Apex Legends Fix?

[josiahshank16]

Is there any chance you can look into a similar issue with Apex Legends? I believe the problem is nearly identical, the launcher requires POPCNT but the game itself doens't actually need it. I've attempted to find the Hex code that is searching for POPCNT but I cannot figure out which it is. Any help would vastly appreciated, there's a whole community working on finding a remedy to this fix on the EA forums but none of them have considered going into the code and therefore are looking in vain.

[ogurets]

Hi! The hex code for popcnt is F3 0F B8 (https://www.felixcloutier.com/x86/popcnt), but it's not what you're looking for. What you really need is cpuid (https://www.felixcloutier.com/x86/cpuid), returning your CPU capabilities and some generic cmp/test/jump code checking for popcnt feature in the data returned.

What you would wish to look for is: cpuid instruction with argument eax = 01h and the following code checking for bit 23 in ecx (search for "A value of 1 indicates that the processor supports the POPCNT instruction." in https://www.felixcloutier.com/x86/cpuid).

And you absolutely need a disassembler to do this. Searching for hex in a multi-megabyte exe/dll is tedious and unnecessary.

[beatcracker]

I've looked at this and seems that you're out of luck, because Apex Legends is using Easy Anti-Cheat. This means two things:

1. The r5apex.exe binary is packed/protected, so you can't easily patch it. And patching it will probably trigger anti-cheat system and get you banned.
2. @ogurets popcnt_emulator will probably get you banned too, since it injects DLL into the game process and anti-cheat systems do not take that lightly.

[SergioPrinci]

I'm trying to learn how to use a disassambler only for a game and for the incompetence of Respawn.

Seems legit.

[SergioPrinci]

Can't we just modify the minor or major index in the code(i don't know nothing of Assembly)so it will proceed if the value is not major or equal to 0?

[ogurets]

@SergioPrinci as @beatcracker mentioned, we cannot modify the code, we cannot inject DLL (both my original program and SDE depend on it). The solution would be a sophisticated loader, which starts the program in debug mode, circumventing all attempts to detect it (anti-debugging techniques) and patches the game in real time, in memory. Or unpacking/decrypting the game, disabling anti-cheat and doing that every time a game update is released. This is where buying a new CPU is starting to become the least expensive solution I suppose.

[SergioPrinci]

or we can do nothing and let them die :D just kidding, i will try the second option, i will update you if i reach something playable :P

[Cozzolino92]

Ciao Sergio! I'm interested in your effort at fixing the POPCNT Apex problem and I will be following your progress. Can we get in touch?

[alainazpe]

The real solution:

Write to EA to solve this using this thread.

https://answers.ea.com/t5/Technical-Issues/Cpu-does-not-have-POPCNT-help/td-p/7478453/highlight/false/page/24

[ogurets]

@alainazpe I'd be very surprised if it resolves that way, Microsoft spent years of not giving a shit about the same issue with Quantum Break (and still doesn't, AFAIK). At least they had released DX11 version though.

[Cozzolino92]

I'm in that very thread, I'm Cozzolino Thanks for your interest and support 🙂

On Saturday, February 23, 2019, alainazpe notifications@github.com wrote:

The real solution:

Write to EA to solve this using this thread.

https://answers.ea.com/t5/Technical-Issues/Cpu-does-not- have-POPCNT-help/td-p/7478453/highlight/false/page/24

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/ogurets/popcnt_emulator/issues/3#issuecomment-466640242, or mute the thread https://github.com/notifications/unsubscribe-auth/Als9kBQ8nUfLhvwnivrXR1lSCntqZjurks5vQST0gaJpZM4a_V73 .

[SergioPrinci]

ok, so i tried to find commands in the disassembled code like "cpuid" and see what were the valor of eax and ecx, but the results were very insufficient and now i don't have any ideas: how about you guys? please update (i don't want to do deadposting :p) thanks

[SergioPrinci]

i read an article that was talking about tracing the command by the message box with the error, i should try that when i get home.

[SergioPrinci]

@Cozzolino92 if you want you can email me in sergioprinci03@live.com, so se can talk in a better way than this

[donwombo]

Could we put that instruction in the cpuid?

[mirh]

I'm relatively sure you can fake cpuid from vmware and whatnot. Thing is, that isn't also emulating any new instruction (but maybe some fancy hypervisor could? Idk)

Anyway, I just wanted to say that there are lots of methods to inject dlls into EAC. AFAIU if you don't fuck with game memory (which we wouldn't), it should not even be a big deal detection/anticheat wise. https://www.unknowncheats.me/forum/anti-cheat-bypass/227530-eac-detecting-dll-injection.html https://www.unknowncheats.me/forum/anti-cheat-bypass/261176-silentjack-ultimate-handle-hijacking-user-mode-multi-ac-bypass-eac-tested.html

[SergioPrinci]

Well, my PC broke, so I need to change It with something new, I don't have this problem anymore, but now I know how EA works and I will NEVER buy games from their official store. Thanks anyway for all the support, if you need some type of manuale help just ask me, I will be happy to help!

[mirh]

So.. I have been trying to very dumbly find some software to make progress (since pin is certainly unsuited for this) Injection with Xenos on normal programs seems to work, provided you tell it to use the right pinvm.dll and injection_hook EDIT: turns out xenos isn't actually doing a thing (either pin.exe has some active functionality, or perhaps its injection happens too late)

The problem with the game then is that EAC driver protects its memory, in addition to the plain "taking care of starting it". People on unknowncheats seem to mention this could be also worked around with some userspace hack (at least in the past), but of course the most simple and straightforward solution is having a kernel driver yourself. Something that Xenos supports too. The problem is, windows x64 will only accept to load signed drivers. That can be fixed by running into test signing mode, but then EAC will refuse to run in its turn. So.. either you get a certificate from GlobalSign (which is still in the realm of possibilities) or you use one of the various vulnerabilities of windows kernel to achieve the same effect. Not sure much how I could advance from here, without coding knowledge.

[mirh]

Well, well, well ladies and gentlemen: I could get in-game. 60 freaking smooth FPS nonetheless. You get logged out every minute or so, since EAC is disabled.. but hey it is some damn something? Which also serve to make the point, if it still wasn't clear, of how trivial this whole issue even is.

You just need to edit on line 43 of file __Installer\installerdata.xml like so:

      <filePath>[HKEY_LOCAL_MACHINE\SOFTWARE\Respawn\Apex\Install Dir]pin-2.14-71313-msvc11-windows\intel64\bin\pin.exe</filePath>
      <parameters>-follow-execv -t64 ..\..\..\instruction_hook64.dll -t ..\..\..\instruction_hook32.dll -- ..\..\..\r5apex.exe</parameters>

Of course, this assuming you have extracted all the relevant files into the game root folder.

[mirh]

Ok so, new month, new findings. After checking one the first build and noticing that crashed hardly without warnings (I can reach the login screen with the aforementioned fix otherwise), I supposed they must have introduced the pretty message box in one of the first patches. Nothing wrong or crazy you'll say.. if I also didn't happen to notice that in the disassembly of the newest executable I couldn't spot any actual popcnt. EDIT: this is because the .exe is packed

Armed with patience, a theory started to haunt my dreams. I tried to force the popcnt flag in vmware

featureCompat.enable = FALSE
cpuid.1.ecx = "----:----:1---:----:----:----:----:----"

... And it turns out that well, no shit, the game is actually still using that instruction somewhere (addresses 0x14014FE05, 0x14014FE10 and 0x14006B63D to be precise.. but hell if I was a reverse engineer). So respawn isn't totally dumb.

Long story short then, I see only few solutions if "touching runtime" cannot be a thing with EAC:

• continue to nag developers of course, for they could patch out this joke (the best of course)
• find somebody good with RE to patch the exe like in quantum break (unclear how stable this would reveal with time and anticheat)
• get the exception trapped and emulated: basically flawless, but...
  • ... on "native linux" where it is a cakewalk, there's still no clear way to play Apex, since for the time being EAC is preventing the game from working with wine
  • (and on windows not only you'd have the same driver signing problems above, but you'd also have to fight against a clusterfuck)
  • and then you would also need virtualization in both cases! Because if you can't hook the program, that's the only way to spoof cpuid. Problem is (unless you have one of the few lucky chipsets with VT-d, aka gpu passthrough), there's no guest virtual machine gpu in the world that can get the dx11 feature level required by the game.
  • I see the Xen hypervisor has some kind of specific plumbing, but I'm not sure what could be done about it.
• try to make popcnt_emulator standalone (i.e. no pin tool needed anymore).. and hope at least dll hijacking can still be a thing? EAC has to whitelist each individual file

[alainazpe]

Hello Mirh.

First of all, thank you for all the pacience and perseverance you're having with popcnt and Apex.

I hope EA is trying to resolve the popcnt problem, we will know it as time goes by.

And also, thanks for having us informed about all the research you've done.

[mirh]

I fear this was the last straw for me that I had in mind to try. At least until they get EAC to work in linux, I really don't see anything the "common illiterate man" could do. Other than nagging EA.

Though at least now you can fucking tell in the face of "you have old cpu" people that you can get perfect (also, infuriating!) in-game results

[alainazpe]

My PC has a Xeon with VT support, how could the game be able to run?

[mirh]

You get linux, patch your kernel to simulate popcnt, then install QEMU and use VFIO to pass your gpu (should work even if you just have one) to the windows guest. Not sure how much in topic this still is though.

[alainazpe]

Nevermind... My CPU supports VT-d, my P45 chipset doesn't...

You get linux, patch your kernel to simulate popcnt, then install QEMU and use VFIO to pass your gpu (should work even if you just have one) to the windows guest. Not sure how much in topic this still is though.

[mirh]

So, just a casual update. I checked the new Steam's origin-free Apex executable, and after unpacking if from steam drm.. the disassembly showed 220 popcnt instances. Which may be as well the same function replicated over and over again, but anyway if it hadn't been clear before, it means that developers are hardly going to ever give a damn. Also, of course EAC has hardcoded checksum checks and I cannot stress enough how impossible it is to legitly even just glance at it.

So, long story short, only some kind of higher level virtualization seems possible (because only that allows you to spoof CPUID).. but I'm afraid situation is worse than I had thought. When a VT-x guest triggers an exception, that becomes a vm exit event for the hypervisor to handle, whatever you do with the host kernel is meaningless. This means that someone should write code that does it, with the only project that I know open and ready enough to make this reasonable being KVM (or at most Xen).

Alternatively.. perhaps you you could tinker with the guest kernel, but as already said, it would be a basically revolutionary project on Windows. While on linux OPEMU may even be as good as you want (in fact, it might even be enough to handle SSSE3 for amd cpus) but it's still a long time before EAC will work on wine.

Considerations about GPUs are thus, eventually, the lesser of problems.

p.s. legend has that on AMD cpus, some old VMware product supported 64-bit binary translation (making guest code effectively run just like any other application). I couldn't ascertain its existence, let alone its performance, but with this said I think I'm done for good with speculation.

[mirh]

R5 Reloaded doesn't run EAC, which means now you have free real estate with either this tool, or the linux stuff I mentioned above.