Reverse Unreal Engine Games Using IDA Pro.
A REAL fcking spoiler. Don't look at this spoiler or use this tool if you actually want to learn.
Spoiler
I made a tool that automatically does everything in this tutorial. I highly encourage you to learn first, then be lazy about it. If you don't push yourself to learn, you will never make tools like this:
https://github.com/Do0ks/GSpots
It's still in development..
I've been giving this some thought, dreading every second of this because I hate making tutorials and this is going to be stupid long, but I did want to take the time to make this tutorial. Reversing Unreal Engine games is actually quite simple, just as easy as unity games in my opinion. Sorry for any typos or spelling errors I'll most likely make as I'm going to try to blow through this as quick as I can. I will try to touch on everything I can. Somethings I will tell you to google. I have to pick and choose battles, but if something is unclear don't hesitate to leave a comment.
I know there's some "cool" tools out there. There's Unreal dumpers that work directly with Cheat Engine, however these tools really make us lazy.. At least it did for me, and what do you really learn from it? How to click a few buttons? Dope... Let's get our hands dirty, find GWorld, GNames and GObjects base addresses in IDA Pro, Load them into a dumper called UEDumper and make some pretty baller Cheat Engine tables.
Scope Overview:
This tutorial focuses on advanced reverse-engineering techniques using IDA Pro to identify critical Unreal Engine components—GWorld, GNames, and GObjects—within any game. We will explore two primary methods:
Custom Game Analysis:
Develop a custom game as a controlled reference to better understand the underlying structure. I will be mainly covering the custom game as a controlled reference
Signature and Offset Extraction:
Utilize a specialized IDA Pro plugin to extract reliable Array of Bytes (AOB) signatures from your reference game. These signatures will serve as a basis for searching and identifying corresponding patterns in the target game. Additionally, integrate UEDumper to efficiently locate the necessary offsets to develop Cheat Engine Tables.
Prerequisite:
IDA Pro (Ghidra will work too, I won't be covering it though)
Unreal Engine Dumper - UEDumper
IDA plugin - SigMaker
Visual Studio
Epic Game Launcher
Okay, now that nonsense is out of the way, let's pick a game. Any Unreal game will do, but for this tutorial I'm going to choose a game off Steam called Easy Shooter. Perfect for our tutorial because the developer has abounded the game, It has horrible reviews and little to no effort was placed into building the game (all this really doesn't matter). Download your game!
Checking The Games Architecture:
I actually forgot about this part, lets just get this out of the way. We need to find out if the game we are reversing is a 32-bit or 64-bit game. We can easily do this by running the game, pressing CTRL+SHIFT+ESC >> Navigate to "Details" and looks for our game.
Spoiler
x64. Take Note.
Checking Unreal Engine Version:
Once you've download your game you want to reverse, navigate to the local directory where the game is saved. You can easily do this though your Steam client; Right Click your game >> Manage >> Browse local files.
Spoiler
This will open the directory where your the steam game is located. Now navigate to:
GameName (EasyShooter in this case) >> Binaries >> Win64 (may be Win32, still relevant)
You should see your games EXE.
Right Click >> Properties >> Details >> Under "Product Version".
Spoiler
4.22. Take Note.
Unreal Version not displayed here?:
Spoiler
Here is my source code that you can use to automatically find the version of Unreal Engine the game is running. All you need to do it build it into a .dll in Visual Studio and inject it into the running game. A message box will prompt telling you the Unreal Engine Version, then the game should close. I'm not going to explain how to do this, if you're at this stage in your game hacking journey you should know how to build and inject things.
⠀
https://github.com/Do0ks/UEVersionScanner
⠀
If you're not using Visual Studio to build, remove #include "pch.h"
Why are we doing this? We need to identify the Unreal Engine version used in the game we're reverse engineering so that we can develop a matching version for a solid point of comparison. As you may have experienced, decompiled pseudocode is often difficult to interpret without proper context, and having an accurate comparison can significantly simplify the reversal process.
Typically, the Unreal Engine version the original developer employed is the same one we would use. However, there are exceptions. Developers can download the Unreal Engine source code and modify its functionality to make decompilation more challenging. For example, Fortnite uses a proprietary version of Unreal, meaning its open-source code won’t align with the standard version—making this method less effective, especially since we aren’t reverse engineering online games.
One final point: some people prefer to work directly with the source code instead of creating and decompiling an additional game for comparison. While this approach is certainly possible, it leaves more room for errors. Since this tutorial is aimed at beginners using IDA and not necessary the coding aspect, we’ll focus on the less error-prone method. Let’s move on..
Let's Build A Game!
I'm assuming you already have epic. If not, Google it and install it. If not still, Here you go Epic Download 
.
After, launch Epic >> Left side click Unreal Engine >> Top bar click "Library" >> Click the plus sign >> Click the version number >> Pick the appropriate version number (4.22 for the tutorial) >> Click install... What a convoluted process.
Spoiler
Note: Disregard the patch number 4.22.3. Only focus on the major and minor version numbers 4.22.3
Once Installed, Click Launch.
This is where it gets weird. Because Unreal Engine changes between major versions, depending on what version you have the process on how to build the game changes. I'm going to cover UE4 and 5, just incase you have a game on something like 5.5, while I'm reversing 4.22.
Once launched, under New Project, pick either first or third person blueprint (I don't think it really matters, I always just choose third person). Pick the file path where you want your fame to be saved and give it a name, then click "Create Project".
Spoiler
Once Unreal has finished loading, there's only 2 things we need to do. We need to include debugging files with out game build so we can get the .pdbs, and, well build the game. (If the following steps doesn't match your unreal, hang tight! Keep reading and i'll explain newer versions before moving on). A PDB file contains debugging symbols and metadata about a program, such as function names, variable names, and line numbers. This information helps debuggers map the compiled binary back to the original source code, making it easier to diagnose and fix issues during development. As you can image, a pdb file can really aid us in our reversal process, especially if a developer forgets to remove them.
Building Older Unreal Games - UE4
Spoiler
Main Interface:
Spoiler
First, lets enable debugging files to be included in our shipping game.
Navigate to File >> Package Project >> Packaging Settings >> Tick "Include Debug Files".Spoiler
Now to build the game.
Navigate to File >> Package Project >> Build Configuration >> Click "Shipping"
Then navigate to File >> Package Project >> Windows >> Click Windows(64-bit), or 32-bit if that matches the game that's being reversed
Building Newer Unreal Games - UE5
Spoiler
Main Interface:
Spoiler
First, lets enable debugging files to be included in our shipping game.
Navigate to "Platforms" >> Packaging Settings >> Tick "Include Debug Files" (Search it if you cant find it).Spoiler
Spoiler
Now to build the game.
Navigate to "Platforms" >> Windows >> Tick "Shipping".
Then navigate to "Platforms" >> Windows >> Tick "Package Project".
Reversal Process Overview.
Now we covered all that, let's get into the fun stuff. In this section, we’ll demonstrate how to integrate our custom game into IDA Pro alongside its corresponding PDB files. We’ll then apply a similar process to the target game we intend to reverse engineer. In most cases games won’t include PDB files. Reputable developers typically remove PDB files from official releases to safeguard their code. However, on occasion, you might encounter a game that inadvertently includes these files. If that happens, you can skip the step of creating your own game for comparative purposes if you want. As noted earlier, PDB files contain essential debugging symbols and metadata, which greatly facilitate the reverse-engineering process. If you're new I recommend just following this tutorial until you are comfortable completing the reversal process without reference to this tutorial.
Adding SigMaker to IDA:
Really easy to do. Extract the contents from the SigMaker download, locate your IDA installation path and drag the contents over to IDAs plugin folder. You will know its the right plugins folder because it will have a bunch of .dll files in it.
Decompiling Our Referencing Game.
First, lets load up IDA choosing the appropriate executable that matches both of your referencing and reversal games architecture. Mine is x64 as we covered.
We should be greeted with a screen that looks similar to this;
Spoiler
Click "New", then a window will pop up asking for the file you want IDA to analyze. You want navigate to the folder where your game that you made is saved. Unreals default is your Documents. I did not change this for myself so it should be the same for you unless you've made changes.
Spoiler
Note the path in the picture. You are going to want the exe in the "binaries" directory
Right after, another window will pop up. Just stick to the defaults for the sake of simplicity of the tutorial. Technically you can manually load in the games you want to reverse, do the rebasing of the program right from there etc. but. whatever. Just hit "Okay".
Spoiler
Now a Important part. The next window that pops up Should be asking you if you want to load in the .pdb files associated with the game. Click YES.
Spoiler
This will take a hot minute so lets start decompiling the game we want to make cheats for.
Decompiling Our Reversal Game.
I'm not going to go into great detail with this one because the steps are the same as the referencing game. There is some minor differences which is as follows;
You do not need to include a pdb file. click NO to this part.
Sometimes, IDA will prompt a file explorer window asking you to include a audio file, you can just click cancel to this. It did not pop up for me this time, but if it does just know you don't have to add that.... Here's an example of what it looks like
Spoiler
You'll need to rebase this one. We didn’t rebase the reference game because its file offset on the hard drive was used solely for reference. However, for the game we’re reversing, it’s essential to view the actual file offset. Rebasing allows us to disregard the specific location on the hard drive and instead simulate the scenario where the game occupies the entire disk. I know this concept can be a bit confusing at first but the more you do this, the easier it becomes.
⠀
After everything is initialized (You will start seeing assembly on the screen), go to Edit >> Segments >> Rebase Program.
A new window will come up asking you how you want to rebase the program. The only thing you need to change here is the Value, and that should become 0. Press Okay.Spoiler
A Side By Side Comparison
At this point you should have both the Referencing Game and Reversal Game all decompiled. I just wanted to take a moment to go over some differences between the two, hopefully this may clear up any confusion. Below is a screenshot of both Referencing Game and Reversal Game (Reversal Game is on the left, Referencing Game is on the right).
Spoiler
You may notice differences right off the bat such as the Reversal Games Function list has a bunch of "sub_CrapHere", "unknown_libname_29", but the Referencing Game has much more meaningful names like "Locale::getRoot(void)" or "upvr_deleteIObject_53"... How about the actual Assembly. I don't know what "call sub_8338F0" is, but I have a good feeling I know what "call ?ToString@FName@@" is. This is just an example how a reference can make our life so much easier.. Thanks .pdbs!
Configuring IDA
I'm not going to get into detail about what the configuration is about. Just follow as I do.
Go to Options at the top menu bar >> General and apply the settings "Function offsets and set "Number of opcode bytes (non-graph) to 10). You can enable auto comments if you like, it just adds comments to assembly to make it a bit easier to read. Apply to both Referencing Game and Reversal Game.
Spoiler
After, we can load up the string viewer on both Referencing Game and Reversal Game.
Go to View >> Open Subviews >> Strings. (Or press Shift+F12)
Once the String Viewer loads up, right click anywhere in the string viewer and click "Setup....". Here you're going to want C-Style, Unicode C-Style, and C-Style(32-bit) Enabled. These settings will save globally so you wont have to redo this step again.
Spoiler
Spoiler
Sidenote: IF you want, you can clean up IDAs main face by closing out of everything but IDA View-A and Strings, you can and this is what I'll be doing.
Spoiler
