UE5CEDumper -- A UE4/5 helper for making tables

Post by **bbfox** » Sun Feb 22, 2026 10:34 am

: UE5CEDumper.jpg (939.67 KiB) Viewed 2140 times

...it's named as dumper but not a really dumper. This tool provides a Live Bridge between the game runtime and Cheat Engine.

!	Message from:
	Disable Windows garbage setting: Smart App Control (ASC), or you cannot run this application. Be aware, once you turn it off, you cannot turn it on unless reinstall OS

UE5CEDumper — A Proper Cheat Engine Integration for Unreal Engine Games
Dedicated to everyone tired of manual offset hunting in UE4/UE5

What Is This?

UE5CEDumper is a high-performance injected DLL + Cheat Engine Lua bridge supporting UE4 (4.22+) and UE5 (5.0-5.7) games. The DLL performs deep scans for GObjects / GNames / GWorld, walks the entire UObject/UStruct/FField hierarchy, and streams structured data via named pipes to a standalone UI.

The Feature: It auto-generates hierarchical pointer chains and exports them as CE XML records / CE dissect data. Just click button, paste / import into your cheat table, and you’re almost done. For base address: dynamic address capture via AOB AA script/pointer map is needed after paste for repeat use. All child nodes are designed in relative addressing.

Tested game & UE version matrix ( full/partial Working)

UE Version	GObjects	GNames	DynOff	titles
4.18	✓	✓	✓	FF7 Remake Intergrade
4.21 – 4.24	✓	✓	✓	Star Wars Jedi, DQ XI S, IDOLM@STER STARLIT SEASON, Octopath Traveler, DQ I&II Remake, DQ III HD-2D Remake, Everspace
4.25 – 4.27	✓	✓	✓	FF7 Rebirth, Tower of Mask, Hogwarts Legacy, Romancing SaGa 2 RotS, Ghostwire: Tokyo
5.0 – 5.2	☐	☐	☐	(Confirmed support via generic patterns)
5.3 – 5.4	✓	✓	✓	Satisfactory (v1.1.3.1)
5.5 – 5.7	✓	✓*	✓**	Titan Quest II, EverSpace 2, Lushfoil Photography Sim, Manor Lords, Cat Island Petrichor Demo, Way of the Hunter 2 Demo, COMBAT PILOT: CARRIER QUALIFICATION Demo

*: GNames uses .data pointer-scan fallback for 5.5+
**: DynOff = Dynamic Offset Discovery: supports CasePreservingName (FName = 16 bytes) layout.

Please note most games' data were UE + native C++ structure. if the value is inside native C++, you won't see it appear in this tool.

The Struggle (Before This Tool)

If you’ve ever built a Cheat Table for UE games, you know the routine is something like:

Repeated AOB Scanning — Spend hours re-finding GObjects, GNames, and GWorld. Every. Single. Time.
FNamePool Layout Chaos — Switching between UE4 (double-deref) and UE5 (chunk table), not to mention those builds with 4-byte hash prefixes. It's a manual guessing game.
FField vs UProperty — The UE4.24 property system overhaul usually explodes old patterns. Writing universal code means maintaining two separate code paths and hoping for the best.
Manual Pointer Math — Even after finding an object, have to trace every field offset by hand. One typo ruins the entire pointer chain.
The Stride Guessing Game — Is FUObjectItem 16, 20, or 24 bytes? Guess wrong? ==> get silent garbage data.
Poor Tooling Integration — Most dumpers give addresses that can't even copy, or worse, they provide the wrong ones entirely.

...unless get paid tool can make it easier.
Basically, every new game felt like starting from zero. It was a total motivation killer.

How This Tool Fixes Workflow

Smart AOB Multi-Pattern — Uses a prioritized pattern list. It hits the right address with high probability, so we don't have to cycle through AOBs manually.
Auto Stride Detection — Automatically scores and validates stride candidates against FNamePool. It just works, no user input needed.
Universal FNamePool Reader — Handles UE4 TNameEntryArray, UE5 FNamePool (both Header A/B), and hash-prefixed builds out of the box.
Dynamic Offset Discovery — Offsets for UStruct/FField/FProperty are discovered at runtime via struct probing. No more hardcoded offsets that break on every engine sub-version.
Production-Ready CE XML Export — Generates proper hierarchical records with drop-down support. It handles BoolProperty bitmasks, signed integers, StructProperty expansion, and general ArrayProperty groups.
Live Walker via Named Pipes — The DLL runs inside the game process. Once the UI connects, the Live Walker is active even if no objects are loaded in the UI yet.

The Workflow: Inject DLL: Attach process -> Open Cheat Table -> Click Init. script -> inject -> Run UI: We get a populated object tree and exportable pointer chains in minutes.

Build your own from repos: https://github.com/bbfox0703/UE5CEDumper
New release will be on GitHub first: https://github.com/bbfox0703/UE5CEDumper/releases

TL;DR
Stop wasting weekends in re-scanning offsets. Let the tool handle the boring parts.

Any bug or error, please leave log/screenshot here (with zipped/7z format).

Logs location: %LOCALAPPDATA%\UE5CEDumper\Logs
Logs are well managed by UI/DLL. it will not flooding your disk.

UI screenshot (will not update)

Known issue and will not fix

GObjects, GNames, GWorld address value displayed in information may not correct. This may be caused by mis-AOBed address.

"Start from GWorld" is not always working or correct. This cannot be 100% fixed.
Reason: multiple AOB matches result, pointed to wrong address. How I check:

Verify: "Start from GWorld" -> "PersistentLeve" -> "OwningWorld" (first offset like 0xC0) -> "OwningGameInstance": pointer is null = maybe fake GWorld / or custom game build
I'm trying to reduce the wrong GWorld address, but it will not 100% work anyway.

Not working? This is a common UE tool. It can not 100% work in every title. Anyway, may take 10 minutes to try this, before you dive-in hours of dirty work.

Start from GWorld (if working in the game)

Spoiler

: Start_from_GWorld.gif; Start_from_GWorld.gif (10.1 MiB) Viewed 3078 times

Class finder

Spoiler

: Class Finder gif; Class_Finder.gif (3.04 MiB) Viewed 3078 times

Instance Finder

Spoiler

: Instance_Finder.gif; Instance_Finder.gif (6.73 MiB) Viewed 3078 times

Proxy mode DLL fast deployment (Steam)

Spoiler

: Proxy deploy; Proxy_Deploy.gif (3.44 MiB) Viewed 2889 times

Proxy DLL mode connection and play

Spoiler

: Proxy DLL mode connection; Proxy_dll_mode_connect.gif (19.82 MiB) Viewed 2888 times

Notice:
My personal testing angle is narrow, and resource is limited -- there may have bugs. I cannot test 17+ games w/ every function in every change.

Microsoft VC runtime is needed: https://aka.ms/vs/17/release/vc_redist.x64.exe

Notice: Latest release will put directly in GitHub (due to I set CI in GitHub): https://github.com/bbfox0703/UE5CEDumper/releases

Here is latest-1(+) versions

Still, any question can post here.

Old Releases

Spoiler

UE5CEDumper_v730.7z: 2026/05/25: v730; password oct730; for details please see release note post; (16.34 MiB) Downloaded 165 times

UE5CEDumper_v560.7z: 2026/05/09: v560; password oct560; More types drilldown; bug fix; (15.85 MiB) Downloaded 138 times

UE5CEDumper_v488.7z: 2026/05/08: v488; password: oct488; dual proxy dll mode (verson.dll is preferred); bug fix; (15.76 MiB) Downloaded 82 times

UE5CEDumper_v449.7z: 2026/04/06: v449; password: oct449; bug fix:Fix CE XML AOB mode producing wrong base when opened from Instance Finder; (14.38 MiB) Downloaded 191 times

UE5CEDumper_v447.7z: 2026/03/15: v447; password: oct447 ; bug fix / added bookmark function; (14.38 MiB) Downloaded 140 times

UE5CEDumper_v438.7z: 2026/03/07: v438; password: oct438; (14.37 MiB) Downloaded 113 times

UE5CEDumper_v315.7z: 2026/03/05: v315; password: oct315; lots of changes. Primary: implemented proxy DLL (version.dll) & one click proxy dll deployment ability for installed Steam games (you do not need to inject DLL via CE); (14.21 MiB) Downloaded 83 times

UE5Dumper_v169.zip: 2026/02/28: v169: password: oct; more inspected objects; CE dissect structure support; more AOB patterns with priorities.; (20.78 MiB) Downloaded 92 times

UE5CEDumper_v1.0.0.96.zip: 2026/02/24: v96; password: oct; Update in CE XML output; Added UE "ArrayProperty" data type drilldown (partial, tested in UE5 only). Fixed known bugs(?); (39.5 MiB) Downloaded 142 times

UE5CEDumper_v1.0.0.59.7z: v59; password: oct; Add a switch can copy address in 3 format: address without '0x' prefix, address with '0x' prefix, module+offset (module+RVA, may look strange because data is outside module); (29.24 MiB) Downloaded 115 times

UE5CEDumper_v1.0.0.58.7z: v58; password: oct; (29.24 MiB) Downloaded 114 times

Latest Release

Post by **MBRKiNG** » Wed Feb 25, 2026 5:44 am

you’re just the GOAT . Thanks for the release, it’s exactly what we needed!

Huge thanks to everyone who contributed to this. Legendary work by a legendary team

Post by **bbfox** » Mon May 11, 2026 2:04 am

Release notes here

UE5CEDumper Release Notes — v730 → v959

Spoiler

Period: 2026-05-25 → 2026-06-06 | Builds: ₇₃₀ → ₉₅₉ | 143 commits (PR #210 – #249)

Stable Features

Value Search (CE-style by-value scan) — Main Line This Cycle

Console tab: UFUNCTION(exec) discovery + one-click invoke; UCheatManager stripped-body hint.
First/Next Scan: CE-style iterative scanning over UPROPERTY fields.
Phase 2: string, vector, and TArray<T> scanning.
Multi-numeric meta scan: NumericNoByte / NumericAll (incl. with-byte variant) + result-volume warning.
Float/Double tolerance: matches CE's rounded-scan behavior.
StructProperty recursion: GAS / nested-struct leaves are now reachable.
Parallelization: ParallelGObjectsScan<T> template + thread-safe Ubel caches.
V3-A lean Candidate: shared FieldDescriptor / InstanceRecord pools to cut memory.
V1a: TSet / TMap key|value scan (closes the largest coverage gap).
V1c: TOptional<T> scan.
V3-C: server-side window + filter/sort (live-verified).
V2: maxResults cap raised to 1M + allocation-free filter.
App-wide DataGrid sorting fix (compiled bindings require explicit SortMemberPath) + Value Search keyword filter.

Property ↔ Function Bytecode Cross-Reference

Path 1 (Blueprint Kismet): find_property_xrefs, "Find functions using this field" UI, read/write distinction, ubergraph attribution to BP events, reverse edge walk_function_props.
Path 2 (native): resolves [this+off] property xrefs in native UFunctions via Zydis x64 disassembly.

Cheat Table / Invoke

Multi-row → single .CT batch generator (CT batch).
Structured-return DataGrid for struct return values.

DLL Stability

Cooperative cancellation for long DLL operations (Cancel.h + Fern disconnect-monitor + shutdown-abort + serial-loop checks), fixing "game won't close" and "DLL spins after UI close".
Fixed use-after-free in queued ProcessEvent invoke on timeout + two C# lifecycle bugs.
AOBMaker bridge ops serialized with a semaphore to close a pipe race.

AOT / Build

Windows-only Avalonia backend (dropped X11/macOS/FreeDesktop), warning-free AOT publish; HarfBuzz text shaping fix for the startup crash.
Removed <Run> StackOverflow landmine + added startup crash.log; TreatWarningsAsErrors on the UI project.

Release / CI

Tag-triggered Windows release workflow (draft release), with the release build number pinned to the tag (no +1 drift); cleared Node20 + xUnit1051 release-CI warnings.

UI Polish

Global stale-DLL badge in the top bar; Live Walker focus-on-field on Value Search cross-nav; fixed Live Walker button tooltip flicker; restore window to original position after un-maximize.

Docs / Tooling

diff_dumps.py: same-game patch comparison at UProperty granularity; dev-log split/archived (≤696); roadmap/architecture/lessons fully updated.

Experimental Tools (Three Features) — Not Yet Fully Functional

The following three tools are experimental and only unlock after you tick the opt-in consent checkbox on the System tab. They do not yet work reliably — do not use them in a serious analysis workflow, and go in expecting that they may fail or return inaccurate results:

1. Snapshot (Memory Snapshot)

Streams every UObject's numeric fields into a per-game SQLite DB (snapshots.<pe_hash>.db, write-once / immutable, schema v4).
Already supports: scalar numeric / string / struct-array inner-key capture, per-game quota with FIFO auto-eviction, capture progress (% / elapsed / ETA), Delete All / Delete Selected.
Limitations: capture is slow on large datasets; transient objects (//Engine/Transient/*) have unstable, colliding paths that can distort comparisons.

2. SPC Query (Same-Path Compare)

Compares numeric changes for the same property path across snapshots; supports in-memory diff/SPC, absolute-value predicates, and result filters (picker / global filter / value range).
Includes the N1 noise picker (Top-N contributors → single-click select → per-tab class denylist → re-run).
Limitations: same-session queries require In-session join to be correct (otherwise Strict mode collapses transient objects into one candidate — the "materials don't show up" misjudgment); large queries rely on the cancellation path and may still stall.

3. Class Pivot

Aggregates properties by class (DataTable / right-click handoff / array-element pivot).
Replaced the repeated COUNT(DISTINCT) query with a precomputed class_counts index table (built at finalize, lazy-built for old snapshots) to avoid a GROUP BY over ₁.7M rows on every selection.
Limitations: still early-stage; C2 find-by-value, gzip blob storage, etc. are unfinished; relies on cancellation when switching tabs / closing, and edge cases may linger.

All three tools now have heavy-query cancellation (per-VM CancellationTokenSource, cancel-on-tab-switch / on-close, explicit ThrowIfCancellationRequested inside SQLite read loops), but should still be treated as experimental and potentially unstable.

UE5CEDumper v730 — Release Notes (v560 → v730)

Spoiler

UE5CEDumper v730 — Release Notes (v560 → v730)

Window: 2026-05-09 → 2026-05-25 (16 days, 50 commits)
Tested games: 29 / 29 GWorld coverage (100%)
Tests: 770 → 1015 passing (+245)

This release closes the loop on invoking UFunctions as cheat-table actions, adds two large discovery surfaces (Interesting Funcs, Interesting Props), introduces class-wide property freeze, and lands a critical fix to a ProcessEvent hook that had been silently misfiring for 600+ builds.

Highlights

Theme	Build(s)	What
AA Script export from UFunction rows	590-596	Helper-in-table pattern, ₅₀-line AA Script per function
Interesting Functions Finder tab	597-687	Keyword + class + flag scorer
Interesting Properties Finder tab	670-687	Mirror of Funcs side + Unusual Location flag
Property Freeze (Route B)	719	Class-wide horizontal lock
Invoke param picker (Stages 1+2)	711-715	UClass surface + `[Pick…] [null] [self]`
Mailbox poll 10ms → 1ms	707-710	CE-Lua sequential invokes _5ms/call faster
ProcessEvent vtable detection (CRITICAL fix)	648	Function-body pattern scan + hook-fire validator

New features

Invoke pipeline — discover → invoke → ship as cheat table

Copy AA Script (Baked) on UFunction rows (build 590-596). Pre-filled params, no in-CE form. Helper-in-table pattern: one shared ue5_invoke_helper.lua loaded via findTableFile, AA Script per function ₅₀ lines.
Interesting Functions Finder tab (build 597-687). Scores all UFunctions across all UClasses. CamelCase tokeniser (build 609) so HP/MP/SP/XP/TP match safely without false-positives on Component/Spawn/etc.
Static-native ProcessEvent fast path (build 636). KismetMathLibrary / KismetSystemLibrary invokes no longer wait on the game thread. ES2 menu-state invokes that used to time out at 5-7s now return instantly.
Tools → Inject Helper into Current CE Table (build 611). One-click ships ue5_invoke_helper.lua into the open .CT via the AOBMaker pipe.
Verify Return Value toggle on the baked AA Script (build 637). Before/After raw-byte dump + typed return decode for diagnostic invokes.
Invoke param picker Stages 1+2 (build 711-715):
- Stage 1 — UObject\*/UClass\*/Soft\*/Weak\*/Lazy\*/Interface params now show the expected UClass: [UObject*: AActor, 8B, off=0x10] instead of a bare [UObject*, 8B].
- Stage 2 — [Pick…] [null] [self] buttons next to each pointer param. Pick opens a class-pre-filtered instance picker.
Mailbox poll 10ms → 1ms (build 707-710). timeBeginPeriod(1) bracket so the 1ms target is delivered even on hosts with the legacy 15.6ms scheduler tick.

Discovery surfaces

Interesting Properties Finder tab (build 670-687) — mirror of the Funcs Finder for properties. New concept: ⚠ Unusual Location flag for fields living in LocalPlayer / GameViewportClient / HUD / CheatManager — often the most cheat-tunable. Calibrated against a 15-game dump corpus.
Multi-select Copy CE Field(s) (build 660). LiveWalker DataGrid in Extended mode. Container multi-select emits ONE filtered container with N elements.
PropertySearch dedupe-by-defining-class (build 610). bCanBeDamaged no longer returns 4823 rows — single representative row plus an inheritor count badge.
search_properties_batch (build 685). 36-keyword Interesting Properties Load went 42s → ₁.5s by walking GObjects once instead of once per keyword.
walk_class_batch (build 693-696). Full SDK Export + Dump All Metadata batched at 200 classes per round-trip. Estimated 2-5× wall-time on big games.

Property freeze

Class-wide horizontal lock (build 719). PropertySearch row gets a Freeze button. Generated AA Script holds the value across every live instance of the owning class with 50ms tick + 5s instance rescan. Numerics + bool supported in v1.

Export / analysis

Export → Dump All Metadata (.jsonl) (build 676). Streams every class + props + funcs via existing pipe endpoints.
Python analyzer pipeline — scripts/analysis/analyze_dumps.py. Aggregates dumps cross-game, emits a Markdown report (top names / tokens / Unusual Locations). Reproducible scoring-table calibration.
15-game cross-game scoring calibration (build 678 + 687). PropertyScoringTable / KeywordScoringTable additions backed by empirical evidence across DQ7R / ES2 / FactoryGameSteam / Hogwarts / TQ2 / FF7R / Stray / others.

UX / polish

System tab (formerly Pointers) with a Diagnostics card — UI/DLL build match, AOBMaker plugin status, Self-Test button that auto-picks a KismetMathLibrary helper and verifies the return value.
⚙ Options popover (build 666) — collapses 5 export-shape sliders into a dropdown. Reclaims _600px so the toolbar stays one row at 4K@225%.
Shorter tab labels (build 666) — Instance Finder → Instances, Property Search → Properties, etc.
Function Goto (build 632) — Live button on Interesting Funcs now auto-expands the LiveWalker Functions section and scrolls to the target row.
Empty-class hint banner on ClassStruct (build 632) — BlueprintFunctionLibrary subclasses no longer read as "broken".
Credit footer in System tab + Live Walker empty state.

Critical fixes

ProcessEvent vtable wrong slot (build 648). Pre-648 detection picked a slot from a hardcoded version table and "validated" by reading 1 byte. ES2 / Geri ended up hooking the adjacent virtual; invokes silently returned result=0 without ever running the function. Rewrite uses a function-body pattern scan (Dumper-7 technique) matching FUNC_Native + high-flag-mask TEST instructions, plus a post-install validator that logs VALIDATION FAILED if the hook doesn't fire ≥1× in 1500ms. Verified live on ES2 (UE 5.5) and Geri (UE 4.27) — real PE slots were 0x278 and 0x220, both off by ≥1 slot from the old hardcoded values.
SoftClassProperty silent 4-byte truncation (build 717). [Pick…] declared 7 pickable pointer types but WriteParam only covered 6 — SoftClassProperty fell through to a size-based default that wrote 4 bytes of a 64-bit address before ProcessEvent. 14 contract theories now enforce the canonical type list at compile time.
DLL class filter dropped every BlueprintGeneratedClass (build 673). Aura::SearchProperties / ListClasses / EnumerateAllFunctions all had if (metaClassName != "Class") continue;. ₉₀% of game-specific classes live in BPGCs. New IsClassLikeMeta whitelist covers Class + BlueprintGeneratedClass + AnimBPGC + WidgetBPGC + DynamicClass.
SdkExportService BPGC filter (build 690). Same bug class on the C# side. Mirrored to IsClassLikeMetaName.
Satisfactory / hybrid-layout proxy-deploy scanner (build 691-692). Three UE shipping layouts (monolithic / hybrid / pure-modular) now handled cleanly by a two-tier search (primary roots first, Engine\ as fallback). Eliminates phantom Engine-side rows on StellarBlade / NMKART / Palworld / TQ2 / Satisfactory.
AOBMaker plugin InjectTableFile (build 632, AOBMaker-side fix). f.Stream.write set Size=0 silently. Switched to createStringStream + copyFrom — same pattern CE's own autorun/java.lua uses.

Quality / infrastructure

AOT-safe ObjectInstancePickerDialog (build 729) — 12 IL2026/IL3050 warnings (reflection-based Binding(string) columns) replaced with DataGridTemplateColumn + FuncDataTemplate<T>. AOT publish is now warning-clean at 41.9 MB.
Static MSVC CRT in Native AOT publish (build 718) — no VCRuntime DLL dependency.
Compile warning sweep (build 698) — 13 sites cleared (C4189 dead var + xUnit1051 cancellation tokens).

Tested games (29 / 29 GWorld = 100%)

New / re-verified this window: Star Wars Jedi: Fallen Order (UE 4.21), Ghostwire: Tokyo (UE 5.04), Frontiers (UE 4.26), The Artisan of Glimmith (UE 4.27). Plus revalidation across DQ7R / ES2 / Geri / Hogwarts Legacy / Octopath Traveler / Stray / TQ2 / FF7 Rebirth / FF7 Remake / Satisfactory / NMKART / Palworld / StellarBlade / Manor Lords / Tower of Mask / DQI&IIHD2D / Deep Rock Galactic.

Known limitations

EA-launcher games block proxy DLL preload — neither version.dll nor dinput8.dll loads when the EA app spawns the wrapped exe. Workaround: CE manual injection after the game is running.
Bitfield bool freeze not supported in v1 — helper writes a full byte; packed uint8 bFoo : 1 fields aren't surfaced as bitfields by PropertySearch yet.
FString / FName / TArray freeze out of v1 scope. Numerics + bool first.

Links

Repository: https://github.com/bbfox0703/UE5CEDumper
Forum thread: viewtopic.php?f=17&t=1797
AOBMaker (companion CE plugin): viewtopic.php?t=1788

Release v560 — Address Finder v3, Property Walker Coverage, UE Version Override

Spoiler

Range: v488 → v560 (41 commits, ₅ weeks of work)
Highlights: Reverse-reference scanning, OptionalProperty / MulticastSparseDelegate / Soft+Lazy+Delegate array drill-down, per-game UE version override with publisher bias detection, CE XML / CSX N-level pointer drill-down, UTF-8 hardening + dedicated C++ test suite.

Address Finder

Find References (v2 → v3)

Reverse pointer scan — given any UObject*, find every UPROPERTY field across the live object array that holds a pointer to it, so users can navigate from a CE-found instance back to its logical owner.
v2 coverage: WeakObjectProperty, SoftObjectProperty / SoftClassProperty, LazyObjectProperty, InterfaceProperty, TMap / TSet allocated slots (key + value sides for Object/Class).
v3 coverage: DelegateProperty single binding + MulticastInlineDelegateProperty / MulticastDelegateProperty (walks each FScriptDelegate's FWeakObjectPtr); TArray<FScriptDelegate>; nested in StructProperty / OptionalProperty<Struct> to depth 3. fieldName appends .Key / .Value for map matches; deadline 30 s.

Container-aware lookup

New Aura::FindInContainers scans ArrayProperty / MapProperty / SetProperty buffers, including nested in StructProperty and OptionalProperty<Struct> (depth 3).
Slack / freed-slot support, 15 s deadline, response carries container_scan stats.
Aura::FindByAddress returns match_kind (exact / contains / backward / nearest) for honest confidence reporting.

Property Walker — drill-down coverage

Inner type	Status
`SoftObjectProperty` / `SoftClassProperty` array	Phase G — asset path + resolved live `UObject*` + per-element `FName` leaf in CE XML
`LazyObjectProperty` array	Phase H — `FGuid` + resolved live `UObject*`
`InterfaceProperty` array	Phase I
`DelegateProperty` array (single multicast field also)	Phase J — Target::FunctionName + drill-into-target
`MulticastDelegateProperty` / `MulticastInlineDelegateProperty` array	Phase K — (N bindings) preview
`OptionalProperty<T>` (UE 5.2+)	Intrusive (UE 5.4+ pointer-shaped), `FIntrusiveUnsetOptionalState` (Str/Name/Text), and non-intrusive `{T value; uint8 bIsSet;}` layouts
`OptionalProperty<Struct>`	Walker stamps `{structClassAddr, structDataAddr, structTypeName}`; UI / CE XML / CSX reuse standard StructProperty path
`MulticastSparseDelegateProperty`	Bound-flag surfacing only (binding list still pending — see Known Issues)
Single Soft / Lazy fields	Resolve embedded `FWeakObjectPtr` → `UObject*` when asset is loaded

UI / Live Walker UX

Auto-scroll-to-field after Open from Find Refs.
Auto-drill into element [N] for direct-container hits (Container, Container.Key, Container.Value) — previously user had to click [N] manually.
Class Structure: fixed flash-blank on selection; class-like nodes now route to themselves; new Package column; auto-run Find Instances pre-fill.
Property Search: dedicated type-filter input + autocomplete; client-side result filter; type-only queries supported (e.g. browse all OptionalProperty fields).
ProxyDeploy: tooltip flicker fix — anchor above bottom controls.

Export — CE XML / CSX

N-level ObjectProperty drill-down for Copy CE Field, Copy CE XML, Export CSX. Drill Depth slider (0-4) drives both formats.
Recursive walk through ObjectProperty / ClassProperty / WeakObjectProperty / Soft* / LazyObjectProperty / InterfaceProperty targets, depth-capped, shared visited HashSet for cycle protection.
Cascade struct resolution: nested StructProperty / OptionalProperty<Struct> children inside drilled UObjects expand to real sub-fields (not empty GroupHeader placeholders).
TArray<TSoftObjectPtr> per-element CE XML group with FName leaf.
OptionalProperty CE XML emit: struct-typed → struct group; otherwise → 8 B hex leaf (was silently dropped).
Fix: emit ObjectProperty / ClassProperty / WeakObjectProperty as 8 B leaf when not drilled.

UE Version Detection

Per-game UE version override — new pipe cmd set_ue_version_override, persisted in HintCache JSON. UI ComboBox in Pointer panel: Auto / 4.18-4.27 / 5.0-5.8. Survives game restarts.
Publisher thumbprint detection — reads PE LegalCopyright / CompanyName, matches against publisher table (currently SQUARE_ENIX). Match → forces bLowConfidence=true and uses publisher's bias fallback (SquareEnix → 4.27 instead of 5.04).
Tier 3 hardening — bare "X.Y.D" pattern now requires Engine / Unreal / UE4 / UE5 / ++UE anchor in 256-byte window AND defers first hit so a real Tier 2 "Release-4.27" later in the module beats early stray "5.5.0" SDK strings. Tier 3 hits are flagged low-confidence even when accepted.
3-state UI badge: ✓ Detected / User Override / ⚠ Low Confidence + Publisher chip when thumbprint matched.

Affected games: DQ I&II HD-2D, FF7 Rebirth, FF7 Remake, Ghostwire (all UE4 forks previously misdetected as UE 5.5).

Stability / Hardening

CE XML emit pointer cycle (UWorld → PersistentLevel → OwningWorld back-edges) caused StringBuilder OOM (₂ GB). Fixed via thread-static _emitPath HashSet pushed/popped on EmitDrilledPointer entry; back-edges emit a flat 8 B hex leaf labeled (cycle elided). Belt-and-braces MaxEmitPointerDepth=16 cap.
UTF-16 surrogate handling in Serie::GetString wide path — root cause of recurring invalid UTF-8 byte at index 1: 0xA0 exceptions on UE 5.7 games (e.g. Squad, 240 K objects). Wide path was producing CESU-8 for surrogate range 0xD800..0xDFFF; nlohmann::json strict-validates and rejects. Fix: detect surrogate pairs → 4-byte UTF-8; lone surrogates → ?.
ReadFString hardening — WC_ERR_INVALID_CHARS strict flag + Utf8Helpers::Sanitize post-pass.
Utf8Helpers header-only extraction — Sanitize (Ubel) + EncodeUtf16 (Serie) merged; both call sites share one implementation.
31-case C++ self-test (dll/tests/utf8_helpers_test.cpp) — stand-alone executable, no GoogleTest. Covers ASCII, lone continuations (the 0xA0 case), CESU-8 surrogates, overlongs, truncated sequences, surrogate pairs → 4-byte UTF-8, idempotency, EncodeUtf16-output-passes-Sanitize-unchanged invariant. Wired into build.ps1 -Target Test before C# suite.

Documentation

New docs/dev-log.md — running milestone log + capability matrix (read first for current status).
docs/technical-notes.md — Phase B-K array reader and property-layout reference.
README + spec docs refreshed to reflect build 547+ capabilities.
Superseded design docs moved to docs/archive/.

Known Issues

MulticastSparseDelegateProperty bindings still unavailable (storage external to field — needs separate AOB; resolved in v577 via SPARSE_ES2_1, see future release).
FieldPathProperty drill-down (rare).
Find Refs: TMap / TSet with weak-like inner sides (currently Object/Class only).
GWorld: Star Wars Jedi untested; Satisfactory fails.
Other publishers shipping unreliable version strings will need adding to kPublishers[] in Genau.cpp.

Pull Requests Merged

#192 — Per-game UE version override + publisher bias + CE XML cycle fix
#193 — UTF-8 hardening + Utf8Helpers extraction + C++ test target

Full Changelog: https://github.com/bbfox0703/UE5CEDumpe ... 488...v560

Release v488 — Proxy DLL Deployment, DLL Lifecycle Hardening, UE 5.8 Support, Frieren-Themed Refactor

Spoiler

Range: v449 → v488 (40 commits)
Highlights: Proxy DLL injection workflow (version.dll / dinput8.dll alternatives, passive-mode mutex), UE 5.8 detection + chunked-layout preset, DLL lifecycle hardening (DllMain detach, scan-thread join, pipe-server lock-while-join), Avalonia 12.0 API migration, Live Walker destroyed-object hang fix, and codebase-wide rename to Frieren-themed module names.

Proxy DLL Deployment

A new injection mode that drops a renamed proxy stub into the game's directory so the DLL loads on game start — no Cheat Engine attach required for users who only want to read pipe data.

version.dll / dinput8.dll alternatives — pick whichever the target game's import table actually resolves. dinput8.dll chosen for games that don't link version.dll.
UI radio button in the ProxyDeploy panel to pick which proxy the deploy step copies.
Passive-mode mutex — proxy build of the DLL holds a named mutex so a second injection (e.g. CE) is detected and skipped.
Skip CE inject when proxy DLL already loaded — ue5dump.lua checks for the mutex before calling injectDll, preventing double-load.
Single-click UI refresh after Deploy / Undeploy (was: required a second click to update the deployed-state badge).

DLL Lifecycle Hardening (audits A + B)

Two-pass audit of teardown paths that previously could deadlock or use-after-free during process exit / DLL unload.

Audit A

DllMain(DLL_PROCESS_DETACH) is now a no-op — Windows holds the loader lock during detach, and any pipe-server / scan-thread cleanup that touches OS APIs is forbidden there.
Join missing scan thread — earlier builds could leak the scan thread if the user closed the game before scan completion; cleanup now joins explicitly.

Audit B

Fern (PipeServer): lock-while-join pattern — disconnect under lock, join outside lock, to avoid the worker thread re-entering the same mutex.
Mimic (Mailbox): explicit state machine for inflight IPC; rejects new requests once shutdown is signaled.
Stark (GameThreadDispatch): soft-disable path — MinHook unhook is best-effort during teardown; if the hook can't be cleanly removed, dispatch falls back to no-op rather than crashing.

UI side

IDisposable on timer-owning ViewModels; panel event handlers are explicitly unsubscribed when panels close (was: stale handlers fired against disposed VMs).

UE 5.8 Support

Version detection — Tier patterns extended to recognize UE 5.8 builds.
Chunked-layout preset — Aura::ObjectArray exposes a 5.8 preset (matches new FUObjectArray stride / chunk size).

Avalonia 12.0 API Migration

Fixed breaking API changes from Avalonia 12.0.0 — IClassicDesktopStyleApplicationLifetime access pattern, control template / template-binding adjustments, and assorted property renames.
Sweep of remaining Avalonia + xUnit compile warnings.

Live Walker — destroyed-object hang fix

Browsing a UObject whose owning class had since been GC'd would hang the walker indefinitely (offset reads against a torn-down UClass). Walker now validates the class pointer's signature before traversing properties; invalid → return cleanly with an error event rather than blocking the worker thread.

Frieren-Themed DLL Refactor (PR #175)

Codebase-wide rename of C++ DLL modules to Frieren-character names for thematic consistency and to keep namespaces short / unambiguous.

Module	New name
Memory	Macht
Logger	Sein
Signatures	Himmel
OffsetFinder	Genau
ObjectArray	Aura
FNamePool	Serie
UStructWalker	Ubel
ExportAPI	Frieren
PipeServer	Fern
GameThreadDispatch	Stark
Mailbox	Mimic
HintCache	Flamme
CEPlugin	Methode
ProxyVersion	Lugner

Done in two phases: A (file renames only, preserving behavior to keep diffs reviewable) → B (namespace + reference updates). See docs/naming-convention.md.

UI / UX Polish

Empty-state logo when LiveWalker DataGrid has no data (cleaner first-run experience).
Project logo (UE5CEDumper.jpg) added.
AOT / trim warnings swept across the C# tree (every project now builds clean under Native AOT).
xUnit analyzer warnings cleared.

Dependencies

NuGet packages refreshed (Avalonia, ReactiveUI, xUnit, source generators).
minhook and private submodules updated.
.gitignore: exclude build_proxy_dinput8/ build output.

Pull Requests Merged

#175 — Frieren-themed DLL rename (Phases A + B)
#178 — Avalonia 12.0 API compat
#180 — UE 5.8 version detection
#182 — Live Walker destroyed-object hang
#187 — AOT/trim + xUnit warning sweep
#188 — Proxy DLL deployment (version.dll / dinput8.dll, passive mutex)
#189 — DLL lifecycle hardening + UI lifetime + NuGet refresh
#190 — UE 5.8 chunked layout preset

Full Changelog: https://github.com/bbfox0703/UE5CEDumpe ... 449...v488

Post by **Marc** » Mon Jun 15, 2026 11:49 am

This thing is really awesome. Can say I tried almost every dumper on the market and I really love this one.

Open Cheat Tables