League of Legends (LOL!)

Ciaossu,

Well, I've been playing this game for quite some time now, and I'm really enjoying it. But oh well, the hacker in me always comes snooping around. So here are some facts (some better proven than others):

Facts:

  • Uses Blowfish in ECB mode for send/recv
  • Uses WSARecvFrom & WSASendTo
  • The key for that game session is given to the game client through the command line by the launcher process
  • The key is base64 encoded
  • Still not sure what they do with the (packetLength - headerSize) % 8 remainder; I'm thinking of some custom simple XORing, but no idea yet for that part.

I'm currently trying to derive what the different headers for the recv packets mean; it's quite a hassle, but I think I'm starting to see the pattern. You have 2 different types, a multi packet header (32 bytes) and a solo packet header (14 bytes).
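The send/recv pipeline the facts above describe, as an added example (not code from this post or from IntPe9): a pure-Python Blowfish built from the published algorithm (P-array and S-boxes derived from the hex digits of pi, as the cipher defines them), applied in ECB mode to the 8-byte-aligned part of a packet body after a header, with the (length - header) % 8 residue left untouched since the post does not know what happens to it, plus a check for repeated ciphertext blocks, the structure leak that ECB mode gives anyone watching the traffic. The 14-byte header value, the base64 session key and the packet contents are all constructed for the demo and are not the game's actual layout or key.

```python
import base64
import struct
from collections import Counter

MASK = 0xFFFFFFFF
N_WORDS = 18 + 4 * 256  # P-array (18 words) plus four 256-word S-boxes


def pi_fraction(nbits, guard=64):
    """Fractional part of pi as an nbits-wide integer (Machin's formula in fixed point)."""
    scale = 1 << (nbits + guard)

    def arctan_inv(x):  # arctan(1/x) * scale, alternating series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term, k, sign = term // (x * x), k + 2, -sign
        return total

    pi = 16 * arctan_inv(5) - 4 * arctan_inv(239)
    return (pi - 3 * scale) >> guard


def blowfish_tables():
    """Initial subkeys as Blowfish defines them: the first 1042 32-bit words of pi's hex fraction."""
    frac = pi_fraction(32 * N_WORDS)
    words = [(frac >> (32 * (N_WORDS - 1 - i))) & MASK for i in range(N_WORDS)]
    return words[:18], [words[18 + 256 * j:18 + 256 * (j + 1)] for j in range(4)]


_TABLES = blowfish_tables()  # computed once; each cipher instance copies it


class Blowfish:
    """Pure-Python Blowfish (Schneier, 1993); raw 8-byte block operations only, i.e. ECB."""

    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish keys are 32..448 bits")
        self.P, self.S = list(_TABLES[0]), [list(box) for box in _TABLES[1]]
        for i in range(18):  # XOR the key, repeated cyclically, into the P-array
            self.P[i] ^= int.from_bytes(bytes(key[(4 * i + j) % len(key)] for j in range(4)), "big")
        l = r = 0  # then overwrite every P and S entry with chained encryptions of zero
        for table in [self.P] + self.S:
            for i in range(0, len(table), 2):
                l, r = self._rounds(l, r, self.P)
                table[i], table[i + 1] = l, r

    def _rounds(self, l, r, P):
        """16 Feistel rounds; decryption is the same routine with the P-array reversed."""
        S = self.S
        for i in range(16):
            l ^= P[i]
            r ^= ((((S[0][l >> 24] + S[1][(l >> 16) & 0xFF]) & MASK)
                   ^ S[2][(l >> 8) & 0xFF]) + S[3][l & 0xFF]) & MASK
            l, r = r, l
        return r ^ P[17], l ^ P[16]

    def encrypt_block(self, block):
        return struct.pack(">II", *self._rounds(*struct.unpack(">II", block), self.P))

    def decrypt_block(self, block):
        return struct.pack(">II", *self._rounds(*struct.unpack(">II", block), self.P[::-1]))


def split_frame(packet, header_size):
    """Header, the 8-byte-aligned encrypted part, and the (len - header) % 8 residue."""
    body = packet[header_size:]
    cut = len(body) - len(body) % 8
    return packet[:header_size], body[:cut], body[cut:]


def ecb_apply(bf, data, decrypt):
    """ECB: every 8-byte block goes through the cipher independently, no chaining, no IV."""
    op = bf.decrypt_block if decrypt else bf.encrypt_block
    return b"".join(op(data[i:i + 8]) for i in range(0, len(data), 8))


def decrypt_frame(key_b64, packet, header_size=14):
    """Base64 key -> Blowfish ECB over the aligned body; header and residue pass through untouched."""
    bf = Blowfish(base64.b64decode(key_b64))
    header, enc, tail = split_frame(packet, header_size)
    return header, ecb_apply(bf, enc, True), tail


def repeated_ciphertext_blocks(enc):
    """Equal plaintext blocks give equal ciphertext blocks under ECB: a leak visible without the key."""
    counts = Counter(enc[i:i + 8] for i in range(0, len(enc) - len(enc) % 8, 8))
    return {blk: n for blk, n in counts.items() if n > 1}


# Constructed demo data (not real game values): a made-up session key in the base64 form the post
# describes, a dummy 14-byte header, and a body that carries the same 8-byte record twice.
DEMO_KEY_B64 = base64.b64encode(b"not-a-real-session-key").decode()
DEMO_HEADER = bytes(range(14))
DEMO_PLAIN = b"HP=00100" + b"XP=00042" + b"HP=00100" + b"tail"  # 3 blocks + 4 residue bytes


def build_demo_frame():
    bf = Blowfish(base64.b64decode(DEMO_KEY_B64))
    header, plain, tail = split_frame(DEMO_HEADER + DEMO_PLAIN, 14)
    return header + ecb_apply(bf, plain, False) + tail


if __name__ == "__main__":
    frame = build_demo_frame()
    header, plain, tail = decrypt_frame(DEMO_KEY_B64, frame)
    print(plain, tail, repeated_ciphertext_blocks(split_frame(frame, 14)[1]))
```

The repeated-block check is the part worth keeping in mind as a defender: it runs on ciphertext alone, so an observer who never obtains the key still learns which records repeat, which is why a chained mode with a fresh IV, or an authenticated mode, is the usual replacement for ECB. The session key itself is only as private as the command line it travels on, which the post's facts already make clear.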

Well, while I'm making this, I'm upping my IntPe9 packet editor, and it's getting awesome. Currently it works through:

  • Boost IPC (message queue)
  • Qt GUI client
  • Skeleton hooking system for a per target app

Well, I'll keep you informed about progress on these 2 projects.

~Intline9



13 Responses to “League of Legends (LOL!)”

  1. Steve Says:

    Hey there,

    I am trying to create a gold hack for LoL. I believe it could be done if I could decrypt the packets I am reading with wireshark. You say it is blowfish encryption. How can I go about reading the key given to the game client as you say?

    Would really appreciate any help. Thanks.

  2. intline9 Says:

    Can't be done… as simple as that, gold is server sided. Perhaps it's possible to buy more than 2 items from the same gold but not sure.

    On the command line to the process (see OutputDebugString, DebugView (google)) you see a base64 encoded string; decode that and feed it to Blowfish in ECB mode.

  3. coder8 Says:

    Any tips on getting the key? I am working on a site to keep track of stats during a game and build a quantitative assessment of performance. Happy to share what I build for parsing and logging the packets.

  4. Nathan Hartzell Says:

    Not sure if you’re still banging at this, but I’ve gotten a fair amount done with breaking things out into messages and decoding them. Of course, I wish I had seen this page a week earlier, since I spent a week banging my head at the encryption trying to figure out what it is, then saw this page the day after I figured it out myself :(. Anyway, let me know.

    coder8, as for your question, you have to do something to be watching the process list and grab the key from the command line used to start the game, or after the game go into the r3dlog and grab it from there.

  5. rullaaja Says:

    Do you still have this PE laying around? Would be interested to know where you left off with this protocol debug.

    • intline9 Says:

      Yes, been working on a Wireshark dissector (as I'm more interested in recreating the protocol and documenting it than exploiting any flaws (yet)).

      However the problem is, Wireshark has zero support for session key data. So I've been hacking through Wireshark to find some way to integrate it.

      So I've lost motivation; I want to continue, but there is so much in life that I want to do and want to know that it has not enough prio.

      If you want I can give you write access to the Google Code project for the dissector and perhaps through your commits I get more motivation.

      Mail me, or reply here. (intline9 atty gmail dotty com)

  6. Orestis Says:

    Hello, I've created a program in Java which sniffs all the packets sent from League of Legends. Now the only problem is that I'm not sure how to decrypt it. I've found a session ID key using DebugViewer but I'm not sure what to do with it. I've tried using it as a key of the Blowfish decryption but with no luck. I would greatly appreciate it if you could give me some hints or point me to the right direction.

    Thank you very much,
    Orestis

  7. Orestis Says:

    Thank you for the reply. I thought the problem was caused because I was using a different OS. I’m getting a “The application was unable to start correctly (0xc000007b).” Since the problem is not my OS, I found out that this error is caused by an incompatible .dll. I believe I will be able to fix it. Thanks again, I appreciate your help. Keep up the good work : )

  8. intline9 Says:

    I would love to have a directory list and a screenshot + info about your OS + bit (32/64)

    Could you make a ticket with that and even more info please?
    https://github.com/Intline9/IntPe9/issues?state=open

    • Orestis Says:

      I sent you an email. I managed to fix it. The error was fixed by installing Windows updates (Windows 7 64 bit). To be more specific, it was fixed right after installing Microsoft .NET Framework 3.5.1. The only problem now is that no packet is getting captured no matter which process I select. I have yet to figure out why. I have WinPcap 4.1.2 installed.
