Detailed course catalog: UE4/UE5 engine FPS game reverse engineering (Yuque)
Tools:
A debuggable EAC debugger is provided (free).
A kernel-layer injector that can inject into EAC/BE-protected games is provided as a finished build + source code (free); writing your own kernel-layer injector is taught later in the course.
A kernel-layer dump tool is provided as a finished build + source code (free); it solves the problem of game files that cannot be analyzed directly in IDA. // Note: this is not the dump SDK, keep the two apart.
A kernel-layer dump SDK script is provided as a finished build + source code (free). // supports dumping the SDK of protected games
Practice games:
Single-player UE4 game (unprotected),
POLYGON, UE5 engine (EAC),
GUNDAM EVOLUTION (EAC),
Super Human, UE4 engine (BE),
Apex (EAC)
Public lectures:
Hidden c's personal space on Bilibili (哔哩哔哩)
Demo videos:
Hidden c's personal space on Bilibili (哔哩哔哩)
Screenshots:
Introduction:
The single-player game is not used as a demonstration; the single-player game in the first chapter is only for learning the basics!!!
After learning the basics you go straight to multiplayer games, and are taken through completing a full project!!!
Seven chapters in total, hundreds of videos, from the application layer down to the kernel layer!!!
01 UE4 engine:
// Chapter 01 (UE4 engine) is only a basic introduction to the UE engine, to lay a solid foundation
// The various drawing algorithms, memory aimbot, silent aimbot, bullet tracking and the other cheat functions are all covered in 02 UE5
00 Prerequisites // DirectX internal-drawing basics
01 Writing your own DX11 hook framework
02 Fixing the crash when the resolution changes during internal drawing
03 Analyzing the GName algorithm from the UE engine source code
04 Finding GName with IDA
05 Finding GName with CE
06 Writing a GetName function in C++
07 Verifying the GName algorithm
08 Finding GWorld with IDA
09 Player class inheritance relationships
10 The GWorld structure explained, and rebuilding the GWorld structure
11 Traversing all Actor coordinates // practice for what was learned above
12 Finding the world-to-screen coordinate CALL
13 Calling the world-to-screen CALL and drawing names
14 Filtering Actors to draw only enemies
15 Finding enemy bones and drawing bone indexes
16 The UE engine skeleton algorithm explained // mainly the UE engine bone algorithm, and fixing the bone flicker seen in external cheats
17 Fixing the bone flicker problem
18 Finding the CALL that converts bone relative coordinates to world coordinates
19 Using that CALL to obtain bone coordinates
20 Drawing bones by bone name to cope with differing bone indexes
21 Finding the camera component // UE engine obstacle (visibility) check
22 Finding the ray CALL (the obstacle-check CALL)
23 The ray CALL parameters explained, and rebuilding the function
24 Using the ray CALL for obstacle checks
02 UE5 engine: // walks through a complete reverse-engineering project
00 Using the kernel injector
01 Basic environment setup
02 Review of the internal-drawing framework
03 Adapting the framework to the injector
04 Finding GWorld, GName, etc.
05 The UWorld structure
06 The GetName function
07 How UE5 coordinates differ from UE4
08 Finding the world-to-screen coordinate CALL
09 Drawing all Actor names
10 Finding the player array to draw only players
11 Distinguishing factions so teammates are not drawn
12 Finding bones and the bone-coordinate CALL
13 Drawing bones // various drawing algorithms
14 Drawing a menu
15 Drawing an adaptive 2D box
16 Drawing a rotating 3D box
17 Drawing a rotating 2D radar
18 Drawing rays
19 Drawing orientation
20 Drawing health and filtering out dead enemies
21 UE5 obstacle check
22 Memory aimbot implementation // three aimbot methods
23 Analyzing the shooting CALL
24 Silent aimbot implementation
25 Bullet tracking implementation
26 Aiming range implementation
27 Analyzing weapons // weapon functions
28 Weapon no-spread implementation
29 Weapon no-recoil implementation
30 Making weapons fully automatic
31 Instant-hit bullets implementation
32 Infinite character stamina implementation // character functions
33 Character speed-up implementation
34 Fixing game crashes
35 Using signature scanning to make the cheat survive game updates ("update-free")
03 Engine drawing:
01 The difference between engine drawing and internal drawing
02 Analyzing virtual tables in IDA to quickly locate the engine hook function
03 Finding the engine drawing function
04 Finding GEngine with IDA
05 Rendering with engine fonts
04 Dump SDK:
00 Basic environment setup
01 Finding GUObjectArray
02 Rebuilding the TUObjectArray structure
03 Rebuilding the FUObjectItem structure
04 Rebuilding the UObject structure
05 Dumping all UObject information
06 Rebuilding the UEnum structure
07 Rebuilding the UFunction structure
08 Rebuilding the UStruct structure
09 Rebuilding the FField structure
10 Rebuilding the FProperty structure
11 Dumping the SDK // dump SDK study
12 Analyzing the UEnum structure offsets with IDA
13 Analyzing the UStruct structure offsets with IDA
14 Analyzing the UFunction structure offsets with IDA
15 Analyzing the FField structure offsets with IDA
16 Analyzing the FProperty structure offsets with IDA // if the structures are encrypted, CE may not find them, so IDA is used to find the offsets
17 Using driver read/write to dump driver-protected games // modifying the dump script to support driver-protected games
05 Defeating structure encryption:
GUNDAM EVOLUTION: a driver dump that cannot be analyzed directly in IDA
GUNDAM EVOLUTION: GWorld decryption
GUNDAM EVOLUTION: GName decryption
GUNDAM EVOLUTION: GObject decryption
GUNDAM EVOLUTION: dumping the SDK
Super Human: dealing with structure encryption
// Super Human encrypts a large number of structures; GName and essentially all of the dump SDK structures are encrypted
// In addition, the game file is encrypted so that it cannot be statically analyzed in IDA
// This part teaches how to work against the encryption algorithms
06 Kernel basics:
00 Kernel prerequisites
01 Driver communication with R3 (user mode)
02 Reading memory from the driver via CR3
03 Writing memory from the driver via CR3
04 Reading memory from the driver via MDL
05 Writing memory from the driver via MDL
06 Allocating memory from the driver layer
07 Freeing memory from the driver layer
08 Modifying page protection attributes from the driver layer
09 Supplementary material
07 Kernel reflective injection (no module, memory-only injection):
00 Prerequisites for kernel injection
01 Laying out the DLL in memory
02 Fixing the relocation table
03 Fixing the import table
04 Fixing TLS
05 Several ways to call shellcode
06 How driver protections such as EAC/BE are bypassed to call shellcode
07 Assembling the shellcode
08 Erasing reflective-injection artifacts
09 Apex (EAC) injection test