I wanted to make a quick tutorial on a widely practiced technique for identifying new memory locations that link back to the original target of our injection process and different methods we can preform to find them. A common challenge arises when attempting to locate a primary address that, for example, directs us to the player class. However, upon inspecting this address, we encounter a complication such as every single value is routed through a singular address, single level pointers that render our efforts to inject here virtually unfeasible, and conducting a scan for commonalities results in the discovery of addresses that are both irrelevant and realistically unchangeable. We will be going over failed a scenario, then find the solution with some helpful tools while gaining a higher understanding of the game we are reversing.
As always, this tutorial will tie into a few other tutorials I have made. You should already have Cheat Engine Installed and configured, Know How to Scan for Values, and know How To Make Pointers Through Opcodes. If you don't know these, make sure to take some time to read these tutorials.
In this tutorial I will be demonstrating on the game Bum Simulator. Assuming you have already found the address from something you want to manipulate (health, ammo, whatever), we should be looking at something like this:
![[Image: w63SEtj.png]](https://i.imgur.com/w63SEtj.png)
Note: Some interesting points about the address, hunger.
Scenario:
Find Out What Addresses This Instruction Accesses:
If you don't already, It's a good habit to check to see if any other addresses use the instruction you're thinking about injecting into. Assuming we can just inject into an instruction and not gaining a fair understanding on how the game is operating will only lead to problems down the road. For this failed scenario, lets still see what instructions accesses this address. As this example demonstrates, we're "thinking" about injecting into the Hunger address, which will not work as expected.
In the memory viewer, click "Find out what addresses this instruction accesses" and let it scan.
![[Image: qpCLaEv.png]](https://i.imgur.com/qpCLaEv.png)
![[Image: UnVJ0st.png]](https://i.imgur.com/UnVJ0st.png)
After giving it a bit to gather the data, in hopes we can just inject into this instruction we find 10,000 addresses passing through this one instruction and it keeps climbing, so clearly that isn't going to work in our favor. Even trying to compare out instructions would be way to much effort and time consuming with a high probability we would fail. We could also look into the data dissect to try finding a new address, just to find out every address in there is also being passed through the same instruction and run circles around this, or we can take our note above into consideration.
Solution:
Reversing Unreal Engine Games:
In Unreal Engine, several core object types and structures are frequently targeted and manipulated in the context of game hacking. Understanding these objects is crucial for anyone trying to reverse-engineer or modify Unreal Engine games. Here is a brief overview of the primary objects and their roles:
UObject:
UObject is the base class for all objects in Unreal Engine. It provides the fundamental means for object management such as lifecycle management, serialization, and type information. UObject includes a wide range of game elements, from actors and components to data assets. Manipulating these objects can affect almost every aspect of the game.
UClass:
UClass is a subclass of UObject that represents the metadata for an object class in Unreal Engine. It describes the structure of its instances, including their properties and functions. Understanding UClass objects is essential for dynamically creating instances or modifying class definitions at runtime.
UActorComponent and USceneComponent:
UActorComponent is the base class for components that define functional behavior, while USceneComponent, a subclass of UActorComponent, includes transformation information such as location and rotation. Modifying these components can alter how actors behave and interact with the game world.
AActor:
AActor is a primary element used to represent characters, props, and other entities within the game world. Actors are complex objects that interact with the game environment and other actors. Actors are central in game hacking for modifying game dynamics or behavior, such as changing character abilities or attributes.
UPackage:
UPackage contains all the objects that are serialized together. This typically includes assets and all related data that Unreal Engine loads as a group. Understanding and manipulating packages can be crucial for modifying game content, loading custom assets, or unpacking game data for analysis.
UWorld:
UWorld is an object that encapsulates all data required to create a game world, including levels, actors, and environmental settings. Manipulating UWorld can affect global game settings and behaviors, such as changing game maps or the state of the game world.
UFunction:
UFunction, a subclass of UObject, represents a function in the scripting language of Unreal Engine (Blueprints or C++). It encapsulates executable code. Functions can be hooked or redirected to change game behavior dynamically, a common technique in cheat development.
UMaterial and UTexture:
These objects are used for graphical elements. UMaterial defines the surface appearance of objects, and UTexture is used for texture mapping. Altering these can change how objects appear in the game, which can be used for both aesthetic mods and practical cheats (like making walls transparent).
Blueprints:
Blueprints are a visual scripting system based on UObject that enables designers and developers to create complex game logic without writing code.
Relevance in Hacking: Reverse engineering or modifying Blueprints can significantly change game logic and behavior.
*I will make a full tutorial on each object and how to find them in later tutorials.
There's a lot of options here, where would we even start? How would we start to explore these object to miniplate values in our favor? Thankfully, we have some very talented developers within the game hacking community. The best part they took the time to make awesome tools at no cost to use. I am a huge fan of these developers, as it really shows they're here for the community, and not necessarily the dollar.
Lets take a moment to talk about the differences between paid tools and free tools. Besides the obvious, over the years of game hacking I have found free, open source tools to be more useful than paid ones. The problem with paid tools is they're just "re-skinning" the UI or functionality on the tool, then calming to be superior over their competition as if they are reinventing the wheel. Free tools have the same functionality as paid tools and in my experience are overall higher quality and have higher development rates.
Paid:
Free:
I'm not saying paid tools are horrible. I have enjoyed paid tools in the past. I tend to gravitate to the open-source for the reasons above and I have found paid tools essentially do the same thing as free tools.
Anyway, the tool of choice for this task is a Unreal Engine Dumber by a user named Cake-san over at FearLess Cheat Engine Forum. You can download it Here. I take no credit for this tool and a true thanks to Cake-san for taking the time to make this tool for all of us to use. *You can confirm if your game is using Unreal Engine by following this guide Here.
Scanning with Unreal Engine Dumper:
First, Open a new Cheat Engine and load in the dumper you've downloaded and attach the unreal engine game your targeting.
![[Image: VG2Hwt0.png]](https://i.imgur.com/VG2Hwt0.png)
I have downloaded every version that Cake-san has made. For some reason, sometimes older versions work on newer games, and vice versa. For this instances, I'll be using Dumper V7.3. Download and try the versions that work best for you.
Click "Unreal Engine" and navigate down and click "4 LocalPlayer", and look for "Pawn". As you can see, we have a new address, (2565925F340) pointing to our real player class... That was too easy.
![[Image: frNC2z8.png]](https://i.imgur.com/frNC2z8.png)
Lets copy that address, add it to our cheat table and see what accesses to that address.
![[Image: HTDHEM1.png]](https://i.imgur.com/HTDHEM1.png)
![[Image: uV6kNGI.png]](https://i.imgur.com/uV6kNGI.png)
All we have to do is find any instruction that is writing with our base player address, 2565925F340. For me, its instruction that moves rax into rdx. You may have to scroll down comparing but once you find something with the base address, we can show that in the disassembler, and find out what addresses that instruction accesses.
![[Image: 5vT9DGZ.png]](https://i.imgur.com/5vT9DGZ.png)
To make sure that our base player address is the only address that is being passed through.
![[Image: hn5d1yh.png]](https://i.imgur.com/hn5d1yh.png)
As you can see, 2565925F340 is the only address being passed. Now you can inject into this address and point out based on whats in your dissect data/structures which is explained in the tutorials listed above.
One last side note, with Cake-sans dumper, they have added a really handy option "Enable UE Structure Lookup". This will add names to your structure so you can more easily identify pointers.
As always, this tutorial will tie into a few other tutorials I have made. You should already have Cheat Engine Installed and configured, Know How to Scan for Values, and know How To Make Pointers Through Opcodes. If you don't know these, make sure to take some time to read these tutorials.
In this tutorial I will be demonstrating on the game Bum Simulator. Assuming you have already found the address from something you want to manipulate (health, ammo, whatever), we should be looking at something like this:
Note: Some interesting points about the address, hunger.
- First, we don't see any offsets indicating its a single level pointer.
- We also see RAX is pointing to the same address as Hunger, so that's not our player class.
Scenario:
Find Out What Addresses This Instruction Accesses:
If you don't already, It's a good habit to check to see if any other addresses use the instruction you're thinking about injecting into. Assuming we can just inject into an instruction and not gaining a fair understanding on how the game is operating will only lead to problems down the road. For this failed scenario, lets still see what instructions accesses this address. As this example demonstrates, we're "thinking" about injecting into the Hunger address, which will not work as expected.
In the memory viewer, click "Find out what addresses this instruction accesses" and let it scan.
After giving it a bit to gather the data, in hopes we can just inject into this instruction we find 10,000 addresses passing through this one instruction and it keeps climbing, so clearly that isn't going to work in our favor. Even trying to compare out instructions would be way to much effort and time consuming with a high probability we would fail. We could also look into the data dissect to try finding a new address, just to find out every address in there is also being passed through the same instruction and run circles around this, or we can take our note above into consideration.
Solution:
Reversing Unreal Engine Games:
In Unreal Engine, several core object types and structures are frequently targeted and manipulated in the context of game hacking. Understanding these objects is crucial for anyone trying to reverse-engineer or modify Unreal Engine games. Here is a brief overview of the primary objects and their roles:
UObject:
UObject is the base class for all objects in Unreal Engine. It provides the fundamental means for object management such as lifecycle management, serialization, and type information. UObject includes a wide range of game elements, from actors and components to data assets. Manipulating these objects can affect almost every aspect of the game.
UClass:
UClass is a subclass of UObject that represents the metadata for an object class in Unreal Engine. It describes the structure of its instances, including their properties and functions. Understanding UClass objects is essential for dynamically creating instances or modifying class definitions at runtime.
UActorComponent and USceneComponent:
UActorComponent is the base class for components that define functional behavior, while USceneComponent, a subclass of UActorComponent, includes transformation information such as location and rotation. Modifying these components can alter how actors behave and interact with the game world.
AActor:
AActor is a primary element used to represent characters, props, and other entities within the game world. Actors are complex objects that interact with the game environment and other actors. Actors are central in game hacking for modifying game dynamics or behavior, such as changing character abilities or attributes.
UPackage:
UPackage contains all the objects that are serialized together. This typically includes assets and all related data that Unreal Engine loads as a group. Understanding and manipulating packages can be crucial for modifying game content, loading custom assets, or unpacking game data for analysis.
UWorld:
UWorld is an object that encapsulates all data required to create a game world, including levels, actors, and environmental settings. Manipulating UWorld can affect global game settings and behaviors, such as changing game maps or the state of the game world.
UFunction:
UFunction, a subclass of UObject, represents a function in the scripting language of Unreal Engine (Blueprints or C++). It encapsulates executable code. Functions can be hooked or redirected to change game behavior dynamically, a common technique in cheat development.
UMaterial and UTexture:
These objects are used for graphical elements. UMaterial defines the surface appearance of objects, and UTexture is used for texture mapping. Altering these can change how objects appear in the game, which can be used for both aesthetic mods and practical cheats (like making walls transparent).
Blueprints:
Blueprints are a visual scripting system based on UObject that enables designers and developers to create complex game logic without writing code.
Relevance in Hacking: Reverse engineering or modifying Blueprints can significantly change game logic and behavior.
*I will make a full tutorial on each object and how to find them in later tutorials.
There's a lot of options here, where would we even start? How would we start to explore these object to miniplate values in our favor? Thankfully, we have some very talented developers within the game hacking community. The best part they took the time to make awesome tools at no cost to use. I am a huge fan of these developers, as it really shows they're here for the community, and not necessarily the dollar.
Lets take a moment to talk about the differences between paid tools and free tools. Besides the obvious, over the years of game hacking I have found free, open source tools to be more useful than paid ones. The problem with paid tools is they're just "re-skinning" the UI or functionality on the tool, then calming to be superior over their competition as if they are reinventing the wheel. Free tools have the same functionality as paid tools and in my experience are overall higher quality and have higher development rates.
Paid:
- Can revoke your access at any time.
- Premium prices for essentially the same tools.
- Tend to have lower development rates.
Free:
- Higher development rates due to being open-source.
- You can use the tool without fears of loosing access.
- A developer who actually cares about the advancement of the industry as a whole.
I'm not saying paid tools are horrible. I have enjoyed paid tools in the past. I tend to gravitate to the open-source for the reasons above and I have found paid tools essentially do the same thing as free tools.
Anyway, the tool of choice for this task is a Unreal Engine Dumber by a user named Cake-san over at FearLess Cheat Engine Forum. You can download it Here. I take no credit for this tool and a true thanks to Cake-san for taking the time to make this tool for all of us to use. *You can confirm if your game is using Unreal Engine by following this guide Here.
Scanning with Unreal Engine Dumper:
First, Open a new Cheat Engine and load in the dumper you've downloaded and attach the unreal engine game your targeting.
I have downloaded every version that Cake-san has made. For some reason, sometimes older versions work on newer games, and vice versa. For this instances, I'll be using Dumper V7.3. Download and try the versions that work best for you.
Click "Unreal Engine" and navigate down and click "4 LocalPlayer", and look for "Pawn". As you can see, we have a new address, (2565925F340) pointing to our real player class... That was too easy.
Lets copy that address, add it to our cheat table and see what accesses to that address.
All we have to do is find any instruction that is writing with our base player address, 2565925F340. For me, its instruction that moves rax into rdx. You may have to scroll down comparing but once you find something with the base address, we can show that in the disassembler, and find out what addresses that instruction accesses.
To make sure that our base player address is the only address that is being passed through.
As you can see, 2565925F340 is the only address being passed. Now you can inject into this address and point out based on whats in your dissect data/structures which is explained in the tutorials listed above.
One last side note, with Cake-sans dumper, they have added a really handy option "Enable UE Structure Lookup". This will add names to your structure so you can more easily identify pointers.
⠀
So, tell me where should I go?
To the left, where nothing's right. Or go right, where nothings left..
