# Introduction

Learn how Respawn improved client-side cheat detection in Apex Legends.

# Specification

R5AC is the name of an in-house cheat detection software. It seems to be made by a team at Respawn Entertainment, although there is no public information about it anywhere on the internet.

### Where is it?

It is located in the main game executable, r5apex\_dx12.exe. Sometimes you will encounter entire functions related to it; other times it is inlined code inside important game/engine functions. It applies a basic XOR transform to its C-strings, so they are only ever decrypted on the stack. However, it's quite easy to statically analyze a runtime dump of Apex Legends and figure out a way to:

1. Find all instances of encrypted R5AC C-strings, preferably in an automated way.
2. Figure out the following parameters for this transformation:
    - Location of the encrypted data.
    - Location of the encryption key.
    - Length of the encrypted data.
3. In the case of this cheat detection software, the length of an encrypted C-string's encoded data equals its encryption key's size. This might be done to prevent repeating keys during the XOR transform, which can weaken the overall effectiveness of encryption.

### What are its capabilities?

Generally speaking, this specific solution seems to focus on the game process and its local process context. It mostly features detections for internal cheats. These detections range from heuristics all the way down to very specific, concrete signals.

# Obfuscation: Constant (C-String)

R5AC uses a simple XOR algorithm where the decryption key length and encrypted content length are identical.
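The transform and the three parameters listed under "Where is it?" can be shown on a constructed buffer; this is an added example, not code from the game or from the original analysis. It also shows why a full-length key avoids the leak that a repeating key causes, while a key stored next to the data still gives obfuscation only. The image layout, offsets, key bytes and function names are assumptions made for illustration.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key if it is shorter than data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_cstring(image: bytes, data_off: int, key_off: int, length: int) -> str:
    """Recover one string from the three parameters: data location,
    key location, and length (key length == data length)."""
    for off in (data_off, key_off):
        if off < 0 or length <= 0 or off + length > len(image):
            raise ValueError("record points outside the image")
    plain = xor_bytes(image[data_off:data_off + length],
                      image[key_off:key_off + length])
    text = plain.split(b"\x00", 1)[0]  # a C-string ends at the first NUL
    if not text or not text.isascii() or not text.decode("ascii").isprintable():
        raise ValueError("decoded bytes are not a printable C-string")
    return text.decode("ascii")


def key_repeat_leak(ct: bytes, key_len: int) -> bytes:
    """c[i] ^ c[i + key_len]. If the key repeats every key_len bytes the key
    cancels out and this equals p[i] ^ p[i + key_len]."""
    return bytes(a ^ b for a, b in zip(ct, ct[key_len:]))


def build_sample():
    """Constructed image: padding, full-length key, padding, ciphertext."""
    plain = b"VirtualQuery\x00"
    key = bytes((i * 37 + 11) & 0xFF for i in range(len(plain)))  # constructed key
    image = b"\xcc" * 16 + key + b"\xcc" * 8 + xor_bytes(plain, key)
    return image, 16 + len(key) + 8, 16, len(plain)


if __name__ == "__main__":
    image, data_off, key_off, length = build_sample()
    print(decode_cstring(image, data_off, key_off, length))

    plain = b"VirtualQuery\x00"
    short = xor_bytes(plain, b"\x5a\x13\xc7\x88")  # repeating 4-byte key
    # Repeating key: the ciphertext reveals plaintext relations without the key.
    print(key_repeat_leak(short, 4) == key_repeat_leak(plain, 4))
    # Full-length key: the same check reveals nothing about the plaintext.
    full = image[data_off:data_off + length]
    print(key_repeat_leak(full, 4) == key_repeat_leak(plain, 4))
```
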

## Referenced & encoded C-Strings Analysis

### DLL Related

> 0x20ea35 KERNEL32.dll  
> 0x3a3e51 ntdll.dll  
> 0x54ee61 ADVAPI32.dll  
> 0x542551 steamnetworkingsockets.dll  
> 0x542691 steam\_api64.dll  
> 0x2f1cc2 EOSSDK-Win64-Shipping.dll  
> 0x54ee31 EasyAntiCheat\_EOS  
> 0x3a3e81 wine\_get\_version

### API Related

> 0x20ea60 K32GetMappedFileNameA  
> 0x20ee00 VirtualQuery  
> 0x20f160 GetLastError  
> 0x7df831 VirtualProtect  
> 0x54ee91 OpenSCManagerA  
> 0x54eec1 OpenServiceA  
> 0x54eef1 QueryServiceStatusEx  
> 0x54ef21 CloseServiceHandle  
> 0x543471 WideCharToMultiByte  
> 0x541fc0 RtlCaptureStackBackTrace

### Control Flow Analysis / Game Functions

> 0x20e9f0 CS\_CEngineClient::Engine\_SetViewAngles  
> 0x26c540 CS\_CNetChan::SetTimeout  
> 0x26dfe0 CS\_CNetChan::SendReliableMessages  
> 0x270511 CS\_CNetChan::SendDatagram  
> 0x2744c1 CS\_CNetChan::SendNetMsg  
> 0x275210 CS\_CNetChan::SendData  
> 0x3ae540 CS\_Playlist\_GetPlaylistVar  
> 0x7cf601 CS\_C\_BaseEntity::CalcAbsoluteVelocity  
> 0x878620 CS\_CViewRender::GetMostRecentClipTransform  
> 0x951be1 CS\_CInput::Input\_CreateMove  
> 0x952811 VTP\_CInput::Input\_CreateMove  
> 0x59ebd0 CS\_CCommandBuffer::AddText  
> 0x69b830 CS\_UTIL\_TraceRay\_Client  
> 0xa58200 CS\_C\_BaseEntity::GetEntityNameAsCStr  
> 0xabe800 CS\_C\_MoveData::MoveData\_Init  
> 0xcc4e10 CS\_Pak\_RequireSignedPaks  
> 0xcc8c51 CS\_Pak\_ValidateSignatureForCurrentReadingFile  
> 0xcd89a1 CS\_WrappedFileSystem\_Open

### Virtual Method Table Analysis

> 0x22ee01 VTP\_GetEngineTraceClient  
> 0x22f271 VTP\_GetEngineTraceClientDecals  
> 0x479351 VTP\_GetFilesystemInterface  
> 0x817371 VTP\_C\_Player::Spawn  
> 0x865491 VTP\_GetEntityList  
> 0x9f13b1 VTP\_GetViewRenderInstance

### Miscellaneous

> 0x20f0f0 BA:0x%llX AB:0x%llX RS:0x%llX AP:0x%lX PR:0x%lX TY:0x%lX  
> 0x5427e0 Callstack Init Failed  
> 0x543821 os\_version  
> 0x543a12 gpu\_vendor  
> 0x543c91 render\_device\_driver\_version  
> 0x543e81 cpu\_brand  
> 0x544042 windows\_install\_date  
> 0x544205 is\_wine  
> 0x544231 0  
> 0x544260 1  
> 0x544780 language  
> 0x544a40 HWID\_%02X-%02X  
> 0x544ab0 %02X  
> 0x544db1 HWID\_%02X-FAILURE  
> 0x54a0b1 %u:%u:%X:%llX:%llX:%llX  
> 0x54fa91 Startup  
> 0x7dfb91 remove permissions