首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. Android安全
    3. 发新帖
[原创] 2025騰訊遊戲安全大賽(安卓初賽)
发表于: 2025-4-14 09:53 26368

[原创] 2025騰訊遊戲安全大賽(安卓初賽)

ngiokweng 活跃值
5
2025-4-14 09:53
26368

第一次聽說這比賽是上年偶然和舍友聊天時他告訴我的,沒想到還有以遊戲安全為主的比賽,當時看到有安卓的賽道就報名了,然後比賽時就被那門卡了2天,然後就沒有然後了。

今年沒意外的話是我大學生涯的最後一年,也許也是最後一年打這個比賽了吧,下年也不知道有沒有空看看題。

以下是我的解題記錄,一部份是比賽時寫的,一部份是賽後補充的,有寫錯的還請指正。

版本:4.27

GName:0xADF07C0

GObject:0xAE34A98

dump sdk by GObject,記為SDKO.txt

dump all objects,記為Objects.txt

題目說明如下,純粹的UE4逆向,無任何反調試。

hook pthread_create,patch掉libGame.so創建唯一一個線程後,速度不再異常。

由此可知相關邏輯就在libGame.so創建的線程中。接下來分析它的實現原理。

用IDA動調線程回調函數sub_1B9C

進入後會看到明顯的控制流平坦化,先不管。

打斷點進入case 12623,分析後發現就是通過/proc/self/maps獲取libUE4.so的基址。

之後本想手動還原下控制流,但突然想起IDA有個D-810插件貌似能解控制流混淆,嘗試下,發現效果很好。

獲取了libUE4_base後會賦給infos[19]

然後*(_QWORD *)(libUE4_base_1 + 0xAFAC398)獲取了libUE4.so的一個全局變量,猜測是GWorld

用ue4dumper來驗證,發現能順利dump出SDK,由此可知0xAFAC398的確是GWorld

記dump出來的文件為SDKW.txt

獲取GWorld後,就能通過遍歷其中的屬性定位到FirstPersonCharacter_C,具體原理如下,這是用frida實現的。

其中用了vtabs( UObject的第0個成員屬性,虛表 )的函數偏移是否等於0xA63BE28來確定是否FirstPersonCharacter_C對象,0xA63BE28大概是FirstPersonCharacter_C的一個特徵?

最終通過修改CharacterMovementComponentMaxAccelerationMaxWalkSpeed來改變人物速度。

SDKO.txt裡可以看到我的角色類裡有個ProjectileClass成員,而它有個OnHit成員函數

嘗試hook OnHit,分別在enter和leave時打印CameraRotation,發現兩者相等,即在enter前就已經完成自瞄,代表相關的自瞄邏輯不在這裡。

CameraRotation下硬斷( 寫 ),命中信息如下:

命中PC:0x799F6637C0

libUE4 base:0x7996b2b000

計算得Offset為0x8B387C0

IDA跳到0x8B387C0,如下:

0x8B387C0所在函數為mb_aimbot,嘗試直接patch掉mb_aimbot,發現patch後人物無法轉動視角。

hook mb_aimbot,打印調用棧,未點擊時,調用棧如下

點擊後,多了一個不同的調用棧0x670f3fc

嘗試patch掉0x670f3fc所在函數0x670F110,雖然點擊後不會再自動瞄到某處,但子彈射不出。

由此猜測0x670F110是射擊的回調函數,自瞄邏輯應該就在裡面。

0x670F110process_before_shoot

0x670F110中從調用mb_aimbot處向上分析,發現是否調用mb_aimbot邏輯是由sub_680B790(v32, "E")決定的。

hook sub_680B790,打印參數和返回值。

注:hexdump後可知是unicode編碼的字符串,因此要用readUtf16String

輸出如下,可以看出是字符串對比函數,resa0a1第1個不相等字符的差值,若相等則為0( 不區分大小寫 )。記sub_680B790utf16_cmp

可以看到前面一直在和EditorCube8對比,明顯它就是自瞄的目標,

嘗試在a1EditorCube8時將返回值固定replace為一個大於0的值。

結果是射擊時不再自動瞄到指定目標,但手槍在射完後會向上抬一下,類似後座力?不知是否屬於異常點。

下面簡單看看它的自瞄實現原理:

process_before_shoot開始看,一開始先遍歷自瞄目標。

然後調用calcTargetOffset計算自瞄值,然後根據這個值來設置CameraRotation( 人物相機的轉向,使它朝向目標以實現自瞄的效果 )。

calcTargetOffset實現大概像這樣:利用目標location與人物的location向量來計算。

可以明顯看出子彈發射的起始位置是隨機的。

猜測可能與MyProjectCharacterGunOffset有關。

GunOffset下硬斷( 讀 )。

命中如下兩處地址:

0x6930A6C所在函數是sub_6930A3C

hook sub_6930A3C打印調用棧。

其中0x670f658位於0x670F110函數( 即process_before_shoot )。

process_before_shoot中有調用rand()生成隨機值,猜測這與槍口的隨機有關。

嘗試hook rand固定其返回值。

結果是子彈發射位置固定了,但是固定在了人物的頭上偏左的位置。

繼續嘗試其他修復思路。

process_before_shoot中的a1[0x14A] & 1不為0,目的是讓執行流無法走到上述的0x6930A6C位置。

結果同樣可以固定子彈發射的位置,但這次是在人物的下方固定向正前方發射,上下抬頭時不會改變發射方向。

以下部份是賽後的分析。

a1[0x14A] & 10,會調用about_bullt_loc1生成一些隨機值,調用about_bullt_loc2生成一個基於GunOffset等參數而來的值,最終傳入mb_process_bullet_shoot_loc做最後的處理。

而當a1[0x14A] & 11時,則會從VR_MuzzleLocation裡獲取一些參數,最終同樣傳入mb_process_bullet_shoot_loc

注:通過hook所在函數,將*((QWORD*)a1 + 155)當成UObject來打印它的名字,從而確定它是VR_MuzzleLocation對象。

VR_MuzzleLocation看名字來說是給VR設備使用的,安卓設備感覺是使用FP_MuzzleLocation才對。

因此合理懷疑這也是一個異常點。

hook process_before_shoot,從IDA裡可知args[0].add(0x4D8)保存著VR_MuzzleLocation對象的地址,嘗試將它改為FP_MuzzleLocation的地址。

結果是子彈終於會隨著槍口的變化而變化,但卻是從槍口往左發射的,正常應該是往前才對。

接下來嘗試修改FP_MuzzleLocation裡的一些參數,看看能否改變發射方向。

FP_MuzzleLocation屬於USceneComponent類,其中有以下這兩個屬性:

利用K2_SetRelativeLocationK2_SetRelativeRotation函數來修改。通過不斷嘗試,發現只需要將Rotation設置為[0, 90, 0]即可,相當於旋轉了90度。完整修複代碼如下:

注:不能直接通過內存來修改,要用API來修改。

Objects.txt裡可以看到FirstPersonCharacter_CThirdPersonCharacter_C,它們分別是我控制的人物和假人。

嘗試一:替換Material。( 沒效果 )

嘗試二:設置bDisableDepthTest0。( 沒效果 )

嘗試三:利用SetTexture隨便設置一個Texture。( 沒效果 )

以下部份是賽後的分析。

找資料時發現類似這遊戲的人物透視效果基本上有以下兩種實現思路:

但嘗試後發現遊戲似乎不是用上述方法實現透視效果的( 不太確定,也有可能是我修改的地方不對 )?

找了很久都沒有什麼思路,最終只好退而求其次,用一種「掩耳盜鈴」的方式來修復,具體思路如下:

具體調用LineTraceSingle、獲取HitResult.Distance的代碼如下:

時機選擇在Actor類的ReceiveTick函數,在其中判斷是否渲染:

當然這肯定不是正解,而且效果也非常一般,之後看看有沒有其他大佬分析下正解吧。

子彈射在白色的Cube上不會反彈。

白色的Cube應是就是EditorCubeN

子彈射在EditorCubeN上會瞬間消失,但EditorCubeN是有被擊退的效果,而子彈射在黑色的Cube上能正常被反彈。

嘗試一:看看是否因為物理模擬未啟用。( 沒效果 )

嘗試二:設置物理材質的反彈系數為1。( 沒效果 )

嘗試三:設置與所有物體的碰撞響應都為Block( 具體值是2 )。( 沒效果 )

經過上述嘗試,可知子彈消失大概率與Collision無關。

猜測子彈是在擊中EditorCubeN時執行了一段Destroy邏輯。

hook MyProjectProjectileOnHit,打印調用棧:

Destroy邏輯可能就在其中,但沒時間看了。。

以下部份是賽後的分析。

OnHit最後調會return sub_88A8D2C((__int64)v4, 0, 1),而sub_88A8D2C函數如下。

about_ActorDestroying中有"ActorDestroying"字符串,猜測會不會就是那段Destroy邏輯。

嘗試直接patch掉該函數,使其固定返回1

結果是射到EditorCubeN時也會正常反彈,成功修復該異常點。

在測試過程中還發現以下一些不確定算不算異常點的:

frida -U -f com.ACE2025.Game -l final.js

今年跟上年一樣是UE4的題型,猜到了會出UE4,賽前本想找些遊戲來練練手,但一直沒找到合適的,只能說可惜了。這也導致了比賽前2天基本都在熟悉UE4,直到最後也沒有完整地修復幾個異常點。

本以為決賽無望的,沒想到運氣挺好居然進了,算是圓了上一年的遺憾吧。

./ue4dumper64 --sdku --newue+ --gname 0xADF07C0 --guobj 0xAE34A98 --package com.ACE2025.Game
./ue4dumper64 --sdku --newue+ --gname 0xADF07C0 --guobj 0xAE34A98 --package com.ACE2025.Game
./ue4dumper64 --objs --newue+ --gname 0xADF07C0 --guobj 0xAE34A98 --package com.ACE2025.Game
./ue4dumper64 --objs --newue+ --gname 0xADF07C0 --guobj 0xAE34A98 --package com.ACE2025.Game
function hook_pthread() {
 
    var pthread_create_addr = Module.findExportByName(null, 'pthread_create');
    console.log("pthread_create_addr,", pthread_create_addr);
 
    var pthread_create = new NativeFunction(pthread_create_addr, "int", ["pointer", "pointer", "pointer", "pointer"]);
 
    Interceptor.replace(pthread_create_addr, new NativeCallback(function (parg0, parg1, parg2, parg3) {
        var so_name = Process.findModuleByAddress(parg2).name;
        var so_path = Process.findModuleByAddress(parg2).path;
        var so_base = Module.getBaseAddress(so_name);
        var offset = parg2 - so_base;
        // console.log("so_name", so_name, "offset", offset, "path", so_path, "parg2", parg2);
        var PC = 0;
        if ((so_name.indexOf("libGame.so") > -1)) {
            console.log("find thread func offset", so_name, offset);
            if ((7068 === offset)) {
                console.log("anti bypass");
            else {
                PC = pthread_create(parg0, parg1, parg2, parg3);
                console.log("ordinary sequence", PC)
            }
        } else {
            PC = pthread_create(parg0, parg1, parg2, parg3);
            // console.log("ordinary sequence", PC)
        }
        return PC;
    }, "int", ["pointer", "pointer", "pointer", "pointer"]))
 
}
function hook_pthread() {
 
    var pthread_create_addr = Module.findExportByName(null, 'pthread_create');
    console.log("pthread_create_addr,", pthread_create_addr);
 
    var pthread_create = new NativeFunction(pthread_create_addr, "int", ["pointer", "pointer", "pointer", "pointer"]);
 
    Interceptor.replace(pthread_create_addr, new NativeCallback(function (parg0, parg1, parg2, parg3) {
        var so_name = Process.findModuleByAddress(parg2).name;
        var so_path = Process.findModuleByAddress(parg2).path;
        var so_base = Module.getBaseAddress(so_name);
        var offset = parg2 - so_base;
        // console.log("so_name", so_name, "offset", offset, "path", so_path, "parg2", parg2);
        var PC = 0;
        if ((so_name.indexOf("libGame.so") > -1)) {
            console.log("find thread func offset", so_name, offset);
            if ((7068 === offset)) {
                console.log("anti bypass");
            else {
                PC = pthread_create(parg0, parg1, parg2, parg3);
                console.log("ordinary sequence", PC)
            }
        } else {
            PC = pthread_create(parg0, parg1, parg2, parg3);
            // console.log("ordinary sequence", PC)
        }
        return PC;
    }, "int", ["pointer", "pointer", "pointer", "pointer"]))
 
}
./ue4dumper64 --sdkw --newue+ --gname 0xADF07C0 --gworld 0xAFAC398 --package com.ACE2025.Game
./ue4dumper64 --sdkw --newue+ --gname 0xADF07C0 --gworld 0xAFAC398 --package com.ACE2025.Game
let GWorld = base.add(0xAFAC398).readPointer(); // FirstPersonExampleMap (GWorld)
let PersistentLevel = GWorld.add(0x30).readPointer()       // PersistentLevel
let StreamingLevels = PersistentLevel.add(0x98).readPointer();    // StreamingLevelsToConsider.StreamingLevels
let StreamingLevelsNum = PersistentLevel.add(0xA0).readU32();
 
let FirstPersonCharacter_C = null;
for(let i = 0; i < StreamingLevelsNum; i++) {
    let StreamingLevel = StreamingLevels.add(i * 8).readPointer();
    let vtabs = StreamingLevel.readPointer();
 
    if (vtabs.sub(base) == 0xA63BE28) {
        // console.log(i, vtabs.readPointer());
        FirstPersonCharacter_C = StreamingLevel;
    }
}
 
let CharacterMovementComponent = FirstPersonCharacter_C.add(0x288).readPointer()
CharacterMovementComponent.add(0x1a0).writeFloat(1000000000)
CharacterMovementComponent.add(0x18c).writeFloat(1000000000)
let GWorld = base.add(0xAFAC398).readPointer(); // FirstPersonExampleMap (GWorld)
let PersistentLevel = GWorld.add(0x30).readPointer()       // PersistentLevel
let StreamingLevels = PersistentLevel.add(0x98).readPointer();    // StreamingLevelsToConsider.StreamingLevels
let StreamingLevelsNum = PersistentLevel.add(0xA0).readU32();
 
let FirstPersonCharacter_C = null;
for(let i = 0; i < StreamingLevelsNum; i++) {
    let StreamingLevel = StreamingLevels.add(i * 8).readPointer();
    let vtabs = StreamingLevel.readPointer();
 
    if (vtabs.sub(base) == 0xA63BE28) {
        // console.log(i, vtabs.readPointer());
        FirstPersonCharacter_C = StreamingLevel;
    }
}
 
let CharacterMovementComponent = FirstPersonCharacter_C.add(0x288).readPointer()
CharacterMovementComponent.add(0x1a0).writeFloat(1000000000)
CharacterMovementComponent.add(0x18c).writeFloat(1000000000)
Class: MyProjectCharacter.Character.Pawn.Actor.Object
    SkeletalMeshComponent* Mesh1P;//[Offset: 0x4b8, Size: 0x8]
    SkeletalMeshComponent* FP_Gun;//[Offset: 0x4c0, Size: 0x8]
    SceneComponent* FP_MuzzleLocation;//[Offset: 0x4c8, Size: 0x8]  // 槍口位置
    SkeletalMeshComponent* VR_Gun;//[Offset: 0x4d0, Size: 0x8]
    SceneComponent* VR_MuzzleLocation;//[Offset: 0x4d8, Size: 0x8]
    CameraComponent* FirstPersonCameraComponent;//[Offset: 0x4e0, Size: 0x8]
    MotionControllerComponent* R_MotionController;//[Offset: 0x4e8, Size: 0x8]  // for VR
    MotionControllerComponent* L_MotionController;//[Offset: 0x4f0, Size: 0x8]  // for VR
    float BaseTurnRate;//[Offset: 0x4f8, Size: 0x4]         // 左右轉向速率
    float BaseLookUpRate;//[Offset: 0x4fc, Size: 0x4]       // 上下轉向速率
    Vector GunOffset;//[Offset: 0x500, Size: 0xc]
    class MyProjectProjectile* ProjectileClass;//[Offset: 0x510, Size: 0x8]
    SoundBase* FireSound;//[Offset: 0x518, Size: 0x8]
    AnimMontage* FireAnimation;//[Offset: 0x520, Size: 0x8]
    bool bUsingMotionControllers;//(ByteOffset: 0, ByteMask: 1, FieldMask: 1)[Offset: 0x528, Size: 0x1]
    float RecoilPitch;//[Offset: 0x52c, Size: 0x4]              // 後座力
    float RecoilYaw;//[Offset: 0x530, Size: 0x4]                // 後座偏航
    float RecoilRecoverySpeed;//[Offset: 0x534, Size: 0x4]      // 後座力恢復速度
    float RecoilAccumulationRate;//[Offset: 0x538, Size: 0x4]   // 後座力累積率
 
Class: MyProjectProjectile.Actor.Object
    SphereComponent* CollisionComp;//[Offset: 0x220, Size: 0x8]
    ProjectileMovementComponent* ProjectileMovement;//[Offset: 0x228, Size: 0x8]
    void OnHit(PrimitiveComponent* HitComp, Actor* OtherActor, PrimitiveComponent* OtherComp, Vector NormalImpulse, out const HitResult Hit);// 0x67138e8
Class: MyProjectCharacter.Character.Pawn.Actor.Object
    SkeletalMeshComponent* Mesh1P;//[Offset: 0x4b8, Size: 0x8]
    SkeletalMeshComponent* FP_Gun;//[Offset: 0x4c0, Size: 0x8]
    SceneComponent* FP_MuzzleLocation;//[Offset: 0x4c8, Size: 0x8]  // 槍口位置
    SkeletalMeshComponent* VR_Gun;//[Offset: 0x4d0, Size: 0x8]
    SceneComponent* VR_MuzzleLocation;//[Offset: 0x4d8, Size: 0x8]
    CameraComponent* FirstPersonCameraComponent;//[Offset: 0x4e0, Size: 0x8]
    MotionControllerComponent* R_MotionController;//[Offset: 0x4e8, Size: 0x8]  // for VR
    MotionControllerComponent* L_MotionController;//[Offset: 0x4f0, Size: 0x8]  // for VR
    float BaseTurnRate;//[Offset: 0x4f8, Size: 0x4]         // 左右轉向速率
    float BaseLookUpRate;//[Offset: 0x4fc, Size: 0x4]       // 上下轉向速率
    Vector GunOffset;//[Offset: 0x500, Size: 0xc]
    class MyProjectProjectile* ProjectileClass;//[Offset: 0x510, Size: 0x8]
    SoundBase* FireSound;//[Offset: 0x518, Size: 0x8]
    AnimMontage* FireAnimation;//[Offset: 0x520, Size: 0x8]
    bool bUsingMotionControllers;//(ByteOffset: 0, ByteMask: 1, FieldMask: 1)[Offset: 0x528, Size: 0x1]
    float RecoilPitch;//[Offset: 0x52c, Size: 0x4]              // 後座力
    float RecoilYaw;//[Offset: 0x530, Size: 0x4]                // 後座偏航
    float RecoilRecoverySpeed;//[Offset: 0x534, Size: 0x4]      // 後座力恢復速度
    float RecoilAccumulationRate;//[Offset: 0x538, Size: 0x4]   // 後座力累積率
 
Class: MyProjectProjectile.Actor.Object
    SphereComponent* CollisionComp;//[Offset: 0x220, Size: 0x8]
    ProjectileMovementComponent* ProjectileMovement;//[Offset: 0x228, Size: 0x8]
    void OnHit(PrimitiveComponent* HitComp, Actor* OtherActor, PrimitiveComponent* OtherComp, Vector NormalImpulse, out const HitResult Hit);// 0x67138e8
function hook_onHit() {
    // void OnHit(PrimitiveComponent* HitComp, Actor* OtherActor, PrimitiveComponent* OtherComp, Vector NormalImpulse, out const HitResult Hit);// 0x67138e8
    Interceptor.attach(base.add(0x6711D34), {
        onEnter: function(args) {
            console.log("[onHit] enter: ", JSON.stringify(getCameraRotation()))
        },
        onLeave: function() {
            // setCameraRotation([100, 200, 0])
            console.log("[onHit] leave: ", JSON.stringify(getCameraRotation()))
 
        }
    })
}
function hook_onHit() {
    // void OnHit(PrimitiveComponent* HitComp, Actor* OtherActor, PrimitiveComponent* OtherComp, Vector NormalImpulse, out const HitResult Hit);// 0x67138e8
    Interceptor.attach(base.add(0x6711D34), {
        onEnter: function(args) {
            console.log("[onHit] enter: ", JSON.stringify(getCameraRotation()))
        },
        onLeave: function() {
            // setCameraRotation([100, 200, 0])
            console.log("[onHit] leave: ", JSON.stringify(getCameraRotation()))
 
        }
    })
}
function patch_mb_aimbot() {
    Interceptor.replace(base.add(0x8B3861C), new NativeCallback(() => {
        console.log("patch mb_aimbot")
    }, "void", []))
}
function patch_mb_aimbot() {
    Interceptor.replace(base.add(0x8B3861C), new NativeCallback(() => {
        console.log("patch mb_aimbot")
    }, "void", []))
}
[hook_aimbot]
799fa8e604 is in libUE4.so offset: 0x8f9b604
799fa92444 is in libUE4.so offset: 0x8f9f444
799fa9a358 is in libUE4.so offset: 0x8fa7358
799fcf0b8c is in libUE4.so offset: 0x91fdb8c
799d2c1bb0 is in libUE4.so offset: 0x67cebb0
799d2c1730 is in libUE4.so offset: 0x67ce730
799d2c0e24 is in libUE4.so offset: 0x67cde24
799fcecc04 is in libUE4.so offset: 0x91f9c04
799fcea3bc is in libUE4.so offset: 0x91f73bc
799f82e760 is in libUE4.so offset: 0x8d3b760
799f6f98f0 is in libUE4.so offset: 0x8c068f0
799d93f614 is in libUE4.so offset: 0x6e4c614
799c5ee728 is in libUE4.so offset: 0x5afb728
799c5e83bc is in libUE4.so offset: 0x5af53bc
799c5e6514 is in libUE4.so offset: 0x5af3514
[hook_aimbot]
79a03df660 is in libUE4.so offset: 0x98ec660
799fcf0b8c is in libUE4.so offset: 0x91fdb8c
799d2c1bb0 is in libUE4.so offset: 0x67cebb0
799d2c1730 is in libUE4.so offset: 0x67ce730
799d2c0e24 is in libUE4.so offset: 0x67cde24
799fcecc04 is in libUE4.so offset: 0x91f9c04
799fcea3bc is in libUE4.so offset: 0x91f73bc
799f82e760 is in libUE4.so offset: 0x8d3b760
799f6f98f0 is in libUE4.so offset: 0x8c068f0
799d93f614 is in libUE4.so offset: 0x6e4c614
799c5ee728 is in libUE4.so offset: 0x5afb728
799c5e83bc is in libUE4.so offset: 0x5af53bc
799c5e6514 is in libUE4.so offset: 0x5af3514
[hook_aimbot]
799fa8e604 is in libUE4.so offset: 0x8f9b604
799fa92444 is in libUE4.so offset: 0x8f9f444
799fa9a358 is in libUE4.so offset: 0x8fa7358
799fcf0b8c is in libUE4.so offset: 0x91fdb8c
799d2c1bb0 is in libUE4.so offset: 0x67cebb0
799d2c1730 is in libUE4.so offset: 0x67ce730
799d2c0e24 is in libUE4.so offset: 0x67cde24
799fcecc04 is in libUE4.so offset: 0x91f9c04
799fcea3bc is in libUE4.so offset: 0x91f73bc
799f82e760 is in libUE4.so offset: 0x8d3b760
799f6f98f0 is in libUE4.so offset: 0x8c068f0
799d93f614 is in libUE4.so offset: 0x6e4c614
799c5ee728 is in libUE4.so offset: 0x5afb728
799c5e83bc is in libUE4.so offset: 0x5af53bc
799c5e6514 is in libUE4.so offset: 0x5af3514
[hook_aimbot]
79a03df660 is in libUE4.so offset: 0x98ec660
799fcf0b8c is in libUE4.so offset: 0x91fdb8c
799d2c1bb0 is in libUE4.so offset: 0x67cebb0
799d2c1730 is in libUE4.so offset: 0x67ce730
799d2c0e24 is in libUE4.so offset: 0x67cde24
799fcecc04 is in libUE4.so offset: 0x91f9c04
799fcea3bc is in libUE4.so offset: 0x91f73bc
799f82e760 is in libUE4.so offset: 0x8d3b760
799f6f98f0 is in libUE4.so offset: 0x8c068f0
799d93f614 is in libUE4.so offset: 0x6e4c614
799c5ee728 is in libUE4.so offset: 0x5afb728
799c5e83bc is in libUE4.so offset: 0x5af53bc
799c5e6514 is in libUE4.so offset: 0x5af3514
[hook_aimbot]
799d2f83fc is in libUE4.so offset: 0x670f3fc
7a136f0c94 is in libart.so offset: 0x2e6c94
799d2f8eb0 is in libUE4.so offset: 0x670feb0
799fe51e38 is in libUE4.so offset: 0x9268e38
799fe4fe04 is in libUE4.so offset: 0x9266e04
799fb8958c is in libUE4.so offset: 0x8fa058c
799fb886f4 is in libUE4.so offset: 0x8f9f6f4
799d3b9420 is in libUE4.so offset: 0x67d0420
799fb88374 is in libUE4.so offset: 0x8f9f374
799f49b7bc is in libUE4.so offset: 0x88b27bc
799fb90358 is in libUE4.so offset: 0x8fa7358
799fde6b8c is in libUE4.so offset: 0x91fdb8c
799d3b7bb0 is in libUE4.so offset: 0x67cebb0
799d3b7730 is in libUE4.so offset: 0x67ce730
799d3b6e24 is in libUE4.so offset: 0x67cde24
799fde2c04 is in libUE4.so offset: 0x91f9c04
[hook_aimbot]
799d2f83fc is in libUE4.so offset: 0x670f3fc
7a136f0c94 is in libart.so offset: 0x2e6c94
799d2f8eb0 is in libUE4.so offset: 0x670feb0
799fe51e38 is in libUE4.so offset: 0x9268e38
799fe4fe04 is in libUE4.so offset: 0x9266e04
799fb8958c is in libUE4.so offset: 0x8fa058c
799fb886f4 is in libUE4.so offset: 0x8f9f6f4
799d3b9420 is in libUE4.so offset: 0x67d0420
799fb88374 is in libUE4.so offset: 0x8f9f374
799f49b7bc is in libUE4.so offset: 0x88b27bc
799fb90358 is in libUE4.so offset: 0x8fa7358
799fde6b8c is in libUE4.so offset: 0x91fdb8c
799d3b7bb0 is in libUE4.so offset: 0x67cebb0
799d3b7730 is in libUE4.so offset: 0x67ce730
799d3b6e24 is in libUE4.so offset: 0x67cde24
799fde2c04 is in libUE4.so offset: 0x91f9c04
Interceptor.replace(base.add(0x670F110), new NativeCallback(() => {
    return 1;
}, "int", []))
Interceptor.replace(base.add(0x670F110), new NativeCallback(() => {
    return 1;
}, "int", []))
function hook_680B790() {
    Interceptor.attach(base.add(0x680B790), {
        onEnter: function(args) {
            this.a1 = args[1];
            console.log("a0: ", args[0].readUtf16String());
            console.log("a1: ", args[1].readUtf16String());
        },
        onLeave: function(retval) {
            console.log("res: ", retval);
 
        }
    })
}
function hook_680B790() {
    Interceptor.attach(base.add(0x680B790), {
        onEnter: function(args) {
            this.a1 = args[1];
            console.log("a0: ", args[0].readUtf16String());
            console.log("a1: ", args[1].readUtf16String());
        },
        onLeave: function(retval) {
            console.log("res: ", retval);
 
        }
    })
}
a0:  BigWall
a1:  EditorCube8
res:  0xfffffffd
a0:  BigWall2   
a1:  EditorCube8
res:  0xfffffffd
a0:  EditorCube10
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube11
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube12
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube13
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube14
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube15
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube16
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube17
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube18
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube19
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube20
a1:  EditorCube8
res:  0xfffffffa
a0:  EditorCube21
a1:  EditorCube8
res:  0xfffffffa
a0:  EditorCube8
a1:  EditorCube8
res:  0x0
a0:  EditorCube9
a1:  EditorCube8
res:  0x1
a0:  Floor_12
a1:  EditorCube8
res:  0x1
a0:  Wall1
a1:  EditorCube8
res:  0x12
a0:  Wall2_11
a1:  EditorCube8
res:  0x12
a0:  Wall3
a1:  EditorCube8
res:  0x12
a0:  Wall4
a1:  EditorCube8
res:  0x12
a0:  ../../../MyProject/Saved/Config/Android/Engine.ini
a1:  ../../../MyProject/Saved/Config/Android/Engine.ini
res:  0x0
a0:  true
a1:  True
res:  0x0
a0:  Android
a1:  Android
res:  0x0
a0:  Android
a1:  Android
res:  0x0
a0:  Android
a1:  Android
res:  0x0
a0:  BigWall
a1:  EditorCube8
res:  0xfffffffd
a0:  BigWall2   
a1:  EditorCube8
res:  0xfffffffd
a0:  EditorCube10
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube11
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube12
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube13
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube14
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube15
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube16
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube17
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube18
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube19
a1:  EditorCube8
res:  0xfffffff9
a0:  EditorCube20
a1:  EditorCube8
res:  0xfffffffa
a0:  EditorCube21
a1:  EditorCube8
res:  0xfffffffa
a0:  EditorCube8
a1:  EditorCube8
res:  0x0
a0:  EditorCube9
a1:  EditorCube8
res:  0x1
a0:  Floor_12
a1:  EditorCube8
res:  0x1
a0:  Wall1
a1:  EditorCube8
res:  0x12
a0:  Wall2_11
a1:  EditorCube8
res:  0x12
a0:  Wall3
a1:  EditorCube8
res:  0x12
a0:  Wall4
a1:  EditorCube8
res:  0x12
a0:  ../../../MyProject/Saved/Config/Android/Engine.ini
a1:  ../../../MyProject/Saved/Config/Android/Engine.ini
res:  0x0
a0:  true
a1:  True
res:  0x0
a0:  Android
a1:  Android
res:  0x0
a0:  Android
a1:  Android
res:  0x0
a0:  Android
a1:  Android
res:  0x0
Interceptor.attach(base.add(0x680B790), {
    onEnter: function(args) {
        this.a1 = args[1];
    },
    onLeave: function(retval) {
        if (this.a1.readUtf16String() == "EditorCube8") {
            retval.replace(5);
        }
    }
})
Interceptor.attach(base.add(0x680B790), {
    onEnter: function(args) {
        this.a1 = args[1];
    },
    onLeave: function(retval) {
        if (this.a1.readUtf16String() == "EditorCube8") {
            retval.replace(5);
        }
    }
})
function calcTargetOffset(targetLoc, cameraLoc) {
    let x = targetLoc.x - cameraLoc.x;
    let y = targetLoc.y - cameraLoc.y;
    let z = targetLoc.z - cameraLoc.z;
 
    let angleX = 0;
    let angleY = 0;
 
    if (x > 0 && y == 0) angleX = 0;
    if (x > 0 && y > 0) angleX = Math.abs(Math.atan(y / x)) / Math.PI * 180;
 
    if (x == 0 && y > 0) angleX = 90;
    if (x < 0 && y > 0) angleX = 90 + Math.abs(Math.atan(x / y)) / Math.PI * 180;
 
    if (x < 0 && y == 0) angleX = 180;
    if (x < 0 && y < 0) angleX = 180 + Math.abs(Math.atan(y / x)) / Math.PI * 180;
 
    if (x == 0 && y < 0) angleX = 270;
    if (x > 0 && y < 0) angleX = 270 + Math.abs(Math.atan(x / y)) / Math.PI * 180;
 
    if (angleX < 0) {
        angleX += 360;
    }
     
    if (angleX > 360) {
        angleX -= 360;
    }
 
    angleY = Math.atan(z / Math.sqrt(x * x + y * y)) / Math.PI * 180;
 
    if (angleY < 0) {
        angleY += 360;
    }
 
    return [angleY, angleX, 0]
 
}
function calcTargetOffset(targetLoc, cameraLoc) {
    let x = targetLoc.x - cameraLoc.x;
    let y = targetLoc.y - cameraLoc.y;
    let z = targetLoc.z - cameraLoc.z;
 
    let angleX = 0;
    let angleY = 0;
 
    if (x > 0 && y == 0) angleX = 0;
    if (x > 0 && y > 0) angleX = Math.abs(Math.atan(y / x)) / Math.PI * 180;
 
    if (x == 0 && y > 0) angleX = 90;
    if (x < 0 && y > 0) angleX = 90 + Math.abs(Math.atan(x / y)) / Math.PI * 180;
 
    if (x < 0 && y == 0) angleX = 180;
    if (x < 0 && y < 0) angleX = 180 + Math.abs(Math.atan(y / x)) / Math.PI * 180;
 
    if (x == 0 && y < 0) angleX = 270;
    if (x > 0 && y < 0) angleX = 270 + Math.abs(Math.atan(x / y)) / Math.PI * 180;
 
    if (angleX < 0) {
        angleX += 360;
    }
     
    if (angleX > 360) {
        angleX -= 360;
    }
 
    angleY = Math.atan(z / Math.sqrt(x * x + y * y)) / Math.PI * 180;
 
    if (angleY < 0) {
        angleY += 360;
    }
 
    return [angleY, angleX, 0]
 
}
Class: MyProjectCharacter.Character.Pawn.Actor.Object
        // ...
        Vector GunOffset;//[Offset: 0x500, Size: 0xc]
Class: MyProjectCharacter.Character.Pawn.Actor.Object
        // ...
        Vector GunOffset;//[Offset: 0x500, Size: 0xc]
// libUE4 base: 6f6c74e000
1. PC: 0x6F7307EA6C (0x6930A6C)   LR: 0x6F7307EA68
2. PC: 0x6F7307EA7C (0x6930A7C)   LR: 0x6F7307EA68
// libUE4 base: 6f6c74e000
1. PC: 0x6F7307EA6C (0x6930A6C)   LR: 0x6F7307EA68
2. PC: 0x6F7307EA7C (0x6930A7C)   LR: 0x6F7307EA68
6f72e75e24 is in libUE4.so offset: 0x670fe24
6f72e75658 is in libUE4.so offset: 0x670f658 (位於0x670F110)
6f72e75eb0 is in libUE4.so offset: 0x670feb0
6f72e75eb0 is in libUE4.so offset: 0x670feb0
6f759cee38 is in libUE4.so offset: 0x9268e38
6f759cce04 is in libUE4.so offset: 0x9266e04
6fe951f09c is in libart.so offset: 0x59b09c
6f72e75e24 is in libUE4.so offset: 0x670fe24
6f72e75658 is in libUE4.so offset: 0x670f658 (位於0x670F110)
6f72e75eb0 is in libUE4.so offset: 0x670feb0
6f72e75eb0 is in libUE4.so offset: 0x670feb0
6f759cee38 is in libUE4.so offset: 0x9268e38
6f759cce04 is in libUE4.so offset: 0x9266e04
6fe951f09c is in libart.so offset: 0x59b09c
function hook_rand() {
    Interceptor.attach(Module.findExportByName(null, "rand"), {
        onLeave: function(retval) {
            retval.replace(100);
            console.log("[rand] res: ", retval);
        }
    })
}
function hook_rand() {
    Interceptor.attach(Module.findExportByName(null, "rand"), {
        onLeave: function(retval) {
            retval.replace(100);
            console.log("[rand] res: ", retval);
        }
    })
}
function hook_process_before_shoot() {
    Interceptor.attach(base.add(0x670F110), {
        onEnter: function(args) {
            let val = args[0].add(0x528).readU8();
            args[0].add(0x528).writeU8(val | 1);
            console.log("[process_before_shoot] a1[0x14A] & 1: ", args[0].add(0x528).readU8() & 1)
        },
        onLeave: function(retval) {
             
             
        }
    })
}
function hook_process_before_shoot() {
    Interceptor.attach(base.add(0x670F110), {
        onEnter: function(args) {
            let val = args[0].add(0x528).readU8();
            args[0].add(0x528).writeU8(val | 1);
            console.log("[process_before_shoot] a1[0x14A] & 1: ", args[0].add(0x528).readU8() & 1)
        },
        onLeave: function(retval) {
             
             
        }
    })
}
Class: MyProjectCharacter.Character.Pawn.Actor.Object
    SkeletalMeshComponent* Mesh1P;//[Offset: 0x4b8, Size: 0x8]
    SkeletalMeshComponent* FP_Gun;//[Offset: 0x4c0, Size: 0x8]
    SceneComponent* FP_MuzzleLocation;//[Offset: 0x4c8, Size: 0x8]  // 槍口位置
    SkeletalMeshComponent* VR_Gun;//[Offset: 0x4d0, Size: 0x8]
    SceneComponent* VR_MuzzleLocation;//[Offset: 0x4d8, Size: 0x8]
Class: MyProjectCharacter.Character.Pawn.Actor.Object
    SkeletalMeshComponent* Mesh1P;//[Offset: 0x4b8, Size: 0x8]
    SkeletalMeshComponent* FP_Gun;//[Offset: 0x4c0, Size: 0x8]
    SceneComponent* FP_MuzzleLocation;//[Offset: 0x4c8, Size: 0x8]  // 槍口位置
    SkeletalMeshComponent* VR_Gun;//[Offset: 0x4d0, Size: 0x8]
    SceneComponent* VR_MuzzleLocation;//[Offset: 0x4d8, Size: 0x8]
function hook_test() {
 
    Interceptor.attach(base.add(0x670F110), {
        onEnter: function(args) {
            console.log("[process_before_shoot]");
            let VR_MuzzleLocation = args[0].add(0x4D8)
            VR_MuzzleLocation.writePointer(All_Objects["MuzzleLocation"])
            printName(VR_MuzzleLocation.readPointer());
             
        },
        onLeave: function(retval) {
             
 
        }
    })
}
function hook_test() {
 
    Interceptor.attach(base.add(0x670F110), {
        onEnter: function(args) {
            console.log("[process_before_shoot]");
            let VR_MuzzleLocation = args[0].add(0x4D8)
            VR_MuzzleLocation.writePointer(All_Objects["MuzzleLocation"])
            printName(VR_MuzzleLocation.readPointer());
             
        },
        onLeave: function(retval) {
             
 
        }
    })
}
Class: SceneComponent.ActorComponent.Object
    //...
    Vector RelativeLocation;//[Offset: 0x11c, Size: 0xc]
    Rotator RelativeRotation;//[Offset: 0x128, Size: 0xc]
Class: SceneComponent.ActorComponent.Object
    //...
    Vector RelativeLocation;//[Offset: 0x11c, Size: 0xc]
    Rotator RelativeRotation;//[Offset: 0x128, Size: 0xc]
function fix_MuzzleLocation() {
    Interceptor.attach(base.add(0x670F110), {
        onEnter: function(args) {
            console.log("[process_before_shoot]");
            /* API */
            let K2_SetRelativeLocation = new NativeFunction(base.add(0x8AE6D70), "void", ["pointer", "float", "float", "float", "bool", "pointer", "bool"]);
            let K2_SetRelativeRotation = new NativeFunction(base.add(0x8AE6F00), "void", ["pointer", "float", "float", "float", "bool", "pointer", "bool"]);
 
            // K2_SetRelativeLocation(All_Objects["MuzzleLocation"], 0, 0, 0, 0, ptr(0), 0);
            K2_SetRelativeRotation(All_Objects["MuzzleLocation"], 0, 90, 0, 0, ptr(0), 0);
             
            /* Prop */
            let RelativeLocation = All_Objects["MuzzleLocation"].add(0x11c);
            let RelativeRotation = All_Objects["MuzzleLocation"].add(0x128);
 
            console.log("location: ", JSON.stringify(readVector(RelativeLocation)))
            console.log("rotation: ", JSON.stringify(readVector(RelativeRotation)))
 
            // Replace
            let MuzzleLocation = args[0].add(0x4D8)
            MuzzleLocation.writePointer(All_Objects["MuzzleLocation"])
             
        },
        onLeave: function(retval) {
        }
    })
}
function fix_MuzzleLocation() {
    Interceptor.attach(base.add(0x670F110), {
        onEnter: function(args) {
            console.log("[process_before_shoot]");
            /* API */
            let K2_SetRelativeLocation = new NativeFunction(base.add(0x8AE6D70), "void", ["pointer", "float", "float", "float", "bool", "pointer", "bool"]);
            let K2_SetRelativeRotation = new NativeFunction(base.add(0x8AE6F00), "void", ["pointer", "float", "float", "float", "bool", "pointer", "bool"]);
 
            // K2_SetRelativeLocation(All_Objects["MuzzleLocation"], 0, 0, 0, 0, ptr(0), 0);
            K2_SetRelativeRotation(All_Objects["MuzzleLocation"], 0, 90, 0, 0, ptr(0), 0);
             
            /* Prop */
            let RelativeLocation = All_Objects["MuzzleLocation"].add(0x11c);
            let RelativeRotation = All_Objects["MuzzleLocation"].add(0x128);
 
            console.log("location: ", JSON.stringify(readVector(RelativeLocation)))

[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!

收藏
免费 10
支持
分享
最新回复 (17)
.KK
雪    币: 3584
活跃值: (9385)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
.KK
2
tql~
2025-4-14 10:10
0
ngiokweng
雪    币: 6803
活跃值: (5990)
能力值: ( LV12,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
3
.KK tql~
2025-4-14 10:15
0
陈可牛
雪    币: 6474
活跃值: (6162)
能力值: ( LV5,RANK:76 )
在线值:
发帖
回帖
粉丝
私信
4
后续方向应该还是游戏吧
2025-4-14 10:22
0
ngiokweng
雪    币: 6803
活跃值: (5990)
能力值: ( LV12,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
5
陈可牛 后续方向应该还是游戏吧[em_065]
希望是吧
2025-4-14 10:30
0
安卓逆向test
雪    币: 495
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
6
好家伙,原来这个比赛已经开始了吗,不过是ue游戏我也不会搞
2025-4-14 10:30
0
ngiokweng
雪    币: 6803
活跃值: (5990)
能力值: ( LV12,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
7
安卓逆向test 好家伙,原来这个比赛已经开始了吗,不过是ue游戏我也不会搞
昨天剛比完決賽
2025-4-14 10:39
0
Kevin·
雪    币: 28
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
8
太强了大佬
2025-4-14 14:55
0
wx_Dispa1r
雪    币: 1566
活跃值: (3157)
能力值: ( LV4,RANK:55 )
在线值:
发帖
回帖
粉丝
私信
9
太强了老哥,能分享下初赛和决赛的附件吗
2025-4-15 10:51
0
ngiokweng
雪    币: 6803
活跃值: (5990)
能力值: ( LV12,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
10
wx_Dispa1r 太强了老哥,能分享下初赛和决赛的附件吗
文件有點大, 我放網盤了:
初賽: a6aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3y4G2L8g2)9J5c8Y4y4Q4x3V1j5I4K9p5#2r3j5g2m8n7k6q4)9J5k6r3#2F1K9e0k6j5f1o6y4m8e0s2W2z5N6p5y4m8i4K6y4r3M7s2N6V1i4K6y4p5y4e0c8C8P5l9`.`.
決賽: 868K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3y4G2L8g2)9J5c8Y4y4Q4x3V1j5I4y4#2p5J5K9Y4c8Y4h3i4Z5@1k6X3g2B7d9i4k6t1k6$3V1$3x3V1q4z5k6#2)9K6c8Y4m8%4k6q4)9K6c8r3A6Y4z5r3V1`.
2025-4-15 10:58
1
wx_Dispa1r
雪    币: 1566
活跃值: (3157)
能力值: ( LV4,RANK:55 )
在线值:
发帖
回帖
粉丝
私信
11
ngiokweng 文件有點大, 我放網盤了: 初賽: cebK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3y4G2L8g2)9J5c8Y4y4Q4x3V1j5I4K9p5#2r3j5g2m8n7k6q4)9J5k6r3#2F1K9e0k6j5f1o6y4m8e0s2W2z5N6p5y4m8i4K6y4r3M7s2N6V1i4K6y4p5y4e0c8C8P5l9`.`. 決賽: 4b4K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3x3`. ...
谢谢~
2025-4-15 11:06
0
灬哈密瓜
雪    币: 3102
活跃值: (2723)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
12
ngiokweng 文件有點大, 我放網盤了: 初賽: 決賽: ...

感谢

最后于 2025-4-15 15:53 被灬哈密瓜编辑 ,原因:
2025-4-15 15:51
0
嘎嘎真的很棒
雪    币: 744
活跃值: (2757)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
13
师傅,运行
./ue4dumper64 --sdku --newue --gname 0xADF07C0 --guobj 0xAE34A98 --package com.ACE2025.Game
输出
Process name: com.ACE2025.Game, Pid: 2940
Base Address of libUE4.so Found At 73cdeb3000
Dumping SDK List
Objects Counts: 15612
就一直卡着不动了,没啥反应,设备问题吗还是。
2025-4-16 16:10
0
ngiokweng
雪    币: 6803
活跃值: (5990)
能力值: ( LV12,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
14
嘎嘎真的很棒 师傅,运行 ./ue4dumper64 --sdku --newue --gname 0xADF07C0 --guobj 0xAE34A98 --package com.ACE2025.Game ...
我也遇過這問題, 重試幾次或者重開機看看吧, 不行的話用frida版本的ue4dumper: f19K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6Z5j5h3y4C8j5$3q4@1L8h3I4Q4x3V1k6X3M7X3W2V1j5g2)9J5k6s2g2W2y4r3c8#2L8i4m8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6t1^5i4@1f1&6i4K6R3H3i4K6V1&6i4@1f1#2i4K6R3H3i4K6S2n7i4@1f1^5i4K6R3J5i4@1q4r3i4@1f1#2i4@1q4q4i4K6W2m8i4@1f1#2i4K6S2r3i4@1q4r3i4@1f1@1i4@1u0n7i4@1p5#2i4K6t1&6
2025-4-16 16:16
0
嘎嘎真的很棒
雪    币: 744
活跃值: (2757)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
15
ngiokweng 我也遇過這問題, 重試幾次或者重開機看看吧, 不行的話用frida版本的ue4dumper: d35K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6Z5j5h3y4C8j5$3q4@1L8h3I4Q4x3V1k6X3M7X3W2V1j5g2)9J5k6s2g2W2y4r3c8#2L8i4l9`. (這個肯定可以)
可以了师傅,感谢
2025-4-16 21:24
0
xxxxxxxxxoo
雪    币: 2043
活跃值: (365)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
16
我觉得游戏安全这个事情真的很难做好,因为写挂的 只需要攻破某一些点就可以取得不对称的优势。而防御的,是要防范全部。而且防御方,需要游戏的玩家配合才能做到完善的防御,但是玩家往往是希望开挂的那一方,别人根本不会配合游戏厂商防御。
2025-4-17 04:40
0
MsScotch
雪    币: 3653
活跃值: (3356)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
17
有lanzou 盘么,BD是真的龟速啊
2025-4-18 08:31
0
x1aob1n
雪    币: 3
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
18
嘎嘎真的很棒 师傅,运行 ./ue4dumper64 --sdku --newue --gname 0xADF07C0 --guobj 0xAE34A98 --package com.ACE2025.Game ...
要用v0.21的newue+参数,v0.20的newue就是会卡住
2026-1-11 15:32
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回