Reversing Unreal Engine 4 and Finding GName, GObject and GWorld (Reversing my friends game Part 1)

hello everybody i'm russell j

and as the title says today i'm going to

be reversing my friends game

along with going into a little bit of an

in-depth explanation on how to find

g-names g objects g-world and a couple

other things that you would want

if you plan to reverse unreal engine 4

games or generate sdks if you're into

that which i very much

am so full disclaimer that i did get

permission from my friend to reverse his

game i'm not a douche bag

to that degree so i will feel no remorse

doing this and you can try this on his

game but he'll have an update out

already because this is a previous

version so yeah

have fun with that but basically i'm

going to say a couple things right off

the bat

this will not this will be preferably

for

games made with unreal engine 4.22

and lower because at 4.23 g

names was deprecated and replaced with f

name it's a complete it's you know a

different thing but

you can use it the same but base i'm not

going to go over that in this tutorial

this is for unreal engine 4.22

or lower so pretty much what we're going

to want to do

is if you are new to reversing unreal

engine 4 games or

you know you should have some experience

with things like ida

or understanding what patterns are

if not i'll explain a little bit of that

but you should have a basic

understanding and you should be using

ue4 you know to a degree that you will

understand

things reversing you want to use it

really before you reverse it

so what i'm going to do is i'm going to

go over how to find g

names which is the global name array has

all the names in a game

the global objects array it's an array

of all the objects in a game

and global world uh g world which is

basically a pointer to all the objects

in the world

so that's that we're also going to be

searching for something called process

event

now process event is

basically a function that you can use

in 104 games to call other functions in

fact the parameters are even you

functions and the struct

or you know a struct of parameters that

you want to use for the function you

want to call

and that's very useful because if you

decide to generate an sdk

for you know let's say this game sector

452

well then if you want to generate an sdk

you can't really call any functions or

anything

without having the pattern to

process event so it is a very important

thing in my mind you don't need it to

generate an sdk but you damn well needed

to use it

to the degree i like to use it so yeah

there's that

but pretty much that's what i'm going to

be going over

i will say that there is a better

tutorial that explains if you

want to learn more if you're watching

and like hey what's this whole g name g

object bullcrap i will have a link in

the in the description and actually up

on the screen

basically this guy made a video that

explains it

better than i could explain it so if you

don't know what i'm talking about and

you're very confused and you're just

starting to reverse uv4 games

you're going to want to watch that guy's

video and learn more about what

everything is that guy made a very good

video

so to start off if you are reverse new

to reversing ue4 games

which i assume you are good rule of

thumb is to

create a test game for yourself

i have a test game up in ida right now

that i made

basically you want the test game to have

a pdb

or include debug files and if you don't

know if you're not being able to get it

when you

well package a project the engine has to

have engine

debugging symbols included which is like

another 10 gig

download but it is very good for

practicing

because when you have a pdb which i hope

you know but a pdb allows you to view

all the functions in a game this game

right here that i have is a test game

uh it's literally just the uh default

first person shooter template

or yeah so but if i look for a function

for example something as simple as

jump

you just give it just a second to load

through all the stuff you can see a

bunch of functions a character can jump

internal

however if i was to do that to my

friend's game which doesn't have an sd

which doesn't have a pdb nothing will

pop up because none of the functions are

named

so it's always good to kind of match up

take a look at a game that you made that

you know the functions to

and basically compare stuff and see

you know what works and what doesn't so

first off i'm going to show you how to

get the g

world g object and g names and actually

process event

with a game that you have a pdb with so

let's get this out of the way first for

pdb users i know a lot of games like

satisfactory and stuff do that so if

you're into that

let's just get that out of the way and

then i'll reverse the game and i'll show

you how to do it so if you do not have a

pdb just skip ahead from here

so for a pdb if you want to scan for g

names you're going to want to go into

the function box by the way

assuming you've used ida before you're

going to want to

wait until the initial analysis is

complete you will know that when this

yellow ball right here turns green like

it is now

you'll be able to search for much more

things and there will be a lot more

results

once you let the analysis fix uh finish

uh secondly let's go into options

general and you want to set the op codes

to 10.

basically the op codes are the bytes

that are displayed over here so if i set

them back to 10

you can see they appear and it'll be

easier to copy and paste and overall

just easier

if you're in graph view just press space

to get out of it

you should know the basics of ida now

back to the good stuff

so for g names the function that you

want to search for is

fname get names

right here and basically you are going

to want to copy the bytes from

here the move to the jnz

so basically these right here and i'll

just copy and paste them over real quick

to show you

these are the three bites that you were

going to want

should be 12 bites you can have more but

this is what i do

and that is that's good right there so

you have the gnames bytes right there

perfect if you want to find the g

object you don't have to search for

anything

uh function wise you just select g

object

copy this this is an address so to go to

an address in

ida you want to press the g button let's

paste this address in there

press ok it takes you to here where it's

actually named

then you just click the xref and boom

there is your g object array so again

according to right here this document i

have that i made

you want to have the bytes from the li

and the call so let's just go over there

should be another 12 bytes you can do

more again

okay there we go

and if you are you know more in depth

when we get the pattern scanning and

stuff you can just use patterns and

sometimes you'll never have to update

the actual game if you have good wild

cards

so that's done now g world

it's just like g object you're gonna

copy this address

you're gonna press the g button search

for the address

go to the xref and down here it states

you're going to want

move test and jnz so if we look at this

we can see should be another 12 if i'm

not mistaken

boom boom

boom so there you go there's that

very easy very simple when you have a

pdb i'm also going to show you process

event

you just literally go into the function

search search view object

colon colon process event

and there you go you can copy any bytes

from here i like to do these two little

moves right here like 11

bytes so that's perfect so right there

you have what you're looking for so

you're fine now

again that was for with the pdb now

we're going to go over

to without a pdb we're going to actually

start reversing my friend's game

as i wanted to do but now you have this

little info if you ever come across a

game with the pdb

or just want to practice for yourself

because this will come up later just

remember that

so if you go into here we did process

event there is another thing i forgot to

talk about which is create default

object

i don't really feel like going into this

because honestly most games have the

exact same pattern this little thing

right here these patterns right here but

for the hell of it

and um if you have a game with the pdb

you can just type in

create default object

you class create default object you can

just copy the bytes here but

i've never had a game that didn't work

with the pattern that was provided so

you really don't need that but there you

go a little bonus tip of the day

wow so let's start reversing games

like you probably have that don't have

pdbs because developers aren't that cool

anymore

so this game doesn't have a pdb so we're

going to be abusing strings

hopefully you did watch you know the

front part the first part so you know

how to set the op codes and you

you know know the importance of ida and

stuff how to get out of graph view

so what we're going to want to do you're

going to want to go to view

open sub views and strings again

the ball up here turn from yellow to

green so it is finished analyzing

let it do its little thing with its

generating strings it's going to

generate a lot of them

we're only going to be searching for a

few them a few that work for us so let's

get rid of this little tab here

i like to have a little document open

just to you know

keep a record of things for later all

right

all the strings are done generating so

what we're going to want to do

is i have two strings you can abuse here

but this one right here is the one that

i see in most ue4 games

so let's just copy this this string

we're going to be abusing it

beat the hell out of the strings you see

the string

it's been found in the string list we

want to click it

and we want to go to xref so basically

the way the string

you know search works is this string

isn't a function

and in that function you know when you

go to the x ref it takes you to the

function it's actually listed in

click you click the sub is a function

it takes you to the function in fact i

think it is a version function if i'm

yes it is

so this is perfect so what we're going

to want to do

if you watch the first part you remember

that when we were searching

for the g names and we found it

it looked like this this was the

structure of it well

the structure should be the same for

this game as the engine versions are

relatively close

in fact if i even scroll down a bit

what do you see here in the pdb version

of the game

you see the same exact layout

except this function isn't named this

one is get os version but it has the

same exact stuff the same setup the same

bytes not same bytes the same strings so

in fact

nice little tip on how to rename

function

let's take copy this name of the

function over to here you don't have to

do this ain't mandatory at all but just

so we don't lose our track

boom that's how you name a function but

as you can see it's exactly the same

and if in the pdb when you scroll up

you see the nice little g names right

here should mean

for the non-pdb game after searching for

this string

when you scroll up you should also get

the g names

so there we go that is the g names

now i do have it written to the side so

you don't have to have another thing of

i to open

but pretty much you want to copy the

move the test and the jnz

there is what the g g names are supposed

to look like and

we found them over here it's very simple

so now let's copy down the three bytes i

said we want the move

we want the test

and we want the jnz

there we found the g names one down a

couple more to go

so now that you understand the basic of

abusing the string and

you know comparing i'm going to be

comparing some more

so we have g names down and i'm actually

in fact i'm going to name the function

because i don't want to lose this in

case i decide the modest game in the

future so

there's the name boom now if we search

it in here

f name get named void yeah

peers should be fine excuse me

so i also have a little bit of notes

here the g

name should always start with 48 a b 0

5. i've always seen that

so as you can see 48 ab05 started with

it we have the three we copied it down

we're perfect

now for g objects we are going to want

to abuse the string

this string called a accent grave i

don't know how to say that so let's go

with it yay

so let's do the same thing we did before

let's search for the string

and it says we want the first result

usually so let's go to the first result

again you want to click the xref this

function

perfect now it's a little far

up for g objects it's not right above

if you remember but a good comparison is

if you have another game open again with

the pdb

you can search for the string in here

too

and see if it appears it appeared here

let's go to the xref if i scroll up a

bit

on uh the pdb game we can see

that it gets to a point where it shows

the g objects it is in this function

list

so in theory now that we have a string

that properly works

one of the ones i listed if we to scroll

up

and we compare each function to this

setup

we should find the g objects this way so

let's scroll up a bit

nope nope nope nope

nope nope nope nope

nope nope nope nope

nope nope jesus christ nope

nope you can see we're still scrolling

up

oh but what is this right here this

looks a little familiar

srw lock look right down here

in the pdb game there is something else

called

uh initialize srw lock and it has the

same type of setup

and above this is apparently the g

object array if we look above there it

is

there's the g object array and again you

can compare it with this

notepad i have here which basically

tells you the setup it should be it

should be a sub

lee call lee add jump sub something like

that and

if you look it seems to be exactly what

it is

now does it start with 48 ad 0d

4880 we [ __ ] got it

so now g object

g object now according to this and

according to what i say

we want the 12 bytes here on the li and

the call so let's just copy these babies

over

for the record i even get confused every

now and then and again i'm not some kind

of you know

i'm not a pro reverser i'm just some one

who's

bored pretty much wow i really screwed

up notepad plus plus there

but i get confused sometimes i got

you will not believe how many times i

saw this

in a non-pdb game didn't see the

initialize srw lock and thought oh my

god i found the g

names or g object so it's all right to

make mistakes

you know you just gotta learn from them

see what you did wrong

so we got the g objects i'm actually

gonna label this

so that we have it in the future lee

yep let's rename this to that

just some housekeeping

there we go now what we're going to want

to find

next is g world

i have another string that we can abuse

so

if we look at this g world should almost

always look

somewhat similar to this and it should

always start usually

with always start usually am i talking

about always or usually

most of the time i'll say that it'll

save my ass

so the string that i have to abuse is

failed to load unreal engine class

the first result so let's search for

that in the friends game

there's a result let's go to the xref

it's the same one here it doesn't matter

what you press and i note here to scroll

down

if you remember we've been scrolling up

so to have the note to scroll down

really remember so what we're going to

be looking for is in the instruction

list

we're going to scroll until we find a

move ss

x corps you commit blah blah blah or

something similar to this kind of setup

i'm not going to compare it to a pdb

because i feel like that's taking more

time and i think you got the idea the

first time

so now that we have it let's start

scrolling down until we see it i'm not

going to say no million times

i'm just going to be going with my line

so this here this isn't it yet

you can keep scrolling it is a bit far

down and depending on the game it could

be very far down but you just want to

keep scrolling

it's a new function here

a lot of moves but not the move we're

looking for

no oh

is this let's see nope does not look set

up right

it looks like it in the beginning but it

isn't let's keep scrolling then

oh right here

is this it move ss yep it's a d word

one one zero one

the rba yes this looks like it is and

let's compare it

with the game with the pdb if i search

for g

world is it set up the same

why yes it is and as i said in here we

want the move the test and the j and z

just like the g names so what we're

gonna want to do is let's go down

until we see the move perfect let's copy

this bad boy

let's paste it right here let's copy

this

paste it right here and finally the j z

i don't know why i said j and z

perfect should be another 12 you can do

more again but this works fine

and just for some housekeeping i'm going

to label g

world

yeah alright i was right i was a little

confused there for a second

boom so we found three now

let's search for process event which is

the next thing on our list

process event

if we go back over to our g docs

we scroll down now i have a couple ways

that i use to find process event i'm

going to show you the string abuse and

i'm going to show you the possible sig

that i have i went through many unreal

engine games

and i found this sig works for a lot of

them so maybe it'll work for you

so pretty much let's abuse this string

right here i have

access none no context and it says to

scroll down

and this should be the setup hopefully

and a lot of and some games will not

have the setup so it'll take a little

digging on your part

to find it sometimes but for this game

and this purpose

this is what we're gonna do so let's go

to strings

let's search the string perfect there's

a result

an x-ray perfect sometimes they won't

have extras which really sucks but there

it is so

that just click it and i say to scroll

down so let's scroll down

jesus oh

oh wow it was right there it was right

beneath it it will not always be like

that but yeah if you scroll down from

the xref

look at the comparison

more importantly though look at this it

looks identical

and let's go into quickly the

pdb game and let's search for the

process event here

object process event it looks

like it's fairly similar might not be a

hundred percent but let's take a look

yeah it looks like it is so what we're

gonna want from here you can pick any

bites you want for this because it is

just a function

but i like these little two moves right

here

so let's do them these should be 11

bytes if i recall

and boom that was the first method of

finding the process event

now let's name it real quick so that i

can see which sig one is right when i do

the sig thing

so let's name this function process

event like it should be called

boom done so now that was one method of

finding process event

the other method i have is this possible

sig here

you would copy it you would press alt

and b

to pull up a pattern scan find all the

currencies you want to select and you

would search this pattern

now again it wouldn't actually have the

name because i just put the name when i

found it with the string

so you know it is here but you would

usually go through these

if you find this as an easier option and

once you scroll through these you should

find the process event one which we did

in fact find

so bravo

so yes we did find in fact the correct

process event

because there is another one but we

didn't search for that so we have the g

name g object g world and the process

event all in bytes because bytes are

better than offsets in my opinion

so there is that so we are done the

first part

needed in reversing my friends game or

your game

so that's the end of this part the next

part will involve

updating an sd update oh god my words

updating the sdk gen to

you know the correct uh [ __ ] classes

or whatever

uh through reclass and through you know

visual studio the project we make i'll

show you how to update the patterns and

stuff the sdk gens i use which are

basically both from connector but one of

them's a little modified that someone

posted so that's pretty good

i like that but yeah so we have the most

important

patterns that we need and hopefully to

shed some light on how to

find them my method i'm no expert but

you know

and uh yeah i'll see you all later