Basic UE4 Win64 Base Table

[Zephyrusiac]

FNamePool parsed...
error: stringoffset/ByteProperty not found

UE4 game...

Soulmask, right?
Currently trying to figure it out. UE4SS and UUU4 don't work either. I'm wondering if it might be using a modified version of ue4.27.

[Send]

FNamePool parsed...
error: stringoffset/ByteProperty not found

UE4 game...

Soulmask, right?
Currently trying to figure it out. UE4SS and UUU4 don't work either. I'm wondering if it might be using a modified version of ue4.27.

It is. They removed/modified a lot as part of their 'anti-cheat'. Game already has anti-debugging (can be bypassed). You could try Dumper 7, but unless you know C#/C++ and use the SDK it generates, in a dll, you'd get nothing but offsets. Wundering Wave's gives the exact same error with Cake's tables.

Edit: PeaceBeUponYou (GH)'s UE Dumper doesn't work as well. FName seems to be encrypted.

Edit 2:
"OFFSET_GNAMES", 0x67E5858
"OFFSET_GOBJECTS", 0x669f970
"OFFSET_GWORLD", 0x67E5858

[Zephyrusiac]

FNamePool parsed...
error: stringoffset/ByteProperty not found

UE4 game...

Soulmask, right?
Currently trying to figure it out. UE4SS and UUU4 don't work either. I'm wondering if it might be using a modified version of ue4.27.

It is. They removed/modified a lot as part of their 'anti-cheat'. Game already has anti-debugging (can be bypassed). You could try Dumper 7, but unless you know C#/C++ and use the SDK it generates, in a dll, you'd get nothing but offsets. Wundering Wave's gives the exact same error with Cake's tables.

Edit: PeaceBeUponYou (GH)'s UE Dumper doesn't work as well. FName seems to be encrypted.

Yeah already went as far as using that exact dump for its ida mappings and then seeing what I could find in ida with ue4ss injected. patternsleuth had issues with GUObjectArray, engineversion, GMalloc and a bunch more, probably everything even slightly relevant, I think a lot of it is encrypted. Gave up after that.

EDIT Cool, but are they even parseable? I know dumper-7 dumped the objectstore correctly.

[Send]

Yeah, it's encrypted.

[Send]

-------------------------------

[Metanoia]

Does anyone mind walking me through the steps of modifying the table to work for UE5?

It's not that simple. You would need to find new AOBs for fnamepool, gobjects, etc... and then the offsets for everything like fnameindex so you can get the names from the fnamepool.

It would take a while to explain something like this.

[SunBeam]

Does anyone mind walking me through the steps of modifying the table to work for UE5?

It's not that simple. You would need to find new AOBs for fnamepool, gobjects, etc... and then the offsets for everything like fnameindex so you can get the names from the fnamepool.

It would take a while to explain something like this.

The problem with people asking for this is they never make an account with Epic's github to download the Engine, compile it and study it. No.. what's that? Gimme food on spoon. Kinda lame that this generation has lost the will to even try simple things and share their experiences. All they care for is fun, being cool with others' work and knowledge and making $ off others' backs.

[Paul44]

I've started looking at 'Remnant II' last week (UE5 title), and initially did not get this workng very well. Luckily, #Csimbi (and #DarkByte) came to the rescue: [ viewtopic.php?p=316349#p316349 ].
It still "wasn't" perfect initially, but after some experimenting it does come true... if I would follow these steps:

1. start game till 'Main menu' !
2. attach 'hotfix' table
3. enable 'Unreal Engine'... (will definitely take its time - 3~5mins)
4. then verify:
a. log: "A Total of xxx objects has been found"
b. debug_section: 3 main addresses should have been found/initiated

4. do NOT start using table yet... !
5. load save/player, till ingame...

6. dis/re-enable 'Unreal Engine' again ! (as usual, will take its time)
7. verify both log & debug
8. if everything ok, you can now proceed as normal

tip: disable in lua console 'View ~ Show on print'

=> just to be clear:
> this happens to work fine on my end for this particular game. Your game/pcconfig might decide otherwise...
> did this 3-4 times now, with reboots
> if i followed the normal route, it would work 1/10 (or something)
> if you do get (script) errors (showing in log), you'll need to reboot pc ! (quiting/relaunching ce/game simply will not do)

-EDIT-
I tackled Riven Remake this week (UE5.3), and the tool will not properly collect the info (not that I wanted it for this specific game though). Just confirming the obvious...

[Csimbi]

Yeah, it's dodgy at best.
I was thinking about rewriting the code and updating it, but my LUA-fu is too weak.
I think the community should come together and work on it together.

[濒危物种猫咪]

Thanks to your effort, it works perfectly in UE5, just need to add some of the parameters
For UE 5.1
UObject.ObjectId = 0x18
UObject.Class = 0x10
UObject.FNameIndex = 0x20
UObject.Outer = 0x28
UObject.super = 0x40
UObject.member = 0x48
UObject.nextmember = 0x28
UObject.Offset = 0x50
UObject.propsize = 0x38
UObject.bitmask = 0x80
UObject.Property = 0x78
UObject.enumoffset = 0x40
UObject.enummul = 0x10
UObject.enumname = 0x0
UObject.enumindex = 0x8

Edit:
Use Dumper7 to find the offset
UObject.ObjectId = 0xC -- Off::UObject::Index
UObject.Class = 0x10 -- Off::UObject::Class
UObject.FNameIndex = 0x18 -- Off::UObject::Name
UObject.Outer = 0x20 -- Off::UObject::Outer
UObject.super = 0x40 -- Off::UStruct::SuperStruct
UObject.member = 0x48 -- Off::UStruct::Children
UObject.nextmember = 0x28 -- Off::UField::Next
UObject.Offset = 0x4C -- Off::Property::Offset_Internal
UObject.propsize = 0x3C -- Off::Property::ElementSize
UObject.Property = 0x78 -- Off::ArrayProperty::Inner

[Aleksey0104]

Thanks to your effort, it works perfectly in UE5, just need to add some of the parameters
For UE 5.1
UObject.ObjectId = 0x18
UObject.Class = 0x10
UObject.FNameIndex = 0x20
UObject.Outer = 0x28
UObject.super = 0x40
UObject.member = 0x48
UObject.nextmember = 0x28
UObject.Offset = 0x50
UObject.propsize = 0x38
UObject.bitmask = 0x80
UObject.Property = 0x78
UObject.enumoffset = 0x40
UObject.enummul = 0x10
UObject.enumname = 0x0
UObject.enumindex = 0x8

In which lines exactly should I change? Or send me the finished result!

[DarkIceCore]

In which lines exactly should I change?

+1
-----------------------------------------------
EDIT:
so i suppose, for UE5.1, we need to change in main first script "Unreal Engine"

line 10 to line 95
!(FORMAT here EATS "SPACES" don't forget to add them)

from this:

Spoiler


----------UE4 struct---------

if not UE3 then

UObject.ObjectId= 0xC-sub
UObject.Class = 0x10-sub
UObject.FNameIndex = 0x18-(sub*2)
UObject.Outer = 0x20-(sub*2)

if UE4ver>=25 then
UObject.super= 0x40
UObject.member= 0x50
UObject.nextmember= 0x20
UObject.Offset= 0x4C
UObject.propsize=0x3C
UObject.bitmask= 0x7A
UObject.Property= 0x78
UObject.enumoffset = 0x40
UObject.enummul = 0x10
UObject.enumname = 0x0
UObject.enumindex = 0x8

elseif UE4ver>=22 then
UObject.super= 0x40
UObject.member= 0x48

else
UObject.super= 0x30 -(sub*4)
UObject.member= 0x38 -(sub*5)

end

if UE4ver<25 then
UObject.nextmember=0x28-(sub*3)
UObject.Offset= 0x44-(sub*4)
UObject.propsize= 0x34-(sub*3/2)
UObject.bitmask= 0x72-(sub*8)

UObject.Property= 0x70-(sub*8)

end

if UE4ver<11 then
UObject.Offset= 0x4C
end

----------------------------
---------UE3 struct---------
--1.25
--[[
elseif UE4ver>=1 then

UObject.ObjectId= 0x4
UObject.Outer = 0x14
UObject.FNameIndex = 0x18
UObject.Class = 0x20
UObject.Offset= 0x48
UObject.super= 0x34
UObject.member= 0x38
UObject.nextmember=0x28
UObject.propsize= 0x30
UObject.bitmask= 0x60
UObject.Property= 0x58

]]
--0.10246
else
--[[
UObject.ObjectId= 0x20
UObject.Outer = 0x28
UObject.FNameIndex = 0x2C
UObject.Class = 0x34

UObject.Offset= 0x60

UObject.super= 0x48
UObject.member= 0x4C

UObject.nextmember=0x3C
UObject.propsize= 0x44
UObject.bitmask= 0x70]]

end

---------------------------
end


to this:

Spoiler


if not UE3 then

--For UE 5.1
UObject.ObjectId = 0x18
UObject.Class = 0x10
UObject.FNameIndex = 0x20
UObject.Outer = 0x28
UObject.super = 0x40
UObject.member = 0x48
UObject.nextmember = 0x28
UObject.Offset = 0x50
UObject.propsize = 0x38
UObject.bitmask = 0x80
UObject.Property = 0x78
UObject.enumoffset = 0x40
UObject.enummul = 0x10
UObject.enumname = 0x0
UObject.enumindex = 0x8

end
end
---------------------------
end


[S1N74X]

Hi there,

i have written a namepool Address "scanner" for UE

Spoiler



function ue4versioncheck() -- Cake san's stuff
local fileversion,info =getFileVersion(enumModules()[1].PathToFile)
if not info then return 0 end
return tonumber(info.major..info.minor..'.'..info.release)
end
print('UE Version ' .. ue4versioncheck())

local memrec = getAddressList().getMemoryRecordByDescription('FindFNamePool')
memrec.Async = true


function FindStringsInProcess(stringToFind)
local res = {}
local ms=createMemScan()
local fl=createFoundList(ms)
local pf = '+W'

ms.firstScan(soExactValue, vtString,nil,stringToFind,'',0,0x7fffffffffffffff,pf,fsmNotAligned,'1',false,true,false,casesensitive)
ms.waitTillDone()
fl.initialize()
for i=0,fl.count,1 do
if fl[i] ~= nil and fl[i] ~= '00000000' then
table.insert(res,fl[i])
end
end
fl.deinitialize()
return res
end

local function replaceCharsInString(_string,find,replace)
local str = _string:gsub(find,replace)
return str
end

function byteTableToString(bt)
local byteRes = ''
for _, byte in ipairs(bt) do
local tmpRes = string.format('%0X',byte)
if tmpRes ~= nil then
if #tmpRes < 2 then -- readBytes returns n not 0n
tmpRes = '0' .. tmpRes
end
byteRes = byteRes .. tmpRes .. ' '
end
end
byteRes = replaceCharsInString(byteRes, ' ','')
return byteRes
end

local function FindFNamePoolPattern(addy,_pattern,offsetInHex)
local hexAddress = tonumber(addy,16)
local offsetResult = hexAddress - offsetInHex
local pattern = replaceCharsInString(_pattern, ' ','') -- get rid of WhiteSpaces
local size = #pattern / 2 -- 2 bytes == 1 entry
local r = readBytes(offsetResult,size,true)
if type(r) ~= 'table' then return end
local byteRes = byteTableToString(r)
--printf('%X %s',offsetResult,byteRes)
--print('res [' .. byteRes .. '] pattern [' .. pattern .. ']')
if byteRes == pattern then
return offsetResult
end
end


local function FindFNamePoolAddress(propertyName,pattern,offsetInHex)
local res = FindStringsInProcess(propertyName)
for i=#res,1,-1 do
local fnameAddress = FindFNamePoolPattern(res[i],pattern,offsetInHex)
if fnameAddress ~= nil then
printf('FNamePoolAddress [%X %s',fnameAddress,']')
return fnameAddress
end
end
end

local patternsAndOffsets = {
{'MulticastDelegateProperty',0xF2,'4E 6F 6E 65 10 03 42 79 74 65 50 72 6F 70 65 72 74 79 C0 02 49 6E 74 50 72 6F 70 65 72 74 79 6F 34 03 42 6F 6F 6C 50 72 6F 70 65 72 74 79 76','427.2'},
{'MulticastDelegateProperty',0xF4,'2A 01 4E 6F 6E 65 08 03 42 79 74 65 50 72 6F 70 65 72 74 79','425'},
}

local function GetFNamePoolAddress()
for index,entry in ipairs(patternsAndOffsets) do
local propertyName = entry[1]
local pattern = entry[3]
local offset = entry[2]
local version = entry[4]
local res = FindFNamePoolAddress(propertyName,pattern,offset)
if res ~= nil then
print('found match at index [' .. index .. ']' .. ' UE Version [' .. version .. ']' )
return res
end
end
return 'DEADBEEF'
end

local res = GetFNamePoolAddress()
if res ~= 'DEADBEEF' then
unregisterSymbol('FNamePool')
registerSymbol('FNamePool',res)
end


In Cheat Engine search for "MulticastDelegateProperty" check Addresses and find "None". Calculate Offset and put in in the patternsAndOffsets
Table. If a Match is found. It registers FNamePool

I want to find the GUObject Array. Any usefull tips or suggestions ?

[S1N74X]

Yeah, it's dodgy at best.
I was thinking about rewriting the code and updating it, but my LUA-fu is too weak.
I think the community should come together and work on it together.

Good Idea. Count me in

[JohnFK]

For UE4 the table isn't working anymore. On games which updated but still using UE4 I now receive this:

FNamePool not found, running scanner...

and obviously the scanner fails. I'm using the Update 7.3 table or is there any newer version?