DISCLAIMER: This is for information and learning purposes only, I do not endorse or recommend using this information to make any unofficial tools which can result in bans (or worse).
Back when League of Legends' client was still written in Adobe AIR, I reverse engineered it, located the functions responsible for encrypting and decrypting the RTMPS messages within Adobe AIR.dll, and wrote a hook to capture and dump the messages.
Best Answer Feretorix, 16 September 2015 - 03:25. You're injecting the wrong DLL, try injecting 'new.dll' instead. Also make sure you DO NOT start the Loader while injecting the dll on your own, since the loader will also attempt to inject another copy of it. Kayn All League of Legends scripting platforms has been updated for patch 11.9.
I never ended up doing anything with this code other than walking through it in my book, but the process was quite fun. League of Legends has since released a new client, and I decided pull it apart again.
League Of Legends Dll Script Injector
Initial Probe
In order to understand what I was dealing with, I opted to first take a look at the process tree with Process Explorer:
Looking at this tree, the separate renderer processes reminded me of Google Chrome. Checking the command line confirmed that this was not a coincidence:
Many of the switches here, such as --type=gpu-process and --no-sandbox, are indicative of Google Chrome (you'll see them on Chrome if you check, hehe). With this information, I realized they must be using the Chrome Embedded Framework (CEF).
This tells me that the client is really just a host for a website.
Intercepting CEF
I decided that my next step should be investigating the boundary between the client's code and the CEF library. There are quite a few ways to go about this, and the best method really depends on the scope of the investigation. In order to figure out what I was dealing with, I fired up Dependency Walker and took a look at the exports from libcef.dll. The list was quite long, but it looked something like this:
Because of the laundry list of functions, I decided that writing my own hook was, for now, out of the question. Instead, I opted to use API Monitor.
Custom API Monitor Definitions
API Monitor has a feature called External DLL:
Using this feature, I was able to intercept all function calls within libcef.dll. This allowed me to understand which functions were being called with what frequency, which is awesome. One drawback, though, is that the feature is not capable of decoding parameter and return values, which meant I couldn't really do much.
I'm a big fan of API Monitor, however, and my frequent use of the tool has given me some insight into how its designed. Inside of the tool's root folder, there is a folder called API. This folder contains multiple nested folders with many .xml files inside. These files contain the definitions for the types, enumerations, and functions for the tool to intercept.
I set out to write my own set of definitions for every function which External DLL was able to intercept. Adding my own definitions was very easy, since the markup is quite intuitive and new .xml files are automatically picked up when the tool restarts.
After reading some existing definitions, I got the hang of it. The definitions I wrote are too bulky for this blog, so I've put them on github.
Monitoring API Calls
With my custom definitions in hand, I fired up League, attached API Monitor, and spent a few minutes trying to click every button I could find. Afterwards, I started sorting through the intercepted API calls. The amount of verbosity enabled by my custom definitions made this extremely easy, and I quickly focused in on a function called cef_parse_url:
There were some other interesting functions called, but they didn't give me even a small fraction as much information as that single function.
Ripping the API
With literally hundreds of calls parsing URLs, I started sorting through the logs. Most URLs were in the format https://riot:<session password>@127.0.0.1:<random port>/<path>, where <session password> and <random port> are unique across client restarts and <path> specified an API to call. Nearly every URL could be cleanly hit from a browser. Luckily, the listener is bound only to localhost, so computers on the same network are unable to hit it (that's some good extra security, on top of the need for a session token).
This painted a very clear picture: the client is hosting a local webserver with both a backend API and a set of frontend webpages, and this is all rendered by CEF.
Backend API Calls
I managed to intercept dozens of API calls to the web backend. Each one responds with a blob of JSON, and their paths are pretty descriptive. There are calls for active sessions details:
Player profile:
Match history:
Summoner metadata:
Notifications:
Summoner inventory:
Generating replays:
Friends and conversations:
Loot:
Assets (there's also a query for every single .png, .wbem, font, and sound):
And configuration:
Interestingly enough, it seems like Riot is also collecting telemetry to understand how their players spend time in the client:
Injecting UI
One end-game for information like this might be into inject custom UI elements or extensions into the client. The fact that it is web-based means that modification and customization should be extremely familiar to anybody who's worked on a website.
I've not gone this far, but I have some pretty solid theories of good entry points for code injection. First, there's a file called index.html exposed by the backend. It is a visually blank page, but it has some interesting headers:
I haven't taken the time to intercept /fe/plugin-runner/index.html yet (the API requires some special request headers and I haven't wired up a proxy as of now), but I'd wager that it hosts some Javascript with access to the entire DOM. Moreover, I'd wager that any script running in the context of index.html may have access to the entire DOM, meaning Javascript injection into either of these files should give one unfettered access to the UI.
If that's doesn't work, I have another theory. When returning to the home screen, the client decodes this URL:
League Of Legends Dll Script Injector 2019
If you hit this page in a browser, you see the home screen for the client. The port in this URL matches the port being used by the local API, which leads me to believe that it is allowed to talk to the backend. Moreover, there are buttons on this page which can navigate to other pages within the client, leading me to believe it has at least some access to the DOM. Thus, injecting code into this page might also work.
That's All, Folks!
Thanks for reading! Feel free to give me feedback or share your own analysis in the comments!
Hope you enjoyed this DLL file for the injector don't forget to like comment and subscribe for more content
------------------------------------------------------------------
Add me on roblox: DanielDaddycool
------------------------------------------------------------------
DLL_Xploit Download:
------------------------------------------------------------------
Music: Alex Skrindo - Jumbo [NCS Release]
-------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
ff , unff , unsmoke , fire , unfire , unsp , particles , unparticles , sound , nosound , explode , kill , god , sgod , ungod , heal , ws , jp , btools , time , fogend , fogstart , goto , bring
---------------------------------------------------------------------------
Tags ignore:
---------------------------------------------------------------------------
Viper_Rising
DLL_Rising
roblox exploit 2016
roblox exploit 2013
roblox exploit 2012
roblox exploit 2015
Venom_verbhaxx
v3rmillion
rc7
extreme injector
roblox animation exploit
Verbhaxx
vermillion
roblox dll exploit
roblox new exploit
cheat engine
roblox hacks
roblox exploit scripts
roblox script exploit
roblox hack
SpareReborn
roblox scripts
roblox exploit download
ViperVenom_Aspect
roblox admin exploit
Viper Nexus
Viper_JJSploit
viper_super
DLL_JJSploit
VV_SpareReborn
DLL_Stats
DLL_Xploit
GPU: GeForce GTX 980
CPU: Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
Memory: 32 GB RAM (31.93 GB RAM usable)
Current resolution: 1920 x 1080, 60Hz
Operating system: Microsoft Windows 10 Home
16/01/2017
Roblox New Exploit DLL - DLL_Xploit - Btools , God Mode 2017 Unpatched
How to install:
- Download, extract and run .exe file,
(If your antivirus blocking file, pause it or disable it for some time.)
- Choose destination folder
How to Use:
Open destination folder and locate file notes.txt, open it and read step by step.
Enjoy!
League Of Legends Dll Script Injectors
Don't forget to read instructions after installation.
Enjoy Roblox New Exploit DLL - DLL_Xploit - Btools , God Mode 2017 Unpatched.
All files are uploaded by users like you, we can't guarantee that Roblox New Exploit DLL - DLL_Xploit - Btools , God Mode 2017 Unpatched are up to date.
We are not responsible for any illegal actions you do with theses files. Download and use Roblox New Exploit DLL - DLL_Xploit - Btools , God Mode 2017 Unpatched on your own responsibility.
Download now