- The injector of dlls still works? I like more this in c but I cant sure if the dll injectors still work im now seach again the pointer address of zoom for use kernel32.dll You can make your dll and use it internally, but it greatly increases the risks compared to the external solution.
- Download a good Dll injector and goto your cheat engine folder and drag the 'vehdebug-i386.dll' into your dll injector open settings in cheat engine and goto Debugger Options and use the VEH Debugger also make sure in scan settings the option MEMMAPPED:Memory is activated too, to get all the values from League now if you have some address you.
- Welcome to MPGH - MultiPlayer Game Hacking, the world's leader in Game Hacks, Game Cheats, Trainers, Combat Arms Hacks & Cheats, Crossfire Hacks & Cheats, WarRock Hacks & Cheats, SoldierFront Hacks & Cheats, Project Blackout Hacks & Cheats, Operation 7 Hacks & Cheats, Blackshot Hacks & Cheats, A.V.A. Hacks & Cheats, Call of Duty Hacks & Cheats, Gunz Hacks & Cheats, Quake LIVE Hacks & Cheats.
- Download Auto DLL Injector for free. An automatic DLL injector. A configurable DLL Injector that can inject specific processes upon start up or be injected manually on your own time.
DISCLAIMER: This is for information and learning purposes only, I do not endorse or recommend using this information to make any unofficial tools which can result in bans (or worse).
Back when League of Legends' client was still written in Adobe AIR, I reverse engineered it, located the functions responsible for encrypting and decrypting the RTMPS messages within Adobe AIR.dll
, and wrote a hook to capture and dump the messages.
I never ended up doing anything with this code other than walking through it in my book, but the process was quite fun. League of Legends has since released a new client, and I decided pull it apart again.
Initial Probe
In order to understand what I was dealing with, I opted to first take a look at the process tree with Process Explorer:
Looking at this tree, the separate renderer processes reminded me of Google Chrome. Checking the command line confirmed that this was not a coincidence:
Many of the switches here, such as --type=gpu-process
and --no-sandbox
, are indicative of Google Chrome (you'll see them on Chrome if you check, hehe). With this information, I realized they must be using the Chrome Embedded Framework (CEF).
Every Basic Attack in League of Legends is divided in 3 Phases: Phase 1 describes the actual Windup (Picture 1 and 2) Phase 2 describes the Attack Creation, in which the game creates for example the bullet for a ranged champion. (Picture 3 and 4) Phase 3 is the part of the attack animation that you don’t want to have. (Picture 5 and 6) Phase 1 and 3 can be canceled by movements or other orders.
This tells me that the client is really just a host for a website.
Intercepting CEF
I decided that my next step should be investigating the boundary between the client's code and the CEF library. There are quite a few ways to go about this, and the best method really depends on the scope of the investigation. In order to figure out what I was dealing with, I fired up Dependency Walker and took a look at the exports from libcef.dll
. The list was quite long, but it looked something like this:
Because of the laundry list of functions, I decided that writing my own hook was, for now, out of the question. Instead, I opted to use API Monitor.
Custom API Monitor Definitions
API Monitor has a feature called External DLL:
Using this feature, I was able to intercept all function calls within libcef.dll
. This allowed me to understand which functions were being called with what frequency, which is awesome. One drawback, though, is that the feature is not capable of decoding parameter and return values, which meant I couldn't really do much.
I'm a big fan of API Monitor, however, and my frequent use of the tool has given me some insight into how its designed. Inside of the tool's root folder, there is a folder called API
. This folder contains multiple nested folders with many .xml
files inside. These files contain the definitions for the types, enumerations, and functions for the tool to intercept.
I set out to write my own set of definitions for every function which External DLL was able to intercept. Adding my own definitions was very easy, since the markup is quite intuitive and new .xml
files are automatically picked up when the tool restarts.
After reading some existing definitions, I got the hang of it. The definitions I wrote are too bulky for this blog, so I've put them on github.
Monitoring API Calls
With my custom definitions in hand, I fired up League, attached API Monitor, and spent a few minutes trying to click every button I could find. Afterwards, I started sorting through the intercepted API calls. The amount of verbosity enabled by my custom definitions made this extremely easy, and I quickly focused in on a function called cef_parse_url
:
There were some other interesting functions called, but they didn't give me even a small fraction as much information as that single function.
Ripping the API
With literally hundreds of calls parsing URLs, I started sorting through the logs. Most URLs were in the format https://riot:<session password>@127.0.0.1:<random port>/<path>
, where <session password>
and <random port>
are unique across client restarts and <path>
specified an API to call. Nearly every URL could be cleanly hit from a browser. Luckily, the listener is bound only to localhost
, so computers on the same network are unable to hit it (that's some good extra security, on top of the need for a session token).
This painted a very clear picture: the client is hosting a local webserver with both a backend API and a set of frontend webpages, and this is all rendered by CEF.
Backend API Calls
I managed to intercept dozens of API calls to the web backend. Each one responds with a blob of JSON, and their paths are pretty descriptive. There are calls for active sessions details:
Player profile:
Match history:
Summoner metadata:
Notifications:
Summoner inventory:
Generating replays:
Friends and conversations:
Loot:
Assets (there's also a query for every single .png
, .wbem
, font, and sound):
And configuration:
Interestingly enough, it seems like Riot is also collecting telemetry to understand how their players spend time in the client:
League Of Legends Dll Script Injector
Injecting UI
One end-game for information like this might be into inject custom UI elements or extensions into the client. The fact that it is web-based means that modification and customization should be extremely familiar to anybody who's worked on a website.
I've not gone this far, but I have some pretty solid theories of good entry points for code injection. First, there's a file called index.html
exposed by the backend. It is a visually blank page, but it has some interesting headers:
I haven't taken the time to intercept /fe/plugin-runner/index.html
yet (the API requires some special request headers and I haven't wired up a proxy as of now), but I'd wager that it hosts some Javascript with access to the entire DOM. Moreover, I'd wager that any script running in the context of index.html
may have access to the entire DOM, meaning Javascript injection into either of these files should give one unfettered access to the UI.
If that's doesn't work, I have another theory. When returning to the home screen, the client decodes this URL:
If you hit this page in a browser, you see the home screen for the client. The port
in this URL matches the port being used by the local API, which leads me to believe that it is allowed to talk to the backend. Moreover, there are buttons on this page which can navigate to other pages within the client, leading me to believe it has at least some access to the DOM. Thus, injecting code into this page might also work.
That's All, Folks!
Thanks for reading! Feel free to give me feedback or share your own analysis in the comments!
League Of Legends Dll Script Injector 2019
Features
Unlimited Usage
DLL Injector is a free software which you can use without any restrictions. The software has been developed with vc++ and can be run on Windows platforms. It can be used to inject one or more dll files to any process.
Lightweight
The software is lightweight for the system and uses almost no resources. It's very stable and keeps the process alive.
Bypasses some detection methods
It can function as a tool to hack games. It works as a roblox inject tool as well. Our roblox injector does what it's meant to do.