
UE5CEDumper -- A UE4/5 helper for making tables

Posted: Sun Feb 22, 2026 10:34 am
by bbfox

...it's named a dumper but it's not really a dumper. This tool provides a Live Bridge between the game runtime and Cheat Engine.

Disable the Windows garbage setting Smart App Control (ASC), or you cannot run this application.
Be aware: once you turn it off, you cannot turn it back on unless you reinstall the OS.


UE5CEDumper — A Proper Cheat Engine Integration for Unreal Engine Games
Dedicated to everyone tired of manual offset hunting in UE4/UE5


What Is This?

UE5CEDumper is a high-performance injected DLL + Cheat Engine Lua bridge supporting UE4 (4.22+) and UE5 (5.0-5.7) games. The DLL performs deep scans for GObjects / GNames / GWorld, walks the entire UObject/UStruct/FField hierarchy, and streams structured data via named pipes to a standalone UI.

The Feature: It auto-generates hierarchical pointer chains and exports them as CE XML records / CE dissect data. Just click a button, paste / import into your cheat table, and you’re almost done. For the base address: dynamic address capture via an AOB AA script/pointer map is needed after pasting for repeat use. All child nodes are designed with relative addressing.


Tested game & UE version matrix (full/partial working)

| UE Version | GObjects | GNames | DynOff | Titles |
|---|---|---|---|---|
| 4.18 | | | | FF7 Remake Intergrade |
| 4.21 – 4.24 | | | | Star Wars Jedi, DQ XI S, IDOLM@STER STARLIT SEASON, Octopath Traveler, DQ I&II Remake, DQ III HD-2D Remake, Everspace |
| 4.25 – 4.27 | | | | FF7 Rebirth, Tower of Mask, Hogwarts Legacy, Romancing SaGa 2 RotS, Ghostwire: Tokyo |
| 5.0 – 5.2 | | | | (Confirmed support via generic patterns) |
| 5.3 – 5.4 | | | | Satisfactory (v1.1.3.1) |
| 5.5 – 5.7 | | ✓* | ✓** | Titan Quest II, EverSpace 2, Lushfoil Photography Sim, Manor Lords, Cat Island Petrichor Demo, Way of the Hunter 2 Demo, COMBAT PILOT: CARRIER QUALIFICATION Demo |

*: GNames uses .data pointer-scan fallback for 5.5+
**: DynOff = Dynamic Offset Discovery: supports CasePreservingName (FName = 16 bytes) layout.

Please note that most games' data is UE + native C++ structures. If the value is inside native C++, you won't see it appear in this tool.


The Struggle (Before This Tool)

If you’ve ever built a Cheat Table for UE games, you know the routine is something like:

  • Repeated AOB Scanning — Spend hours re-finding GObjects, GNames, and GWorld. Every. Single. Time.

  • FNamePool Layout Chaos — Switching between UE4 (double-deref) and UE5 (chunk table), not to mention those builds with 4-byte hash prefixes. It's a manual guessing game.

  • FField vs UProperty — The UE4.24 property system overhaul usually explodes old patterns. Writing universal code means maintaining two separate code paths and hoping for the best.

  • Manual Pointer Math — Even after finding an object, you have to trace every field offset by hand. One typo ruins the entire pointer chain.

  • The Stride Guessing Game — Is FUObjectItem 16, 20, or 24 bytes? Guess wrong? ==> get silent garbage data.

  • Poor Tooling Integration — Most dumpers give addresses that can't even be copied, or worse, they provide the wrong ones entirely.

...unless you get a paid tool that can make it easier.
Basically, every new game felt like starting from zero. It was a total motivation killer.


How This Tool Fixes Workflow

  • Smart AOB Multi-Pattern — Uses a prioritized pattern list. It hits the right address with high probability, so we don't have to cycle through AOBs manually.

  • Auto Stride Detection — Automatically scores and validates stride candidates against FNamePool. It just works, no user input needed.

  • Universal FNamePool Reader — Handles UE4 TNameEntryArray, UE5 FNamePool (both Header A/B), and hash-prefixed builds out of the box.

  • Dynamic Offset Discovery — Offsets for UStruct/FField/FProperty are discovered at runtime via struct probing. No more hardcoded offsets that break on every engine sub-version.

  • Production-Ready CE XML Export — Generates proper hierarchical records with drop-down support. It handles BoolProperty bitmasks, signed integers, StructProperty expansion, and general ArrayProperty groups.

  • Live Walker via Named Pipes — The DLL runs inside the game process. Once the UI connects, the Live Walker is active even if no objects are loaded in the UI yet.

The Workflow: Inject DLL: Attach process -> Open Cheat Table -> Click Init. script -> inject -> Run UI: We get a populated object tree and exportable pointer chains in minutes.

Not working? Build your own from the repo: https://github.com/bbfox0703/UE5CEDumper


TL;DR
Stop wasting weekends in re-scanning offsets. Let the tool handle the boring parts.

For any bug or error, please leave a log/screenshot here (in zipped/7z format).

Logs location: %LOCALAPPDATA%\UE5CEDumper\Logs
Logs are well managed by the UI/DLL. They will not flood your disk.

UI screenshot (will not update)

Known issue and will not fix

  • GObjects, GNames, GWorld address values displayed in information may not be correct. This may be caused by a mis-AOBed address.

"Start from GWorld" is not always working or correct. This cannot be 100% fixed.
Reason: multiple AOB matches result, pointed to wrong address. How I check:

  • Verify: "Start from GWorld" -> "PersistentLevel" -> "OwningWorld" (first offset like 0xC0) -> "OwningGameInstance": pointer is null = maybe fake GWorld / or custom game build

  • I'm trying to reduce the wrong GWorld address, but it will not 100% work anyway.


Not working? This is a common UE tool. It cannot work 100% in every title. Anyway, it may take 10 minutes to try this before you dive into hours of dirty work.

[GIF: Start from GWorld (if working in the game) - Start_from_GWorld.gif]
[GIF: Class finder - Class_Finder.gif]
[GIF: Instance Finder - Instance_Finder.gif]
[GIF: Proxy mode DLL fast deployment (Steam) - Proxy_Deploy.gif]
[GIF: Proxy DLL mode connection and play - Proxy_dll_mode_connect.gif]

Notice:
My personal testing angle is narrow, and resources are limited -- there may be bugs. I cannot test 17+ games w/ every function in every change.

Microsoft VC runtime is needed: https://aka.ms/vs/17/release/vc_redist.x64.exe

Old Releases

UE5CEDumper_v560.7z
2026/05/09: v560; password oct560; More types drilldown; bug fix

UE5CEDumper_v488.7z
2026/05/08: v488; password: oct488; dual proxy dll mode (version.dll is preferred); bug fix

UE5CEDumper_v449.7z
2026/04/06: v449; password: oct449; bug fix: Fix CE XML AOB mode producing wrong base when opened from Instance Finder

UE5CEDumper_v447.7z
2026/03/15: v447; password: oct447; bug fix / added bookmark function

UE5CEDumper_v438.7z
2026/03/07: v438; password: oct438

UE5CEDumper_v315.7z
2026/03/05: v315; password: oct315; lots of changes. Primary: implemented proxy DLL (version.dll) & one click proxy dll deployment ability for installed Steam games (you do not need to inject DLL via CE)

UE5Dumper_v169.zip
2026/02/28: v169: password: oct; more inspected objects; CE dissect structure support; more AOB patterns with priorities.

UE5CEDumper_v1.0.0.96.zip
2026/02/24: v96; password: oct; Update in CE XML output; Added UE "ArrayProperty" data type drilldown (partial, tested in UE5 only). Fixed known bugs(?)

UE5CEDumper_v1.0.0.59.7z
v59; password: oct; Add a switch that can copy the address in 3 formats: address without '0x' prefix, address with '0x' prefix, module+offset (module+RVA, may look strange because data is outside module)

UE5CEDumper_v1.0.0.58.7z
v58; password: oct

Latest Release


Re: UE5CEDumper -- A UE4/5 helper for making tables

Posted: Wed Feb 25, 2026 5:44 am
by MBRKiNG

You’re just the GOAT. Thanks for the release, it’s exactly what we needed!

Huge thanks to everyone who contributed to this. Legendary work by a legendary team.


Re: UE5CEDumper -- A UE4/5 helper for making tables

Posted: Mon May 11, 2026 2:04 am
by bbfox

Release notes here

UE5CEDumper v730 — Release Notes (v560 → v730)

Window: 2026-05-09 → 2026-05-25 (16 days, 50 commits)
Tested games: 29 / 29 GWorld coverage (100%)
Tests: 770 → 1015 passing (+245)

This release closes the loop on invoking UFunctions as cheat-table actions, adds two large discovery surfaces (Interesting Funcs, Interesting Props), introduces class-wide property freeze, and lands a critical fix to a ProcessEvent hook that had been silently misfiring for 600+ builds.


Highlights

| Theme | Build(s) | What |
|---|---|---|
| AA Script export from UFunction rows | 590-596 | Helper-in-table pattern, 50-line AA Script per function |
| Interesting Functions Finder tab | 597-687 | Keyword + class + flag scorer |
| Interesting Properties Finder tab | 670-687 | Mirror of Funcs side + Unusual Location flag |
| Property Freeze (Route B) | 719 | Class-wide horizontal lock |
| Invoke param picker (Stages 1+2) | 711-715 | UClass surface + [Pick…] [null] [self] |
| Mailbox poll 10ms → 1ms | 707-710 | CE-Lua sequential invokes 5ms/call faster |
| ProcessEvent vtable detection (CRITICAL fix) | 648 | Function-body pattern scan + hook-fire validator |

New features

Invoke pipeline — discover → invoke → ship as cheat table

  • Copy AA Script (Baked) on UFunction rows (build 590-596). Pre-filled params, no in-CE form. Helper-in-table pattern: one shared ue5_invoke_helper.lua loaded via findTableFile, AA Script per function 50 lines.
  • Interesting Functions Finder tab (build 597-687). Scores all UFunctions across all UClasses. CamelCase tokeniser (build 609) so HP/MP/SP/XP/TP match safely without false-positives on Component/Spawn/etc.
  • Static-native ProcessEvent fast path (build 636). KismetMathLibrary / KismetSystemLibrary invokes no longer wait on the game thread. ES2 menu-state invokes that used to time out at 5-7s now return instantly.
  • Tools → Inject Helper into Current CE Table (build 611). One-click ships ue5_invoke_helper.lua into the open .CT via the AOBMaker pipe.
  • Verify Return Value toggle on the baked AA Script (build 637). Before/After raw-byte dump + typed return decode for diagnostic invokes.
  • Invoke param picker Stages 1+2 (build 711-715):
    • Stage 1 — UObject*/UClass*/Soft*/Weak*/Lazy*/Interface params now show the expected UClass: [UObject*: AActor, 8B, off=0x10] instead of a bare [UObject*, 8B].
    • Stage 2 — [Pick…] [null] [self] buttons next to each pointer param. Pick opens a class-pre-filtered instance picker.
  • Mailbox poll 10ms → 1ms (build 707-710). timeBeginPeriod(1) bracket so the 1ms target is delivered even on hosts with the legacy 15.6ms scheduler tick.

Discovery surfaces

  • Interesting Properties Finder tab (build 670-687) — mirror of the Funcs Finder for properties. New concept: ⚠ Unusual Location flag for fields living in LocalPlayer / GameViewportClient / HUD / CheatManager — often the most cheat-tunable. Calibrated against a 15-game dump corpus.
  • Multi-select Copy CE Field(s) (build 660). LiveWalker DataGrid in Extended mode. Container multi-select emits ONE filtered container with N elements.
  • PropertySearch dedupe-by-defining-class (build 610). bCanBeDamaged no longer returns 4823 rows — single representative row plus an inheritor count badge.
  • search_properties_batch (build 685). 36-keyword Interesting Properties Load went 42s → 1.5s by walking GObjects once instead of once per keyword.
  • walk_class_batch (build 693-696). Full SDK Export + Dump All Metadata batched at 200 classes per round-trip. Estimated 2-5× wall-time on big games.

Property freeze

  • Class-wide horizontal lock (build 719). PropertySearch row gets a Freeze button. Generated AA Script holds the value across every live instance of the owning class with 50ms tick + 5s instance rescan. Numerics + bool supported in v1.

Export / analysis

  • Export → Dump All Metadata (.jsonl) (build 676). Streams every class + props + funcs via existing pipe endpoints.
  • Python analyzer pipeline: scripts/analysis/analyze_dumps.py. Aggregates dumps cross-game, emits a Markdown report (top names / tokens / Unusual Locations). Reproducible scoring-table calibration.
  • 15-game cross-game scoring calibration (build 678 + 687). PropertyScoringTable / KeywordScoringTable additions backed by empirical evidence across DQ7R / ES2 / FactoryGameSteam / Hogwarts / TQ2 / FF7R / Stray / others.

UX / polish

  • System tab (formerly Pointers) with a Diagnostics card — UI/DLL build match, AOBMaker plugin status, Self-Test button that auto-picks a KismetMathLibrary helper and verifies the return value.
  • ⚙ Options popover (build 666) — collapses 5 export-shape sliders into a dropdown. Reclaims 600px so the toolbar stays one row at 4K@225%.
  • Shorter tab labels (build 666) — Instance Finder → Instances, Property Search → Properties, etc.
  • Function Goto (build 632) — Live button on Interesting Funcs now auto-expands the LiveWalker Functions section and scrolls to the target row.
  • Empty-class hint banner on ClassStruct (build 632) — BlueprintFunctionLibrary subclasses no longer read as "broken".
  • Credit footer in System tab + Live Walker empty state.

Critical fixes

  • ProcessEvent vtable wrong slot (build 648). Pre-648 detection picked a slot from a hardcoded version table and "validated" by reading 1 byte. ES2 / Geri ended up hooking the adjacent virtual; invokes silently returned result=0 without ever running the function. Rewrite uses a function-body pattern scan (Dumper-7 technique) matching FUNC_Native + high-flag-mask TEST instructions, plus a post-install validator that logs VALIDATION FAILED if the hook doesn't fire ≥1× in 1500ms. Verified live on ES2 (UE 5.5) and Geri (UE 4.27) — real PE slots were 0x278 and 0x220, both off by ≥1 slot from the old hardcoded values.
  • SoftClassProperty silent 4-byte truncation (build 717). [Pick…] declared 7 pickable pointer types but WriteParam only covered 6 — SoftClassProperty fell through to a size-based default that wrote 4 bytes of a 64-bit address before ProcessEvent. 14 contract theories now enforce the canonical type list at compile time.
  • DLL class filter dropped every BlueprintGeneratedClass (build 673). Aura::SearchProperties / ListClasses / EnumerateAllFunctions all had if (metaClassName != "Class") continue;. 90% of game-specific classes live in BPGCs. New IsClassLikeMeta whitelist covers Class + BlueprintGeneratedClass + AnimBPGC + WidgetBPGC + DynamicClass.
  • SdkExportService BPGC filter (build 690). Same bug class on the C# side. Mirrored to IsClassLikeMetaName.
  • Satisfactory / hybrid-layout proxy-deploy scanner (build 691-692). Three UE shipping layouts (monolithic / hybrid / pure-modular) now handled cleanly by a two-tier search (primary roots first, Engine\ as fallback). Eliminates phantom Engine-side rows on StellarBlade / NMKART / Palworld / TQ2 / Satisfactory.
  • AOBMaker plugin InjectTableFile (build 632, AOBMaker-side fix). f.Stream.write set Size=0 silently. Switched to createStringStream + copyFrom — same pattern CE's own autorun/java.lua uses.

Quality / infrastructure

  • AOT-safe ObjectInstancePickerDialog (build 729) — 12 IL2026/IL3050 warnings (reflection-based Binding(string) columns) replaced with DataGridTemplateColumn + FuncDataTemplate<T>. AOT publish is now warning-clean at 41.9 MB.
  • Static MSVC CRT in Native AOT publish (build 718) — no VCRuntime DLL dependency.
  • Compile warning sweep (build 698) — 13 sites cleared (C4189 dead var + xUnit1051 cancellation tokens).

Tested games (29 / 29 GWorld = 100%)

New / re-verified this window: Star Wars Jedi: Fallen Order (UE 4.21), Ghostwire: Tokyo (UE 5.04), Frontiers (UE 4.26), The Artisan of Glimmith (UE 4.27). Plus revalidation across DQ7R / ES2 / Geri / Hogwarts Legacy / Octopath Traveler / Stray / TQ2 / FF7 Rebirth / FF7 Remake / Satisfactory / NMKART / Palworld / StellarBlade / Manor Lords / Tower of Mask / DQI&IIHD2D / Deep Rock Galactic.


Known limitations

  • EA-launcher games block proxy DLL preload — neither version.dll nor dinput8.dll loads when the EA app spawns the wrapped exe. Workaround: CE manual injection after the game is running.
  • Bitfield bool freeze not supported in v1 — helper writes a full byte; packed uint8 bFoo : 1 fields aren't surfaced as bitfields by PropertySearch yet.
  • FString / FName / TArray freeze out of v1 scope. Numerics + bool first.


Release v560 — Address Finder v3, Property Walker Coverage, UE Version Override

Range: v488 → v560 (41 commits, 5 weeks of work)
Highlights: Reverse-reference scanning, OptionalProperty / MulticastSparseDelegate / Soft+Lazy+Delegate array drill-down, per-game UE version override with publisher bias detection, CE XML / CSX N-level pointer drill-down, UTF-8 hardening + dedicated C++ test suite.

Address Finder

Find References (v2 → v3)

  • Reverse pointer scan — given any UObject*, find every UPROPERTY field across the live object array that holds a pointer to it, so users can navigate from a CE-found instance back to its logical owner.

  • v2 coverage: WeakObjectProperty, SoftObjectProperty / SoftClassProperty, LazyObjectProperty, InterfaceProperty, TMap / TSet allocated slots (key + value sides for Object/Class).

  • v3 coverage: DelegateProperty single binding + MulticastInlineDelegateProperty / MulticastDelegateProperty (walks each FScriptDelegate's FWeakObjectPtr); TArray<FScriptDelegate>; nested in StructProperty / OptionalProperty<Struct> to depth 3. fieldName appends .Key / .Value for map matches; deadline 30 s.

Container-aware lookup

  • New Aura::FindInContainers scans ArrayProperty / MapProperty / SetProperty buffers, including nested in StructProperty and OptionalProperty<Struct> (depth 3).

  • Slack / freed-slot support, 15 s deadline, response carries container_scan stats.

  • Aura::FindByAddress returns match_kind (exact / contains / backward / nearest) for honest confidence reporting.

Property Walker — drill-down coverage

| Inner type | Status |
|---|---|
| SoftObjectProperty / SoftClassProperty array | Phase G — asset path + resolved live UObject* + per-element FName leaf in CE XML |
| LazyObjectProperty array | Phase H — FGuid + resolved live UObject* |
| InterfaceProperty array | Phase I |
| DelegateProperty array (single multicast field also) | Phase J — Target::FunctionName + drill-into-target |
| MulticastDelegateProperty / MulticastInlineDelegateProperty array | Phase K — (N bindings) preview |
| OptionalProperty<T> (UE 5.2+) | Intrusive (UE 5.4+ pointer-shaped), FIntrusiveUnsetOptionalState (Str/Name/Text), and non-intrusive {T value; uint8 bIsSet;} layouts |
| OptionalProperty<Struct> | Walker stamps {structClassAddr, structDataAddr, structTypeName}; UI / CE XML / CSX reuse standard StructProperty path |
| MulticastSparseDelegateProperty | Bound-flag surfacing only (binding list still pending — see Known Issues) |
| Single Soft / Lazy fields | Resolve embedded FWeakObjectPtrUObject* when asset is loaded |

UI / Live Walker UX

  • Auto-scroll-to-field after Open from Find Refs.

  • Auto-drill into element [N] for direct-container hits (Container, Container.Key, Container.Value) — previously user had to click [N] manually.

  • Class Structure: fixed flash-blank on selection; class-like nodes now route to themselves; new Package column; auto-run Find Instances pre-fill.

  • Property Search: dedicated type-filter input + autocomplete; client-side result filter; type-only queries supported (e.g. browse all OptionalProperty fields).

  • ProxyDeploy: tooltip flicker fix — anchor above bottom controls.

Export — CE XML / CSX

  • N-level ObjectProperty drill-down for Copy CE Field, Copy CE XML, Export CSX. Drill Depth slider (0-4) drives both formats.

  • Recursive walk through ObjectProperty / ClassProperty / WeakObjectProperty / Soft* / LazyObjectProperty / InterfaceProperty targets, depth-capped, shared visited HashSet for cycle protection.

  • Cascade struct resolution: nested StructProperty / OptionalProperty<Struct> children inside drilled UObjects expand to real sub-fields (not empty GroupHeader placeholders).

  • TArray<TSoftObjectPtr> per-element CE XML group with FName leaf.

  • OptionalProperty CE XML emit: struct-typed → struct group; otherwise → 8 B hex leaf (was silently dropped).

  • Fix: emit ObjectProperty / ClassProperty / WeakObjectProperty as 8 B leaf when not drilled.

UE Version Detection

  • Per-game UE version override — new pipe cmd set_ue_version_override, persisted in HintCache JSON. UI ComboBox in Pointer panel: Auto / 4.18-4.27 / 5.0-5.8. Survives game restarts.

  • Publisher thumbprint detection — reads PE LegalCopyright / CompanyName, matches against publisher table (currently SQUARE_ENIX). Match → forces bLowConfidence=true and uses publisher's bias fallback (SquareEnix → 4.27 instead of 5.04).

  • Tier 3 hardening — bare "X.Y.D" pattern now requires Engine / Unreal / UE4 / UE5 / ++UE anchor in 256-byte window AND defers first hit so a real Tier 2 "Release-4.27" later in the module beats early stray "5.5.0" SDK strings. Tier 3 hits are flagged low-confidence even when accepted.

  • 3-state UI badge: ✓ Detected / 🔧 User Override / ⚠ Low Confidence + Publisher chip when thumbprint matched.

Affected games: DQ I&II HD-2D, FF7 Rebirth, FF7 Remake, Ghostwire (all UE4 forks previously misdetected as UE 5.5).

Stability / Hardening

  • CE XML emit pointer cycle (UWorld → PersistentLevel → OwningWorld back-edges) caused StringBuilder OOM (2 GB). Fixed via thread-static _emitPath HashSet pushed/popped on EmitDrilledPointer entry; back-edges emit a flat 8 B hex leaf labeled (cycle elided). Belt-and-braces MaxEmitPointerDepth=16 cap.

  • UTF-16 surrogate handling in Serie::GetString wide path — root cause of recurring invalid UTF-8 byte at index 1: 0xA0 exceptions on UE 5.7 games (e.g. Squad, 240 K objects). Wide path was producing CESU-8 for surrogate range 0xD800..0xDFFF; nlohmann::json strict-validates and rejects. Fix: detect surrogate pairs → 4-byte UTF-8; lone surrogates → ?.

  • ReadFString hardening: WC_ERR_INVALID_CHARS strict flag + Utf8Helpers::Sanitize post-pass.

  • Utf8Helpers header-only extraction — Sanitize (Ubel) + EncodeUtf16 (Serie) merged; both call sites share one implementation.

  • 31-case C++ self-test (dll/tests/utf8_helpers_test.cpp) — stand-alone executable, no GoogleTest. Covers ASCII, lone continuations (the 0xA0 case), CESU-8 surrogates, overlongs, truncated sequences, surrogate pairs → 4-byte UTF-8, idempotency, EncodeUtf16-output-passes-Sanitize-unchanged invariant. Wired into build.ps1 -Target Test before C# suite.

Documentation

  • New docs/dev-log.md — running milestone log + capability matrix (read first for current status).

  • docs/technical-notes.md — Phase B-K array reader and property-layout reference.

  • README + spec docs refreshed to reflect build 547+ capabilities.

  • Superseded design docs moved to docs/archive/.

Known Issues

  • MulticastSparseDelegateProperty bindings still unavailable (storage external to field — needs separate AOB; resolved in v577 via SPARSE_ES2_1, see future release).

  • FieldPathProperty drill-down (rare).

  • Find Refs: TMap / TSet with weak-like inner sides (currently Object/Class only).

  • GWorld: Star Wars Jedi untested; Satisfactory fails.

  • Other publishers shipping unreliable version strings will need adding to kPublishers[] in Genau.cpp.

Pull Requests Merged

  • #192 — Per-game UE version override + publisher bias + CE XML cycle fix

  • #193 — UTF-8 hardening + Utf8Helpers extraction + C++ test target

Release v488 — Proxy DLL Deployment, DLL Lifecycle Hardening, UE 5.8 Support, Frieren-Themed Refactor

Range: v449 → v488 (40 commits)
Highlights: Proxy DLL injection workflow (version.dll / dinput8.dll alternatives, passive-mode mutex), UE 5.8 detection + chunked-layout preset, DLL lifecycle hardening (DllMain detach, scan-thread join, pipe-server lock-while-join), Avalonia 12.0 API migration, Live Walker destroyed-object hang fix, and codebase-wide rename to Frieren-themed module names.

Proxy DLL Deployment

A new injection mode that drops a renamed proxy stub into the game's directory so the DLL loads on game start — no Cheat Engine attach required for users who only want to read pipe data.

  • version.dll / dinput8.dll alternatives — pick whichever the target game's import table actually resolves. dinput8.dll chosen for games that don't link version.dll.

  • UI radio button in the ProxyDeploy panel to pick which proxy the deploy step copies.

  • Passive-mode mutex — proxy build of the DLL holds a named mutex so a second injection (e.g. CE) is detected and skipped.

  • Skip CE inject when proxy DLL already loaded: ue5dump.lua checks for the mutex before calling injectDll, preventing double-load.

  • Single-click UI refresh after Deploy / Undeploy (was: required a second click to update the deployed-state badge).

DLL Lifecycle Hardening (audits A + B)

Two-pass audit of teardown paths that previously could deadlock or use-after-free during process exit / DLL unload.

Audit A

  • DllMain(DLL_PROCESS_DETACH) is now a no-op — Windows holds the loader lock during detach, and any pipe-server / scan-thread cleanup that touches OS APIs is forbidden there.

  • Join missing scan thread — earlier builds could leak the scan thread if the user closed the game before scan completion; cleanup now joins explicitly.

Audit B

  • Fern (PipeServer): lock-while-join pattern — disconnect under lock, join outside lock, to avoid the worker thread re-entering the same mutex.

  • Mimic (Mailbox): explicit state machine for inflight IPC; rejects new requests once shutdown is signaled.

  • Stark (GameThreadDispatch): soft-disable path — MinHook unhook is best-effort during teardown; if the hook can't be cleanly removed, dispatch falls back to no-op rather than crashing.

UI side

  • IDisposable on timer-owning ViewModels; panel event handlers are explicitly unsubscribed when panels close (was: stale handlers fired against disposed VMs).

UE 5.8 Support

  • Version detection — Tier patterns extended to recognize UE 5.8 builds.

  • Chunked-layout preset: Aura::ObjectArray exposes a 5.8 preset (matches new FUObjectArray stride / chunk size).

Avalonia 12.0 API Migration

  • Fixed breaking API changes from Avalonia 12.0.0 — IClassicDesktopStyleApplicationLifetime access pattern, control template / template-binding adjustments, and assorted property renames.

  • Sweep of remaining Avalonia + xUnit compile warnings.

Live Walker — destroyed-object hang fix

Browsing a UObject whose owning class had since been GC'd would hang the walker indefinitely (offset reads against a torn-down UClass). Walker now validates the class pointer's signature before traversing properties; invalid → return cleanly with an error event rather than blocking the worker thread.

Frieren-Themed DLL Refactor (PR #175)

Codebase-wide rename of C++ DLL modules to Frieren-character names for thematic consistency and to keep namespaces short / unambiguous.

| Module | New name |
|---|---|
| Memory | Macht |
| Logger | Sein |
| Signatures | Himmel |
| OffsetFinder | Genau |
| ObjectArray | Aura |
| FNamePool | Serie |
| UStructWalker | Ubel |
| ExportAPI | Frieren |
| PipeServer | Fern |
| GameThreadDispatch | Stark |
| Mailbox | Mimic |
| HintCache | Flamme |
| CEPlugin | Methode |
| ProxyVersion | Lugner |

Done in two phases: A (file renames only, preserving behavior to keep diffs reviewable) → B (namespace + reference updates). See docs/naming-convention.md.

UI / UX Polish

  • Empty-state logo when LiveWalker DataGrid has no data (cleaner first-run experience).

  • Project logo (UE5CEDumper.jpg) added.

  • AOT / trim warnings swept across the C# tree (every project now builds clean under Native AOT).

  • xUnit analyzer warnings cleared.

Dependencies

  • NuGet packages refreshed (Avalonia, ReactiveUI, xUnit, source generators).

  • minhook and private submodules updated.

  • .gitignore: exclude build_proxy_dinput8/ build output.

Pull Requests Merged

  • #175 — Frieren-themed DLL rename (Phases A + B)

  • #178 — Avalonia 12.0 API compat

  • #180 — UE 5.8 version detection

  • #182 — Live Walker destroyed-object hang

  • #187 — AOT/trim + xUnit warning sweep

  • #188 — Proxy DLL deployment (version.dll / dinput8.dll, passive mutex)

  • #189 — DLL lifecycle hardening + UI lifetime + NuGet refresh

  • #190 — UE 5.8 chunked layout preset
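
The UTF-16 surrogate fix listed under Stability / Hardening in the v560 notes above, as an added Python sketch that is not part of the post and is not UE5CEDumper's C++ (Serie::GetString and Utf8Helpers are not reproduced here). It encodes a surrogate pair the naive per-unit way, shows a strict validator rejecting byte 0xA0 at index 1, then encodes the same units as the notes describe (pair to 4-byte UTF-8, lone surrogate to ?). All function names and the sample units are constructed for illustration.

```python
# Added illustration: names and sample data are constructed, not project code.

def encode_scalar(cp):
    """Lay one value out in the UTF-8 bit pattern, with no validity checks."""
    if cp < 0x80:
        return bytes([cp])
    if cp < 0x800:
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F),
                      0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                  0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])


def encode_naive(units):
    """Pre-fix behaviour: each 16-bit unit is encoded on its own, so a
    surrogate pair becomes two 3-byte sequences (CESU-8)."""
    return b"".join(encode_scalar(u) for u in units)


def encode_utf16_units(units):
    """Surrogate-aware: valid pair -> one 4-byte sequence, lone surrogate -> '?'."""
    out = bytearray()
    i = 0
    while i < len(units):
        u = units[i]
        nxt = units[i + 1] if i + 1 < len(units) else None
        if 0xD800 <= u <= 0xDBFF and nxt is not None and 0xDC00 <= nxt <= 0xDFFF:
            cp = 0x10000 + ((u - 0xD800) << 10) + (nxt - 0xDC00)
            out += encode_scalar(cp)
            i += 2
        elif 0xD800 <= u <= 0xDFFF:
            out += b"?"          # high without low, or low without high
            i += 1
        else:
            out += encode_scalar(u)
            i += 1
    return bytes(out)


def first_invalid_byte(data):
    """Strict UTF-8 check. Returns the index of the first rejected byte,
    the lead byte's index if the input ends mid-sequence, or -1 if valid."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            i += 1
            continue
        # (continuation count, allowed range for the FIRST continuation byte)
        if 0xC2 <= b <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF      # blocks overlong 3-byte forms
        elif b == 0xED:
            need, lo, hi = 2, 0x80, 0x9F      # blocks U+D800..U+DFFF
        elif 0xE1 <= b <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF      # blocks overlong 4-byte forms
        elif 0xF1 <= b <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F      # caps at U+10FFFF
        else:
            return i                          # stray continuation, C0/C1, F5+
        for k in range(1, need + 1):
            if i + k >= n:
                return i                      # truncated sequence
            if not lo <= data[i + k] <= hi:
                return i + k
            lo, hi = 0x80, 0xBF               # later continuations: full range
        i += need + 1
    return -1


# Constructed sample: U+1F600 as a surrogate pair, then " HP".
SAMPLE_UNITS = [0xD83D, 0xDE00, 0x0020, 0x0048, 0x0050]

if __name__ == "__main__":
    bad = encode_naive(SAMPLE_UNITS)
    idx = first_invalid_byte(bad)
    print("naive :", bad.hex(" "), "-> rejected at index", idx, hex(bad[idx]))
    good = encode_utf16_units(SAMPLE_UNITS)
    print("fixed :", good.hex(" "), "-> rejected at index", first_invalid_byte(good))
```

The 0xED lead byte is the telltale: a strict parser only accepts 0x80..0x9F after it, so any encoded surrogate fails on its second byte.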


Re: UE5CEDumper -- A UE4/5 helper for making tables

Posted: Mon May 11, 2026 2:10 am
by bbfox

Sharing: Brief Tech Note: DLL Injection vs. Proxy DLL in Game Hacking for newbies


This is out of <dumper download post> scope. Just wanted to do a quick breakdown of the common hacking methods we see in modern tools. Whether you're using Cheat Engine or a custom loader, understanding the "under-the-hood" logic helps when debugging crashes.

A. Cheat Engine / Standard DLL Injection

This is the common "Runtime" method.

Mechanism: Uses Windows APIs (like OpenProcess and CreateRemoteThread) to force the game process to run LoadLibrary().
Workflow:

  • Open the target process.

  • Allocate memory inside the game for the DLL path.

  • Trigger a new thread to load your Payload DLL.

Pros: Very flexible; you can inject anytime after the game is running.
Cons: Manual injection every time, a dirty routine job. Also, antivirus may block this operation -- you need to add it to the exclude list. Easy to detect.

B. Proxy DLL (DLL Hijacking)

This is a "Startup" method that leverages the Windows DLL search order.
Mechanism: You place a malicious DLL with the same name as a legitimate system DLL (e.g., version.dll, dxgi.dll, dinput8.dll) into the game folder.

Workflow:

  • Game starts and looks for the required DLL in its own folder first.

  • Game loads your Fake DLL instead of the real system one.

  • The Fake DLL "proxies" (forwards) all legitimate function calls to the original system DLL while executing your hack code in the background.

Pros: Excellent for early-stage hooking (before the game's anti-cheat fully initializes), lazy for everyone -- one install, executed every time.
Cons: Fake DLL names are limited. If you use multiple hacking tools, there will be conflicts. Also, if the game doesn't need the DLL we placed, it will not work (i.e. some UE games don't need dinput8.dll, or it will be loaded on demand).

Why can we only choose ONE?
Even if a tool provides both options, you usually can't enable them simultaneously for the following reasons:

  • Conflict on Hooks: Both methods usually try to Hook the same functions (e.g., Present() for ESP or Recv() for network). If both try to rewrite the same memory address, the game will Crash immediately (Access Violation).

  • Entry Point Logic: Proxy DLLs run at the very beginning of the process life cycle. If you then try to "re-inject" the same logic via CE, you might trigger re-initialization of the cheat engine, causing double-allocation or pointer conflicts.

  • Stability & Race Conditions: Managing two different injection vectors for the same feature set is a nightmare for developers. To keep the Base Address and memory offsets clean, sticking to one "Source of Truth" is standard practice.

  • Other fake-DLL specific design. i.e. pipe name duplicate

Inject / Proxy DLL is not a CE plugin!
Don't load it as a plugin unless the author says so.

TL;DR:

  • Proxy DLL = Set and forget (Auto-load at start); also: you may forget to update when a new version arrives.

  • DLL Inject = Manual control (Inject whenever you want).

Don't mix them unless you want to see the "Send Error Report" window.

Hope this helps!

  • DLL Injection: Force the game to load your code at runtime via CreateRemoteThread.

  • Proxy DLL: "Fake" a system DLL (like version.dll) in the game folder to hijack the loading sequence.

Why only one?
Double-hooking the same function may lead to Instant Crash or hacking tools not working. To maintain memory stability and avoid pointer conflicts, you must choose the injection vector that fits your needs.

If you read this section and think it's useful, you may click "like" for this post. This just lets me know if anyone really needs such things.