Page 1 of 3

Basic UE4 Win64 Base Table

Posted: Mon Nov 16, 2020 7:21 am
by Cake-san
Made this table for learning purpose and to ease the making of cheat table for UE4 Win64 based game...

Prerequisite: Basic Lua programming knowledge & OOP data structure knowledge & Table making knowledge...


Features:
- Create structure dissect from UE4 class object
- Basic UE4 Object Dumper
- Example scripts & pointers

[Troubleshooting]

run dissect code & wait until finished then you can search for Referenced strings
you can also Save DissectCode after it had finished so, you can Load it when you want to use it again...

- StaticFindObject aob not found... - search for "Illegal call to StaticFindObject()" (without the quote)

- UObjectArray aob not found... - search for "UObject serial numbers overflowed" (without the quote)
Note: most of the time this function(FUObjectArray::AllocateSerialNumber) is being called by FWeakObjectPtr::operator= (which handle static/base address of UObjectArray) but for rare cases, it handle that address by its own...

- GetFullName aob not found... - search for "This platform requires cooked" (without the quote) -error code in range of: 0x572,0x59D,0x20D,0xF2,1CB, 0x715,0x740,0x8A,0x20F,0x13F,1DA(not the smallest nor the biggest, more on middle value,maybe)
Note: A little above the result there's a call & it might be GetFullName function
Note: Inside GetFullName there is a Function FName:AppendString (2nd or 3rd or 4rd call) & inside of that Function contain a function that handle static/base address of FNamePool...

- Game Crashed while activating script - comment out all 'createThread(ue4createstruct' , then you have to find out if all function & parent/child offset is valid...

Note: Example script will only work if game use generic variable else you have to make your own script...

Credits:
-CheatingMuppet - Satisfactory table & UE4 insight
-happyTugs - GNames & GObject Dumper for UE3 table
-Corrm - Unreal Finder Tool
-Fearless & CE forum , Tool Creators & Communities


Update 1
-Fix AOB part for ue4.18 & ue4.25
Update 2
-Add more AOB for ue4.25
-ue4.25 dumping also include property inside Function

Image

Re: Basic UE4 Win64 Base Table

Posted: Fri Nov 27, 2020 12:49 pm
by grbras
First of all, this is nicelly done, and it could convert into a full sdk generator. So thank you for your effort, and i hope to see more from this.

Second, those structs are hand made and saved on the ctable "Win64-Shipping.CT", or are you generating them on the fly?

Re: Basic UE4 Win64 Base Table

Posted: Sun Nov 29, 2020 1:42 pm
by Cake-san
Unreal Engine Algorithm version
Made this because I can't find a dumper that can dump the game I'm playing...

Features
- Added support for some UE4 32 bit based game... (I only have 1 game,lol, so can't test much)
- Added support for some UE3 based game... ( I only have 2 games for this engine version, so you need to configure it before use, if its offset is different...)
- Added FName dumper
- Added Tools -> makeshift FNamePool scanner script

Pros
- Stable & doesn't crash much & compatible with many games...

Cons
- 2.5x times slower than calling function...
- Inaccurate for some games...

Update 1
- Fixed a typo that made the script unable to dump property for >=25 version
- Fixed StaticFindObjectAlgo script to find object more accurately...
Sorry, for the inconvenience...

Update 2
-Performance update... cache & more caching & multi threading... first time dump is 0.5 slower than calling one but after that 2x times faster than calling one...
-fixed ue4determineversion() script...

Update 3
- FNameStringAlgo now distinguished between utf-16 or utf-8 fname on ue4
- createstruct will now add 4 bytes placeholder for unknown offset

Update 3.5
- Added support for UE4.10

Update 3.9
- Optimized script to be a bit faster & fixed other issues... :ph34r:

Update 4
- Added structureDissectCallback - so, just like mono/.net when this script is activated , it will automatically fill structure dissect with symbols if it's a valid Instance address..
- Object Dumper will now dump Enum's value & StructPropery/ObjectProperty will have ~ toward its ScriptStruct

Update 4.1
- Fixed infinite loop & findAddress bugs for ue<25 games

Update 4.2
- Fixed stackoverflow for ue4.25+

Re: Basic UE4 Win64 Base Table

Posted: Tue Jan 05, 2021 2:27 am
by ctl3d32
Nice Tool. It already helped me a lot. Keep the good work!

Re: Basic UE4 Win64 Base Table

Posted: Fri Jan 08, 2021 8:12 pm
by jgoemat
This seems very interesting, but I don't know how to use it or what games to use it on. Could someone post an example? Something like "I hook into Batman: Arkham Asylum (which is a UE4 game I think), expand the 'UE4 entry, and click on 'Basic UE Object dumper'. Then I see there's a class called 'Script/Batmobile' and I click on X and do Y and now it's invulnerable." Or not even a full cheat, but how this would be used to dissect a structure you found a pointer to some other way. Can it tell what type you are pointing to and provide the structure? Do you just have to click those two things for that to happen automatically, or do you have to do something else?

Thanks!

Re: Basic UE4 Win64 Base Table

Posted: Sat Jan 09, 2021 10:44 am
by Cake-san
Basic:
If you know OOP you should be able to understand this...
Image


Interesting variables will most likely be inside PlayerController.Character/.Pawn or GameInstance depending on what you want & where dev put that stuff...
Image

Code: Select all

function ue4createstruct(fullnameOrAddress,name,depth,isfullname)
function uecreatestruct(instance,name,depth,isfullname)
depth is how far you want the struct to be which is 0 if you dont want to include parent/super class's member or vice versa...

Image

When struct had been created, you can use its symbol...
Image

You can look into my latest UE based table for reference

Re: Basic UE4 Win64 Base Table

Posted: Thu Feb 11, 2021 2:58 am
by gideon25
Cake-san wrote:
Sun Nov 29, 2020 1:42 pm
Unreal Engine Algorithm version
Made this because I can't find a dumper that can dump the game I'm playing...

Features
- Added support for some UE4 32 bit based game... (I only have 1 game,lol, so can't test much)
- Added support for some UE3 based game... ( I only have 2 games for this engine version, so you need to configure it before use, if its offset is different...)
- Added FName dumper
- Added Tools -> makeshift FNamePool scanner script

Pros
- Stable & doesn't crash much & compatible with many games...

Cons
- 2.5x times slower than calling function...
- Inaccurate for some games...

Update 1
- Fixed a typo that made the script unable to dump property for >=25 version
- Fixed StaticFindObjectAlgo script to find object more accurately...
Sorry, for the inconvenience...

Update 2
-Performance update... cache & more caching & multi threading... first time dump is 0.5 slower than calling one but after that 2x times faster than calling one...
-fixed ue4determineversion() script...

Update 3
- FNameStringAlgo now distinguished between utf-16 or utf-8 fname on ue4
- createstruct will now add 4 bytes placeholder for unknown offset
So im in a game where the referenced strings say UnrealEngine_4_10_4. The main script wouldn't activate first saying the AOB for GUObjectArray wasn't found, then the AOB for GEngine wasn't found. I put the correct AOBs here:

if targetIs64Bit() then

local address=findAddress('GUObjectArray',0,'4C 8D * * 4E 91 01 * * 71banana',process,nil,0,true)[1]

and here

findAddress('GEngine',1,'41 B8 01 00 00 00 48 8D 4C 24 48 E8 * * * * 48 8B D8 E8 * * * * 4C 8B 03banana',process)<--(engine is the 2nd AOB when aob scanning with cheat engine, correct?)

When attempting to activate the main script after that I get a Range Check Error. Can you help? Thanks!

Re: Basic UE4 Win64 Base Table

Posted: Thu Feb 11, 2021 7:37 am
by Cake-san
gideon25 wrote:
Thu Feb 11, 2021 2:58 am
...
# Updated Nah
Cake-san wrote:
Sun Nov 29, 2020 1:42 pm
Update 3.5
- Added support for UE4.10

Re: Basic UE4 Win64 Base Table

Posted: Sat Feb 13, 2021 12:27 am
by gideon25
Cake-san wrote:
Thu Feb 11, 2021 7:37 am
gideon25 wrote:
Thu Feb 11, 2021 2:58 am
...
# Updated Nah
Cake-san wrote:
Sun Nov 29, 2020 1:42 pm
Update 3.5
- Added support for UE4.10
Just some quick questions, sorry to bother:
NICE! So I am just learning this stuff but I found out the main character stuff is in:
00000168A62E9D80 Class /Script/PumpkinOnline.Main_Character_PC ~ Class /Script/Engine.PlayerController

So i created a structure with the lua function you showed with 168A62E9D80 and there it was! Amazing!
Question1:
Now in this case what would be like the pointer to this if I wanted to create some pointers in the table using the names to get to it (Like you have).

here are the things at the top of the uobject dump:

Code: Select all

00000000] 00000168A840EC00 Package /Script/CoreUObject
[00000001] 00000168A62EF000 Class /Script/CoreUObject.Object
[00000002] 00000168A840F300 Package /Script/Engine
[00000003] 00000168A62EBD00 Class /Script/Engine.BlueprintFunctionLibrary ~ Class /Script/CoreUObject.Object
[00000004] 00000168A840F000 Package /Script/PumpkinOnline
[00000005] 00000168A62EBE80 Class /Script/PumpkinOnline.CustomBlueprintNodes ~ Class /Script/Engine.BlueprintFunctionLibrary
[00000006] 00000168A62EB580 Class /Script/Engine.Actor ~ Class /Script/CoreUObject.Object
[00000007] 00000168A62EB700 Class /Script/Engine.Pawn ~ Class /Script/Engine.Actor
[00000008] 00000168A62EBA00 Class /Script/Engine.Character ~ Class /Script/Engine.Pawn
[00000009] 00000168A62EBB80 Class /Script/PumpkinOnline.AnimalMaster ~ Class /Script/Engine.Character
[00000010] 00000168A62EB280 Class /Script/Engine.AnimInstance ~ Class /Script/CoreUObject.Object
[00000011] 00000168A62EB400 Class /Script/PumpkinOnline.AnimalAnimInstance ~ Class /Script/Engine.AnimInstance
[00000012] 00000168A62EAE00 Class /Script/Engine.AnimNotify ~ Class /Script/CoreUObject.Object
[00000013] 00000168A62EAF80 Class /Script/PumpkinOnline.AnimNotify_PlaySoundForToolbase ~ Class /Script/Engine.AnimNotify
[00000014] 00000168A62EAC80 Class /Script/PumpkinOnline.Breakable_Object ~ Class /Script/Engine.Actor
[00000015] 00000168A62EA980 Class /Script/PumpkinOnline.BugSpawnManager ~ Class /Script/Engine.Actor
[00000016] 00000168A62EA800 Class /Script/PumpkinOnline.NpcBase ~ Class /Script/Engine.Character
[00000017] 00000168A62EA500 Class /Script/CoreUObject.Interface ~ Class /Script/CoreUObject.Object
[00000018] 00000168A62EA680 Class /Script/PumpkinOnline.PumpkinChildInterface ~ Class /Script/CoreUObject.Interface
[00000019] 00000168A62EA200 Class /Script/PumpkinOnline.NpcChar ~ Class /Script/PumpkinOnline.NpcBase
[00000020] 00000168A62EA080 Class /Script/PumpkinOnline.DummyNpc ~ Class /Script/Engine.Actor
[00000021] 00000168A62E9F00 Class /Script/PumpkinOnline.MinigameSetMasterCpp ~ Class /Script/Engine.Actor
[00000022] 00000168A62E9A80 Class /Script/Engine.Controller ~ Class /Script/Engine.Actor
[00000023] 00000168A62E9C00 Class /Script/Engine.PlayerController ~ Class /Script/Engine.Controller
[00000024] 00000168A62E9D80 Class /Script/PumpkinOnline.Main_Character_PC ~ Class /Script/Engine.PlayerController
and so looking here at the /PumpkinOnline.Main_Character_PC structure:
Image

Question2:

lets say I wanted to create a structure with the names populated for InventoryObjects (in tha pic). In the dump it shows:
00000168B6925D00 ArrayProperty /Script/PumpkinOnline.Main_Character_PC:InventoryObjects

So would you happen to know how to do that? This didn't work.
ue4createstruct(0x168B6925D00,'invent',0)
uecreatestruct(0x168B6925D00,'invent',0)

And what would THAT pointer look like if I wanted to add it to the table? Thanks, this would help me learn a lot!

Re: Basic UE4 Win64 Base Table

Posted: Sat Feb 13, 2021 5:14 am
by Cake-san
gideon25 wrote:
Sat Feb 13, 2021 12:27 am
...
Answer 1:

GameEngine -> GameInstance -> LocalPlayers[0]- > PlayerController ?

Answer 2:

Since it's an ArrayProperty , you need to find ScriptStruct for that Property, in your case might be ScriptStruct /Script/PumpkinOnline.InventoryItem ?

Re: Basic UE4 Win64 Base Table

Posted: Sat Feb 13, 2021 5:46 am
by gideon25
Cake-san wrote:
Sat Feb 13, 2021 5:14 am
gideon25 wrote:
Sat Feb 13, 2021 12:27 am
...
Answer 1:

GameEngine -> GameInstance -> LocalPlayers[0]- > PlayerController ?

Answer 2:

Since it's an ArrayProperty , you need to find ScriptStruct for that Property, in your case might be ScriptStruct /Script/PumpkinOnline.InventoryItem ?
So I see this:

Code: Select all

[00004992] 0000022C230F0C80 ScriptStruct /Script/PumpkinOnline.InventoryItem ~ ScriptStruct /Script/Engine.TableRowBase
[      98] 0000022C2DF52680 ArrayProperty /Script/PumpkinOnline.InventoryItem:ExtraOptions
[       0] 0000022C2DF52600 StructProperty /Script/PumpkinOnline.InventoryItem:ExtraOptions.ExtraOptions
[      88] 0000022C2DFDBDE0 StrProperty /Script/PumpkinOnline.InventoryItem:OptionsString
[      68] 0000022C2DF52580 AssetObjectProperty /Script/PumpkinOnline.InventoryItem:ShopMesh
[      60] 0000022C2DFDBD70 IntProperty /Script/PumpkinOnline.InventoryItem:SellPrice
[      5C] 0000022C2DFDBD00 IntProperty /Script/PumpkinOnline.InventoryItem:BuyPrice
[      5A] 0000022C2DF52500 ByteProperty /Script/PumpkinOnline.InventoryItem:ToolType
[      59] 0000022C2DF52480 ByteProperty /Script/PumpkinOnline.InventoryItem:ToolTier
[      58] 0000022C2DF52400 ByteProperty /Script/PumpkinOnline.InventoryItem:Category
[      54] 0000022C2DFDBC90 IntProperty /Script/PumpkinOnline.InventoryItem:MaxStack
[      50] 0000022C2DFDBC20 IntProperty /Script/PumpkinOnline.InventoryItem:StackAmount
[      30] 0000022C2DF52380 AssetObjectProperty /Script/PumpkinOnline.InventoryItem:Mesh
[      28] 0000022C2DF52300 ObjectProperty /Script/PumpkinOnline.InventoryItem:Thumbnail
[      18] 0000022C2DFDBBB0 StrProperty /Script/PumpkinOnline.InventoryItem:Description
[       8] 0000022C2DFDBB40 StrProperty /Script/PumpkinOnline.InventoryItem:Name
[       0] 0000022C2DFDBAD0 NameProperty /Script/PumpkinOnline.InventoryItem:RowName
and this:
[00003311] 0000022C230F5780 ScriptStruct /Script/Engine.TableRowBase

So what would the pointer look like? I guess Im having trouble understanding where it would go here and what it would be called, how it would look:
Image

While I can generate a dissect/structure for this using your lua commands:
[00004992] 0000022C230F0C80 ScriptStruct /Script/PumpkinOnline.InventoryItem ~ ScriptStruct /Script/Engine.TableRowBase

How can I tell where the stuff goes?

Also curious:
IF I don't have the actual address to put into that structure, it won't work. Lets say I generated the structure, and wanted to find out the address I needed to put into it and I just had this (without your pointers): [00004992] 0000022C230F0C80 <<--what would I need to do with it to find the address I need to put into the structure after I generated it? IS it all so nested that my pointer would look like the pic above? Everything comes from gEngine?

Thanks!

Re: Basic UE4 Win64 Base Table

Posted: Sat Feb 13, 2021 6:45 am
by Cake-san
I can't help much on forum , because it keep disconnecting...

Code: Select all

{$lua}
if syntaxcheck then return end
for i=memrec.Count-1,0,-1 do
  memoryrecord_delete(memrec.Child[i])
end
[ENABLE]
if not ItemList then
  memrec.setAddress('+PlayerController.InventoryItemsTable')
  memrec.OffsetCount=1
  memrec.Offset[0]=0
  local list,pointer,fname,len,name,desc=memrec.getCurrentAddress()+0x30
  ItemList='0000000000000000:None\n'
  for i=0 ,readInteger(list+8)-1
  do
    pointer=readPointer(readPointer(list)+i*0x18+8)
    fname=readQword(pointer)
    len=readInteger(pointer+0x10)
    name=readString(readPointer(pointer+8),len*2,true)
    len=readInteger(pointer+0x20)
    desc=readString(readPointer(pointer+0x18),len*2,true)
    if name and string.find(name,']') then name=name:sub(string.find(name,']')+1,name:len())end
    if desc and string.find(desc,']') then desc=desc:sub(string.find(desc,']')+1,desc:len())end
    ItemList=ItemList..string.format('%016X:%s     %s\n',fname,name,desc)
  end
end

memrec.setAddress('+PlayerController.InventoryObjects')
local count=readInteger(memrec.getCurrentAddress()+0x8)
memrec.OffsetCount=1
memrec.Offset[0]=0

local rec,tec,pointer,len,name
for i=0,count-1 do
  rec = getAddressList().createMemoryRecord()
  rec.setDescription('RowName')
  rec.setAddress(string.format('+%X',i*0xA8))
  rec.VarType='vtQword'
  rec.appendToEntry(memrec)
  rec.ShowAsHex=true
  rec.DontSave=true
  rec.DropDownList.Text=ItemList
  rec.DropDownDescriptionOnly=true
  rec.DisplayAsDropDownListItem=true
end
[DISABLE]

Re: Basic UE4 Win64 Base Table

Posted: Sat Feb 13, 2021 9:18 am
by gideon25
Cake-san wrote:
Sat Feb 13, 2021 6:45 am
I can't help much on forum , because it keep disconnecting...

Code: Select all

{$lua}
if syntaxcheck then return end
for i=memrec.Count-1,0,-1 do
  memoryrecord_delete(memrec.Child[i])
end
[ENABLE]
if not ItemList then
  memrec.setAddress('+PlayerController.InventoryItemsTable')
  memrec.OffsetCount=1
  memrec.Offset[0]=0
  local list,pointer,fname,len,name,desc=memrec.getCurrentAddress()+0x30
  ItemList='0000000000000000:None\n'
  for i=0 ,readInteger(list+8)-1
  do
    pointer=readPointer(readPointer(list)+i*0x18+8)
    fname=readQword(pointer)
    len=readInteger(pointer+0x10)
    name=readString(readPointer(pointer+8),len*2,true)
    len=readInteger(pointer+0x20)
    desc=readString(readPointer(pointer+0x18),len*2,true)
    if name and string.find(name,']') then name=name:sub(string.find(name,']')+1,name:len())end
    if desc and string.find(desc,']') then desc=desc:sub(string.find(desc,']')+1,desc:len())end
    ItemList=ItemList..string.format('%016X:%s     %s\n',fname,name,desc)
  end
end

memrec.setAddress('+PlayerController.InventoryObjects')
local count=readInteger(memrec.getCurrentAddress()+0x8)
memrec.OffsetCount=1
memrec.Offset[0]=0

local rec,tec,pointer,len,name
for i=0,count-1 do
  rec = getAddressList().createMemoryRecord()
  rec.setDescription('RowName')
  rec.setAddress(string.format('+%X',i*0xA8))
  rec.VarType='vtQword'
  rec.appendToEntry(memrec)
  rec.ShowAsHex=true
  rec.DontSave=true
  rec.DropDownList.Text=ItemList
  rec.DropDownDescriptionOnly=true
  rec.DisplayAsDropDownListItem=true
end
[DISABLE]
Hi, thanks but I get an error at line 1 attempt to perfom nil value for line 13.
Does it help that I created my player controller like this:

createThread(ue4createstruct('/Script/PumpkinOnline.Main_Character_PC','MainChar_PC',2))

which allowed me to see pawn and the inventory pointers..

Re: Basic UE4 Win64 Base Table

Posted: Sat Feb 13, 2021 4:26 pm
by Cake-san
gideon25 wrote:
Sat Feb 13, 2021 9:18 am
...
Aren't you a Table Maker... You're supposed to edit the script according to your needs & circumstances... :roll:

Here's an example table:

Re: Basic UE4 Win64 Base Table

Posted: Sat Feb 13, 2021 6:47 pm
by gideon25
Thanks!