Hi everyone!
I've been getting to know the LoL client for the past few days, and decided to have a crack at improving the current method of zoom hacking I was using, as working with fixed values is kind of bothersome and I'd like the camera to be dynamic. As the camera is tied to the scroll wheel, that seems a good place to start:
Code:
Address Hex dump Command Comments
007FB10A |. 68 201FAA00 PUSH OFFSET 00AA1F20 ; ASCII "evtMouseScroll"
007FB10F |. 8D4C24 14 LEA ECX,[ESP+14]
007FB113 |. FF15 C4849D00 CALL DWORD PTR DS:[<&MSVCP80.??0?$basic_
007FB119 |. 68 60127F00 PUSH 007F1260 ; /Arg2 = League_of_Legends.7F1260, Entry point
007FB11E |. 8D5424 14 LEA EDX,[ESP+14] ; |
007FB122 |. 52 PUSH EDX ; |Arg1
007FB123 |. C74424 58 1F0 MOV DWORD PTR SS:[ESP+58],1F ; |
007FB12B |. E8 B08CCCFF CALL 004C3DE0 ; League_of_Legends.004C3DE0
After a string search with OllyDbg I found the evtMouseScroll reference, which, if followed (PUSH 007F1260), leads us directly to the camera/scroll code. Joy!
The code segment at 007F1260 is rather long, but the bit that concerns us is at the bottom:
Code:
Backup Hex dump Command Comments
007F12CC 76 19 JBE SHORT 007F12E7 ; Check Min Zoom Value
007F12CE F30F1005 E0FFB60 MOVSS XMM0,DWORD PTR DS:[0B6FFE0] ; FLOAT 1000.000
007F12D6 F30F1105 9437B70 MOVSS DWORD PTR DS:[0B73794],XMM0 ; FLOAT 2080.000
007F12DE B0 01 MOV AL,1
007F12E0 5F POP EDI
007F12E1 5E POP ESI
007F12E2 5B POP EBX
007F12E3 59 POP ECX
007F12E4 C2 0400 RETN 4
007F12E7 F30F100D 9437B70 MOVSS XMM1,DWORD PTR DS:[0B73794] ; FLOAT 2080.000
007F12EF F30F1005 E4FFB60 MOVSS XMM0,DWORD PTR DS:[0B6FFE4] ; FLOAT 2250.000
007F12F7 0F2FC8 COMISS XMM1,XMM0
007F12FA 76 08 JBE SHORT 007F1304 ; Check Max Zoom Value
007F12FC F30F1105 9437B70 MOVSS DWORD PTR DS:[0B73794],XMM0 ; FLOAT 2080.000
After some testing with the values I was able to determine how the client checks for the maximum and minimum possible zoom, and disable them.
As above, the conditional jump for minimum zoom is at 007F12CC, and you can see it comparing the current zoom level (2080) against the minimum (1000).
The same goes for the conditional jump at 007F12FA, which as you can see checks the current value (2080) against the max (2250).
By patching these jumps as follows, these checks are ignored, which allows free zooming of the client in both directions:
Code:
Address Hex dump Command Comments
007F12CC /75 19 JNE SHORT 007F12E7 ; Check Min Zoom Value
007F12CE |F30F1005 E0FF MOVSS XMM0,DWORD PTR DS:[0B6FFE0] ; FLOAT 1000.000
007F12D6 |. |F30F1105 9437 MOVSS DWORD PTR DS:[0B73794],XMM0 ; FLOAT 2680.000
007F12DE |. |B0 01 MOV AL,1
007F12E0 |. |5F POP EDI
007F12E1 |. |5E POP ESI
007F12E2 |. |5B POP EBX
007F12E3 |. |59 POP ECX
007F12E4 |. |C2 0400 RETN 4
007F12E7 F30F100D 9437 MOVSS XMM1,DWORD PTR DS:[0B73794] ; FLOAT 2680.000
007F12EF |. F30F1005 E4FF MOVSS XMM0,DWORD PTR DS:[0B6FFE4] ; FLOAT 2250.000
007F12F7 |. 0F2FC8 COMISS XMM1,XMM0
007F12FA 75 08 JNE SHORT 007F1304 ; Check Max Zoom Value
007F12FC F30F1105 9437 MOVSS DWORD PTR DS:[0B73794],XMM0 ; FLOAT 2680.000
This also lets you zoom negatively under the map to look up at the game world, not my cup of tea, but which funnily enough gives you some upskirt views of the characters if you're into that sort of thing haha!
So to summarize, this is a 2-byte patch:
The byte at 007F12CC is changed from 76 to 75 (JBE>JNE)
The byte at 007F12FA is changed from 76 to 75 (JBE>JNE)
To make this safer you might also want to read my post on patching your client to make safe screenshots in this thread: https://www.mpgh.net/forum/258-league...wn-offset.html
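
From the detection side, a patch of the kind described in this post is visible as soon as live code bytes are compared with a known-good copy, and a one-byte change from one short conditional jump to another is a strong tamper signal. The following is an added example, not part of the original post: the byte arrays are constructed samples and `find_jcc_flips` is a hypothetical helper name.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: a reference copy of a code region and the same region
   as read back at run time, with two short-Jcc opcodes changed. */
static const uint8_t REF_CODE[]  = {0x76,0x19,0xB0,0x01,0x5F,0x5E,0x5B,0x59,
                                    0xC2,0x04,0x00,0x0F,0x2F,0xC8,0x76,0x08};
static const uint8_t LIVE_CODE[] = {0x75,0x19,0xB0,0x01,0x5F,0x5E,0x5B,0x59,
                                    0xC2,0x04,0x00,0x0F,0x2F,0xC8,0x75,0x08};

/* Short conditional jumps are the one-byte opcodes 0x70..0x7F plus a rel8. */
static int is_short_jcc(uint8_t b) { return (b & 0xF0) == 0x70; }

/* Compare live bytes against the reference. Offsets where one short Jcc was
   replaced by another with the same displacement go into flips[] (up to max);
   every other differing byte is counted in *other. Returns the number of Jcc
   flips. Heuristic on raw bytes, not a disassembly: confirm hits by hand. */
size_t find_jcc_flips(const uint8_t *ref, const uint8_t *live, size_t len,
                      size_t *flips, size_t max, size_t *other)
{
    size_t n = 0;
    *other = 0;
    for (size_t i = 0; i < len; i++) {
        if (ref[i] == live[i]) continue;
        int flip = is_short_jcc(ref[i]) && is_short_jcc(live[i]) &&
                   i + 1 < len && ref[i + 1] == live[i + 1];
        if (flip) { if (n < max) flips[n] = i; n++; }
        else (*other)++;
    }
    return n;
}

int main(void)
{
    size_t flips[8], other;
    size_t n = find_jcc_flips(REF_CODE, LIVE_CODE, sizeof REF_CODE,
                              flips, 8, &other);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("offset %zu: %02X -> %02X (branch condition changed)\n",
               flips[i], REF_CODE[flips[i]], LIVE_CODE[flips[i]]);
    printf("%zu Jcc flip(s), %zu other modified byte(s)\n", n, other);
    return (n || other) ? 1 : 0;   /* non-zero exit when tampering is seen */
}
```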