Basic UE4 Win64 Base Table

Upload *YOUR* gamehacking tools/helpers here
User avatar
Cake-san
Table Makers
Table Makers
Posts: 365
Joined: Sun Mar 26, 2017 4:32 pm
Reputation: 506

Basic UE4 Win64 Base Table

Post by Cake-san »

Made this table for learning purpose and to ease the making of cheat table for UE4 Win64 based game...

Prerequisite: Basic Lua programming knowledge & OOP data structure knowledge & Table making knowledge...


Features:
- Create structure dissect from UE4 class object
- Basic UE4 Object Dumper
- Example scripts & pointers

[Troubleshooting]

run dissect code & wait until finished then you can search for Referenced strings
you can also Save DissectCode after it had finished so, you can Load it when you want to use it again...

- StaticFindObject aob not found... - search for "Illegal call to StaticFindObject()" (without the quote)

- UObjectArray aob not found... - search for "UObject serial numbers overflowed" (without the quote)
Note: most of the time this function(FUObjectArray::AllocateSerialNumber) is being called by FWeakObjectPtr::operator= (which handle static/base address of UObjectArray) but for rare cases, it handle that address by its own...

- GetFullName aob not found... - search for "This platform requires cooked" (without the quote) -error code in range of: 0x572,0x59D,0x20D,0xF2,1CB, 0x715,0x740,0x8A,0x20F,0x13F,1DA(not the smallest nor the biggest, more on middle value,maybe)
Note: A little above the result there's a call & it might be GetFullName function
Note: Inside GetFullName there is a Function FName:AppendString (2nd or 3rd or 4rd call) & inside of that Function contain a function that handle static/base address of FNamePool...

- Game Crashed while activating script - comment out all 'createThread(ue4createstruct' , then you have to find out if all function & parent/child offset is valid...

Note: Example script will only work if game use generic variable else you have to make your own script...

Credits:
-CheatingMuppet - Satisfactory table & UE4 insight
-happyTugs - GNames & GObject Dumper for UE3 table
-Corrm - Unreal Finder Tool
-Fearless & CE forum , Tool Creators & Communities


Update 1
-Fix AOB part for ue4.18 & ue4.25
Update 2
-Add more AOB for ue4.25
-ue4.25 dumping also include property inside Function

Image
Attachments
Win64-Shipping.CT
Update 2
(37.79 KiB) Downloaded 464 times

grbras
Noobzor
Noobzor
Posts: 9
Joined: Thu Jul 16, 2020 4:03 pm
Reputation: 5

Re: Basic UE4 Win64 Base Table

Post by grbras »

First of all, this is nicelly done, and it could convert into a full sdk generator. So thank you for your effort, and i hope to see more from this.

Second, those structs are hand made and saved on the ctable "Win64-Shipping.CT", or are you generating them on the fly?

User avatar
Cake-san
Table Makers
Table Makers
Posts: 365
Joined: Sun Mar 26, 2017 4:32 pm
Reputation: 506

Re: Basic UE4 Win64 Base Table

Post by Cake-san »

Unreal Engine Algorithm version
Made this because I can't find a dumper that can dump the game I'm playing...

Features
- Added support for some UE4 32 bit based game... (I only have 1 game,lol, so can't test much)
- Added support for some UE3 based game... ( I only have 2 games for this engine version, so you need to configure it before use, if its offset is different...)
- Added FName dumper
- Added Tools -> makeshift FNamePool scanner script

Pros
- Stable & doesn't crash much & compatible with many games...

Cons
- 2.5x times slower than calling function...
- Inaccurate for some games...

Update 1
- Fixed a typo that made the script unable to dump property for >=25 version
- Fixed StaticFindObjectAlgo script to find object more accurately...
Sorry, for the inconvenience...

Update 2
-Performance update... cache & more caching & multi threading... first time dump is 0.5 slower than calling one but after that 2x times faster than calling one...
-fixed ue4determineversion() script...

Update 3
- FNameStringAlgo now distinguished between utf-16 or utf-8 fname on ue4
- createstruct will now add 4 bytes placeholder for unknown offset

Update 3.5
- Added support for UE4.10

Update 3.9
- Optimized script to be a bit faster & fixed other issues... :ph34r:

Update 4
- Added structureDissectCallback - so, just like mono/.net when this script is activated , it will automatically fill structure dissect with symbols if it's a valid Instance address..
- Object Dumper will now dump Enum's value & StructPropery/ObjectProperty will have ~ toward its ScriptStruct

Update 4.1
- Fixed infinite loop & findAddress bugs for ue<25 games

Update 4.2
- Fixed stackoverflow for ue4.25+

Update 5
- Performance improvement
- Fixed a few bugs
- Added SymbolLookupCallback eg: enter "Function /Script/Engine.ActorComponent:ComponentHasTag" (without quote) using "Go to address" inside Memory Viewer to go to that exec function Or use inside script...
- now generate ArrayProperty & MapProperty childrens....
Attachments
Win-Shipping_.CT
Algorithm version Update 5
(93.65 KiB) Downloaded 121 times
Win-Shipping_.CT
Algorithm version Update 4.2
(80.75 KiB) Downloaded 45 times
Win-Shipping_.CT
Algorithm version Update 4.1
(79.24 KiB) Downloaded 31 times
Win-Shipping_.CT
Algorithm version Update 4
(77.01 KiB) Downloaded 23 times
Win-Shipping.CT
Algorithm version Update 3.9
(68.64 KiB) Downloaded 29 times
Win-Shipping.CT
Algorithm version Update 3.5
(59.07 KiB) Downloaded 38 times
Win-Shipping.CT
Algorithm version update 3
(53 KiB) Downloaded 115 times
Last edited by Cake-san on Tue Mar 16, 2021 1:01 pm, edited 11 times in total.

ctl3d32
Table Makers
Table Makers
Posts: 43
Joined: Sun Nov 24, 2019 7:05 am
Reputation: 92

Re: Basic UE4 Win64 Base Table

Post by ctl3d32 »

Nice Tool. It already helped me a lot. Keep the good work!

jgoemat
Table Makers
Table Makers
Posts: 38
Joined: Fri Jul 21, 2017 6:47 pm
Reputation: 38

Re: Basic UE4 Win64 Base Table

Post by jgoemat »

This seems very interesting, but I don't know how to use it or what games to use it on. Could someone post an example? Something like "I hook into Batman: Arkham Asylum (which is a UE4 game I think), expand the 'UE4 entry, and click on 'Basic UE Object dumper'. Then I see there's a class called 'Script/Batmobile' and I click on X and do Y and now it's invulnerable." Or not even a full cheat, but how this would be used to dissect a structure you found a pointer to some other way. Can it tell what type you are pointing to and provide the structure? Do you just have to click those two things for that to happen automatically, or do you have to do something else?

Thanks!

User avatar
Cake-san
Table Makers
Table Makers
Posts: 365
Joined: Sun Mar 26, 2017 4:32 pm
Reputation: 506

Re: Basic UE4 Win64 Base Table

Post by Cake-san »

Basic:
If you know OOP you should be able to understand this...
Image


Interesting variables will most likely be inside PlayerController.Character/.Pawn or GameInstance depending on what you want & where dev put that stuff...
Image

Code: Select all

function ue4createstruct(fullnameOrAddress,name,depth,isfullname)
function uecreatestruct(instance,name,depth,isfullname)
depth is how far you want the struct to be which is 0 if you dont want to include parent/super class's member or vice versa...

Image

When struct had been created, you can use its symbol...
Image

You can look into my latest UE based table for reference

gideon25
Table Makers
Table Makers
Posts: 768
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 518

Re: Basic UE4 Win64 Base Table

Post by gideon25 »

Cake-san wrote:
Sun Nov 29, 2020 1:42 pm
Unreal Engine Algorithm version
Made this because I can't find a dumper that can dump the game I'm playing...

Features
- Added support for some UE4 32 bit based game... (I only have 1 game,lol, so can't test much)
- Added support for some UE3 based game... ( I only have 2 games for this engine version, so you need to configure it before use, if its offset is different...)
- Added FName dumper
- Added Tools -> makeshift FNamePool scanner script

Pros
- Stable & doesn't crash much & compatible with many games...

Cons
- 2.5x times slower than calling function...
- Inaccurate for some games...

Update 1
- Fixed a typo that made the script unable to dump property for >=25 version
- Fixed StaticFindObjectAlgo script to find object more accurately...
Sorry, for the inconvenience...

Update 2
-Performance update... cache & more caching & multi threading... first time dump is 0.5 slower than calling one but after that 2x times faster than calling one...
-fixed ue4determineversion() script...

Update 3
- FNameStringAlgo now distinguished between utf-16 or utf-8 fname on ue4
- createstruct will now add 4 bytes placeholder for unknown offset
So im in a game where the referenced strings say UnrealEngine_4_10_4. The main script wouldn't activate first saying the AOB for GUObjectArray wasn't found, then the AOB for GEngine wasn't found. I put the correct AOBs here:

if targetIs64Bit() then

local address=findAddress('GUObjectArray',0,'4C 8D * * 4E 91 01 * * 71banana',process,nil,0,true)[1]

and here

findAddress('GEngine',1,'41 B8 01 00 00 00 48 8D 4C 24 48 E8 * * * * 48 8B D8 E8 * * * * 4C 8B 03banana',process)<--(engine is the 2nd AOB when aob scanning with cheat engine, correct?)

When attempting to activate the main script after that I get a Range Check Error. Can you help? Thanks!

User avatar
Cake-san
Table Makers
Table Makers
Posts: 365
Joined: Sun Mar 26, 2017 4:32 pm
Reputation: 506

Re: Basic UE4 Win64 Base Table

Post by Cake-san »

gideon25 wrote:
Thu Feb 11, 2021 2:58 am
...
# Updated Nah
Cake-san wrote:
Sun Nov 29, 2020 1:42 pm
Update 3.5
- Added support for UE4.10

gideon25
Table Makers
Table Makers
Posts: 768
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 518

Re: Basic UE4 Win64 Base Table

Post by gideon25 »

Cake-san wrote:
Thu Feb 11, 2021 7:37 am
gideon25 wrote:
Thu Feb 11, 2021 2:58 am
...
# Updated Nah
Cake-san wrote:
Sun Nov 29, 2020 1:42 pm
Update 3.5
- Added support for UE4.10
Just some quick questions, sorry to bother:
NICE! So I am just learning this stuff but I found out the main character stuff is in:
00000168A62E9D80 Class /Script/PumpkinOnline.Main_Character_PC ~ Class /Script/Engine.PlayerController

So i created a structure with the lua function you showed with 168A62E9D80 and there it was! Amazing!
Question1:
Now in this case what would be like the pointer to this if I wanted to create some pointers in the table using the names to get to it (Like you have).

here are the things at the top of the uobject dump:

Code: Select all

00000000] 00000168A840EC00 Package /Script/CoreUObject
[00000001] 00000168A62EF000 Class /Script/CoreUObject.Object
[00000002] 00000168A840F300 Package /Script/Engine
[00000003] 00000168A62EBD00 Class /Script/Engine.BlueprintFunctionLibrary ~ Class /Script/CoreUObject.Object
[00000004] 00000168A840F000 Package /Script/PumpkinOnline
[00000005] 00000168A62EBE80 Class /Script/PumpkinOnline.CustomBlueprintNodes ~ Class /Script/Engine.BlueprintFunctionLibrary
[00000006] 00000168A62EB580 Class /Script/Engine.Actor ~ Class /Script/CoreUObject.Object
[00000007] 00000168A62EB700 Class /Script/Engine.Pawn ~ Class /Script/Engine.Actor
[00000008] 00000168A62EBA00 Class /Script/Engine.Character ~ Class /Script/Engine.Pawn
[00000009] 00000168A62EBB80 Class /Script/PumpkinOnline.AnimalMaster ~ Class /Script/Engine.Character
[00000010] 00000168A62EB280 Class /Script/Engine.AnimInstance ~ Class /Script/CoreUObject.Object
[00000011] 00000168A62EB400 Class /Script/PumpkinOnline.AnimalAnimInstance ~ Class /Script/Engine.AnimInstance
[00000012] 00000168A62EAE00 Class /Script/Engine.AnimNotify ~ Class /Script/CoreUObject.Object
[00000013] 00000168A62EAF80 Class /Script/PumpkinOnline.AnimNotify_PlaySoundForToolbase ~ Class /Script/Engine.AnimNotify
[00000014] 00000168A62EAC80 Class /Script/PumpkinOnline.Breakable_Object ~ Class /Script/Engine.Actor
[00000015] 00000168A62EA980 Class /Script/PumpkinOnline.BugSpawnManager ~ Class /Script/Engine.Actor
[00000016] 00000168A62EA800 Class /Script/PumpkinOnline.NpcBase ~ Class /Script/Engine.Character
[00000017] 00000168A62EA500 Class /Script/CoreUObject.Interface ~ Class /Script/CoreUObject.Object
[00000018] 00000168A62EA680 Class /Script/PumpkinOnline.PumpkinChildInterface ~ Class /Script/CoreUObject.Interface
[00000019] 00000168A62EA200 Class /Script/PumpkinOnline.NpcChar ~ Class /Script/PumpkinOnline.NpcBase
[00000020] 00000168A62EA080 Class /Script/PumpkinOnline.DummyNpc ~ Class /Script/Engine.Actor
[00000021] 00000168A62E9F00 Class /Script/PumpkinOnline.MinigameSetMasterCpp ~ Class /Script/Engine.Actor
[00000022] 00000168A62E9A80 Class /Script/Engine.Controller ~ Class /Script/Engine.Actor
[00000023] 00000168A62E9C00 Class /Script/Engine.PlayerController ~ Class /Script/Engine.Controller
[00000024] 00000168A62E9D80 Class /Script/PumpkinOnline.Main_Character_PC ~ Class /Script/Engine.PlayerController
and so looking here at the /PumpkinOnline.Main_Character_PC structure:
Image

Question2:

lets say I wanted to create a structure with the names populated for InventoryObjects (in tha pic). In the dump it shows:
00000168B6925D00 ArrayProperty /Script/PumpkinOnline.Main_Character_PC:InventoryObjects

So would you happen to know how to do that? This didn't work.
ue4createstruct(0x168B6925D00,'invent',0)
uecreatestruct(0x168B6925D00,'invent',0)

And what would THAT pointer look like if I wanted to add it to the table? Thanks, this would help me learn a lot!

User avatar
Cake-san
Table Makers
Table Makers
Posts: 365
Joined: Sun Mar 26, 2017 4:32 pm
Reputation: 506

Re: Basic UE4 Win64 Base Table

Post by Cake-san »

gideon25 wrote:
Sat Feb 13, 2021 12:27 am
...
Answer 1:

GameEngine -> GameInstance -> LocalPlayers[0]- > PlayerController ?

Answer 2:

Since it's an ArrayProperty , you need to find ScriptStruct for that Property, in your case might be ScriptStruct /Script/PumpkinOnline.InventoryItem ?

gideon25
Table Makers
Table Makers
Posts: 768
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 518

Re: Basic UE4 Win64 Base Table

Post by gideon25 »

Cake-san wrote:
Sat Feb 13, 2021 5:14 am
gideon25 wrote:
Sat Feb 13, 2021 12:27 am
...
Answer 1:

GameEngine -> GameInstance -> LocalPlayers[0]- > PlayerController ?

Answer 2:

Since it's an ArrayProperty , you need to find ScriptStruct for that Property, in your case might be ScriptStruct /Script/PumpkinOnline.InventoryItem ?
So I see this:

Code: Select all

[00004992] 0000022C230F0C80 ScriptStruct /Script/PumpkinOnline.InventoryItem ~ ScriptStruct /Script/Engine.TableRowBase
[      98] 0000022C2DF52680 ArrayProperty /Script/PumpkinOnline.InventoryItem:ExtraOptions
[       0] 0000022C2DF52600 StructProperty /Script/PumpkinOnline.InventoryItem:ExtraOptions.ExtraOptions
[      88] 0000022C2DFDBDE0 StrProperty /Script/PumpkinOnline.InventoryItem:OptionsString
[      68] 0000022C2DF52580 AssetObjectProperty /Script/PumpkinOnline.InventoryItem:ShopMesh
[      60] 0000022C2DFDBD70 IntProperty /Script/PumpkinOnline.InventoryItem:SellPrice
[      5C] 0000022C2DFDBD00 IntProperty /Script/PumpkinOnline.InventoryItem:BuyPrice
[      5A] 0000022C2DF52500 ByteProperty /Script/PumpkinOnline.InventoryItem:ToolType
[      59] 0000022C2DF52480 ByteProperty /Script/PumpkinOnline.InventoryItem:ToolTier
[      58] 0000022C2DF52400 ByteProperty /Script/PumpkinOnline.InventoryItem:Category
[      54] 0000022C2DFDBC90 IntProperty /Script/PumpkinOnline.InventoryItem:MaxStack
[      50] 0000022C2DFDBC20 IntProperty /Script/PumpkinOnline.InventoryItem:StackAmount
[      30] 0000022C2DF52380 AssetObjectProperty /Script/PumpkinOnline.InventoryItem:Mesh
[      28] 0000022C2DF52300 ObjectProperty /Script/PumpkinOnline.InventoryItem:Thumbnail
[      18] 0000022C2DFDBBB0 StrProperty /Script/PumpkinOnline.InventoryItem:Description
[       8] 0000022C2DFDBB40 StrProperty /Script/PumpkinOnline.InventoryItem:Name
[       0] 0000022C2DFDBAD0 NameProperty /Script/PumpkinOnline.InventoryItem:RowName
and this:
[00003311] 0000022C230F5780 ScriptStruct /Script/Engine.TableRowBase

So what would the pointer look like? I guess Im having trouble understanding where it would go here and what it would be called, how it would look:
Image

While I can generate a dissect/structure for this using your lua commands:
[00004992] 0000022C230F0C80 ScriptStruct /Script/PumpkinOnline.InventoryItem ~ ScriptStruct /Script/Engine.TableRowBase

How can I tell where the stuff goes?

Also curious:
IF I don't have the actual address to put into that structure, it won't work. Lets say I generated the structure, and wanted to find out the address I needed to put into it and I just had this (without your pointers): [00004992] 0000022C230F0C80 <<--what would I need to do with it to find the address I need to put into the structure after I generated it? IS it all so nested that my pointer would look like the pic above? Everything comes from gEngine?

Thanks!

User avatar
Cake-san
Table Makers
Table Makers
Posts: 365
Joined: Sun Mar 26, 2017 4:32 pm
Reputation: 506

Re: Basic UE4 Win64 Base Table

Post by Cake-san »

I can't help much on forum , because it keep disconnecting...

Code: Select all

{$lua}
if syntaxcheck then return end
for i=memrec.Count-1,0,-1 do
  memoryrecord_delete(memrec.Child[i])
end
[ENABLE]
if not ItemList then
  memrec.setAddress('+PlayerController.InventoryItemsTable')
  memrec.OffsetCount=1
  memrec.Offset[0]=0
  local list,pointer,fname,len,name,desc=memrec.getCurrentAddress()+0x30
  ItemList='0000000000000000:None\n'
  for i=0 ,readInteger(list+8)-1
  do
    pointer=readPointer(readPointer(list)+i*0x18+8)
    fname=readQword(pointer)
    len=readInteger(pointer+0x10)
    name=readString(readPointer(pointer+8),len*2,true)
    len=readInteger(pointer+0x20)
    desc=readString(readPointer(pointer+0x18),len*2,true)
    if name and string.find(name,']') then name=name:sub(string.find(name,']')+1,name:len())end
    if desc and string.find(desc,']') then desc=desc:sub(string.find(desc,']')+1,desc:len())end
    ItemList=ItemList..string.format('%016X:%s     %s\n',fname,name,desc)
  end
end

memrec.setAddress('+PlayerController.InventoryObjects')
local count=readInteger(memrec.getCurrentAddress()+0x8)
memrec.OffsetCount=1
memrec.Offset[0]=0

local rec,tec,pointer,len,name
for i=0,count-1 do
  rec = getAddressList().createMemoryRecord()
  rec.setDescription('RowName')
  rec.setAddress(string.format('+%X',i*0xA8))
  rec.VarType='vtQword'
  rec.appendToEntry(memrec)
  rec.ShowAsHex=true
  rec.DontSave=true
  rec.DropDownList.Text=ItemList
  rec.DropDownDescriptionOnly=true
  rec.DisplayAsDropDownListItem=true
end
[DISABLE]

gideon25
Table Makers
Table Makers
Posts: 768
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 518

Re: Basic UE4 Win64 Base Table

Post by gideon25 »

Cake-san wrote:
Sat Feb 13, 2021 6:45 am
I can't help much on forum , because it keep disconnecting...

Code: Select all

{$lua}
if syntaxcheck then return end
for i=memrec.Count-1,0,-1 do
  memoryrecord_delete(memrec.Child[i])
end
[ENABLE]
if not ItemList then
  memrec.setAddress('+PlayerController.InventoryItemsTable')
  memrec.OffsetCount=1
  memrec.Offset[0]=0
  local list,pointer,fname,len,name,desc=memrec.getCurrentAddress()+0x30
  ItemList='0000000000000000:None\n'
  for i=0 ,readInteger(list+8)-1
  do
    pointer=readPointer(readPointer(list)+i*0x18+8)
    fname=readQword(pointer)
    len=readInteger(pointer+0x10)
    name=readString(readPointer(pointer+8),len*2,true)
    len=readInteger(pointer+0x20)
    desc=readString(readPointer(pointer+0x18),len*2,true)
    if name and string.find(name,']') then name=name:sub(string.find(name,']')+1,name:len())end
    if desc and string.find(desc,']') then desc=desc:sub(string.find(desc,']')+1,desc:len())end
    ItemList=ItemList..string.format('%016X:%s     %s\n',fname,name,desc)
  end
end

memrec.setAddress('+PlayerController.InventoryObjects')
local count=readInteger(memrec.getCurrentAddress()+0x8)
memrec.OffsetCount=1
memrec.Offset[0]=0

local rec,tec,pointer,len,name
for i=0,count-1 do
  rec = getAddressList().createMemoryRecord()
  rec.setDescription('RowName')
  rec.setAddress(string.format('+%X',i*0xA8))
  rec.VarType='vtQword'
  rec.appendToEntry(memrec)
  rec.ShowAsHex=true
  rec.DontSave=true
  rec.DropDownList.Text=ItemList
  rec.DropDownDescriptionOnly=true
  rec.DisplayAsDropDownListItem=true
end
[DISABLE]
Hi, thanks but I get an error at line 1 attempt to perfom nil value for line 13.
Does it help that I created my player controller like this:

createThread(ue4createstruct('/Script/PumpkinOnline.Main_Character_PC','MainChar_PC',2))

which allowed me to see pawn and the inventory pointers..

User avatar
Cake-san
Table Makers
Table Makers
Posts: 365
Joined: Sun Mar 26, 2017 4:32 pm
Reputation: 506

Re: Basic UE4 Win64 Base Table

Post by Cake-san »

gideon25 wrote:
Sat Feb 13, 2021 9:18 am
...
Aren't you a Table Maker... You're supposed to edit the script according to your needs & circumstances... :roll:

Here's an example table:
Attachments
PumpkinOnline-Win64-Shipping.CT
(73.95 KiB) Downloaded 36 times
Last edited by Cake-san on Mon Feb 15, 2021 5:36 am, edited 1 time in total.

gideon25
Table Makers
Table Makers
Posts: 768
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 518

Re: Basic UE4 Win64 Base Table

Post by gideon25 »

Thanks!

Post Reply

Who is online

Users browsing this forum: No registered users