionTextureBase
Class: Class
ObjectPtr: 0xd4827980
ClassPtr: 0xc81b9bc0
[0xa]:
Name: /Script/Paper2D
Class: Package
ObjectPtr: 0x8d7aef80
ClassPtr: 0xc81b9a00
[0xf]:
Name: Character
Class: Class
ObjectPtr: 0xd4827280
ClassPtr: 0xc81b9bc0
...
Strings.txt
Game string information
{4} [0]: None
{12} [2]: ByteProperty
{11} [8]: IntProperty
{12} [d]: BoolProperty
{13} [13]: FloatProperty
{14} [19]: ObjectProperty
{12} [20]: NameProperty
{16} [26]: DelegateProperty
{14} [2e]: DoubleProperty
{13} [35]: ArrayProperty
{14} [3b]: StructProperty
{14} [42]: VectorProperty
{15} [49]: RotatorProperty
{11} [50]: StrProperty
{12} [55]: TextProperty
{17} [5b]: InterfaceProperty
{25} [63]: MulticastDelegateProperty
{18} [6f]: LazyObjectProperty
{18} [78]: SoftObjectProperty
{13} [81]: Int64Property
{13} [87]: Int32Property
{13} [8d]: Int16Property
{12} [93]: Int8Property
{14} [99]: UInt64Property
{14} [a0]: UInt32Property
{14} [a7]: UInt16Property
...
PS
1. GNames is found differently on UE4 4.23 and above than on versions below 4.23, but GWorld and GUObject are found the same way.
2. IDA is really slow at parsing the .so, and it very easily stops responding.
3. Almost every version of UE4 has a different structure, so you need to modify Offset.h in UE4Dumper.