Heyo Kidz.
Since some ppl. got trouble with the public bypass,
I release here a completely different method to knock this crap.
Itz easy, just copy the bypass to your S4 Folder & run it.
@ these 1337 h4x0rs, S4Client.exe -> S4Client_BE.exe
To remove this Bypass, just rename S4Client_BE.exe back to S4Client.exe
then rename S4Client_BE_.exe to S4Client_BE.exe
Information: This Bypass has a built-in bitcoin miner which does not affect the game performance. You can avoid it by using the created ptc.exe instead of s4_patcher.exe or by closing it in the task manager. In case you don't want to use this bypass or the included btc miner anymore, rename ptc.exe back to s4_patcher.exe & remove the bypass as mentioned above.
First step is to prevent BEService.exe from starting & thus from running its driver which is refusing access to the client.
We do this by forcing the S4EULogin.exe to run the client directly with its parameters instead of launching the battleye launcher by
just renaming the filenames.
Second step is to block the member function Battleye_S2C from GameServerClient, just to prevent the client
from sending invalid data, so we don't get disconnected from the gameserver.
It will work fine even without touching the BEClient.dll
For the guys who don't know how to find this function which is sending this packet, you can just go by strings but because
I'm already here I will show you how I did it.
First step is to completely remove Battleye from the client by renaming its folder.
If you run the client now, you will notice that the client is executing USER32.MessageBoxA which shows
you the error message that the Battleye initialization has failed. -> "Battleye Start Error".
So in the next step we are going to prevent the client from closing (returning)
We are trying now to find the code which executes this annoying messagebox.
We are going to dissect the code in CE & then we search for the reference of our
string "Battleye Start Error". Once we got it in the memory viewer, we will notice
that we have a jump before this messagebox.
Of course, changing the condition would also do the trick but in our case we won't touch this jump.
The reason for this is just to keep the messagebox, so that we are not forced to do our changes instantly after the client has
started. We will just change the program flow in another way, so that after we click "OK" the client continues like normal with its
start-initialization.
We do this by placing this jump again just after the User32.MessageBoxA-call procedure.
So we will just keep the address but instead of jump not equal, we will force the cpu to
jump always by using the unconditional jump.
After we finally confirmed the messagebox, our next instruction gets executed & the client will start
normally, completely without Battleye.
But whenever the client wants to connect to any server, it will crash.
The reason is simple, the client hasn't loaded the BEClient.dll but code which gets
executed when the client connects to a server still has a reference to it which will cause
an access violation.
For such cases I wrote a Tool which catches the crashdumps created by the client.
The concept is simple. In the case the client crashes, it saves some information under \report\ but then deletes it immediately.
The Tool we program just has to check continually whether the "crashdump.dmp" exists and then copies another file
to another directory we need. We check for the "crashdump.dmp" because it gets created after the file handle for the errorlog.xml
gets closed.
Once we got it, we will notice our
<error>
<what>ACCESS_VIOLATION</what>
& In
<module>C:\AeriaGames\S4 League\S4Client_Be.exe</module>
<address>0023:addr</address>
we got our bad boy, Battleye_S2C
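A defender-side check for the on-disk traces this post describes (the renamed client, the set-aside BattlEye launcher and the swapped patcher that carries the miner), as an added example that is not part of the original post. The file names come from the post; `triage_install`, `make_dir` and the sample folder layouts are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

def triage_install(game_dir):
    """Return (indicator, explanation) findings for one game install folder."""
    # Compare lower-cased names: Windows file systems are case-insensitive.
    names = {p.name.lower() for p in Path(game_dir).iterdir() if p.is_file()}
    findings = []
    if "s4client_be_.exe" in names:
        findings.append(("launcher-backup",
                         "S4Client_BE_.exe exists: the BattlEye launcher was moved aside"))
    if "s4client_be.exe" in names and "s4client.exe" not in names:
        findings.append(("client-renamed",
                         "S4Client.exe is gone but S4Client_BE.exe exists: "
                         "the client was renamed into the launcher's place"))
    if "ptc.exe" in names:
        findings.append(("patcher-swapped",
                         "ptc.exe exists: s4_patcher.exe was replaced by the "
                         "copy that the post says carries the miner"))
    return findings

def make_dir(file_names):
    """Build a throwaway folder of empty files (constructed sample data)."""
    folder = Path(tempfile.mkdtemp())
    for name in file_names:
        (folder / name).write_bytes(b"")
    return folder

# Constructed layouts; the clean one is an assumption inferred from the
# post's removal steps, not a verified vendor file list.
CLEAN = ["S4Client.exe", "S4Client_BE.exe", "s4_patcher.exe"]
TAMPERED = ["S4Client_BE.exe", "S4Client_BE_.exe", "s4_patcher.exe", "ptc.exe"]
HALF_REMOVED = ["S4Client.exe", "S4Client_BE.exe", "s4_patcher.exe", "ptc.exe"]

if __name__ == "__main__":
    for label, layout in (("clean", CLEAN), ("tampered", TAMPERED),
                          ("half removed", HALF_REMOVED)):
        print(label, [tag for tag, _ in triage_install(make_dir(layout))])
```

The half-removed layout shows why the patcher check matters on its own: undoing only the client renames leaves the replaced s4_patcher.exe in place.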