Finding FName Funcs

This will go over reversing stuff like FName::GetNames, FName::StaticInit, etc.

FName::GetNames():

Description: Returns TNameEntryArray* (GNames).

It usually looks like

var_8 = qword ptr -8 sub rsp, 28 mov rax, cs:(GNames Address) test rax, rax jnz short loc_7FFxxxxxxxxx mov ecx, 408h

The string that you can normally use is "%d.%d.%d.%d.%d.%s". If that doesn't work then use, "Windows (unknown version)" On both of them, you want to scroll up, you will see the assembly eventually.

IDA String: ?GetNames@FName@@CAAEAV?$TStaticIndirectArrayThreadSafeRead@UFNameEntry@@$0CAAAAA@$0EAAA@@@XZ

FName::ToString():

You can recognize it as it calls GetNames and GetPlainNameString. It also has a var 28, var 20, and arg 0.

The string that you can normally use is "Couldn't start up the Auto Reporting process!" Scroll down for about 3 seconds and you should find it.

IDA String: ?ToString@FName@@QEBA?AVFString@@XZ

FNameEntry::GetPlainNameString():

You can recognize it as it has a var 18, arg 0, and arg 8.

The string that you can normally use is "MachineGuid". Scroll down for a bit.

By the way, this function will decrypt the names, FName::ToString and a couple of others will too. This is preferred over directly calling DecryptName as it is easier and in some cases less complicated.

IDA String: ?GetPlainNameString@FNameEntry@@QEBA?AVFString@@XZ

FName::StaticInit():

You can recognize it as it has a lot of args/vars.

This is extremely easy, the string to use is "ByteProperty". Press F5 (Decompile to pseudo-code) and scroll to the top. The sub at the top is the function.

IDA String: ?StaticInit@FName@@SAXXZ

FName::Init():

You can recognize it as it has like 5 args and 5 vars.

The string you use is "Attempting to run KillAllPopUpBlockingWindows" Scroll down for like a second and you should find it.

IDA String: ?Init@FName@@AEAAXPEB_WHW4EFindName@@_NH@Z

FName::GetComparisonNameEntry():

FName::GetNameEntry