Durpin(ddebug)'s LoL Skin Changer (with SOURCE)

[ddebug]

Hey everyone,

P.S. I am durpin. Different alias on different forum.

I made a League of Legends skin changer a while back and I want to release it to the community. I decided to include a copy of the source code for any inquiring minds/aspiring programmers. This was coded in C++. It requires AsmJit (asmjit - Complete x86/x64 JIT Assembler for C++ Language. - Google Project Hosting) in order to compile.

This works as of October 8, 2012. I don't plan on updating it in the future, but... you all have the source so it shouldn't be too hard to find the new offsets when the new patch comes out.

To use, simply open up a command line window and follow this syntax:
"PATH OF LSC.EXE (AKA WHERE YOU DOWNLOADED AND SAVED THE FILE)" "YOUR SUMMONER NAME IN QUOTES" SKINID

Example:
"C:\Users\root\Desktop\LSC.exe" "Dyrus" 2

The program will launch and wait for a copy of "League of Legends.exe" to be running. As soon as champion select is over and the game loads, LSC will patch in-game memory. This will allow you to play your selected champion with that skin ID. To find the desired skin ID you want to use, please refer to: League of Legends Wiki - Champions, Items, Strategies, and many more!

For example, if I wanted to play with the limited edition All-Star Akali skin, I would retrieve the skin ID from the following page:
Akali/SkinsTrivia - League of Legends Wiki - Champions, Items, Strategies, and many more!

One can see that this is skin "4" out of 7. You need to subtract 1 from this skin ID (since indices in game start from 0). Therefore, the skin ID is "3". I would then run LSC with the following command:

"C:\Users\root\Desktop\LSC.exe" "My Summoner Name" 3

Compiled release: Filebeam - Beam up that File Scottie! (Password: durpin)
Source code: [C++] LSC Source Code - Pastebin.com

Enjoy!

EDIT: New offsets for patch as of 10/14/2012:

#define PATCH_OFFSET 0x008EEC00
#define PATCH_RETURN_TO 0x008EEC07

[hp94]

What does a.jnz(lbl_Skip); do?

[ddebug]

What does a.jnz(lbl_Skip); do?

Jump if zero flag is not set to memory address referenced by lbl_Skip.
Zero flag is set if eax is 0 (test(eax, eax) sets the zero flag if eax equals 0 [means strings have matched]).


The purpose of it is to set a skin for the summoner's name (given via command line) and not for other players.

[swankboss]

Is this only view able to yourself or can other players see it?

[ddebug]

Is this only view able to yourself or can other players see it?

Yes.

Only you.

[mamaorha]

is this correct?
no idea what u did with the things in //
and still no clue how to find new offsets after patch


Quote:

uint PATCH_OFFSET = 0x008EEC00;
int PATCH_RETURN_TO = 0x008EEC07;
int _STRICMP = 0x9ED918;
int ORIGINAL = 0x9B8FB0;

BlackMagic magic = new BlackMagic();

string name = "test";
int nTargetPlayer = name.Length + 1;
int skinId = 1;

Find("League of Legends (tm) Client", "League of Legends");

magic.Open(GamePID);

ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
Byte[] bytes = encoding.GetBytes(name);

uint lpAddress = magic.AllocateMemory(sizeof(Byte) * nTargetPlayer);

magic.WriteBytes(lpAddress, bytes);

magic.Asm.AddLine("mov eax, [" + (int)lpAddress + "]");
magic.Asm.AddLine("push eax");
magic.Asm.AddLine("push esi");
magic.Asm.AddLine("mov eax, [" + _STRICMP + "]");
magic.Asm.AddLine("call dword[eax]");// magic.Asm.AddLine("call(dword_ptr(eax)");
magic.Asm.AddLine("test eax, eax");
//a.jnz(lbl_Skip);
magic.Asm.AddLine("mov edx, [" + skinId + "]");// magic.Asm.AddLine("mov(edx, atoi(" + skinId + ")");
//a.bind(lbl_Skip);
magic.Asm.AddLine("pop eax");
magic.Asm.AddLine("pop eax");
magic.Asm.AddLine("push -1");
magic.Asm.AddLine("push " + ORIGINAL);
magic.Asm.AddLine("mov eax, [" + PATCH_RETURN_TO + "]");
magic.Asm.AddLine("jmp eax");

lpAddress = magic.AllocateMemory(magic.Asm.GetMemorySize());
magic.Asm.Inject(lpAddress);

BlackMagic magic2 = new BlackMagic();
magic2.Asm.AddLine("mov eax, [" + (int)lpAddress + "]");
magic2.Asm.AddLine("jmp eax ");

magic2.Open(GamePID);
magic2.Asm.Inject(PATCH_OFFSET);

[ddebug]

is this correct?
no idea what u did with the things in //
and still no clue how to find new offsets after patch

I don't think so.

You do stuff like this:

Code:

magic.Asm.AddLine("mov eax, [" + (int)lpAddress + "]");

eax will then have the value of whatever is at lpAddress (if address is valid).

This is incorrect, since the memory region shouldn't be dereferenced.
eax should just contain the value of lpAddress.

Something like this is correct:

Code:

magic.Asm.AddLine("mov eax, " + (int)lpAddress);

Why didn't you follow my code if you were going to convert it? I do it correctly in my code:

Code:

a.mov(eax, (int)lpMemory);

The only time you should use [] is when I do the dword_ptr call to eax for stricmp.

Also, you commented out the label stuff. I don't really remember how to do labels in BlackMagic since I haven't used it in years (does it even support it?). Luckily, you don't need to use labels to get a basic version working. This will change all skins to the specified ID. But be aware, the skin ID must be valid for all champions [e.g. if you try to change skin IDs to 4, but there is a player playing a champion that only has 2 skins, it will bugsplat the game. So it is good to use 1 since all champions at least have 2 skins].

Finally, getting the offsets isn't done through Cheat Engine or any other generic memory scanner. You should get IDA or OllyDbg. Go to the offset in memory (that I supplied). Look at the values at that offset so you can make an offset finder for future patches.

[mamaorha]

when i tried use blackmagic as u did the code just crashed (error in syntax) i think they changed the syntax abit.
about the label, as i said i didnt rly know what to do with that (i cant even see when u gave the label value - all i see is 'new label').

about the new address, there was a patch so i cant see what u did and look for the same

btw is this better?

uint PATCH_OFFSET = 0x008EEC00;
int PATCH_RETURN_TO = 0x008EEC07;
int _STRICMP = 0x9ED918;
int ORIGINAL = 0x9B8FB0;

BlackMagic magic = new BlackMagic();

string name = "test";
int nTargetPlayer = name.Length + 1;
int skinId = 1;

Find("League of Legends (tm) Client", "League of Legends");

magic.Open(GamePID);

ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
Byte[] bytes = encoding.GetBytes(name);

uint lpAddress = magic.AllocateMemory(sizeof(Byte) * nTargetPlayer);

magic.WriteBytes(lpAddress, bytes);
magic.Asm.AddLine("mov eax, " + (int)lpAddress);
magic.Asm.AddLine("push eax");// a.push(eax);
magic.Asm.AddLine("push esi");//a.push(esi);
magic.Asm.AddLine("mov eax, " + (int)_STRICMP);//a.mov(eax, (int)_STRICMP);
magic.Asm.AddLine("call dword[eax]");// magic.Asm.AddLine("call(dword_ptr(eax)");
magic.Asm.AddLine("test eax, eax");// a.test(eax, eax);
//a.jnz(lbl_Skip);
magic.Asm.AddLine("mov edx, " + skinId);// magic.Asm.AddLine("mov(edx, atoi(" + skinId + ")");
//a.bind(lbl_Skip);
magic.Asm.AddLine("pop eax");//a.pop(eax);
magic.Asm.AddLine("pop eax");//a.pop(eax);
magic.Asm.AddLine("push -1");//a.push(-1);
magic.Asm.AddLine("push " + ORIGINAL);//a.push(0x9B8EC3);
magic.Asm.AddLine("mov eax, " + (int)PATCH_RETURN_TO);//a.mov(eax, (int)PATCH_RETURN_TO);
magic.Asm.AddLine("jmp eax");//a.jmp(eax);


lpAddress = magic.AllocateMemory(magic.Asm.GetMemorySize());
magic.Asm.Inject(lpAddress);

BlackMagic magic2 = new BlackMagic();
magic2.Asm.AddLine("mov eax, " + (int)lpAddress);// b.mov(eax, (int)lpMemory);
magic2.Asm.AddLine("jmp eax");//b.jmp(eax);

magic2.Open(GamePID);
magic2.Asm.Inject(PATCH_OFFSET);

what is the lbl_Skip represent? (what its value) if its the summoner name it would be easy to just use
a.jnz(name);

or is it just
Label lbl_Skip = new Label();

[Malfunctions]

very cool little tool kinda a pain in the ass but once working its pretty nice

[mamaorha]

can somebody explain how to get the new offsets?

[cyberblade3]

Is this still working? What is the patch offset for over 4.9?