If you are like me and intereseted in Web Technologies and League of Legends you may like the new League Client (LCU from here on).

The new client is based on the Chromium Embedded Framework (CEF) as explained in the https://engineering.riotgames.com/news/architecture-league-client-update Engineering Post about the Client Update.

While reading this post I got interested in the CEF and how to integrate this with native platform code (c++ microservices in this case) so i though about a way to look into the code of the client.

I may notice at this point, that I did everything with the goal to learn more about the used architecture and not to abuse the system or cheat in anyway.

With a little help of google i quickly found the remote-debugging-port flag which i also reported to Riot to remove (they did now in Patch 7.4) because I thought it could be abused by third party programs.

Today I thought about getting into the client some more and realized that they removed my old entry point. So I spun up IDA Pro and looked trough the text entries and found the “use-http” string. From my last time I had access to the internals of the client I guessed that this could be a launch parameter and will switch the internal communication to unencrypted websockets.

So I restarted the client with the launch flag and spun up Wireshark (with PnCap for loopback sniffing) and found the http communication I was looking for. Luckily the Backend WebService of the LCU is using HTTP Basic auth so I could just take the auth header and had access to the backend service.

Captured HTTP Request to the LCU backend

I knew that I now can attach myself to the Event System of the LCU and get all kind of changes via a simple NodeJS WebSockets application (or webapp, or what ever you want that supports websockets). But why stop here, I did look through the strings of the LCU executable some more and found the interesting string “/v1/api-docs” and some strings related to Swagger.

Downloading and running the SwaggerUI from GitHub and launching Chrome in the insecure mode, Swagger gave me a nice overview about the backend API of the LCU when giving it the url “http://<auth>:localhost:<port>/v1/api-docs”

SwaggerUI representation of the LCU API Docs

Searching through this docs you’ll find the “/Help” path that contains a list of all WebSocket Events that will be emitted by the Backend Server. For just a simple overview what events are send by the server you can register yourself for the “OnJsonApiEvent” with the Sample Code below.

You’ll notice that this events will enable you to create stuff like an LCS like Stream Overlay for Pick/Ban Phase and some other fun stuff.

After the removal of the “remote-debugging-port” flag “use-http” is currently the only way to access the client that I know off. I did search the LCU executable for references to the used private key (issued and self singed by riot) but did not find anything. With this private key this method to access the backend of the LCU would still work because the https packages containing the needed basic auth header could be decrypted.

I’ll see if I find anything interesting or useful inside this, and would love to see the c++ side but for now this is all I got.

Thanks to Guy Kisel for his blog post on automated tests that made me get the idea to search for what I searched.