How I fixed Star Wars Battlefront II mods

Paul Drage
7 min readMay 27, 2021

--

Photo by Carol Kennedy on Unsplash

There’s this PC game called Star Wars Battlefront II which was recently given away on Epic games for free! For over a year now I've been turning my hand at modding games and this was to be the next target; but things weren’t easy this time around. Join me on the journey of hacking away at Windows and Origin to get this to work seamlessly.

Modding is simply modifying a game to change or tweak aesthetics, audio or game play mechanics and balance.

Modding the game

Two weeks ago I set about creating my now signature mod; ‘Moving on up’ and bringing it to the light-sabre-swinging game. I had discovered the Frosty Editor and within a couple of hours the barebones of my mod was ready. Time to try it out!

Disaster struck when the game simply would not replace the audio files I had expected to hear; I then spent a further couple of hours before discovering a post on Reddit mentioning that a recent EA Games update had broken all mods.

Introducing the challenge

EA Games who publishes and maintains the Origin games client is the games client to launch Battlefront II .

If you recall, Epic Games who own and run a service and piece of software of the same name are the vendor who I now own a license with to run this game.

If I were to imagine up the conversation that happened between Epic Games and EA Games Origin developer teams it might’ve gone something like this:

Hey Origin team, Epic games here, we’re selling/distributing Battlefront II — how can we get users to launch the game from Epic games client ?

Origin team: We’ll write you a ‘linker’ tool which you can call from Epic Games client, we’ll validate the user owns a license and if they do, we’ll pass back to Origin to launch the game! easy!

Ouch.

Fixing mods the easy way

By this point the problem is largely well understood, but in summary it seems that the Origin team who’ve written a piece of software known as ‘EALink.exe’ has missed a crucial command line argument off of their implementation.

EALink.exe properties

What this means is that there is no way to pass in a ‘-datapath’ argument: it means mods will not load.

EALink application is at file version 10.5.99.47918, the executable tells me the Copyright is Copyright © 2012 and that the Language is English (Canada).

The current solution floating the web is to create a .cmd file with the contents:

"C:\Program Files (x86)\Origin\EALink.exe" "link2ea://launchgame/MtMassive?AUTH_PASSWORD=0&AUTH_TYPE=exchangecode&epicusername=&epicuserid=&epiclocale=en&theme=sws&platform=epic&Hotfix=go& -datapath %%22E:\OriginGames\STAR WARS Battlefront II\ModData%%22"

launch_battlefront.cmd

Where {E:\OriginGames} is the path to your install of SWBF2 and where {C:\Program Files..\Origin\EALink.exe} is the path to EALink.

This .cmd file is really quite simple, it starts the EALink.exe process and then passes across an argument which contains a URI Scheme of link2ea://
The crucial element being `-datapath %%22E:\OriginGames…` which will tell EALink to pass that along to our game executable `starwarsbattlefrontii.exe`.

Fixing mods the hard way

If you’re still reading, things are about to take a turn.

I hang out on a discord channel where Moving On Up was conceived and has been well-received, there’s this one guy who really enjoys the game (SWBF II) and we thought it would be a great prank to install the mod without him knowing! How?

Enter ‘shadow tech’
Shadow.tech is a virtual gaming PC in the cloud — We’ve been sharing an instance for about a year now and with permission from the owner of this cloud gaming machine I logged on and set about installing the mod using Frosty mod manager.

Great! All we need to do now is setup a desktop .lnk icon/shortcut and set the Icon file to the one from starwarsbattlefrontii.exe! easy! When our friend logs on he’ll be greeted with a modified game and be totally shocked.

Users don’t do what you would expect.

I’ve often joked with colleagues and friends about QA (‘Quality Assurance’) and that there is ‘no accounting for the user’. Our friend was no different, we booted the game and had a couple of coop rounds — but he didn’t chuckle, he didn’t even remark about the mod. I was disappointed — I had spent many hours on this.

After he logged off late one night, we jumped onto the shadow machine and concluded he must just not be using the icon.

Using a small amount of social engineering we recommended to him to use the desktop icon in future ‘because it launches quicker’.

We tried and failed. He simply wouldn’t use the desktop icon.

This was serious — He wouldn’t use the icon, and I wasn’t happy with the fact that a .cmd window would spawn — even by setting it to start minimised it just wasn’t the finish I wanted.

Time to code something!

Solutions

Given the modding community had already settled on a .cmd file being the answer it seemed we knew what needed to be done — to pass some args from Origin to EALink.

I hacked around with the link2ea:// URL protocol — sure enough creating a .NET C# app I was able to call this local URL protocol and launch EALink — but I needed the secrets which are dynamically injected.

  1. First part of the solution: replace registry key value for key:
HKEY_CLASSES_ROOT\link2ea\shell\open\command

Replace the value with whatever application you’d like to run, in my case it’s my own software. So I pointed the (Default) value to:

"C:\Program Files (x86)\Origin\BattlefrontIIMOU.exe" "%1" "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%9"

When you launch the game from Origin or Epic link2ea will fire and sure enough this .NET application starts.

2. Part 2 of the solution — firing the original EALink

We need to pass args from Origin to EALink because they contain secrets such as a username and password — these are seemingly passed in plain text locally. I was able to find these by using sysinternals process monitor application which allows you to see whatever args were used to start a process.

The simplest way, I thought, would be to act like a pass through — so that is just what I did, using some simple string manipulation and a little more registry tweaking we’re able to do just this pass through.

https://github.com/TakesTheBiscuit/SWBF2-Mod-Loader/blob/main/Form1.cs#L52this.cmd = this.cmd.Replace("link2ea", "\"originallink2ea");

Here we are doing simple string replace operations on the arguements (args) that are passed in by Origin.

Making a new registry key at ‘originallink2ea’ with the genuine EALink.exe allows us to act as if we were never in the middle of the relationship between Epic, Origin, EALink and starwarsbattlefrontii.exe (see how complex their solution is?)

Ship it!

We booted the game the next day and once again I was met with no surprise, no shock and no sense of gratitude, this wasn’t right.

Once more, late at night after our friend had long gone we did a post mortem on the Shadow tech box and found that the registry key had rolled back to it’s original value.

Turns out every time origin.exe starts up it replaces registry values with known good ones — seems like they thought of this!

Final step to success! a battle with Origin

3. Part 3 — let’s replace the registry value of link2ea:// each time Origin starts

For this I knocked up a little ‘process watcher’ which, when it see’s a process running will replace the link2ea:// command (Default) value with whatever we specify in the config file.

https://github.com/TakesTheBiscuit/EALink-Registry-Changer/blob/main/Form1.cs#L50Process[] localByName = Process.GetProcessesByName("origin");...Microsoft.Win32.Registry.ClassesRoot.OpenSubKey(@"link2ea\shell\open\command", true);                       key.SetValue("", this.registryValue);

This solution is very crude, but we’re able to fight Origin in a race condition to edit the registry before a user launches the game — there’s a config option to vary the ‘back off’ — we’re pretty certain 10 seconds is adequate. Whilst running I observed this process consuming around 9 MB memory.

4. Pulling it all together

We wanted to make this as seamless as possible, so we created a basic windows scheduled task for ‘When I log on’ which runs EALink-Registry-Changer.exe with elevated permissions (we need those to tweak the registry). Observationally it seems to beat Origin.exe to start despite it just being a scheduled task.

Outcomes and reflection

At the time of writing my friend has not yet experienced the outcome — but we’ve run many tests now, and upon logging in the scheduled task files the process watcher, which in turn re-writes the registry when Origin starts.

When you launch the game from Origin or Epic, or indeed a desktop shortcut the BattlefrontIIMOU.exe process is started, it hands off to originallink2ea:// with the secret arguments. This then fires EALink.exe and the game receives the credentials it needs to in turn fire 2 more processes: starwarsbattlefrontii.exe and ActivationUI.exe.

Was this worth it? Probably not, did I learn anything? I’ve learnt a lot about how Windows handles processes and the URI/URL protocol which allows you to map any arbitrary program to a URL. I also learned that EA and Epic have created a fairly complex solution to what should be quite a simple problem.

--

--

Paul Drage
Paul Drage

Written by Paul Drage

0 Followers

I write software and build applications that help business.

No responses yet