Awesome
ts-ue4dumper
Using TypeScript and Frida to do UE4dump, highly based on project frida-ue4dump. But it is more modular, and uses C++ to get offsets, making it easier to read and modify.
- UE4 version : 4.26~4.27
- Frida version : 16.4.1
- Tested on
com.netease.race
andcom.ShuiSha.FPS2
.
What should you do before using it
- Manually find the offset in libUE4.so and replace them in
utils/GAME.cpp
- Modify CMakeList.txt to build your own so, or use the so in
utils/output
.libUE4Offset_1.so
forcom.netease.race
, andlibUE4Offset_2.so
forcom.ShuiSha.FPS2
or other game that has standard offset. - push the offset-so to the phone
How to compile & load
$ git clone https://github.com/yring-me/ts-ue4dumper.git
$ cd frida-agent/
$ npm install
$ adb push ./utils/output/libUE4Offset_1.so /data/local/tmp/libUE4Offset.so
$ frida -U -f com.example.android --no-pause -l _agent.js
How to dump
In frida terminal
$ rpc.exports.DumpSdk()
$ rpc.exports DumpActor()
In terminal
adb pull /sdcard/dump.txt dump.txt
Development workflow
To continuously recompile on change, keep this running in a terminal:
$ npm run watch
To switch the Game between com.netease.race
and com.ShuiSha.FPS2
, in utils/GAME.h
#define COM_NETEASE_RACE 1 // true for com.netease.race, false for com.ShuiSha.FPS2 or standard offset
Some issues
dlopen failed: couldn't map "/data/local/tmp/xxx.so" segment 1: Permission denied
$ adb shell
$ su
$ getenforce // output: Enforcing
$ setenforce 0
$ getenforce // output: Permissive