Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





 Post subject: League Of Legends Packets
PostPosted: 31 May 2010 12:07 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
Hi!

I recently started to play League of Legends, and I find it a pretty fun game, but it's full of bugs...

So I was curious what I would find in the packets when connecting, playing, casting spells and such,
so I ran Wireshark along with LoL, and after a few minutes I got something:

Standard query packet:

Code:
0000  00 21 04 8f e6 b9 00 24  2c 21 c1 c8 08 00 45 00   .!.....$ ,!....E.
0010  00 44 54 7a 00 00 80 11  5a 1a c0 a8 05 c3 c0 a8   .DTz.... Z.......
0020  05 01 ea e0 00 35 00 30  a4 65 45 90 01 00 00 01   .....5.0 .eE.....
0030  00 00 00 00 00 00 04 62  65 74 61 03 6c 6f 6c 09   .......b eta.lol.
0040  72 69 6f 74 67 61 6d 65  73 03 63 6f 6d 00 00 01   riotgame s.com...
0050  00 01                                              .. 


Data that is being sent from my computer:

Code:
29:00:00:00:00:06:01:ff:01:22:00:fb:60:c5
29:00:00:00:80:00:5c:d8:85:ff:00:fa
29:00:00:00:00:00:49:04:00:00:00:77:00:20:e4:1d:c3:b4:74:5c:10:82:c7:04:60:7b:3f:a9:a6:b4:59:8d:9c:e4:de:57:33:c8:5c:d4:08:7b:06:27:dd:ed


Data received from the server:

Code:
29:00:00:00:80:00:4e:ad:85:ff:00:f6
29:00:00:00:00:00:01:ff:00:00:01:1e:3b:67


in this case the server IP was
66.151.54.163
but it most likely changes every game

so, from what I could see, the packet data starts with 29:00:00:00 (hex) regardless of whether it's being sent or received, and the length of the data in the packet depends on what is happening in the game, for instance:

29:00:00:00:00:00:49:04:00:00:00:77:00:20:e4:1d:c3:b4:74:5c:10:82:c7:04:60:7b:3f:a9:a6:b4:59:8d:9c:e4:de:57:33:c8:5c
contains the standard starting data 29:00:00:00, and from here I guess that something holds the coordinates my character is at at the time the packet is sent, and the rest holds the data of spells being cast, buffs/debuffs on me and other things

now, I want to know: is this possible to exploit somehow?
also, does someone have a code snippet or function for C++ or C which is able to send packets (let's say that I want to send the query packet; how would I do it?)

also, I was researching the game client a lot, and I successfully modified the zoom values, but I can't find the pointer for the name address (nor for health...). my plan was to get the max health of the character and the current health of the character, calculate if it's low (something like below 20%...) and print that along with my character's name so I can see it more easily
I also have some research data on that, but I won't post it in this thread.


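The "standard query packet" in the first post is a DNS lookup (Ethernet/IPv4/UDP to port 53 asking for beta.lol.riotgames.com), not game traffic. The following C decoder is an added example, not code from the post or from the game's authors: it walks that frame with bounds checks and extracts the queried name and record type.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* The 82-byte "standard query" frame from the Wireshark dump above, transcribed
   here (constructed sample from the post's hex dump) so the decoder runs offline. */
static const uint8_t frame[] = {
    0x00,0x21,0x04,0x8f,0xe6,0xb9,0x00,0x24,0x2c,0x21,0xc1,0xc8,0x08,0x00,0x45,0x00,
    0x00,0x44,0x54,0x7a,0x00,0x00,0x80,0x11,0x5a,0x1a,0xc0,0xa8,0x05,0xc3,0xc0,0xa8,
    0x05,0x01,0xea,0xe0,0x00,0x35,0x00,0x30,0xa4,0x65,0x45,0x90,0x01,0x00,0x00,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x62,0x65,0x74,0x61,0x03,0x6c,0x6f,0x6c,0x09,
    0x72,0x69,0x6f,0x74,0x67,0x61,0x6d,0x65,0x73,0x03,0x63,0x6f,0x6d,0x00,0x00,0x01,
    0x00,0x01 };

struct dns_query { char qname[256]; uint16_t dst_port, qtype, qclass; };

/* Ethernet -> IPv4 -> UDP -> DNS question. Returns 0 on success, -1 if the frame is not an IPv4/UDP DNS query or is truncated. */
int decode_dns_query(const uint8_t *p, size_t n, struct dns_query *q) {
    size_t off, pos = 0;
    if (n < 14 + 20 + 8 + 12 || p[12] != 0x08 || p[13] != 0x00) return -1;  /* EtherType IPv4 */
    if ((p[14] >> 4) != 4 || p[14 + 9] != 17) return -1;                      /* IPv4 carrying UDP */
    off = 14 + (size_t)(p[14] & 0x0f) * 4;                                    /* UDP header offset */
    if (off + 8 + 12 > n) return -1;
    q->dst_port = (uint16_t)((p[off + 2] << 8) | p[off + 3]);
    if (q->dst_port != 53) return -1;                                         /* not DNS */
    off += 8;                                                                 /* DNS header offset */
    if (p[off + 2] & 0x80) return -1;                                         /* QR set: a response, not a query */
    if (((p[off + 4] << 8) | p[off + 5]) != 1) return -1;                     /* expect exactly one question */
    off += 12;
    /* qname is <len><label>...<0>; pointers (len >= 0xC0) and labels over 63 bytes are malformed here */
    while (off < n && p[off] != 0) {
        uint8_t len = p[off++];
        if (len > 63 || off + len > n || pos + len + 2 > sizeof q->qname) return -1;
        if (pos) q->qname[pos++] = '.';
        memcpy(q->qname + pos, p + off, len);
        pos += len; off += len;
    }
    if (off + 5 > n) return -1;                                               /* terminator + qtype + qclass */
    q->qname[pos] = '\0';
    q->qtype  = (uint16_t)((p[off + 1] << 8) | p[off + 2]);
    q->qclass = (uint16_t)((p[off + 3] << 8) | p[off + 4]);
    return 0;
}

int main(void) {
    struct dns_query q;
    if (decode_dns_query(frame, sizeof frame, &q) == 0)
        printf("DNS query to port %d: %s type %d class %d\n", q.dst_port, q.qname, q.qtype, q.qclass);
    return 0;
}
```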
 
 
 Post subject: Re: League Of Legends Packets
PostPosted: 31 May 2010 17:15 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
for the packets, most depends on whether or not it's a TCP connection and/or if you can hook the process.

if you can hook the process there are practically no limitations because you can use the same socket for sending/receiving packets and data through UDP/TCP/any sockets (for example, what I do with proxocket).
and obviously you can modify and monitor them.

while if you work from outside you can only send UDP packets through a raw socket or after having temporarily bound the port used by the client.
you can't do this with TCP connections


 
 Post subject: Re: League Of Legends Packets
PostPosted: 31 May 2010 19:22 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
the connection is UDP, so I suppose that I could hook it, then I can practically send a packet that could, let's say, teleport me (and that's if the packets actually hold the character's location/coords)?

anyway, how would I query the server from a standalone application (C++/C), i.e. send the packet I stated in the first post, and receive the response?


 
 Post subject: Re: League Of Legends Packets
PostPosted: 31 May 2010 22:15 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
erco, you should look at other tools made by Luigi and learn from the source code. Take any fake players tool and see the source. There you should find out how to send and receive a packet. however, if you want to send packets, then I would use something else, like CommView's packet generator, and then capture the response.


 
 Post subject: Re: League Of Legends Packets
PostPosted: 31 May 2010 22:51 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
well, I want to write a program in C++ which would send the query packet and then get the response (I would do this mainly to learn how to send and receive them, as most of what I know in programming is about memory patching, editing and things like that)
I found some examples of TCP packet sending, but I think I'll be able to send UDP when I look into it better


 
 Post subject: Re: League Of Legends Packets
PostPosted: 01 Jun 2010 15:04 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
stripped example taken from one of my PoCs, compatible with both Windows and Linux.
the function that sends the packet and receives the reply is send_recv:
Code:
/*
  by Luigi Auriemma
  (winerr.h, the Winsock error table the original includes on Windows, is
  replaced below by a minimal std_err so the example compiles stand-alone)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
    #include <winsock.h>

    #define close   closesocket
    #define sleep   Sleep
    #define ONESEC  1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <sys/select.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ONESEC  1
    #define stristr strcasestr
    #define stricmp strcasecmp
#endif

typedef unsigned char   u8;
typedef unsigned short  u16;
typedef unsigned int    u32;



#define PORT        1234
#define BUFFSZ      1500



int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err);
int udp_sock(void);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    int     sd,
            len,
            i;
    u16     port    = PORT;
    u8      buff[BUFFSZ];
    char    *host;

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%d)]\n"
            "\n", argv[0], port);
        exit(1);
    }

    host = argv[1];
    if(argc > 2) port = atoi(argv[2]);

    peer.sin_addr.s_addr  = resolv(host);
    peer.sin_port         = htons(port);
    peer.sin_family       = AF_INET;

    printf("- target   %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));

    sd = udp_sock();

    // replace "mypacket" (and its length) with the bytes of the packet to send
    len = send_recv(sd, (u8 *)"mypacket", 8, buff, BUFFSZ, &peer, 1);

    // the reply is binary data, so dump it as hex instead of printing it as a string
    printf("- received %d bytes:", len);
    for(i = 0; i < len; i++) printf(" %02x", buff[i]);
    printf("\n");

    close(sd);
    return(0);
}



// sends "in" (if not NULL) and waits for a reply into "out" (if not NULL).
// returns the number of bytes received, 0 for send-only, -1 on error
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err) {
    int     retry,
            len;

    if(in && !out) {
        //fputc('.', stdout);
        if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
          < 0) goto quit;
        return(0);
    }
    if(in) {
        // send the packet and wait 1 second for a reply, retrying once
        for(retry = 2; retry; retry--) {
            //fputc('.', stdout);
            if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
              < 0) goto quit;
            if(!timeout(sd, 1)) break;
        }
        if(!retry) goto quit2;
    } else {
        if(timeout(sd, 3) < 0) goto quit2;
    }
    //fputc('.', stdout);
    len = recvfrom(sd, out, outsz, 0, NULL, NULL);
    if(len < 0) goto quit;
    return(len);
quit:
    if(err) std_err();
    return(-1);
quit2:
    if(err) {
        printf("\nError: socket timeout, no reply received\n\n");
        exit(1);
    }
    return(-1);
}



int udp_sock(void) {
    struct  linger  ling = {1,1};
    int     sd;

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();
    setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));
    return(sd);
}



// waits up to "secs" seconds for data to be readable on the socket.
// returns 0 if data is available, -1 on timeout or error
int timeout(int sock, int secs) {
    struct  timeval tout;
    fd_set  fd_read;

    tout.tv_sec  = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    if(select(sock + 1, &fd_read, NULL, NULL, &tout)
      <= 0) return(-1);
    return(0);
}



// accepts either a dotted IP or a hostname, returns the IPv4 address in network order
u32 resolv(char *host) {
    struct  hostent *hp;
    u32     host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u32 *)hp->h_addr_list[0];
    }
    return(host_ip);
}



#ifdef WIN32
    void std_err(void) {
        fprintf(stderr, "\nError: Winsock error %d\n", WSAGetLastError());
        exit(1);
    }
#else
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif


 
 Post subject: Re: League Of Legends Packets
PostPosted: 09 Jun 2010 15:11 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
Thanks for the code, I modified it a bit, and it works just fine, but the problem is that when I send the packets, the game just lags and reconnects me/crashes.
I guess that I can't send packets that are way out of sync with the server...


 