
Rip League of Legends Cracking?

jonker1337

Seems like the API was COMPLETELY redone, seems like it uses RSO with the RS256 Algo Auth Bearer now ;-;
riiip - p.s. I tried everything to get it going, found tons of interesting stuff but couldn't mix anything together to get a result.
In case it helps anyone, here's useful shit I found out
A token? Unsure what it's used for exactly, was found inside the yaml file in the game dir
https://auth.riotgames.com/token <- some kind of token system? Found inside the token after decryption
acs.leagueoflegends.com (Marked as "acs_server")
Chat Server port: 5223
clubs.leagueoflegends.com
na.prod.leagueconnect.api.riotgames.com (marked as "registration_server" with port 443)
chat.euw1.lol.riotgames.com
euw.api.pvp.net
las1dev7pl4.las1.tf.riotgames.com (Apparently DEV Server 7)
las1sb25ch1.las1.tf.riotgames.com (Sandbox25?)
las1rr3ch1.las1qa.tf.riotgames.com (RIOT3?)
Some interesting domains, found in configuration.json inside League Friends.apk
Inside the same config.json, there's a property called "verify_ssl_certs": "1", seems like a really stupid boolean, you can probably set it to 0 and then fiddler it, but at the same time doesn't help since it uses captcha
Main interesting bit:
seems to be the new auth server link but ofc uses RSO/RS256 so pretty hard to get into
It requires an Auth Bearer to be present and properly formatted so that sucks and also seems to process it per request, meaning we can't do what's done on stuff like HBONOW etc.
EDIT: Other than that it seems to follow the old post data layout just with an Auth Bearer - I can't confirm that though but that's what it seems like, so that's a good thing, means all we need to do is work out a way for the tokens and should be working then.
really insecure "looking" signup? page
Another strange Token related url marked as "entitlement"
Hopefully this will help ppl especially ppl who are google searching hoping to find some useful shit
Edit: Also heads up, if you spot links to do with "ddragon" ignore them, all they seem to be are Stat storing shit and possibly crash reporter, its full name is "DataDragon" so it makes sense
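
Added example, not part of the original post and not Riot's code: a minimal sketch of what "RS256 Auth Bearer, processed per request" means on the server side, showing that a resource server needs only the public key and rejects any token whose header or payload was altered. The key is a constructed toy key and every name here (`issue`, `verify`, the claims) is an assumption made for illustration.

```python
import base64, hashlib, json

# Constructed toy key for this demo only (two Mersenne primes, trivially factorable).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the issuer
K = (N.bit_length() + 7) // 8      # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def issue(claims):
    """Issuer side: sign header.payload with the private exponent."""
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(f"{head}.{body}".encode()), "big"), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(K, 'big'))}"

def verify(header_value, now):
    """Resource-server side, run on every request; returns claims or None."""
    try:
        scheme, token = header_value.split(" ", 1)
        head, body, sig = token.split(".")
        if scheme != "Bearer" or json.loads(b64u_dec(head)).get("alg") != "RS256":
            return None  # pin the algorithm; never trust the header's own choice
        raw = b64u_dec(sig)
        if len(raw) != K or int.from_bytes(raw, "big") >= N:
            return None  # malformed signature length or value
        em = pow(int.from_bytes(raw, "big"), E, N).to_bytes(K, "big")
        if em != emsa(f"{head}.{body}".encode()):
            return None  # signature does not cover this header.payload
        claims = json.loads(b64u_dec(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None
```

A production service would use a maintained JWT library and a key of at least 2048 bits fetched from the issuer's published key set; the hand-rolled arithmetic here is only to make each check visible.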