Source [Source] APB Reloaded — Unreal Engine Auto Offset Finder

[byte_corvus]

Found this little Python utility for APB. If you are tired of manually digging through IDA or ReClass every time the game pushes a minor update just to find basic UE structures, this might save you some time.

The Logic
It is a pattern scanner that looks for common instruction prologues and decodes the RIP-relative addresses. It is specifically tuned for APB dumps, targeting the usual suspects: GNames, GObjects, GWorld, and ProcessEvent. This is basic Unreal Engine 3/4 reversing 101, but having it automated in a script is always cleaner than doing it by hand.

Requirements
You will need pefile, capstone, and termcolor installed in your environment. Note that while capstone is imported, this specific base relies primarily on raw byte finding and manual offset calculation.

import pefile
import sys
import json
from capstone import *
from termcolor import colored
 
DUMP_FILE = "APB_dump.exe"
LOG_FILE = "OffsetScanLog.txt"
JSON_OUT = "DetectedOffsets.json"
 
# Define patterns to search for (simplified)
patterns = {
    "GNames": b"\x48\x8D\x0D",         # lea rcx, [rip+offset] (common pattern for GNames)
    "GObjects": b"\x48\x8B\x05",       # mov rax, [rip+offset]
    "GWorld": b"\x48\x8B\x1D",         # mov rbx, [rip+offset]
    "UEngine": b"\x48\x8B\x0D",        # mov rcx, [rip+offset]
    "ProcessEvent": b"\x40\x53\x48\x83\xEC"  # prologue of ProcessEvent
}
 
def find_offsets(data):
    results = {}
    for name, pattern in patterns.items():
        offset = data.find(pattern)
        if offset != -1:
            # Decode RIP-relative address
            try:
                relative_offset = int.from_bytes(data[offset+3:offset+7], byteorder='little', signed=True)
                address = offset + 7 + relative_offset
                results[name] = hex(address)
                print(colored(f"[✓] Found {name} at {hex(address)}", "green"))
            except:
                print(colored(f"[!] Failed decoding offset for {name}", "yellow"))
        else:
            print(colored(f"[X] {name} not found", "red"))
    return results
 
def main():
    try:
        with open(DUMP_FILE, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        print(colored("Dump file not found!", "red"))
        return
 
    print(colored("�� Scanning dump for offsets...", "cyan"))
    results = find_offsets(data)
 
    with open(JSON_OUT, "w") as json_file:
        json.dump(results, json_file, indent=4)
 
    with open(LOG_FILE, "w") as log:
        for key, value in results.items():
            log.write(f"{key}: {value}\n")
 
    print(colored(f"✅ Done! Results saved to {JSON_OUT} and {LOG_FILE}", "cyan"))
 
if __name__ == "__main__":
    main()

How to use this:

1. Get a clean dump of the game (use Scylla or any standard dumper).
2. Rename the file to APB_dump.exe and place it in the same directory as the script.
3. Run it. The script will generate a DetectedOffsets.json which you can then parse into your project.

Technical Note
This method assumes the signatures remain unique and the instruction length for the RIP-relative move/lea is 7 bytes (which is standard for these UE globals). If the compiler optimization changes how these are accessed, you'll need to adjust the relative_offset calculation logic.

It is a solid starting point for an auto-updater. It is not a full SDK generator, but for grabbing core globals for an external radar or basic aimbot, it does the job efficiently.

Anyone tweaked the signatures for the latest build or added more structures to the list?