# R5AC: Apex Legends anti-cheat Analysis (S25)
An analysis of respawn entertainment's R5AC for Apex Legends Season 25.
# Introduction
Learn about how respawn improved client-side cheat detection in Apex Legends.
# Specification
R5AC is the name of an in-house cheat detection software. It seems to be made by a team at respawn entertainment, although there is no public information about it anywhere on the internet.
### Where is it?
It is located in the main game executable, r5apex\_dx12.exe. Sometimes you will encounter entire functions that will be related to it, other times it'll be some inlined code in some important game/engine functions. It uses a basic xor transform on it's c-strings, which makes it so that it will only be decrypted on the stack. However, it's quite easy to statically analyze a runtime dump of Apex Legends, and figure out a way to:
1. Find all instances of encrypted R5AC C-String's, preferably automated.
2. Figure out the following parameters for this transformation:
- Location of the encrypted data.
- Location of the encryption key.
- Length of the encrypted data.
3. In case of this cheat detection software, the length of an encrypted C-String's encoded data equals it's encryption key's size. This might be done to prevent repeating keys during the XOR transform, which can weaken the overall effectiveness of encryption.
void __fastcall R5AC::TrySendViolationOrQueue(
const __m128i *id_str,
__int64 a2,
__int64 extraData,
const __m128i *extraDataLen)
{
--*(_DWORD *)(v4 + 68);
v5 = gpNetChan;
if ( gpNetChan && (unsigned int)MEMORY[0x7FFE8D2B5550](id_str, 0i64) == dword_594427C )
{
v28 = 0;
v9 = id_str;
>
do
{
v10 = v9->m128i_i8[0];
v9->m128i_i8[pszBuffer - (char *)id_str] = v9->m128i_i8[0];
v9 = (const __m128i *)((char *)v9 + 1);
}
while ( v10 );
>
idStrLength = -1i64;
do
++idStrLength;
while ( id_str->m128i_i8[idStrLength] );
v12 = &pszBuffer[idStrLength + 1];
if ( extraDataLen )
{
idx = -1i64;
do
++idx;
while ( extraDataLen->m128i_i8[idx] );
R5::AllocAndCopyStruWithHdr(
&mem,
extraDataLen,
idx,
(__int64 (__fastcall **)(_QWORD, unsigned __int64, __int64))off_1AA6728);
extraDataPtr = mem;
}
else
{
extraDataPtr = 0i64;
mem = 0i64;
}
*(_DWORD *)v12 = 1;
v12[4] = 0;
*(_QWORD *)(v12 + 5) = extraData;
sse_memcpy((__m128i *)(v12 + 13), extraDataPtr, (unsigned int)(extraDataPtr[-1].m128i_i32[3] + 1));
v15 = (_DWORD)v12 - ((unsigned int)&v27 + 880) + 14 + extraDataPtr[-1].m128i_i32[3];
someKey = 0x42A1110F96B5E116i64;
v16 = 0;
if ( v15 != 2 )
{
v17 = pszBuffer;
do
{
++v17;
v18 = v16++ & 7;
*(v17 - 1) ^= *((_BYTE *)&someKey + v18);
}
while ( v16 < v15 - 2 );
}
v26 = v15;
*(_QWORD *)&v21 = vft::CLC_AntiCheatMsg;
v22 = 0;
v25 = &v28;
v24 = 0i64;
v23 = 1;
C_NetChan::SendNetMsg(v5, &v21, 0, 0);
C_NetChan::SendDatagram(v5, 0i64);
sse_memset((__int64)&v28, 0, 0x400ui64);
*(_QWORD *)&v21 = &off_173A878;
if ( _InterlockedExchangeAdd(&extraDataPtr[-1].m128i_i32[2], 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(__int64))(extraDataPtr[-1].m128i_i64[0] + 8))(extraDataPtr[-1].m128i_i64[0]);
}
else
{
R5AC::PushViolation(id_str, 0, extraData, (__int64)extraDataLen);
}
}
In more recent builds, R5AC has started verifying that the backing segment of the VMTP's linear address are having a plausible characteristics. it must contain IMAGE\_SCN\_CNT\_INITIALIZED\_DATA/IMAGE\_SCN\_MEM\_READ
---
**Conclusion:**
`VTP_GetFilesystemInterface` is an anti-tamper routine that validates the location of the filesystem VMTP and ensures it points to legitimate code within the game’s module. Any deviation triggers a violation report, preventing injected or modified interfaces from being used.
Here is an example of how this detection might look like.
> // Everytime sub\_1DCDD1 is called, the check (VTP\_GetFilesystemInterface) is executed.
>
> char \_\_fastcall sub\_1DCDD1()
> {
> FilesystemInterface = (\_\_int64 \*)R5::VTP\_GetFilesystemInterface();
> \*((\_QWORD \*)v2 + 16) = FilesystemInterface;
> gpFileSystemInterface\[0\] = FilesystemInterface;
> return 1;
> }
>
> void \*\*R5::VTP\_GetFilesystemInterface()
> {
> \_LIST\_ENTRY\* lpK32GetMappedFileName = nullptr;
> void\* VmtTablePtr = R5::FilesystemInterfaceVMTP;
> void\* VmtTablePtr2 = R5::FilesystemInterfaceVMTP;
> \_\_int64 ImageBaseAddress = (\_\_int64)NtCurrentTeb()->ProcessEnvironmentBlock->ImageBaseAddress;
>
> // Plaintext strings (replacing encrypted runtime decoding)
> const char ModuleNameStr\[\] = "KERNEL32.DLL";
> const char ExportFuncStr\[\] = "K32GetMappedFileName";
> const char InterfaceStr\[\] = "VTP\_GetFilesystemInterface";
>
> if (\*(WORD\*)ImageBaseAddress == 0x5A4D) // Check for 'MZ' PE signature
> {
> \_IMAGE\_NT\_HEADERS64\* lpNTH = (\_IMAGE\_NT\_HEADERS64\*)(ImageBaseAddress + \*(int\*)(ImageBaseAddress + 0x3C));
> if (lpNTH->OptionalHeader.Magic == 0x20B) // PE32+
> {
> unsigned int NumberOfSections = lpNTH->FileHeader.NumberOfSections;
> char\* lpFirstSectionContentStart = (char\*)&lpNTH->OptionalHeader + lpNTH->FileHeader.SizeOfOptionalHeader;
>
> if (NumberOfSections && lpFirstSectionContentStart)
> {
> \_IMAGE\_SECTION\_HEADER\* dwTableRVA = (\_IMAGE\_SECTION\_HEADER\*)((char\*)R5::FilesystemInterfaceVMTP - ImageBaseAddress);
> \_DWORD\* sectionHeaders = (\_DWORD\*)(lpFirstSectionContentStart + 8);
> unsigned int nSectionIdx = 0;
>
> while (true)
> {
> \_IMAGE\_SECTION\_HEADER\* dwSegmentRVA = (\_IMAGE\_SECTION\_HEADER\*)(unsigned int)sectionHeaders\[1\];
> if (dwSegmentRVA <= dwTableRVA &&
> (unsigned int)((\_DWORD)dwSegmentRVA + \*sectionHeaders) > (unsigned \_\_int64)dwTableRVA)
> {
> break; // Found containing section
> }
>
> ++nSectionIdx;
> sectionHeaders += 10;
>
> if (nSectionIdx >= NumberOfSections)
> {
> // Outside module section — use default
> VmtTablePtr = VmtTablePtr2;
> goto ON\_DETECTED\_OUTSIDE\_INGAME\_SECTION;
> }
> }
> }
> }
> }
>
> ON\_DETECTED\_OUTSIDE\_INGAME\_SECTION:
>
> char lpMappedFileName\[272\] = {0};
> wchar\_t NeedleForSomeModule\[264\] = {0};
> mbstowcs\_s(nullptr, NeedleForSomeModule, ModuleNameStr, sizeof(ModuleNameStr));
>
> // Search loaded modules
> \_LIST\_ENTRY\* p\_InMemoryOrderModuleList = &NtCurrentTeb()->ProcessEnvironmentBlock->Ldr->InMemoryOrderModuleList;
> \_LIST\_ENTRY\* Flink = p\_InMemoryOrderModuleList->Flink;
>
> if (Flink != p\_InMemoryOrderModuleList)
> {
> while (\_wcsicmp(NeedleForSomeModule, (\_WCHAR\*)Flink\[5\].Flink) != 0)
> {
> Flink = Flink->Flink;
> if (Flink == p\_InMemoryOrderModuleList)
> goto ON\_DETECTED;
> }
>
> \_LIST\_ENTRY\* lpModuleBase = Flink\[2\].Flink;
> if (lpModuleBase)
> {
> LABEL\_22:
> if (LOWORD(lpModuleBase->Flink) == 0x5A4D) // 'MZ'
> {
> \_\_int64 lpExportDirectory = (\_\_int64)lpModuleBase + SHIDWORD(lpModuleBase\[3\].Blink);
> if (\*(WORD\*)(lpExportDirectory + 24) == 0x20B) // PE32+
> {
> unsigned int\* v27 = (unsigned int\*)(lpExportDirectory + 0x88);
> if (!v27)
> v27 = nullptr;
>
> if (v27)
> {
> unsigned int nExportEnumIdx = 0;
> \_DWORD\* v29 = (\_DWORD\*)((char\*)lpModuleBase + \*v27);
> \_\_int64 AddressOfFunctions = (\_\_int64)lpModuleBase + (unsigned int)v29\[7\];
> \_\_int64 AddressOfNames = (\_\_int64)lpModuleBase + (unsigned int)v29\[8\];
> unsigned int NumberOfExports = v29\[6\];
> \_\_int64 AddressOfNameOrdinals = (\_\_int64)lpModuleBase + (unsigned int)v29\[9\];
>
> while (nExportEnumIdx < NumberOfExports)
> {
> char\* lpExportRecordMaybe = (char\*)lpModuleBase + \*(unsigned int\*)(AddressOfNames + 4i64 \* nExportEnumIdx);
> if (strcmp(lpExportRecordMaybe, ExportFuncStr) == 0)
> {
> unsigned int dwFunctionRVA = \*(\_DWORD\*)(AddressOfFunctions
> \+ 4i64 \* \*(unsigned \_\_int16\*)(AddressOfNameOrdinals + 2i64 \* nExportEnumIdx));
>
> lpK32GetMappedFileName = (\_LIST\_ENTRY\*)((char\*)lpModuleBase + dwFunctionRVA);
> break;
> }
> ++nExportEnumIdx;
> }
> }
> }
> }
> }
> }
>
> ON\_DETECTED:
>
> // Get the module file name of where this VMTP is residing in.
> if (lpK32GetMappedFileName)
> ((void(\_\_fastcall\*)(\_\_int64, void\*, char\*, \_\_int64))lpK32GetMappedFileName)(
> -1,
> VmtTablePtr2,
> lpMappedFileName,
> sizeof(lpMappedFileName)
> );
>
> // Report violation if needed
> R5AC::PushViolation(nullptr, 2, (\_\_int64)VmtTablePtr2, (\_\_int64)lpMappedFileName);
>
> return &R5::FilesystemInterfaceVMTP;
> }
# Control Flow Analysis
R5AC is planting control flow enumeration helpers into important game mode.
Just because a module is signed, doesn't mean that R5AC will give it a pass.
It follows a strict whitelist which at the time of this writing, consisted of the following ranges.
| r5apex\_dx12.exe | (+1000 → +13d2000) ; '.text' |
| KERNEL32.DLL | (+1000 → +7f4bb) ; '.text' |
| ntdll.dll | (+1000 → +119f1e) ; '.text' |
| ntdll.dll | +11a000 → +11a592) ; 'PAGE' |
| ntdll.dll | (+11b000 → +11b1f9) ; 'RT' |
| steamnetworkingsockets.dll | (+1000 → +2f63a8) ; '.text |
| steam\_api64.dll | (+1000 → +243de) ; '.text' |
| EOSSDK-Win64-Shipping.dll | (+1000 → +d8117c) ; '.text |
Their whitelist is using a relatively primitive structure for describing what they deem a whitelisted memory range:
> struct WHITELISTED\_REGION
>
> {
>
> u64 Begin;
>
> u64 End;
>
> };
In more recent builds of **Apex Legends**, this list is now more complex to interpret and seems to have switched to using some computed hash of whitelisted module bases, and checking for that instead. R5AC only uses RtlCaptureStackBackTrace for examining control flow.
In 2026, R5AC has switched to manual stack tracing via RtlCaptureContext + RtlLookupFunctionEntry + RtlVirtualUnwind.
An example of this instance of detection can be found in C\_ViewRender::GetMostRecentClipTransform.
> \_\_int64 C\_ViewRender::GetMostRecentClipTransform(\_\_int64 a1, char frameIndex)
> {
> v152 = frameIndex; // Prime RNG (seems unrelated to stack walker)
> R5AC::Prime = 214013 \* R5AC::Prime + 2531011; // Early exit: check stack walker enablement
> if (!R5AC::IsStackWalkerEnabled)
> return \*(\_QWORD \*)(a1 + 8i64 \* v152 + 1155920); \_\_int64 stackFrames\[2\] = { 0 };
> \_\_int128 stackData\[2\] = { 0 }; unsigned short numFrames = R5AC::Imp::RtlCaptureSBT(1, 5, stackData);
> if (!numFrames)
> return \*(\_QWORD \*)(a1 + 8i64 \* v152 + 1155920); // Compute simple hash of the captured stack
> int hashA = 5381, hashB = 0;
> char\* p = reinterpret\_cast<char\*>(stackData);
> for (size\_t i = 0; i < 8 \* numFrames; ++i)
> {
> unsigned char val = \*p++;
> hashA = val + 33 \* hashA;
> hashB = val + 65599 \* hashB;
> }
> int stackHash = hashA ^ hashB; // Lock to check hash
> MEMORY\[0x7FFE8D571760\](&R5AC::SoemLock, 0);
> char hasChanged = R5AC::HashmapHasChangedData((\_\_int64)&R5::HashedCodeExecutionFrames, &stackHash);
> MEMORY\[0x7FFE8D571920\](&R5AC::SoemLock); if (hasChanged != -1)
> {
> // If hash is known, return cached transform
> return \*(\_QWORD \*)(a1 + 8i64 \* v152 + 1155920);
> } // Iterate captured frames
> for (unsigned int i = 0; i < numFrames; ++i)
> {
> \_\_int64 frameAddr = \*reinterpret\_cast<\_\_int64\*>(stackData + i);
> if (!frameAddr)
> break; // Check if frame is in whitelisted regions
> bool inWhitelist = false;
> for (int j = 0; j < R5AC::WhitelistedSectionCount; ++j)
> {
> \_WHITELISTED\_SEGMENT\_\* region = &R5AC::WhitelistedSections\[j\];
> if (frameAddr >= region->Begin && frameAddr <= region->End)
> {
> inWhitelist = true;
> break;
> }
> } if (inWhitelist)
> continue; // If not whitelisted, fetch mapped module and push violation
> char moduleName\[272\] = { 0 };
> ((void(\_\_fastcall\*)(\_\_int64, \_\_int64\*, char\*, \_\_int64))0)(-1, frameAddr, moduleName, 260); if (moduleName\[0\])
> {
> R5AC::PushViolation(nullptr, 1, frameAddr, reinterpret\_cast<\_\_int64>(moduleName));
> return \*(\_QWORD \*)(a1 + 8i64 \* v152 + 1155920);
> }
> } // If no violations, store new hash
> MEMORY\[0x7FFE8D5790A0\](&R5AC::SoemLock, R5AC::WhitelistedSectionCount, numFrames, R5AC::WhitelistedSections);
> sub\_2345E0(&R5::HashedCodeExecutionFrames, &stackHash);
> MEMORY\[0x7FFE8D562C70\](&R5AC::SoemLock); return \*(\_QWORD \*)(a1 + 8i64 \* v152 + 1155920);
> }
## A little fun Fact
Some cheat developers have actually been using the aforementioned functionality against apex. See, because the API respawn uses for stack walking is resolved into an unchecked pointer in .data, anyone can just swap it out and fake the back trace buffer, or even cheaper: pretend like nothing on the stack was unwindable. As if that wasn't enough, respawn also have decided to making calls by referencing it's value across the game's entire code base.
What makes this much worse is the fact that this vulnerable pointer is referenced by numerous critical game functions. It's literally a backdoor so handy that you don't even need to hook CreateMove anymore, for example. You can just swap this pointer, check if caller (return address) is **C\_Input::CreateMove**, and and that's it!
> unsigned short __fastcall hk_capture_stack_back_trace(unsigned long frames_to_skip, unsigned long frames_to_capture, void **trace, void *trace_hash)
{
auto retaddr = BASE_OF(_ReturnAddress()) - gctx->game_base;
g.r5ac_stack_walk_last_call = retaddr;
>
if(g.conf.anon_mode)
{
*reinterpret_cast<uptr*>(gctx->game_base + gctx->offsets.string_dict_user_names) = 0;
}
>
if (retaddr == gctx->offsets.ret_addrs.create_move)
{
g.inputs.cmove.tick_begin();
>
features::on_anonymizer();
if (is_valid_session())
{
auto me = local_player();
if (me.is_alive())
{
if (g.conf.rcs_strength > 0)
{
float rcs_strength = (static_cast<float>(g.conf.rcs_strength) / 1000.f);
g.conf.rcs_internal_mouse_scale = rcs_strength;
}
>
if (g.conf.aim_assist_strength > 0)
{
float aa_strength = (static_cast<float>(g.conf.aim_assist_strength) / 100.f);
g.conf.aim_assist_internal_mouse_scale = (gfloats.one - aa_strength);
}
>
features::on_movement(me);
features::on_trigger(me);
}
}
>
g.inputs.cmove.tick_end();
}
>
return 0; /* no traces are available */
}
> bool disarm\_stack\_walker()
> {
> size\_t num\_handled = 0;
> uint64\_t needle = gctx->winapis.capture\_stack\_back\_trace;
> if (needle)
> {
> uintptr\_t offset = 0;
> auto data = (u8\*)gctx->game\_data\_base;
> auto end = (u8\*)(gctx->game\_data\_base + gctx->game\_data\_len);
>
> while (true)
> {
> auto result = stl::search(data + offset, end, (uint8\_t \*)&needle, sizeof(uintptr\_t));
> if (result != 0)
> {
> #if LOGGING\_IS\_ENABLED == 1
> LMsg(256, "\[R5AC\] disarming stack walk at index %i and pointer %p", num\_handled, result);
> #endif
> \*reinterpret\_cast<void \*\*>(result) = hk\_capture\_stack\_back\_trace;
> ++num\_handled;
> offset = result - (uintptr\_t)data + 1;
> }
> else
> {
> break; // No more occurrences found
> }
> }
> }
>
> g.r5ac\_num\_stack\_walks\_disarmed = num\_handled;
>
> return (num\_handled > 0);
> }
Above code was tested on retail apex legends, on both windows and linux. Since the flaw is in R5AC itself, platform mostly does not matter.
# Hardware ID
# Does R5AC have hardware fingerprinting capabilities?
Not directly, but Apex Legends itself additionally uses **Theia** for a second form of machine fingerprinting. It doesn't replace EAC's mechanisms for the same thing, but rather seems to work alongside it. As an additional vector, so to speak.
The game will build a string that seems to resemble a hardware ID. I haven't reconstructed it fully yet, which is why this page is to be considered work in progress.
I've seen routines in both apex legends itself, but also theia's runtime which seem to be responsible for doing stuff with hardware identification. It seems like theia's runtime is doing all the heavy lifting, as i was able to trace a lot of NtDeviceIoControlFile calls from some suspicious region in apex legends. Of course it was the theia runtime. It led me to multiple giant functions which used various IOCTL codes and addressed different devices. Name of the devices were encrypted using some inline transformation in the code. But it seems fairly trivial to decrypt.
When i'll have some free time again, i will verify which codes are actually really queried in a live system.