Introduction

Learn about how respawn improved client-side cheat detection in Apex Legends.

Specification


R5AC is the name of an in-house cheat detection software. It seems to be made by a team at respawn entertainment, although there is no public information about it anywhere on the internet.

Where is it?

It is located in the main game executable, r5apex_dx12.exe. Sometimes you will encounter entire functions that will be related to it, other times it'll be some inlined code in some important game/engine functions. It uses a basic xor transform on it's c-strings, which makes it so that it will only be decrypted on the stack. However, it's quite easy to statically analyze a runtime dump of Apex Legends, and figure out a way to:

  1. Find all instances of encrypted R5AC C-String's, preferably automated.

  2. Figure out the following parameters for this transformation:

    • Location of the encrypted data.

    • Location of the encryption key.

    • Length of the encrypted data.

  3. In case of this cheat detection software, the length of an encrypted C-String's encoded data equals it's encryption key's size. This might be done to prevent repeating keys during the XOR transform, which can weaken the overall effectiveness of encryption.

 

What are it's capabilities?

Generally speaking, this specific solution seems to focus on the game process and it's local process context. It mostly features detections for internal cheats. These detections range from heurstics all the way down to very specific, concrete signals.

Obfuscation: Constant (C-String)

R5AC uses a simple XOR algorithm where the decryption key length and encrypted content length are identical.

Referenced & encoded C-Strings Analysis

0x20ea35 KERNEL32.dll
0x3a3e51 ntdll.dll
0x54ee61 ADVAPI32.dll
0x542551 steamnetworkingsockets.dll
0x542691 steam_api64.dll
0x2f1cc2 EOSSDK-Win64-Shipping.dll
0x54ee31 EasyAntiCheat_EOS
0x3a3e81 wine_get_version

0x20ea60 K32GetMappedFileNameA
0x20ee00 VirtualQuery
0x20f160 GetLastError
0x7df831 VirtualProtect
0x54ee91 OpenSCManagerA
0x54eec1 OpenServiceA
0x54eef1 QueryServiceStatusEx
0x54ef21 CloseServiceHandle
0x543471 WideCharToMultiByte
0x541fc0 RtlCaptureStackBackTrace

Control Flow Analysis / Game Functions

0x20e9f0 CS_CEngineClient::Engine_SetViewAngles
0x26c540 CS_CNetChan::SetTimeout
0x26dfe0 CS_CNetChan::SendReliableMessages
0x270511 CS_CNetChan::SendDatagram
0x2744c1 CS_CNetChan::SendNetMsg
0x275210 CS_CNetChan::SendData
0x3ae540 CS_Playlist_GetPlaylistVar
0x7cf601 CS_C_BaseEntity::CalcAbsoluteVelocity
0x878620 CS_CViewRender::GetMostRecentClipTransform
0x951be1 CS_CInput::Input_CreateMove
0x952811 VTP_CInput::Input_CreateMove
0x59ebd0 CS_CCommandBuffer::AddText
0x69b830 CS_UTIL_TraceRay_Client
0xa58200 CS_C_BaseEntity::GetEntityNameAsCStr
0xabe800 CS_C_MoveData::MoveData_Init
0xcc4e10 CS_Pak_RequireSignedPaks
0xcc8c51 CS_Pak_ValidateSignatureForCurrentReadingFile
0xcd89a1 CS_WrappedFileSystem_Open

Virtual Method Table Analysis

0x22ee01 VTP_GetEngineTraceClient
0x22f271 VTP_GetEngineTraceClientDecals
0x479351 VTP_GetFilesystemInterface
0x817371 VTP_C_Player::Spawn
0x865491 VTP_GetEntityList
0x9f13b1 VTP_GetViewRenderInstance

 

Miscellaneous

0x20f0f0 BA:0x%llX AB:0x%llX RS:0x%llX AP:0x%lX PR:0x%lX TY:0x%lX
0x5427e0 Callstack Init Failed
0x543821 os_version
0x543a12 gpu_vendor
0x543c91 render_device_driver_version
0x543e81 cpu_brand
0x544042 windows_install_date
0x544205 is_wine
0x544231 0
0x544260 1
0x544780 language
0x544a40 HWID_%02X-%02X
0x544ab0 %02X
0x544db1 HWID_%02X-FAILURE
0x54a0b1 %u:%u:%X:%llX:%llX:%llX
0x54fa91 Startup
0x7dfb91 remove permissions