top of page

INTRODUCTION

This particular engine uses a modified implementation of the Recast & Detour navigation library. Along with the team behind the project Northstar (a cool mod for the game Titanfall 2), we successfully reverse-engineered the navmeshes for Titanfall 2. Once it reached the point where custom navmeshes worked on the Titanfall 2 engine, I decided to fork the project and reverse engineer Apex Legends to get custom navmeshes working there as well! I also decided to take it a step further by integrating the library into the engine SDK.

​

The reverse engineering/modification work took roughly 2 months, this includes the time that was taken to learn/understand the Recast & Detour navigation library and integrating it into the engine SDK.

​

There was a big challenge though. Unlike Titanfall 2, Apex Legends did not ship any navmeshes as this game is multiplayer only, and their servers are hosted remotely. The file formats had diverged, so Titanfall 2 navmeshes couldn't be used as samples. I had to rely on the assembler of the game and some dummy files I created myself to manually piece the changes together.

​

Another challenge was that the code behind the AI logic was heavily inline and optimized by the compiler, unlike Titanfall 2. This was because the executable of Apex Legends was monolithic and compiled by a much

more recent compiler.

  • In this context, "monolithic" means that libraries such as 'server.dll', 'client.dll', 'engine.dll', etc... are compiled into a single executable as static libraries, which also eliminates all the overlap.

​

​

Below some images of the product in action:

navmesh_edit_3.png

Navmesh being rendered in game while being edited in the modified Recast editor in the background.

navmesh_edit_ain_rebuild.png

AI Network being rebuild and rendered after navmesh edit and hot swap.

REVERSE ENGINEERING

The above assembly is a simple navmesh tile iterator, it returns the pointer to a tile at a specific world space coordinate. To start, the most upper block takes an x-y coordinate, and a layer. It computes the hash by multiplying the constants with the coordinates and subtracts them from each other. The formula is '0x8DA6B343 * x - 0x27E9C7BF * y'. The logical AND result 'and r11, rax' yields the array index.

​

In the last instruction on the most upper block, we can see the operation 'mov rcx, [rax+r11*8]'. With this operation, we know that rax is a pointer to the tile array and r11 is the index that is yielded by the logical AND operation. We simply multiply r11 with 8, because the size of a 64bit pointer is 8 bytes.

​

The simplified formula: tilePointer(rcx) = tileArray(rax)[index(r11)];, where the square bracket operator multiplies the index by the size of the type, in this case a pointer to the tile structures.

The above assembly is a part of the earlier assembly, which comes after the first block. Looking at this closer, we can see some interesting operations. In the earlier assembly, we know that rcx is the pointer to the tile. However, if we look into this assembly, we can see 'mov rax, [rcx+8]'. There is only one way to figure out what rcx+8 is...

The image above shows address the pointer stored in rax is pointing at. the address rax+8 is highlighted in the red box, which is a pointer value. A little side note here: I highlighted the whole tile structure in light grey, we can see a similar pattern repeating each 0x80 bytes, these are tiles allocated next to each other on the heap. This is quite useful, as we now know the exact size of the tile structure. In case we are not that lucky, we could just find out what allocated the tile data on the heap and determine the size from there.

​

When we dereference the pointer at rax+8, which is operation [rax+8] we find something very interesting:

meshtile_header.png

The 4 bytes highlighted in the red box is the tile header magic, the 'DNAV' magic followed by the version:

The above defines the constant that is highlighted in the red box in the above image, which is 'DNAV' ('VAND' in little endian). The next 4 bytes in the memory view has 0x10 as value, which is 16 in decimal. This is the version of the navmesh tile. (These constants are from the Recast & Detour navigation library).

​

Now that we know this, we can determine that:

  • 0x0 in the header is the magic, set to 'DNAV' (32bit integer)

  • 0x4 in the header is the tile version, set to '16' (32bit integer)

  • 0x8 ???

  • 0xC ???

To answer the rest, we should look back at the assembly I showed earlier:

Here we see a few interesting compare (cmp) operations, followed by conditional jumps.

A cool thing here, is that we compare structure members with the parameters we passed to the function (the coordinates and layers). The edx register contains the x coord, the r8d register contains the y coord, and the r9d register contains the layer, (I determined this by manually analyzing the stack registers).

​

Consider the following:

  • cmp [rax+8], edx     ; (rax = tile ptr, edx = x coord)

  • cmp [rax+0ch], r8d ; (rax = tile ptr, r8d = y coord)

  • cmp [rax+10h], r9d ; (rax = tile ptr, r9d = layer)

​

We are comparing tile(rax)+8 with x(edx), this means that rax+8 is our x coord, rax+0Ch is our y coord, etc...

This is how we start mapping out unknown structure members, which is the key to reverse engineering!

So we learned that all this function does, is create a hash of the tile, look it up, compare the x-y, layer, and if they all match, return the pointer to the tile that is at this world space coordinate, else it returns nullptr.

​

Here is the same assembly of the entire function, but fully reverse engineered! I documented most instructions:

This was the easiest and smallest function I reversed for the navmesh implementation. Some are 100+ times larger! For the larger ones, I tend to use hardware break points in which I set a breakpoint at a specific memory address in the heap, and catch any read/write operations to this address in the debugger:

In the image above (click to enlarge), I set an hardware read/write breakpoint at the address in the lower red box, and the debugger catches a read that is performed at this address by the very instruction that is highlighted by the upper red box (the program is paused, and the instruction pointer (RIP) is pointing at the instruction that accessed this address).

​

This is very useful, as we can directly see what is using it, how it is being used/how the value is computed, the size of the type, etc... We got populated stack registers as well, which helps us reversing stuff related to it.

​

This process is repeated for all other compiled functions. Due to the size of the Recast & Detour navigation library, and the complexity of the implementation, it took me roughly 2 months to reverse engineer it to the point the navmeshes actually worked, and also without crashing the engine a single time after 50K+ downloads!

recast_crowd_accel_option.png

MODIFICATIONS

Due to the immense scale difference between the default implementation of Recast & Detour, and this particular engine, a lot had to be updated and re-tuned, such as the slope that gets drawn representing the computed navigation path. Another thing that had to be updated, was the max acceleration and max for the Detour Crowds, they were hardcoded and not tuned for the immense scale of the levels in Apex Legends.

​

To solve this problem, I created 2 new ImGui sliders shown in the image above (highlighted by the red box on the left panel), and fine-tuned them myself before I found the perfect values, which then have been defaulted. The user could adjust these values at any time, even when the Detour Crowds are running and traversing.

recast_workspace_new_2.png

I also changed the way the files are saved and reloaded. In the above image, you can see the game running with the navmesh editor behind. We can make changes to the navmesh, hit the 'build' button, hot swap it in the engine and directly start testing it in the engine itself. We don't have to move the nav files around by hand!

​

The game engine had to be modified in order for the navmesh hot swap to work. This is the hot swap logic:

Below follows the logic for obtaining the navmesh pointer for hull from the global array stored in the engine:

Followed by the console command and its callback:

The command is successfully executed when one or more navmeshes were hot swapped.

Each failure is logged to the console as a warning message:

If all navmeshes failed to hot swap, an error message is emitted to indicate the failure. This could occur when the workspace is incorrectly set, or a modification to the editor was made inducing a malfunction:

navmesh_hotswap_failure.png

Complications:

  • Hot swapping the navmesh creates dangling navmesh tile and detail vert pointers in the AI query cache. Currently I solved this problem by destroying all entities of class NPC at the start of the next frame pre hot swap and recreate them to their exact origins/angles post host swap. The hot swapping feature had been added very recently to the SDK, in the future I will create a proper solution for clearing the query cache.

  • Hot swapping must be performed in the main thread at the start of the next frame after the command had been submitted by the user, the actual operation is super-fast (server does not hitch, even on larger levels).

I also added some logic to determine whether or not an AI node graph is out of date. There were still 4 bytes left over in the AI Network header, I decided to use this to store the CRC of the large navmesh (used to generate the AI Network). Each time a level is loaded, the engine loads the AI node graph file, and we check if the file is still up to date. If the large navmesh hashes to aything but the value stored in the AI Network header, we warn the user in the console that the AI node graph should be rebuild, which is as simple as running 'BuildAINFile'.

  • Out-of-date AI node graphs tend to work most of the time.

  • The warning helps determining the root cause of AI related script bugs (AI node graph too old).

SDK INTEGRATION

I integrated the entire navmesh system into the SDK solution, the systems compile nicely with the rest of the project. Our SDK code base is fairly large, it currently contains 18 projects spread over 42 directories! When we add new libraries or projects, we add them to the solution in a structured manner:

  • All thirdparty libraries are located in a specific folder dedicated to them.

  • All thirdparty code licenses are included in a formatted license file, easily readable and accessible by the user of the SDK.

  • The project filters are structured in a way that makes sense to the programmer, or anyone studying and looking through the SDK code base.

  • The solution's build order is adjusted to make sure all dependencies are compiled before we compile the target project. We make use of precompiled headers as much as possible to reduce compile time.

  • We modify the thirdparty libraries if we see fit for improvements, such as implementing SIMD if this deems beneficial to the end user.

CONTRIBUTIONS

Once I managed to get the custom navmeshes working for the game, I decided to fix nearly every defect that was initially introduced to the library from the XZY->XYZ coordinates changes. There were many things left to be changed from ZXY to XYZ. They weren't necessary for working navmeshes though.

​

However, nearly all debug draw and testing features were broken. 

Most of the fixes were just adjusting the vertex indices and orders:

I committed these fixes to Northstar's branch as well, which was highly appreciated by anyone using the navmesh tool to create navmeshes for Northstar. They could now create convex volumes again (blocking/creating area's), and also test the navmesh's AI behavior within the editor itself using Detour Crowds.

bottom of page