UnrealEngine GName 分析

IDA分析GName:

在`UnrealNames.cpp`中找到如下代码

static bool bNamePoolInitialized;
alignas(FNamePool) static uint8 NamePoolData[sizeof(FNamePool)];
 
// Only call this once per public FName function called
//
// Not using magic statics to run as little code as possible
static FNamePool& GetNamePool()
{
    if (bNamePoolInitialized)
    {
        return *(FNamePool*)NamePoolData;
    }
 
    FNamePool* Singleton = new (NamePoolData) FNamePool;
    bNamePoolInitialized = true;
    return *Singleton;
}

在UnrealEngine5.x的引擎版本中,GName以全局变量static uint8 NamePoolData的形式存在.
被定义的NamePoolData会在环境中通过FNamePool::FNamePool()初始化

我们跟随引用找到相应的`FNamePool::FNamePool()`函数

FNamePool::FNamePool()
{
    for (FNamePoolShardBase& Shard : ComparisonShards)
    {
        Shard.Initialize(Entries);
    }
 
#if WITH_CASE_PRESERVING_NAME
    for (FNamePoolShardBase& Shard : DisplayShards)
    {
        Shard.Initialize(Entries);
    }
#endif
 
    // Register all hardcoded names
#define REGISTER_NAME(num, name) ENameToEntry[num] 
    = Store(FNameStringView(#name, FCStringAnsi::Strlen(#name)));
#include "UObject/UnrealNames.inl"
#undef REGISTER_NAME
 
    // Make reverse mapping
    LargestEnameUnstableId = 0;
    for (uint32 ENameIndex = 0; 
        ENameIndex < (uint32)EName::MaxHardcodedNameIndex; ++ENameIndex)
    {
        if (ENameIndex == (uint32)NAME_None || ENameToEntry[ENameIndex])
        {
            EntryToEName.Add(ENameToEntry[ENameIndex], (EName)ENameIndex);
            LargestEnameUnstableId = 
                FMath::Max(LargestEnameUnstableId, 
                ENameToEntry[ENameIndex].ToUnstableInt());
        }
    }
 
    // Verify all ENames are unique
    if (NumAnsiEntries() != EntryToEName.Num())
    {
        if (FPlatformMisc::IsDebuggerPresent())
        {
            UE_DEBUG_BREAK();
        }
        else
        {
            FPlatformMisc::PromptForRemoteDebugging(false);
            FMessageDialog::Open(EAppMsgType::Ok, 
                NSLOCTEXT("UnrealEd", 
                "DuplicatedHardcodedName", 
                "Duplicate hardcoded name"));
            FPlatformMisc::RequestExit(false);
        }
    }
}

有明显的明文字符串 DuplicatedHardcodedName于是通过IDA搜索字符串

在IDA中搜索字符串

Name	Address
aDuplicatedhard	00000001439ADA30

继续跟踪反汇编

if ( v336 - v2 != *(_DWORD *)(a1 + 93000) - *(_DWORD *)(a1 + 93092) )
  {
    v338 = sub_140F60170(v685, L"Duplicate hardcoded name", L"UnrealEd", L"DuplicatedHardcodedName");
    sub_141022D50(0i64, v338, 0i64);
    v339 = v686;
    if ( v686 && _InterlockedExchangeAdd(v686 + 2, 0xFFFFFFFF) == 1 )
    {
      (**(void (__fastcall ***)(volatile signed __int32 *))v339)(v339);
      if ( _InterlockedExchangeAdd(v339 + 3, 0xFFFFFFFF) == 1 )
        (*(void (__fastcall **)(volatile signed __int32 *, __int64))(*(_QWORD *)v339 + 8i64))(v339, 1i64);
    }
    sub_1410714B0(0i64);
  }

这里伪代码很明显就是与上述代码相对应的部分
可以判断出来这就是构造函数,于是在IDA中改名为void __fastcall FNamePool_FNamePool(__int64 a1)

使用IDA分析交叉引用

Direction	Type	Address	Text
Up	p	sub_141055510+D1	call FNamePool_FNamePool
Down	p	sub_141059000+50	call FNamePool_FNamePool
Down	p	sub_141059110+51	call FNamePool_FNamePool
Down	p	sub_141059EA0+42	call FNamePool_FNamePool
Down	p	sub_141059F60+42	call FNamePool_FNamePool
Down	p	sub_14105A7D0+4E	call FNamePool_FNamePool
Down	p	sub_14105BBC0+20	call FNamePool_FNamePool
Down	p	sub_14105BC60+31	call FNamePool_FNamePool
Down	p	sub_14105BCC0+2F	call FNamePool_FNamePool
Down	p	sub_14105BD50+38	call FNamePool_FNamePool
Down	p	sub_14105BDE0+38	call FNamePool_FNamePool
Down	p	sub_14105BE50+38	call FNamePool_FNamePool
Down	p	sub_14105C1A0+47	call FNamePool_FNamePool
Down	p	sub_14105D4F0+82	call FNamePool_FNamePool
Down	p	sub_14105F090+A1	call FNamePool_FNamePool
Down	p	sub_14105F390+11A	call FNamePool_FNamePool
Down	p	sub_141062740+47	call FNamePool_FNamePool
Down	p	sub_141062740+A8	call FNamePool_FNamePool
Down	p	sub_1410628E0+51	call FNamePool_FNamePool
Down	p	sub_1410629D0+49	call FNamePool_FNamePool
Down	p	sub_141062AA0+47	call FNamePool_FNamePool
Down	o	.pdata:0000000144CEE0AC	RUNTIME_FUNCTION <rva FNamePool_FNamePool, rva algn_141058B15, \

很显然要继续分析的是第一个表项

这个函数就是完成NamePoolData初始化的函数

_QWORD *__fastcall sub_141055510(_QWORD *a1, __int64 a2)
{
  bool v2; // zf
  __int64 v3; // r8
  __int64 v5; // rax
  unsigned int v6; // eax
  _QWORD *result; // rax
  RTL_SRWLOCK *v8; // rax
  unsigned int v9; // ecx
  __m128i v10; // [rsp+20h] [rbp-18h] BYREF
  char v11; // [rsp+40h] [rbp+8h] BYREF
 
  v2 = *(_BYTE *)(a2 + 4) == 0;
  v3 = a2 + 6;
  v10.m128i_i64[0] = a2 + 6;
  v5 = -1i64;
  if ( v2 )
  {
    do
      ++v5;
    while ( *(_BYTE *)(v3 + v5) );
    v10.m128i_i8[12] = 0;
  }
  else
  {
    do
      ++v5;
    while ( *(_WORD *)(v3 + 2 * v5) );
    v10.m128i_i8[12] = 1;
  }
  v10.m128i_i32[2] = v5;
  if ( (unsigned int)_mm_cvtsi128_si32(_mm_srli_si128(v10, 8)) < 0x400 )
  {
    if ( byte_144A3AA64 )
    {
      v8 = &stru_144A56400;
    }
    else
    {
      FNamePool_FNamePool((__int64)&stru_144A56400);
      byte_144A3AA64 = 1;
    }
    v9 = *(_DWORD *)sub_1410624C0(v8, &v11, &v10);
    result = a1;
    *a1 = v9;
  }
  else
  {
    v10.m128i_i32[2] = 24;
    v10.m128i_i64[0] = (__int64)"ERROR_NAME_SIZE_EXCEEDED";
    v6 = sub_1410552F0("ERROR_NAME_SIZE_EXCEEDED", &v10.m128i_u64[1]);
    sub_14105F340(a1, &v10, 1i64, v6);
    return a1;
  }
  return result;
}

FNamePool_FNamePool((__int64)&stru_144A56400)完成了对NamePoolData的初始化
计算0x144A56400-0x140000000=0x4A56400得到GName偏移为0x4A56400,其中0x140000000是所在模块基地址