[Patched] Battleye Heartbeat bypass ( designed only for WR)

Discussion on [Patched] Battleye Heartbeat bypass ( designed only for WR) within the WarRock Hacks, Bots, Cheats & Exploits forum part of the WarRock category.

#1 MRx86 (Trade Restricted), Join Date: May 2013

It's been patched with the latest module ...
BE version x86
Run the game without any protection, and the heartbeat was emulated, so the server wasn't able to kick you out.
No idea if this can be replicated for other games! I didn't test in other games.
I think it was a very old BE version.

Code:
#include <windows.h>

class cBeClient
{
public:
    DWORD dwBEMapHeartBeat; //0x0000
    DWORD dwIntrusiveCall;  //0x0004  /* 1/7 error list, 3 s_ok */
    __int8 RetCode;         //0x0008
    char _0x0009[55];
}; cBeClient* pBeClient = NULL;

static DWORD dwBattleyeESP = 0;
DWORD dwBattleyeJump = 0x661214;
__declspec(naked) void BattleyeHook(void)
{
    __asm cmp dword ptr [esp+0x4], 0
    __asm mov dwBattleyeESP, esp

    /* this must be outside, in a thread */
    /* attempting to execute it here crashes */
    /* XOR SKIP EACH 3 BYTE */
    /*
    if (dwBattleyeESP)
    {
        pBeClient = (cBeClient*)dwBattleyeESP;
        if (pBeClient)
        {
            // Latest xor Encryption Key 0xD7
            pBeClient->dwBEMapHeartBeat = (DWORD) xorencode ( GenRandomString(32).c_str(), 0xD7 ) ;
            pBeClient->dwIntrusiveCall = 3;
            pBeClient->RetCode = 1;
        }
    }
    */

    __asm jmp [dwBattleyeJump]
}

DetourCreate((BYTE*)0x66120F, (BYTE*)BattleyeHook);

decrypted


Code:
Heartbeat packet  31330 = Hex 0x7A62

[Structure Packet 57e4cbcc] Packet ID 31330 error code 264 vp!n˜7nvNžt<*€a2š;K;jڡ(m0hQN3f@y
Su˜“’O}ᐣp—ƒ{“Eˆ+8f‡ۢCMŒgD‰Žx:*LTHONF>l‘O^.g-R6,XO…Œ“^X™ƒK:N4CgVzF
[Structure Packet 57e4cbcc] Packet ID 31330 264 vp!n˜7nvNžt<€a2š;K;jڡ(m0hQN3f@y
Su˜“’O}ᐣp—ƒ{“Eˆ+8f‡ۢCMŒgD‰Žx:LTHONF>l‘O^.g-R6,XO…Œ“^X™ƒK:N4CgVzF
[Structure Packet 57e4cbcc] Packet ID 31330 264 vp!n˜7nvNžt<*€a2š;K;jڡ(m0hQN3f@y
Su˜“’O}ᐣp—ƒ{“Eˆ+8f‡ۢCMŒgD‰Žx:*LTHONF>l‘O^.g-R6,XO…Œ“^X™ƒK:N4CgVzF
[Structure Packet 57e4cbcc] Packet ID 31330 264 vp!n˜7nvNžt<€a2š;K;jڡ(m0hQN3f@y
Su˜“’O}ᐣp—ƒ{“Eˆ+8f‡ۢCMŒgD‰Žx:LTHONF>l‘O^.g-R6,XO…Œ“^X™ƒK:N4CgVzF
[Structure Packet 57e4cbcc] Packet ID 31330 264 vp!n˜`7nvNžt<€a2š;K;jڡ(m0hQN3f@y
Su˜“’O}ᐣp—ƒ{“Eˆ+8f‡ۢCMŒgD‰Žx:LTHONF>l‘O^.g-R6,XO…Œ“^X™ƒK:N4CgVzF

Quote:
00661206 A1 C470B300 mov eax, dword ptr [B370C4]
0066120B 85C0 test eax, eax
0066120D 74 20 je short 0066122F
0066120F 837C24 04 00 cmp dword ptr [esp+4], 0
00661214 74 19 je short 0066122F
00661216 837C24 08 00 cmp dword ptr [esp+8], 0
0066121B 76 12 jbe short 0066122F
0066121D FF7424 08 push dword ptr [esp+8]
00661221 05 FCEA0600 add eax, 6EAFC
00661226 FF7424 08 push dword ptr [esp+8]
0066122A E8 51A4E7FF call 004DB680
0066122F C3 retn


004DB680 53 push ebx
004DB681 56 push esi
004DB682 57 push edi
004DB683 8B78 04 mov edi, dword ptr [eax+4]
004DB686 6A DE push -22
004DB688 6A 00 push 0
004DB68A 68 00600000 push 6000
004DB68F 68 627A0000 push 7A62
004DB694 8D9F 54900200 lea ebx, dword ptr [edi+29054]
004DB69A 8DB7 64F40200 lea esi, dword ptr [edi+2F464]
004DB6A0 53 push ebx
004DB6A1 8BCE mov ecx, esi
004DB6A3 E8 18D43700 call 00858AC0
004DB6A8 6A 01 push 1
004DB6AA FF7424 18 push dword ptr [esp+18]
004DB6AE 8BCE mov ecx, esi
004DB6B0 FF7424 18 push dword ptr [esp+18]
004DB6B4 53 push ebx
004DB6B5 E8 56DE3700 call 00859510
004DB6BA 6A 00 push 0
004DB6BC 53 push ebx
004DB6BD 8BCE mov ecx, esi
004DB6BF E8 3CDF3700 call 00859600
004DB6C4 807E 20 00 cmp byte ptr [esi+20], 0
004DB6C8 74 07 je short 004DB6D1
004DB6CA 8B76 1C mov esi, dword ptr [esi+1C]
004DB6CD F7DE neg esi
004DB6CF EB 03 jmp short 004DB6D4
004DB6D1 8B76 10 mov esi, dword ptr [esi+10]
004DB6D4 56 push esi
004DB6D5 53 push ebx
004DB6D6 8BCF mov ecx, edi
004DB6D8 E8 29AE0100 call 004F6506
004DB6DD 5F pop edi
004DB6DE 84C0 test al, al
004DB6E0 5E pop esi
004DB6E1 0F95C0 setne al
004DB6E4 5B pop ebx
004DB6E5 C2 0800 retn 8




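The post's point is that a client which keeps sending heartbeats, even with nothing behind them, is not kicked, and the five captured packet ID 31330 heartbeats shown above are near-identical. From the server side, the natural counter-check is to treat the heartbeat stream as something to validate rather than merely count. The following is an added illustration of that check; it is not code from the post or from BattlEye, and it assumes a hypothetical heartbeat record of (session, packet id, opaque payload, arrival time) with an assumed nominal period. The only value taken from the page is the heartbeat packet id 31330 (0x7A62); the sample stream is constructed.

```python
"""Server-side heartbeat freshness and replay check (added illustration).

Not code from the forum post or from BattlEye. Assumes a hypothetical
heartbeat record (session, packet_id, payload, arrival_time); the only
value taken from the page is the heartbeat packet id 31330 (0x7A62).
"""
from collections import deque
from dataclasses import dataclass, field

HEARTBEAT_PACKET_ID = 31330   # 0x7A62, as shown in the captured packets
EXPECTED_INTERVAL_S = 5.0     # assumed nominal heartbeat period
STALE_FACTOR = 2.0            # gap longer than this many periods -> stale
HISTORY = 32                  # payloads remembered per session


@dataclass
class HeartbeatMonitor:
    """Tracks recent heartbeat payloads per session and flags anomalies."""
    history: dict = field(default_factory=dict)   # session -> deque[(t, payload)]

    def check(self, session: str, packet_id: int, payload: bytes, now: float) -> str:
        """Return 'ok' or a short reason why this heartbeat is suspicious."""
        if packet_id != HEARTBEAT_PACKET_ID:
            return "wrong_packet_id"
        seen = self.history.setdefault(session, deque(maxlen=HISTORY))
        if any(payload == old for _, old in seen):
            verdict = "replayed_payload"   # byte-identical to a recent heartbeat
        elif seen and now - seen[-1][0] > STALE_FACTOR * EXPECTED_INTERVAL_S:
            verdict = "stale"              # client went quiet for too long
        else:
            verdict = "ok"
        seen.append((now, payload))
        return verdict


def scan(events):
    """Run a list of (session, packet_id, payload, t) through one monitor."""
    mon = HeartbeatMonitor()
    return [mon.check(*e) for e in events]


# Constructed sample stream: two genuine-looking heartbeats, the first
# payload resent verbatim, a long silence, then a non-heartbeat packet id.
SAMPLE_EVENTS = [
    ("sess-1", 31330, bytes.fromhex("7a62000100"), 0.0),
    ("sess-1", 31330, bytes.fromhex("7a62000200"), 5.0),
    ("sess-1", 31330, bytes.fromhex("7a62000100"), 10.0),   # replay of first payload
    ("sess-1", 31330, bytes.fromhex("7a62000300"), 40.0),   # 30 s gap
    ("sess-1", 1234,  bytes.fromhex("00"), 45.0),           # not a heartbeat id
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"t={ev[3]:>5} id={ev[1]:<5} {verdict}")
```

The replay check is deliberately per-session so that two clients legitimately producing the same bytes do not collide, and the bounded deque keeps memory per session constant; a production validator would additionally bind the payload to a server-issued nonce or session key, which the page gives no detail on and which this example does not attempt.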




