# Finding FName Funcs

## FName::GetNames():

**Description:** Returns `TNameEntryArray*` (GNames).

It usually looks like this:

```asm
var_8 = qword ptr -8
sub rsp, 28
mov rax, cs:(GNames Address)
test rax, rax
jnz short loc_7FFxxxxxxxxx
mov ecx, 408h
```

The string that you can normally use is "%d.%d.%d.%d.%d.%s".\
If that doesn't work, use "Windows (unknown version)".\
With either string, scroll up from where it is used and you will eventually see the assembly.

IDA String: `?GetNames@FName@@CAAEAV?$TStaticIndirectArrayThreadSafeRead@UFNameEntry@@$0CAAAAA@$0EAAA@@@XZ`
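The GetNames listing above can also be expressed as a byte signature for static analysis. This added example (not from the original page) scans a code buffer for it and resolves the RIP-relative `cs:` operand to the GNames address. The byte encoding (reading `28` as `28h`), the names `find_getnames_candidates` and `build_sample`, and the sample addresses are assumptions.

```python
import re
import struct

# Assumed byte encoding of the listing above (x64, `28` read as 28h).
# Wildcards: the 4-byte RIP-relative displacement and the 1-byte jnz offset.
SIG = re.compile(
    re.escape(bytes.fromhex("4883EC28"))                 # sub rsp, 28h
    + re.escape(bytes.fromhex("488B05")) + rb"(.{4})"    # mov rax, cs:GNames
    + re.escape(bytes.fromhex("4885C0"))                 # test rax, rax
    + rb"\x75."                                          # jnz short loc_...
    + re.escape(bytes.fromhex("B908040000")),            # mov ecx, 408h
    re.DOTALL,
)
MOV_OFFSET, MOV_LENGTH = 4, 7  # the mov starts 4 bytes in and is 7 bytes long


def find_getnames_candidates(code: bytes, base_va: int):
    """Return [(function_va, gnames_va)] for every signature hit in `code`."""
    hits = []
    for m in SIG.finditer(code):
        disp = struct.unpack("<i", m.group(1))[0]        # signed displacement
        # RIP-relative operands are relative to the end of the instruction.
        next_insn = base_va + m.start() + MOV_OFFSET + MOV_LENGTH
        hits.append((base_va + m.start(), next_insn + disp))
    return hits


def build_sample(disp: int, imm: int = 0x408) -> bytes:
    """Constructed test bytes: the same prologue with a chosen disp32/imm32."""
    return (bytes.fromhex("4883EC28") + b"\x48\x8B\x05" + struct.pack("<i", disp)
            + bytes.fromhex("4885C0") + b"\x75\x0C" + b"\xB9" + struct.pack("<I", imm))


# Constructed buffer: int3 padding, one real match, one near miss (mov ecx, 400h).
SAMPLE_BASE = 0x7FF600001000
SAMPLE = (b"\xCC" * 0x20 + build_sample(0x2F00)
          + b"\xCC" * 11 + build_sample(0x1000, imm=0x400) + b"\xCC" * 8)

if __name__ == "__main__":
    for func_va, gnames_va in find_getnames_candidates(SAMPLE, SAMPLE_BASE):
        print(f"GetNames candidate at {func_va:#x}, GNames pointer at {gnames_va:#x}")
```

More than one hit means the signature is not unique in that build, so confirm each candidate against the string cross-references described above.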

## FName::ToString():

You can recognize it because it calls GetNames and GetPlainNameString.\
It also has var_28, var_20, and arg_0.

The string that you can normally use is "Couldn't start up the Auto Reporting process!"\
Scroll down for about 3 seconds and you should find it.

IDA String: `?ToString@FName@@QEBA?AVFString@@XZ`

## FNameEntry::GetPlainNameString():

You can recognize it because it has var_18, arg_0, and arg_8.

The string that you can normally use is "MachineGuid".\
Scroll down for a bit.

By the way, this function will decrypt the names; FName::ToString and a couple of others will too. Calling it is preferred over calling DecryptName directly, as it is easier and in some cases less complicated.

IDA String: `?GetPlainNameString@FNameEntry@@QEBA?AVFString@@XZ`

## FName::StaticInit():

You can recognize it as it has **a lot** of args/vars.

This one is extremely easy: the string to use is "ByteProperty".\
Press F5 (Decompile to pseudo-code) and scroll to the top. The sub at the top is the function.

IDA String: `?StaticInit@FName@@SAXXZ`

## FName::Init():

You can recognize it because it has about 5 args and 5 vars.

The string to use is "Attempting to run KillAllPopUpBlockingWindows".\
Scroll down for about a second and you should find it.

IDA String: `?Init@FName@@AEAAXPEB_WHW4EFindName@@_NH@Z`

## FName::GetComparisonNameEntry():

## FName::GetNameEntry():
