/frida-ue4dump

UE4 dump frida script

Primary language: JavaScript. License: MIT

frida-ue4dump

UE4 dump Frida script for UE >= 4.23, 64-bit.
Heavily based on UE4Dumper.
Tested on the games listed below. It might not work correctly with other games unless you fix the offsets in script.js.

  • NIGHT CROWS (Android, iOS, UE5? seems fine)
  • Arena Breakout (KR, CN) (Android, iOS)
  • Odin, Valhalla Rising (Android, iOS)
  • Real Boxing 2 (Android, iOS)
  • Mortal Kombat (Android)
  • Dislyte (Android)
  • Octopath Traveler: Champions of the Continent (Android, iOS)
  • Torchlight: Infinite (Android, iOS)
  • Black Clover Mobile (KR, JP) (Android, iOS)
  • Tower of Fantasy (Android, iOS)
  • 아스달 연대기: 세개의 세력 (Arthdal Chronicles) (Android, iOS)
  • 아키에이지 워 (ArcheAge War) (Android)
  • 명조: 워더링 웨이브 (Wuthering Waves) (Android, iOS)

Usage

  1. Attach
  • Real Device
frida -Ul script.js <UE4 Game>
  • Emulator
frida -Ul script.js --realm=emulated <UE4 Game>
  2. Set
Call set(<moduleName>) in the Frida terminal (e.g. set("libUE4.so")).

This sets moduleBase, GUObjectArray and GName.
If it cannot find GUObjectArray or GName, you need to provide those values manually.
  3. Dump
dumpSdk()

  4. Hook ProcessEvent (Optional)
(1) After successfully completing the dump, call `hookProcessEvent()`

or

(2) If you already know the ProcessInternal offset and have found and fixed all the offsets for the game, then...
set(<moduleName>)
processInternal_offset = <ProcessInternal offset you found. e.g, 0x123123>
hookProcessEvent()

or

(3) If you already know the ProcessEvent offset and have found and fixed all the offsets for the game, then...
set(<moduleName>)
processEvent = moduleBase.add(<ProcessEvent offset you found. e.g, 0x123123>)
hookProcessEvent()

Contact

Credits