UE4引擎逆向分析：FName系统与GName加密算法实现<\/h1>

前言<\/h2>
本文基于UE4.27.2源码，详细分析虚幻引擎中的FName名称管理系统，并实现一个独立的GName加密算法。FName系统是UE4中高效的名称管理机制，用于快速查找和处理名称字符串。<\/p>

一、FName系统核心结构分析<\/h2>

1.1 FName基本调用流程<\/h3>

\/\/ 获取对象名称的基本调用链
<\/span><\/span><\/span><\/span>FString GetName<\/span>() const<\/span> {
<\/span><\/span>    return<\/span> GetFName().ToString();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>FName GetFName<\/span>() const<\/span> {
<\/span><\/span>    return<\/span> NamePrivate;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.2 关键数据结构<\/h3>
FName结构<\/h4>
class<\/span> CORE_API<\/span> FName {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    FORCEINLINE FNameEntryId GetDisplayIndex() const<\/span> {
<\/span><\/span>        const<\/span> FNameEntryId Index =<\/span> GetDisplayIndexFast();
<\/span><\/span>        checkName(IsWithinBounds(Index));
<\/span><\/span>        return<\/span> Index;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    FORCEINLINE FNameEntryId GetDisplayIndexFast<\/span>() const<\/span> {
<\/span><\/span>        #if WITH_CASE_PRESERVING_NAME
<\/span><\/span><\/span><\/span>        return<\/span> DisplayIndex;
<\/span><\/span>        #else
<\/span><\/span><\/span><\/span>        return<\/span> ComparisonIndex;
<\/span><\/span>        #endif
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>FNameEntryId结构<\/h4>
struct<\/span> FNameEntryId<\/span> {
<\/span><\/span>    FNameEntryId() :<\/span> Value(0<\/span>) {}
<\/span><\/span>    
<\/span><\/span>    uint32 ToUnstableInt<\/span>() const<\/span> {
<\/span><\/span>        return<\/span> Value;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>private<\/span>:<\/span>
<\/span><\/span>    uint32 Value;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>FNameEntryHandle结构<\/h4>
struct<\/span> FNameEntryHandle<\/span> {
<\/span><\/span>    uint32 Block =<\/span> 0<\/span>;
<\/span><\/span>    uint32 Offset =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    FNameEntryHandle(uint32 InBlock, uint32 InOffset) 
<\/span><\/span>        :<\/span> Block(InBlock), Offset(InOffset) {}
<\/span><\/span>        
<\/span><\/span>    FNameEntryHandle(FNameEntryId Id)
<\/span><\/span>        :<\/span> Block(Id.ToUnstableInt() >><\/span> FNameBlockOffsetBits),
<\/span><\/span>          Offset(Id.ToUnstableInt() &<\/span> (FNameBlockOffsets -<\/span> 1<\/span>)) {}
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>1.3 FNamePool系统<\/h3>
static<\/span> FNamePool&<\/span> GetNamePool() {
<\/span><\/span>    if<\/span> (bNamePoolInitialized) {
<\/span><\/span>        return<\/span> *<\/span>(FNamePool*<\/span>)NamePoolData;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    FNamePool*<\/span> Singleton =<\/span> new<\/span> (NamePoolData) FNamePool;
<\/span><\/span>    bNamePoolInitialized =<\/span> true;
<\/span><\/span>    return<\/span> *<\/span>Singleton;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>FNamePool关键方法<\/h4>
class<\/span> FNamePool<\/span> {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    FNameEntry&<\/span> Resolve(FNameEntryHandle Handle) const<\/span> {
<\/span><\/span>        return<\/span> Entries.Resolve(Handle);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>private<\/span>:<\/span>
<\/span><\/span>    FNameEntryAllocator Entries;
<\/span><\/span>    \/\/ 其他成员...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>FNameEntryAllocator解析<\/h4>
class<\/span> FNameEntryAllocator<\/span> {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    enum<\/span> { Stride =<\/span> alignof<\/span>(FNameEntry) };
<\/span><\/span>    enum<\/span> { BlockSizeBytes =<\/span> Stride *<\/span> FNameBlockOffsets };
<\/span><\/span>    
<\/span><\/span>    FNameEntry&<\/span> Resolve(FNameEntryHandle Handle) const<\/span> {
<\/span><\/span>        return<\/span> *<\/span>reinterpret_cast<\/span><<\/span>FNameEntry*><\/span>(
<\/span><\/span>            Blocks[Handle.Block] +<\/span> Stride *<\/span> Handle.Offset);
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>1.4 FNameEntry结构<\/h3>
struct<\/span> FNameEntry<\/span> {
<\/span><\/span>private<\/span>:<\/span>
<\/span><\/span>    #if WITH_CASE_PRESERVING_NAME
<\/span><\/span><\/span><\/span>    FNameEntryId ComparisonId;
<\/span><\/span>    #endif
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    FNameEntryHeader Header;
<\/span><\/span>    union<\/span> {
<\/span><\/span>        ANSICHAR AnsiName[NAME_SIZE];
<\/span><\/span>        WIDECHAR WideName[NAME_SIZE];
<\/span><\/span>    };
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>二、GName加密算法逆向分析<\/h2>
2.1 关键加密点分析<\/h3>
加密算法核心位于FNameEntryHandle的构造过程中：<\/p>
FNameEntryHandle(FNameEntryId Id)
<\/span><\/span>    :<\/span> Block(Id.ToUnstableInt() >><\/span> 16<\/span>),
<\/span><\/span>      Offset(Id.ToUnstableInt() &<\/span> ((1<\/span> <<<\/span> 16<\/span>) -<\/span> 1<\/span>)) {}
<\/span><\/span><\/code><\/pre>2.2 加密算法还原<\/h3>
完整解析流程：<\/p>
FNameEntry&<\/span> Resolve(FNameEntryHandle Handle) const<\/span> {
<\/span><\/span>    return<\/span> *<\/span>reinterpret_cast<\/span><<\/span>FNameEntry*><\/span>(
<\/span><\/span>        Blocks[ID >><\/span> 16<\/span>] +<\/span> 2<\/span> *<\/span> (ID &<\/span> ((1<\/span> <<<\/span> 16<\/span>) -<\/span> 1<\/span>)));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 定位GName\/FNamePool<\/h3>
在IDA中定位FNamePool的步骤：<\/p>

搜索字符串"ByteProperty"<\/li>
定位到FNamePool::FNamePool()构造函数<\/li>
查找交叉引用找到GetNamePool()函数<\/li>
计算偏移量：程序偏移 = 地址 - 基地址(0x140000000)<\/li>
<\/ol>
三、反调试绕过方法<\/h2>
游戏常见的反调试检测：<\/p>
FindWindow("WinDbgFrameClass"<\/span>, NULL);
<\/span><\/span>FindWindow("OLLYDBG"<\/span>, NULL);
<\/span><\/span><\/code><\/pre>绕过方法：<\/p>

在IDA中找到相关函数<\/li>
将函数体替换为直接返回(ret)<\/li>
应用修改<\/li>
<\/ol>
四、GName加密算法实现<\/h2>
4.1 核心数据结构实现<\/h3>
FString实现<\/h4>
class<\/span> FString<\/span> :<\/span> public<\/span> std::<\/span>string {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    using<\/span> std::<\/span>string::<\/span>string;
<\/span><\/span>    
<\/span><\/span>    int32_t<\/span> Len<\/span>() const<\/span> {
<\/span><\/span>        return<\/span> static_cast<\/span><<\/span>int32_t<\/span>><\/span>(this<\/span>-><\/span>length());
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>FNameEntry实现<\/h4>
class<\/span> FNameEntry<\/span> {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    static<\/span> FString EncryptName(const<\/span> FString&<\/span> InName);
<\/span><\/span>    static<\/span> FString DecryptName<\/span>(const<\/span> FString&<\/span> InName);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>4.2 加密\/解密算法实现<\/h3>
FString FNameEntry::<\/span>EncryptName(const<\/span> FString&<\/span> InName) {
<\/span><\/span>    FString EncryptedName =<\/span> InName;
<\/span><\/span>    for<\/span> (int32_t<\/span> i =<\/span> 0<\/span>; i <<\/span> InName.Len(); ++<\/span>i) {
<\/span><\/span>        EncryptedName[i] =<\/span> InName[i] +<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> EncryptedName;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>FString FNameEntry::<\/span>DecryptName(const<\/span> FString&<\/span> InName) {
<\/span><\/span>    FString DecryptedName =<\/span> InName;
<\/span><\/span>    for<\/span> (int32_t<\/span> i =<\/span> 0<\/span>; i <<\/span> InName.Len(); ++<\/span>i) {
<\/span><\/span>        DecryptedName[i] =<\/span> InName[i] -<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> DecryptedName;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 完整示例代码<\/h3>
#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> "FName.h"<\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    FString OriginalName =<\/span> "ExampleName"<\/span>;
<\/span><\/span>    FName Name(OriginalName);
<\/span><\/span>    
<\/span><\/span>    FString EncryptedName =<\/span> FNameEntry::<\/span>EncryptName(Name.ToString());
<\/span><\/span>    FString DecryptedName =<\/span> FNameEntry::<\/span>DecryptName(EncryptedName);
<\/span><\/span>    
<\/span><\/span>    std::<\/span>cout <<<\/span> "Original Name: "<\/span> <<<\/span> OriginalName <<<\/span> std::<\/span>endl;
<\/span><\/span>    std::<\/span>cout <<<\/span> "Encrypted Name: "<\/span> <<<\/span> EncryptedName <<<\/span> std::<\/span>endl;
<\/span><\/span>    std::<\/span>cout <<<\/span> "Decrypted Name: "<\/span> <<<\/span> DecryptedName <<<\/span> std::<\/span>endl;
<\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、关键点总结<\/h2>

FName系统结构<\/strong>：理解FName、FNameEntry、FNamePool之间的关系<\/li>
加密算法核心<\/strong>：掌握FNameEntryHandle的构造和解析过程<\/li>
内存布局<\/strong>：了解UE4对象的内存布局和偏移计算<\/li>
反调试绕过<\/strong>：识别常见反调试技术并实现绕过<\/li>
算法实现<\/strong>：能够独立实现名称加密\/解密功能<\/li>
<\/ol>
六、扩展应用<\/h2>

Dump SDK<\/strong>：基于此技术可以实现完整的SDK导出工具<\/li>
游戏安全<\/strong>：应用于反作弊系统和游戏数据保护<\/li>
引擎扩展<\/strong>：作为理解UE4引擎内部机制的切入点<\/li>
<\/ol>
通过本教程，开发者可以深入理解UE4的名称管理系统，并掌握相关的逆向分析和加密算法实现技术。<\/p>

UE4引擎逆向分析：FName系统与GName加密算法实现<\/h1>

前言<\/h2> 本文基于UE4.27.2源码，详细分析虚幻引擎中的FName名称管理系统，并实现一个独立的GName加密算法。FName系统是UE4中高效的名称管理机制，用于快速查找和处理名称字符串。<\/p>

一、FName系统核心结构分析<\/h2>

1.2 关键数据结构<\/h3>

二、GName加密算法逆向分析<\/h2>

四、GName加密算法实现<\/h2>

4.1 核心数据结构实现<\/h3>

前言<\/h2>
本文基于UE4.27.2源码，详细分析虚幻引擎中的FName名称管理系统，并实现一个独立的GName加密算法。FName系统是UE4中高效的名称管理机制，用于快速查找和处理名称字符串。<\/p>