Basic AIR Client hacking
Note: This tutorial was not written by me, it was written by Socks from Skillhackers.info
Prologue: Before we begin
For this howto we will be using the following applications:
- cws2fws - You can use any number of Flash decompressors; I've uploaded the one I'll be using here.
- HxD - A hex editor. Really, any hex editor will work.
- Sothink SWF Decompiler - Self-explanatory.
Code :
02 NOOP
24 Push byte
26 Push true
27 Push false
I will not be posting patched versions of LolClient.swf. Doing so is a copyright violation.
Part 1: Decompressing the client
This will cover the use of the cws2fws tool that I linked to above; if you are using another decompressor you can skip this step. To make this easy, we won't be adding the exe to the path, just using it directly.
Your Flash decompiler will include a decompressor of its own so that it can open the file. However, we want a decompressed version of the file so that we can edit it easily with a hex editor.
Download the exe and copy it into your air directory (the default on Windows is C:\Riot Games\League of Legends\air). Open the command line (press Windows+R, type cmd and hit Enter). Execute the following commands (changing paths where necessary); your output should match the screenshot below. I personally do not follow the AIR versioning scheme when decompressing these, instead using the patch date.
Code :
cd "C:\Riot Games\League of Legends\air"
cws2fws.exe LolClient.swf LolClient.20110412.swf
Part 2: Using bytecode to enable the developer window
Copy your LolClient.20110412.swf to LolClient.20110412.developer.swf. This is the file we will be using for this part. Open Sothink and using the panel on the left, navigate to your air directory. Click on your developer swf and then expand the file on the right.
Select the actionscript tab at the top and search for "developer" (no quotes). Use the "Search All AS" button. This process will take a while, however, Sothink does a good job of caching the file in memory so subsequent searches will be pretty quick. We're looking for the developer flag that is set in the RiotApplication class, so scroll through the results and look for where that is set to false. You should be able to find this line in the function initDefaults.
At the top of the window, select Raw Data. This will allow us to see the hex and the bytecode side by side. Normally you're going to need to search for the function name you were looking for and actually dig into the code. Since I'm helping you out and we can see from our results above that we want the second "developer" in the class, hit "Search Current AS" twice.
The "_as3_pushfalse" above our search result is what we want to change, turning it into a true (and so yes: this whole part we're doing all this work to change a single bit :p). Open HxD and use it to open our developer swf. We're going to search for the hex we want and then edit the 27 into a 26 (_as3_pushfalse into _as3_pushtrue). In this case, we're going to search for the variable reference before the one we want in addition to ours (initialIndexedPublicChatRoomNames) banking on the fact that these two variables will never be set in the same order again. For this specific client the chunk of code we're searching for looks like:
Code :
//61 e9 3c _as3_setproperty initialIndexedPublicChatRoomNames
//d0 _as3_getlocal <0>
//27 _as3_pushfalse
//61 99 3e _as3_setproperty developer
Backup your original LolClient.swf (I named mine LolClient.orig.swf) and copy LolClient.20110412.developer.swf into its place. Launch the client normally. You are now running in developer mode which includes access to the developer window.
Part 3: Unlocking all Summoner Spells
By now you've played with the developer window and decided that besides that tantalizing "enable draft cheats" checkbox, there's nothing of value there. Now it's time to do something worthwhile: Give ourselves Flash at summoner level 1. We've all been in situations where we create level 1 accounts and end up in a 5v5 all smurf game. None of them have Flash, Ignite, Clarity, etc - but you can, allowing you to keep an advantage despite playing against other skilled players.
This is a real simple hack to do: all we're doing is patching the required summoner level in the air client. Create a new copy of the air client (I called mine lolclient.20110412.summoner.swf) and open it with Sothink. This time instead of searching for developer, search for Clairvoyance (the capital C is important). Again use the "Search All AS" button. However, this time all the results will be relevant.
The SpellFactory.createSpell arguments are as follows:
Code :
SpellFactory.createSpell(spellId:int, name:String, displayName:String, description:String, minLevel:int, gameModes:Array) : Spell
Once again, click "Raw Data" at the top. Scroll down a bit until you see the summoner spell you want. In this case the raw data we're interested in looks like:
Code :
//24 01 _as3_pushbyte 1
//2c 96 8d 02 _as3_pushstring "SummonerBoost"
//2c 97 8d 02 _as3_pushstring "Cleanse"
//2c 98 8d 02 _as3_pushstring "Removes all ..."
//24 02 _as3_pushbyte 2
//2c 93 d8 01 _as3_pushstring "CLASSIC"
//2c a0 d8 01 _as3_pushstring "TUTORIAL"
//2c 9f d8 01 _as3_pushstring "ODIN"
//56 03 _as3_newarray [array size:3]
We are looking to change the _as3_pushbyte 2 into an _as3_pushbyte 1. The opcode for _as3_pushbyte is 24 and it takes a single byte argument with the value. Open HxD and open the summoner swf file. Because these are essentially pointers to strings that only appear in one place in the entire file, we can simply search for the two strings above the level (the displayName and the description). Change the argument byte from 02 to 01 and you've modified Cleanse's minimum level.
You can test whether or not your modification was successful without entering a game by looking at the spells tab of your profile.
Hopefully this whole thing wasn't too hard to follow and helps some of you looking into the AIR client. Happy Hacking!
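The edits in Parts 2 and 3 each change one byte in a decompressed (FWS) copy of the client, so a plain file hash compared against the shipped compressed (CWS) file would flag even an unmodified decompressed copy. The following is an added example, not part of the original tutorial: it hashes the uncompressed body instead and reports which offsets differ from a reference build. The sample file contents, the version byte and all function names are constructed for illustration.

```python
import hashlib
import struct
import zlib

def swf_body(data: bytes) -> bytes:
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    declared = struct.unpack("<I", data[4:8])[0]  # length of the uncompressed file
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    if len(body) + 8 != declared:
        raise ValueError("declared length does not match body")
    return body

def body_digest(data: bytes) -> str:
    """SHA-256 over the uncompressed body, so CWS and FWS copies compare equal."""
    return hashlib.sha256(swf_body(data)).hexdigest()

def changed_offsets(reference: bytes, candidate: bytes):
    """List (FWS file offset, reference byte, candidate byte) per difference."""
    ref, cand = swf_body(reference), swf_body(candidate)
    if len(ref) != len(cand):
        raise ValueError("bodies differ in length; not an in-place patch")
    return [(i + 8, r, c) for i, (r, c) in enumerate(zip(ref, cand)) if r != c]

def make_swf(body: bytes, compressed: bool) -> bytes:
    """Build a constructed sample file (version byte 10 is arbitrary)."""
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([10]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compressed else body)

# Constructed sample body: padding around the byte sequence quoted in Part 2.
CLEAN_BODY = bytes(20) + bytes.fromhex("61e93cd02761993e") + bytes(20)
PATCHED_BODY = CLEAN_BODY.replace(bytes.fromhex("d02761"), bytes.fromhex("d02661"))

SHIPPED = make_swf(CLEAN_BODY, compressed=True)        # as distributed (CWS)
DECOMPRESSED = make_swf(CLEAN_BODY, compressed=False)  # same content, FWS form
TAMPERED = make_swf(PATCHED_BODY, compressed=False)    # one opcode byte changed

if __name__ == "__main__":
    print("decompressed copy matches:", body_digest(SHIPPED) == body_digest(DECOMPRESSED))
    print("tampered copy matches:    ", body_digest(SHIPPED) == body_digest(TAMPERED))
    for offset, ref, cand in changed_offsets(SHIPPED, TAMPERED):
        print(f"offset 0x{offset:x}: {ref:02x} -> {cand:02x}")
```

A client-side check like this only detects modification of the file on disk; values such as the minimum summoner level still need to be enforced by the server, since the client copy can be edited as shown above.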
It would be pretty useful for low level gamers. What I need now is Riot Points hack :P