[Tutorial] Superior Zoom Hacking with evtMouseScroll, Fully unlocked zoom.

[*M*]

Hi everyone!

I've been getting to know the LoL client for the past few days, and decided to have a crack at improving the current method of zoom hacking I was using as working with fixed values is kind of bothersome and I'd like the camera to be dynamic. As the camera is tied to the scroll wheel that seems a good place to start:

Code:

Address   Hex dump          Command                                  Comments
007FB10A  |.  68 201FAA00   PUSH OFFSET 00AA1F20                     ; ASCII "evtMouseScroll"
007FB10F  |.  8D4C24 14     LEA ECX,[ESP+14]
007FB113  |.  FF15 C4849D00 CALL DWORD PTR DS:[<&MSVCP80.??0?$basic_
007FB119  |.  68 60127F00   PUSH 007F1260                            ; /Arg2 = League_of_Legends.7F1260, Entry point
007FB11E  |.  8D5424 14     LEA EDX,[ESP+14]                         ; |
007FB122  |.  52            PUSH EDX                                 ; |Arg1
007FB123  |.  C74424 58 1F0 MOV DWORD PTR SS:[ESP+58],1F             ; |
007FB12B  |.  E8 B08CCCFF   CALL 004C3DE0                            ; League_of_Legends.004C3DE0

After a string search with ollydbg I found the evtMouseScroll reference, which if followed (PUSH 007F1260) Leads us directly to the camera/scroll code, Joy!

The Code segment at 007F1260 is rather long but the bit that concerns us is at the bottom:

Code:

Backup    Hex dump          Command                                  Comments
007F12CC   76 19            JBE SHORT 007F12E7                       ; Check Min Zoom Value
007F12CE   F30F1005 E0FFB60 MOVSS XMM0,DWORD PTR DS:[0B6FFE0]        ; FLOAT 1000.000
007F12D6   F30F1105 9437B70 MOVSS DWORD PTR DS:[0B73794],XMM0        ; FLOAT 2080.000
007F12DE   B0 01            MOV AL,1
007F12E0   5F               POP EDI
007F12E1   5E               POP ESI
007F12E2   5B               POP EBX
007F12E3   59               POP ECX
007F12E4   C2 0400          RETN 4
007F12E7   F30F100D 9437B70 MOVSS XMM1,DWORD PTR DS:[0B73794]        ; FLOAT 2080.000
007F12EF   F30F1005 E4FFB60 MOVSS XMM0,DWORD PTR DS:[0B6FFE4]        ; FLOAT 2250.000
007F12F7   0F2FC8           COMISS XMM1,XMM0
007F12FA   76 08            JBE SHORT 007F1304                       ; Check Max Zoom Value
007F12FC   F30F1105 9437B70 MOVSS DWORD PTR DS:[0B73794],XMM0        ; FLOAT 2080.000

After some testing with the values I was able to determine how the client checks for the maximum and minimum possible zoom, and disable them.
As above the Conditional jump for minimum zoom is at 007F12CC and you can see it comparing the current zoom level (2080) against minimum (1000)
The same goes for the Conditional jump at 007F12FA, which as you can see checks the current value (2080) against max (2250).

By patching these jumps as follows, these checks are ignored and allows free zooming of the client in both directions:

Code:

Address   Hex dump          Command                                  Comments
007F12CC     /75 19         JNE SHORT 007F12E7                       ; Check Min Zoom Value
007F12CE     |F30F1005 E0FF MOVSS XMM0,DWORD PTR DS:[0B6FFE0]        ; FLOAT 1000.000
007F12D6  |. |F30F1105 9437 MOVSS DWORD PTR DS:[0B73794],XMM0        ; FLOAT 2680.000
007F12DE  |. |B0 01         MOV AL,1
007F12E0  |. |5F            POP EDI
007F12E1  |. |5E            POP ESI
007F12E2  |. |5B            POP EBX
007F12E3  |. |59            POP ECX
007F12E4  |. |C2 0400       RETN 4
007F12E7     F30F100D 9437 MOVSS XMM1,DWORD PTR DS:[0B73794]        ; FLOAT 2680.000
007F12EF  |.  F30F1005 E4FF MOVSS XMM0,DWORD PTR DS:[0B6FFE4]        ; FLOAT 2250.000
007F12F7  |.  0F2FC8        COMISS XMM1,XMM0
007F12FA      75 08         JNE SHORT 007F1304                       ; Check Max Zoom Value
007F12FC      F30F1105 9437 MOVSS DWORD PTR DS:[0B73794],XMM0        ; FLOAT 2680.000

This also lets you zoom negatively under the map to look up and the game world, not my cup of tea but which funnily enough gives you some upskirt views of the characters if you're into that sort of thing haha!

So to summarize this is a 2byte patch
The byte at 007F12CC is changed from 76 to 75 (JBE>JNE)
The byte at 007F12FA is changed from 76 to 75 (JBE>JNE)

To make this safer you might also want to read my post on patching your client to make safe screenshots in this thread: https://www.mpgh.net/forum/258-league...wn-offset.html

[toyboz]

i find out this is pretty useless crack shit cause if you played this game more than 2 weeks you suppose get used to normal zoom stuff and i played this game 2 years and i got no problems with this zoom stuff trust me its pretty dump waste time on shit like this cause you dont need this so much as you think you do try out and you will find out you wasted +1h of ur life for shit like that and now all you say is thanks for telling this information out

[*M*]

i find out this is pretty useless crack shit cause if you played this game more than 2 weeks you suppose get used to normal zoom stuff and i played this game 2 years and i got no problems with this zoom stuff trust me its pretty dump waste time on shit like this cause you dont need this so much as you think you do try out and you will find out you wasted +1h of ur life for shit like that and now all you say is thanks for telling this information out

1. This is Multiplayer Game Hacking is it not?, stick to the official League forums if you have a problem with it.
2. This is educational for me and potentially others, learning this stuff is helpful in any game/software.
3. Grammar.

[donthurt]

i find out this is pretty useless crack shit cause if you played this game more than 2 weeks you suppose get used to normal zoom stuff and i played this game 2 years and i got no problems with this zoom stuff trust me its pretty dump waste time on shit like this cause you dont need this so much as you think you do try out and you will find out you wasted +1h of ur life for shit like that and now all you say is thanks for telling this information out

Derp fag....

[obsta]

i find out this is pretty useless crack shit cause if you played this game more than 2 weeks you suppose get used to normal zoom stuff and i played this game 2 years and i got no problems with this zoom stuff trust me its pretty dump waste time on shit like this cause you dont need this so much as you think you do try out and you will find out you wasted +1h of ur life for shit like that and now all you say is thanks for telling this information out

That punctuation.

[toyboz]

you dont need be mad for i say. i just mean that this zoom hack leads u banned.

[Moonboner]

What file do you open, and with what program?