Most URLs were in the format where and are unique across client restarts and specified an API to call. With literally hundreds of calls parsing URLs, I started sorting through the logs. There were some other interesting functions called, but they didn't give me even a small fraction as much information as that single function. The amount of verbosity enabled by my custom definitions made this extremely easy, and I quickly focused in on a function called cef_parse_url: Afterwards, I started sorting through the intercepted API calls. With my custom definitions in hand, I fired up League, attached API Monitor, and spent a few minutes trying to click every button I could find. The definitions I wrote are too bulky for this blog, so I've put them on github.
xml files are automatically picked up when the tool restarts.Īfter reading some existing definitions, I got the hang of it. Adding my own definitions was very easy, since the markup is quite intuitive and new. I set out to write my own set of definitions for every function which External DLL was able to intercept. These files contain the definitions for the types, enumerations, and functions for the tool to intercept. This folder contains multiple nested folders with many. Inside of the tool's root folder, there is a folder called API. I'm a big fan of API Monitor, however, and my frequent use of the tool has given me some insight into how its designed. One drawback, though, is that the feature is not capable of decoding parameter and return values, which meant I couldn't really do much. This allowed me to understand which functions were being called with what frequency, which is awesome. Using this feature, I was able to intercept all function calls within libcef.dll. Custom API Monitor DefinitionsĪPI Monitor has a feature called External DLL: The list was quite long, but it looked something like this:īecause of the laundry list of functions, I decided that writing my own hook was, for now, out of the question. In order to figure out what I was dealing with, I fired up Dependency Walker and took a look at the exports from libcef.dll. There are quite a few ways to go about this, and the best method really depends on the scope of the investigation.
LEAGUE OF LEGENDS MAC CLIENT FREEZES EVERY FEW SECONDS CODE
I decided that my next step should be investigating the boundary between the client's code and the CEF library. This tells me that the client is really just a host for a website. With this information, I realized they must be using the Chrome Embedded Framework (CEF).
Many of the switches here, such as -type=gpu-process and -no-sandbox, are indicative of Google Chrome (you'll see them on Chrome if you check, hehe). Checking the command line confirmed that this was not a coincidence: LeagueClientUxRender.exe -type=gpu-process -channel="64546861\341657564" -no-sandbox -lang=en-US -log-file="C:\Riot Games\League of Legends\RADS\projects\league_client\releases\0.0.0.93\deploy\debug.log" -supports-dual-gpus=false -gpu-driver-bug-workarounds=3,11,25,54 -gpu-vendor-id=0x1002 -gpu-device-id=0圆7b0 -gpu-driver-vendor="Advanced Micro Devices, Inc." -gpu-driver-version=22.19.662.4 -lang=en-US -log-file="C:\Riot Games\League of Legends\RADS\projects\league_client\releases\0.0.0.93\deploy\debug.log" /prefetch:2 -app-name=LeagueClient -ux-name=LeagueClientUx -ux-helper-name=LeagueClientUxHelper -log-dir="LeagueClient Logs" -bugsplat-name=league_client_riotgames_com -project=LeagueClient -app-port=59757 -bugsplat-platform-id=NA1 -app-log-file-path="C:/Riot Games/League of Legends/Logs/LeagueClient Logs/T16-42-39_10160_LeagueClient.log" -primary-ux-log-file-path="C:/Riot Games/League of Legends/Logs/LeagueClient Logs/T16-51-32_6440_LeagueClientUx.log" Looking at this tree, the separate renderer processes reminded me of Google Chrome. In order to understand what I was dealing with, I opted to first take a look at the process tree with Process Explorer: League of Legends has since released a new client, and I decided pull it apart again. I never ended up doing anything with this code other than walking through it in my book, but the process was quite fun. DISCLAIMER: This is for information and learning purposes only, I do not endorse or recommend using this information to make any unofficial tools which can result in bans (or worse).īack when League of Legends' client was still written in Adobe AIR, I reverse engineered it, located the functions responsible for encrypting and decrypting the RTMPS messages within Adobe AIR.dll, and wrote a hook to capture and dump the messages.
0 kommentar(er)
