Deep dive into R5Reloaded impersonation incident

Intro

I’d like to get started by talking about who I am and what my intentions are. My name is drof, I’m an independent, self-taught reverse engineer who has specialized in low-level security. I also do game hacking as a hobby, however I do not aim to commercialize any of my work in this field. I enjoy it for the challenge it gives me, and nothing else.

How it began

My journey in R5Reloaded started a couple of years ago, in 2022 to be precise. Below you can see my first ever uploaded video related to R5Reloaded, showing my training software Rfiver in its initial development version. You can see from the UI that this is an ancient build of my trainer. Nonetheless it can be used to visualize my progress pretty well:

It only had a basic set of features as you can see, I mean look at the menu yourself. You can see some basic aimbot and ESP settings. Nothing fancy, but definitely a good start. Because I had already worked on cheats for retail Apex before R5Reloaded was even released, I had some valuable, foundational knowledge of how things worked under the hood in Apex Legends to assist me during my development of Rfiver.

I should mention that this is not my first experience with games based on the Source engine; in fact I have been developing cheats for various other games running this engine in past years, for example Counter-Strike and Team Fortress. The aforementioned experience eased my development work in R5Reloaded by a lot.

During that time, I was nothing more than a simple cheater using aimbot and walls. Of course I tried to play as legit as possible while still having fun, because getting banned was a bummer. Because R5Reloaded is a niche game, your opponents are mostly above average in terms of skill. It makes sense if you think about it, because who would go as far as downloading a mod and doing 1v1s all day, if not all those dedicated sweats, right? I don’t mean it as an insult here, but rather to show how committed certain individuals are.

During my time in R5Reloaded, I was never satisfied with just playing the game. I always did some research on it whenever I had time, and during one of those sessions, I discovered an insane exploit which I will talk about in the next paragraph.

Discovery of an exploit

What I discovered had the potential to wreak havoc over all of R5Reloaded and its community. My discovery exposed that the R5Reloaded developers made a careless mistake when making an old build of Apex Legends work with their own dedicated server implementation: they entirely stripped Respawn’s authentication code, which is supposed to prevent people from sending bogus credentials. If you check out the retail Apex disassembly, you can see it properly authenticates with an Origin token of the connecting client, in order to verify its identity.

I was unsure whether this would work or not, so I started off by locating where the R5Reloaded game client sends its identity to the game server. After finding the corresponding routine, I went a step further and hooked this function. It sends a display name which other players will see, and a so-called nucleus-ID. R5Reloaded uses these for their ban list, combined with the client’s public IP address.

Since these fields were writable and easily accessible, I simply copied some bogus credentials into its buffer. Next I attempted to join a server, because I wanted to see if it would accept a blatantly faked identity. And to my surprise, the server accepted it and let me join with an entirely faked name and nucleus-ID combination. From this we can conclude that R5Reloaded game servers blindly accept any identifiers the client sends to them.

I used this to my advantage, and was able to generate a new identity within one click in my cheat UI. This caused some visible confusion on their moderators’ side, because when they banned me, I would be back in the game within seconds. A simple change of IP using a VPN, and a click in my cheat UI to generate an arbitrary name and nucleus-ID combination, was enough.

An attempted fix

Sometime during the start of 2023, the R5Reloaded developers attempted a half-assed fix by checking if a client’s nucleus-ID was in an expected format. Not surprising, but yes, apparently this ID is only partly unique. A part of it may be non-unique, although still dynamic. A nucleus-ID as a whole is still unique, just a part of it might be used for checking.

Impersonation: theory

Because of the aforementioned fix, I could not use arbitrarily generated identities anymore, at least not when it comes to the nucleus-ID. It also seems like it was checked whether the name matches up with the given nucleus-ID, I’m not sure about it though.

This gave me a new idea. Why don’t I just take someone else’s name:nucleus-ID combination and impersonate them? I was unsure about this as well, but I didn’t want to give up yet. To my luck, any player could execute a command named status in their R5Reloaded client console, and receive a list of every player in the server, with their name, nucleus-ID and other information. This would be a jackpot if it were to work out!

Impersonation: practice

You probably already know that it worked out, otherwise I wouldn’t be writing this post! By impersonating other players instead of relying on arbitrarily generated identities, I effectively managed to bypass their recent measure. I caused some decent havoc on their servers with this, see below for gameplay. I am impersonating Hideouts in this clip:

To my surprise you could also get other people BANNED, yeah you heard it right! I made a nice UI for doing this efficiently, because it takes too much time to do it manually:

Luckily their API for checking an account status is public. I believe it has to be this way for community-hosted servers to be able to use their global ban list. It automatically checks all accounts in your last match, and saves them to a file. Then it queries their status on R5Reloaded’s REST API. If you see an account in good standing, you can click the “Impersonate” button, and it will use their identifier combination to impersonate them.

You can also check if your IP is banned using their API; I made a nice window in my cheat for quickly checking it at certain intervals. It works like the above, just querying status using your IP.

Here are some other screenshots of conversations showing that people I’ve been impersonating got banned:

An actual fix

The R5Reloaded developers published a server update on October 21, 2023. I wasn’t able to take a look at it immediately, but judging from what a mod said, it probably was their fix to my exploit. It’s been 1.5 years of me abusing it, so you could argue it’s finally about time they came up with a fix. I sent this to a former friend and expressed my suspicions:

Once I had time to review this server build, I realized that they had purposely delayed pushing an update to their SDK on R5Reloaded’s public GitHub repository. This was likely to make it harder for people like me to know what exactly was going on. Although this might seem like a red flag, they have now caught up and uploaded their implementation properly onto their public GitHub repository. At the time this happened though, I had to rely on manual analysis to see if this update had anything to do with identity spoofing:

So at this point I realized they had implemented some form of Origin token verification. I performed some dynamic analysis on the above functions, and could see a token being submitted. After further analysis of said fix, I concluded that it’s not worth attempting a bypass here. It would simply be too time consuming to find cracks in their implementation, and I was personally already bored of R5Reloaded.

They are now grabbing your Origin token on the client and submitting it to the corresponding game server you’re trying to connect to. It then validates your token against your identity using an API provided by Origin/EA. Overall it’s a pretty decent fix implementation I must say, as they went the extra mile to ensure your token corresponds to the identity your client has sent.
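To make the difference between the three server behaviours described above concrete (the original blind acceptance of client-sent identifiers, the early-2023 format check, and the October 2023 token verification), here is an added example in Python. It is not R5Reloaded’s code and does not model the real protocol: the message shape, the assumed 19-digit nucleus-ID format, the identity-provider stub that stands in for the Origin/EA validation API, and every name and ID in it are constructed for illustration. The point it demonstrates is that a format check only validates the shape of a client-asserted value, whereas the token-bound check ties a provider-verified identity to the claimed one and keys the ban list on the verified identity.

```python
"""Added example, not R5Reloaded's code: a miniature "connect" handler that
contrasts the three server behaviours the post describes.

Everything here is constructed for illustration: the message shape, the
nucleus-ID format (assumed to be 19 decimal digits), the identity provider
stub standing in for the Origin/EA API, and all names and IDs."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed format for the demo only; the real format is not documented here.
NUCLEUS_ID_FORMAT = re.compile(r"^\d{19}$")


@dataclass(frozen=True)
class ConnectRequest:
    """What the client sends when joining. 'token' is absent pre-fix."""
    name: str
    nucleus_id: str
    token: Optional[str] = None


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def accept_trusting_client(req: ConnectRequest, banned: Set[str]) -> Verdict:
    """Pre-fix behaviour: the ban list is keyed on whatever identity the
    client asserts, so nothing here can tell the real owner of an ID from
    someone who merely typed it in."""
    if req.nucleus_id in banned:
        return Verdict(False, "claimed nucleus-id is banned")
    return Verdict(True, "client-asserted identity accepted")


def accept_format_check(req: ConnectRequest, banned: Set[str]) -> Verdict:
    """Early-2023 style fix: reject malformed IDs. This stops random IDs,
    but a copied, well-formed ID of another player still passes."""
    if not NUCLEUS_ID_FORMAT.match(req.nucleus_id):
        return Verdict(False, "malformed nucleus-id")
    return accept_trusting_client(req, banned)


class StubIdentityProvider:
    """Stands in for the Origin/EA token-validation API (constructed)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, str]] = {}

    def issue(self, nucleus_id: str, name: str) -> str:
        """Only the real account holder can obtain a token for their identity."""
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = (nucleus_id, name)
        return tok

    def validate(self, token: str) -> Optional[Tuple[str, str]]:
        return self._tokens.get(token)


def accept_token_bound(req: ConnectRequest, provider: StubIdentityProvider,
                       banned: Set[str]) -> Verdict:
    """October-2023 style fix: require a token, validate it with the provider,
    and bind the provider's answer to the identity the client claimed. The
    ban list is then consulted with the verified ID, not the claimed one."""
    if req.token is None:
        return Verdict(False, "no token presented")
    ident = provider.validate(req.token)
    if ident is None:
        return Verdict(False, "token rejected by identity provider")
    verified_id, verified_name = ident
    if (verified_id, verified_name) != (req.nucleus_id, req.name):
        return Verdict(False, "token does not match claimed identity")
    if verified_id in banned:
        return Verdict(False, "verified nucleus-id is banned")
    return Verdict(True, "identity verified")


def demo() -> Dict[str, bool]:
    """Run one impersonation attempt through all three handlers."""
    provider = StubIdentityProvider()
    alice_id, mallory_id = "1" * 19, "2" * 19  # constructed IDs
    alice_token = provider.issue(alice_id, "alice")
    mallory_token = provider.issue(mallory_id, "mallory")
    banned: Set[str] = {mallory_id}
    # An impostor who knows alice's name and ID (the server's player list
    # exposed both) but only holds a token for their own, banned account.
    impostor = ConnectRequest("alice", alice_id, mallory_token)
    legit = ConnectRequest("alice", alice_id, alice_token)
    return {
        "trusting": accept_trusting_client(impostor, banned).accepted,   # True
        "format_check": accept_format_check(impostor, banned).accepted,  # True
        "token_bound": accept_token_bound(impostor, provider, banned).accepted,  # False
        "legit_alice": accept_token_bound(legit, provider, banned).accepted,     # True
    }


if __name__ == "__main__":
    for handler, accepted in demo().items():
        print(f"{handler:>13}: {'accepted' if accepted else 'rejected'}")
```

Running the file prints one verdict per handler: the impostor is accepted by the trusting and format-checking handlers and rejected only by the token-bound one, while the legitimate client with its own token is accepted. The binding step (comparing the provider’s answer to the claimed name and ID) is what the post credits the real fix with; without it, a client holding any valid token could still present someone else’s identifiers.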

From here it was GGs from me, as my time invested was no longer justified. At that time, player counts were also at an all-time low for R5Reloaded, and they still are mostly. Although it does seem to go uphill nowadays, I wish them the best of luck with their project in the future.

Hostile Behavior

Now, I’ve only had experience with a handful of staff members in the R5Reloaded team; I will list both positive and negative encounters here. Some guy called Ugnius tried to ban me a couple of times ingame, and was always shocked when I came back within seconds. The guy was annoyed, but still acted professionally. Overall I was surprised by how calm this guy was, although he did lose his mind a couple of times here and there. But this guy never went hostile, he just questioned why I was doing what I did, searching for answers.

I cannot say this for some other guys like ReGlitched (some irrelevant scripter on their team), Amos (main developer of R5Reloaded), or wanderer (some troll hacker who apparently is friends with the R5Reloaded team). Let me explain below.

Amos: I haven’t had a direct interaction with this person, but he proceeded to label my “tools” as malware in the R5Reloaded Discord without having any evidence. Now I understand he might have tried to keep people away from using my trainer Rfiver, which was publicly available at that time for anyone to use. But straight out lying to achieve his goal is weird, at the very least.

Wanderer: This guy randomly added me on Discord, and we first started talking about some generic cheating stuff. Turns out he is affiliated with R5Reloaded in some way, as he proceeded to express his concerns about me cheating in it. I know it’s a volunteer project, you don’t have to tell me, bro. But they still have responsibilities for the safety of their player base. It doesn’t protect them from criticism. And let’s be honest here, taking 1.5 years to fix something as critical as this is just not acceptable. And yes, even for a volunteer project. They never even made a PSA or something like that to inform their players of an exploit going on, not until people started getting banned.

And the cherry on top is: Wanderer is a Titanfall cheater. He uses a similar exploit in a Titanfall mod named Northstar, but according to him, cheating in R5Reloaded is not justified. Cheating in Northstar on the other hand is, because apparently their developers are pedophiles. Yes, you heard it right. This bro literally made accusations without any proof whatsoever about the development team of another mod. And he JUSTIFIES cheating in it this way. Bro, I cannot believe he is real.

ReGlitched: Now this bro is a special needs case, I believe. He basically tries to get his hands on Rfiver and collect intelligence on us to report back to his colleagues over on the R5Reloaded staff team. We ended up in a voice call, and he ended up making the dumbest argument possible:

“I think I’ve seen this menu somewhere. Ah, looks like ImGui. I think your cheat is pasted!” ~ReGlitched

Bro, you cannot tell me this is fucking real. R5Reloaded themselves use ImGui, lmfao. He is basically mocking his own colleagues, hahaha. We couldn’t stop fucking laughing after he left the call, because it almost sounded too funny to be real. But it was!

Additionally, this guy messaged his moderator friends over at the Apex Legends retail Discord, and somehow got me banned. He mentioned this during the call, and said something like “look at the Apex Discord icon on your Discord now”. I should clarify that I was barely active on that server; I pretty much only used it for a couple of LFG requests here and there. It’s comical that this guy gets a power trip over banning me from a Discord server.

It just shows how corrupt the R5Reloaded staff team is: they cooperate with Apex cheat developers and cheaters in other mods (Titanfall/Northstar), have a double standard on which game it’s okay to cheat in and which it’s not, accuse developers they don’t even know of being pedophiles, abuse their friends’ power to get innocent people banned from Discords they have no official affiliation with, and so on…

Conclusion

My goal is not to send hate towards anyone. I just want to shed light on possible corruption in these communities. Always be cautious about who you interact with and who you trust with your personal data. I am not saying R5Reloaded is unsafe, but there is always a possibility.

They haven’t taken responsibility for the impersonation incident, not a single PSA. And now, after the Apex hack, they also try to spread propaganda that it has nothing to do with R5Reloaded. It may not have anything to do with it, but it just as well may.

R5Reloaded is a paradise for retail Apex cheat developers who want to get more insight into how the game works internally. Even if you can bypass EAC anti-debug on retail, you will never be able to run a server yourself, for example, or get access to certain information this way.

With R5Reloaded, you have access to both client and server. This allows you to accelerate your reverse engineering sessions and make progress faster.

Thanks for reading!