kp7742 / ue4dumper Goto Github PK

hello guys , just a simple question : this is the Gworld Address from IDA in pubg mobile 0.19.0 0x6333120 so basically how can we get the uworld from the Gworld i would luv to learn so i can do stuff by myself eventho i've tried so many ways including reading from gworld at memory runtime but no use

Hey i am using this dumper for a long time but i need to know how can i find the viewworld....i can find the gnames and gworld with 0 efforts now....but i need the viewworld or else directly the view matrix..or atleast update them in a new txt files cz i think many even dont know how to find gworld and gnames....or viewworld.....any help is appreciated.

Could you tell me , how can I find the 64bit mobile program.thanks!

I make dump of UE4.19 game with --sdkw. I need to change bCheatFlying, but his offset is same with some fields. ByteMask and FieldMask different. This is bug of dump or I can use ByteMask and FieldMask?
bool bIgnoreClientMovementErrorChecksAndCorrection;//(ByteOffset: 0, ByteMask: 1, FieldMask: 1)[Offset: 0x3dc , Size: 1] bool bNotifyApex;//(ByteOffset: 0, ByteMask: 2, FieldMask: 2)[Offset: 0x3dc , Size: 1] bool bCheatFlying;//(ByteOffset: 0, ByteMask: 4, FieldMask: 4)[Offset: 0x3dc , Size: 1] bool bWantsToCrouch;//(ByteOffset: 0, ByteMask: 8, FieldMask: 8)[Offset: 0x3dc , Size: 1] bool bCrouchMaintainsBaseLocation;//(ByteOffset: 0, ByteMask: 16, FieldMask: 16)[Offset: 0x3dc , Size: 1] bool bIgnoreBaseRotation;//(ByteOffset: 0, ByteMask: 32, FieldMask: 32)[Offset: 0x3dc , Size: 1] bool bFastAttachedMove;//(ByteOffset: 0, ByteMask: 64, FieldMask: 64)[Offset: 0x3dc , Size: 1] bool bAlwaysCheckFloor;//(ByteOffset: 0, ByteMask: 128, FieldMask: 128)[Offset: 0x3dc , Size: 1]

ue4dumper --package com.studiowildcard.wardrumstudios.ark --sdkw --gname 0x74ff700 --gworld 0x763e738 <
Process name: com.studiowildcard.wardrumstudios.ark, Pid: 9075
Base Address of libUE4.so Found At 780ca9c000
Dumping SDK List
UWorld: 77f3649210 | Name: x
2 Items Dumped in SDK in 0.001005S

Process name: com.studiowildcard.wardrumstudios.ark, Pid: 11453
Base Address of libUE4.so Found At 780ada1000
End Address of libUE4.so Found At 78120f4000
Lib Size: 120926208
Rebuilding Elf(So)
warning load size [124290944] is bigger than so size [120926208], dump maybe incomplete!!!

android 9.0
ue 4.17

Do I have to take this ue4dumper binary and copy it to system/bin/sh folder of the device?

Dumping libUE4.so from memory doesn't work. Fails at "Rebuilding ELF(so)"

Hey there kmods, can u please give a tutorial video or your telegram id?
Im on Korea version and im not able to change package name, please help!
Thnx.

I built the binary using ndk as well as tried the ones provided by you.I tried using termux as well as adb shell.Whenevr tried to execute it , it says permission denied.Any solution ??

Hello every everyone,how i fix this problem thanks for help

I type cd ~/UE4Dumper/libs/armeabi-v7a && su -c ./ue4dumper --lib --package com.studiowildcard.wardrumstudios.ark --output /sdcard/

Base Address of libUE4.so Found At 8d04a000
End Address of libUE4.so Found At 9438a000
Lib Size: 120848384
Rebuilding Elf(So)
source so file is invalid

why fast dumping may miss some data

auto *buffer = new uint8_t[libsize];
memset(buffer, '\0', libsize);
vm_readv((void *) start_addr, buffer, libsize);

char *buffer = new char[1];
while (libsize != 0) {
    vm_readv((void *) (start_addr++), buffer, 1);
    ldump.write(buffer, 1);
    --libsize;
}

can you tell me the reason? thank you !

hello , basically the dumping is working fine but i was just wondering where the output of the lib would be in the emulator files , of cours i've found the lib in the libs folder of pubg mobile but am not sure if that's the one to use , am kinda trying to get the uworld and the gnames for my hack ..

hi i try to dump with Guobject arg and dumper end with 0 ressult for Gaame for peace
i take a look at source and on game memory
i see that FUObjectArrayToTUObjectArray = 0x8; this is true
but TUObjectArrayToNumElements is diffrent on Game of peace
to goet the correct count must use this : TUObjectArrayToNumElements = 0x20;
any way after modifying it it worked but i think FUObjectItemSize is worng
i think it must be 0x20
i am not sure and UObjectToOuterPrivate is maybe wrong
i am able to loop throught all objects but unable to get names due to have wrong offsets
hope you can update Guobject dumper for this game
thankyou

Hello , UE4Dumper team , when i was in dumping proccess of PUBG Mobile , i stopped where i could input offsets of GNames & GUObject & GWorld , is there any way to find them by IDA7.5 , if yes , what to do and where to search

Good work mate!

This worked really fine last season for me. Since, I thought to try this out on 64bit KR too, but it didn't work.

For detailed description check below picture:

Great Work Sir.

I am trying to use th following switch

--sdkw Dump SDK with GWorld
--gname

i know GWorld is 6333120 please correct me if i am wrong
https://ibb.co/WzkT2CZ

What is gname address please.

In addition it would be great if you could just give me a hint where will i find GName

Thanks
Regards,
Hammad

/data/local/tmp # ./ue4dumper --sdku
Can't find the process

/data/local/tmp # ./ue4dumper --lib
Can't find the process

Why???

Hi.
I use this tool to dump the sdk and get the sdk which work well to find the offset of a property in class but the offset of the method is somehow not point to the real address of method(which I known) in the ghidra. This is what I tried:
Look at the source code of UE4 to find the UFunctionToFunc offset and I find it is 0x71 in 32bit and try change it in source code, build and dump but still generate false method offsets.
My question is can I convert the the method offset this tool generate to the method offset from the libbase(libUE4_base_address + offset)? Or this is a bug of the tools?
I appreciate any help. Anyway thanks for this great project.

SDK.txt
If it is not stopped manually, it will continue to generate unlimited "None;" ,and all offsets are 0.

I noticed the following code in offsets.h
if(isARKSurvival()){ //Class: UWorld UWorldToPersistentLevel = 0x58; }
Do other offsets need to be corrected? How can we discover these offsets, any tutorials?

How can I find those pointer address for dumping? any tutorials for it?

[arm64-v8a] Compile++ : ue4dumper64 <= fix.cpp
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:143:101: warning:
format specifies type 'unsigned int' but the argument has type 'size_t'
(aka 'unsigned long') [-Wformat]
...[%u] is bigger than so size [%u], dump maybe incomplete!!!\n", maxLoad, len);
~~ ^~~
%zu
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:526:2: note: in
instantiation of function template specialization
'_regen_section_header<elf32_hdr, elf32_shdr, elf32_phdr, unsigned int, unsigned
int, elf32_sym, dynamic, elf32_rel, true>' requested here
_regen_section_header<Elf_Ehdr_Type, Elf_Shdr_Type,
^
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:601:3: note: in
instantiation of function template specialization '_fix_elf<elf32_hdr, elf32_shdr,
elf32_phdr, unsigned int, unsigned int, elf32_sym, dynamic, elf32_rel, true>'
requested here
_fix_elf<Elf32_Ehdr, Elf32_Shdr, Elf32_Phdr, Elf32_Word, Elf32_A...
^
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:355:50: warning:
format specifies type 'unsigned long long' but the argument has type 'uint64_t'
(aka 'unsigned long') [-Wformat]
printf("warning .init exist at 0x%016llx\n", tmp);
~~~~~~~ ^~~
%016lx
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:54:75: warning:
format specifies type 'unsigned long long' but the argument has type 'uint64_t'
(aka 'unsigned long') [-Wformat]
printf("relocation off %llx invalid, out of border...\n", tmp);
~~~~ ^~~
%lx
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:531:2: note: in
instantiation of function template specialization
'_fix_relative_rebase<elf32_shdr, unsigned int, elf32_rel, true>' requested here
_fix_relative_rebase<Elf_Shdr_Type, Elf_Addr_Type, Elf_Rel_Type, isElf32...
^
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:601:3: note: in
instantiation of function template specialization '_fix_elf<elf32_hdr, elf32_shdr,
elf32_phdr, unsigned int, unsigned int, elf32_sym, dynamic, elf32_rel, true>'
requested here
_fix_elf<Elf32_Ehdr, Elf32_Shdr, Elf32_Phdr, Elf32_Word, Elf32_A...
^
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:143:101: warning:
format specifies type 'unsigned int' but the argument has type 'size_t'
(aka 'unsigned long') [-Wformat]
...[%u] is bigger than so size [%u], dump maybe incomplete!!!\n", maxLoad, len);
~~ ^~~
%zu
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:526:2: note: in
instantiation of function template specialization
'_regen_section_header<elf64_hdr, elf64_shdr, elf64_phdr, unsigned int, unsigned
long, elf64_sym, Elf64_Dyn, elf64_rela, false>' requested here
_regen_section_header<Elf_Ehdr_Type, Elf_Shdr_Type,
^
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:604:3: note: in
instantiation of function template specialization '_fix_elf<elf64_hdr, elf64_shdr,
elf64_phdr, unsigned int, unsigned long, elf64_sym, Elf64_Dyn, elf64_rela, false>'
requested here
_fix_elf<Elf64_Ehdr, Elf64_Shdr, Elf64_Phdr, Elf64_Word, Elf64_A...
^
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:355:50: warning:
format specifies type 'unsigned long long' but the argument has type 'uint64_t'
(aka 'unsigned long') [-Wformat]
printf("warning .init exist at 0x%016llx\n", tmp);
~~~~~~~ ^~~
%016lx
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:54:75: warning:
format specifies type 'unsigned long long' but the argument has type 'uint64_t'
(aka 'unsigned long') [-Wformat]
printf("relocation off %llx invalid, out of border...\n", tmp);
~~~~ ^~~
%lx
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:531:2: note: in
instantiation of function template specialization
'_fix_relative_rebase<elf64_shdr, unsigned long, elf64_rela, false>' requested
here
_fix_relative_rebase<Elf_Shdr_Type, Elf_Addr_Type, Elf_Rel_Type, isElf32...
^
/data/data/com.termux/files/home/.suroot/UE4Dumper/jni/ELF64/fix.cpp:604:3: note: in
instantiation of function template specialization '_fix_elf<elf64_hdr, elf64_shdr,
elf64_phdr, unsigned int, unsigned long, elf64_sym, Elf64_Dyn, elf64_rela, false>'
requested here
_fix_elf<Elf64_Ehdr, Elf64_Shdr, Elf64_Phdr, Elf64_Word, Elf64_A...
^
6 warnings generated.
[arm64-v8a] Compile++ : ue4dumper64 <= kmods.cpp
[arm64-v8a] Executable : ue4dumper64
[arm64-v8a] Install : ue4dumper64 => libs/arm64-v8a/ue4dumper64
[armeabi-v7a] Compile++ thumb: ue4dumper <= ElfReader.cpp
[armeabi-v7a] Compile++ thumb: ue4dumper <= ElfRebuilder.cpp
[armeabi-v7a] Compile++ thumb: ue4dumper <= kmods.cpp
[armeabi-v7a] Executable : ue4dumper
[armeabi-v7a] Install : ue4dumper => libs/armeabi-v7a/ue4dumper

The result of getUObjectFromid function in DUMPSDK is not UObjectBase. According to the source code of UE4.23,The return value should be FuObjectItem*, but your process is to use the return result as UObjectBase and look for its ClassPrivate member, why is that? Thank you

i have dumped libUE4.so and have Gname ; Gworld ;Guobject offset

How can i get Aes key from them to unpak obb file plz 💛

hello frind
after i duped the lib
IDA show me that file have bad file structure cause i think elf fixer didnt fix it
so i hope you can fix it
thank you

./UE4Dumper64 --lib --package 'com.tencent.ig' --output /sdcard/script/

Process name: com.tencent.ig, Pid: 27481
Base Address of libUE4.so Found At 736e041000
End Address of libUE4.so Found At 7377ef5000
Lib Size: 166412288
Rebuilding Elf(So)
warning .init exist at 0x0000000000000200
warning .got is not after .dynamic use __global_offset_table as .got base
fixed so has write to /sdcard/script//libUE4.so
Rebuilding Complete
warning .got is not after .dynamic use __global_offset_table as .got base

hi, I was Using this Tool, And I got 10 Years of Ban,
Luckily it was my test account.

Any Detailed Video on this?

How to get gname address???

I'm using this tool to dump the game of Lineage W, but as I execute the command ./ue4dumper64 --lib, results show on the console of Can't find the process. Could you help me find what's the problem? And how can I fix it? Thanks a lot!

Can you please upload the new SDK for 0.19.0

I'm dump game on UE4.25. The game has differed in UStructToSuperStruct and UStructToChildren, which seems to be correct. sdkw print only 2 Items Dumped in SDK in 0.000755S sdku: 2464 Items Dumped in SDK in 5.53312S but don't dump fields and offset look 0x3ff9030a90800. What can I do?

I will be very helpful if u tell how to use i try by using the instruction but cant not do anything. I have not much knowledge about android development. Please make a guide with screen shots (ss) if u can.
or sent me privately.

I am running pubg mobile 1.3 in background
And then clone the git in termux
Execute the ue4dumper
It shows can't find the process :(
Help

Hello, what does the hexadecimal value at the end of the function in the SDK mean？

Hello developers, I am a windows apps developer myself and a reverse engineer recently got interested in PUBG Reversals.
Here is the issue: On emulators running 7.1+ Android OS, the dumper executable is detected at runtime and is killed before it can complete one command. As an example check the screenshots:

I even changed the name of the executable but then remembered PUBG might be detecting certain hashes or signature functions, or it could be checking access to its code memory using shell executable files. Any ideas are welcome to make it work, e.g. can I change some methods inside the library by renaming them, or can I encrypt the library functions to avoid detection? But since that is your expertise, I would like to see your expert opinion on the matter. If you can point me to customizing/encrypting/android based virtualizing/ to avoid detection in memory, I will gladly contribute to the project.
Thank you

can you make it support IOS ?

Very curious. Please ask. How can I use IDA to locate and analyze the offset sizes of corresponding FNameEntryToNameString、ULevelToAActorsCount、ULevelToAActors, etc. in different games？

Hi bro.
it just closing after call any param

Can you please confirm if SDK Dump With GObjectArray Args is working on latest PUBG 1.0 and UEDumper4 v0.10 ?
I tried to dump with which I feel is correct offset for guobj pointer, but it's failing.

in order to get further offsets we need to know object or class offset.
but in sdk dumps these offsets are not mentioned for example

Class: Actor.Object
ActorTickFunction PrimaryActorTick;//[Offset: 0x1c , Size: 60]

here offset of PrimaryActorTick is relative offset to Class Actor.object. How can we get offset of Actor.object

Does not work in version 1.9.10

Hello, I use your tool and it works fine for me, but I find it difficult. For pubg new state, all I can extract is strings using gname. Are there things that need to be modified to extract the sdk ?

like PUBGM

I opened the address in IDA and I found that the function name had exec in it, and that the function contained functions from the SDK.I suspect I gave the wrong address.
IDA: UCameraComponent::execAddOrUpdateBlendable{
return UCameraComponent::AddOrUpdateBlendable;
}
sdk: void AddOrUpdateBlendable();// 0x715bd04
Please tell me that this is the correct SDK YES or NO? thanks

You made this application which we appriciate.

But if we cant use it then its useless to us.

We dont have GWorld and GName to use this application.
we you tell us how to find it for 64 bit?

if not then atleast can you please mention the GWorld and GName when you release the SDK. just include it as text.

Thanks
Regards,
Hammad

Sorry for the English, I use a translator
I came across your program but did not understand how to use it, I use the command

/data/local/tmp/ue4dumper64 --package com.wb.goog.mkx --strings

but i get

Process name: com.wb.goog.mkx, Pid: 9006
Base Address of libUE4.so Found At b8b14000
Please Enter Correct GName Addresses!!

I do not understand where to get GName Addresses
I will be grateful for any help

I also wanted to know if it is possible to somehow embed strings into the database created by the Ida Pro, as, for example, is implemented in the Il2CppDumper program, which creates script.py?

An example for understanding:

#encoding: utf-8
import idaapi

def SetString(addr, comm):
global index
name = "StringLiteral_" + str(index);
ret = idc.set_name(addr, name, SN_NOWARN)
idc.set_cmt(addr, comm, 1)
index += 1

def SetName(addr, name):
ret = idc.set_name(addr, name, SN_NOWARN | SN_NOCHECK)
if ret == 0:
new_name = name + '_' + str(addr)
ret = idc.set_name(addr, new_name, SN_NOWARN | SN_NOCHECK)

def MakeFunction(start, end):
next_func = idc.get_next_func(start)
if next_func < end:
end = next_func
if idc.get_func_attr(start, FUNCATTR_START) == start:
ida_funcs.del_func(start)
ida_funcs.add_func(start, end)

index = 1
print('Making method name...')
SetName(0x2EF33B4, '<>f__AnonymousType0<j__TPar>$$.ctor')
SetName(0x2EF33EC, '<>f__AnonymousType0<j__TPar>$$Equals')
SetName(0x2EF3494, '<>f__AnonymousType0<j__TPar>$$GetHashCode')
SetName(0x2EF34F8, '<>f__AnonymousType0<j__TPar>$$ToString')
SetName(0x3B4A954, 'Locale$$GetText')
SetName(0x3B4A958, 'Locale$$GetText')
SetName(0x379AA54, 'SR$$Format')
SetName(0x379AAD4, 'SR$$Format')

We know the entity structure offset for 32 bit is 0x10
can you please tell us what is the entity structure offset for 32bit?

Thanks
Regards,
Hammad

Hi, i wanna ask
GUObject is localplayer object ? or another mean ?

when i open pubg and put in termux su then
./ue4dumper -l
to get pubg libuE4.so
i didnt get the lib dumped
i get in storage libUE4.so (larger size)
what should i do with this file to dump and get gname? thank u

Can't find Library: libUE4.so
Why?

Does pubg dump support？