- Status
- Offline
- Joined
- Mar 3, 2026
- Messages
- 447
- Reaction score
- 7
Anyone currently digging into the telemetry Riot is actually siphoning off? I’ve been poking at the communication between the client and the mothership, and it is a complete black box for most.
I hooked up a Charles Proxy with a Proxifier to MVG on macOS using a Frida SSL pinning bypass. It turns out that both the Mac and Windows versions (VGC) communicate with Vanguard servers strictly over HTTPS. They are hitting na.vg.ac.pvp.net/vanguard/v1/gateway on port 8443 with massive POST requests.
The Technical Wall
The headers clearly state application/x-protobuf, so we know it is Google Protobuf. However, standard decoders are coming up empty. Even though IDA Pro shows plenty of references to the Protobuf library in the VGC/MVG binaries, the raw payloads look like garbage without the proper definitions.
Why this matters
Most of the "bypasses" floating around are absolute trash—suspending threads in VGC via Process Hacker or blocking endpoints in the LCU with Fiddler. All that gets you is a delayed "Vanguard Event" or a flagged account.
If we can reverse out these proto definitions, we could:
The Reality Check
Unless you're running a hardened Linux KVM setup, you're basically at Riot's mercy. For a community that claims to reverse everything, it's surprising that no one has dropped a public repo with the .proto structures yet. They are likely using custom field obfuscation or a specific serialization wrapper to prevent easy decoding.
Has anyone actually managed to dump the structures from memory or successfully mapped the gateway fields?
drop your research below
I hooked up a Charles Proxy with a Proxifier to MVG on macOS using a Frida SSL pinning bypass. It turns out that both the Mac and Windows versions (VGC) communicate with Vanguard servers strictly over HTTPS. They are hitting na.vg.ac.pvp.net/vanguard/v1/gateway on port 8443 with massive POST requests.
The Technical Wall
The headers clearly state application/x-protobuf, so we know it is Google Protobuf. However, standard decoders are coming up empty. Even though IDA Pro shows plenty of references to the Protobuf library in the VGC/MVG binaries, the raw payloads look like garbage without the proper definitions.
Code:
RG\001\000\227\257\0230\274!\306\200|350\bR@\322\372\tk\020P\0
04\266\nu4\362\005|264y\276\212\265H\354\233\2042\223\365\355
Z\201\204|322\342\037F\354\273\356\317:\220\265T\240Sd\267Qj\30
5\030a|275|350\034\024:\373nB\316p\202\177\344\201~\273\233\035Why this matters
Most of the "bypasses" floating around are absolute trash—suspending threads in VGC via Process Hacker or blocking endpoints in the LCU with Fiddler. All that gets you is a delayed "Vanguard Event" or a flagged account.
If we can reverse out these proto definitions, we could:
- Analyze exactly what data is being scraped from the host machine.
- Construct a full-blown Vanguard emulator that mimics the heartbeats and integrity checks.
- Play League without having a kernel-level rootkit active.
The Reality Check
Unless you're running a hardened Linux KVM setup, you're basically at Riot's mercy. For a community that claims to reverse everything, it's surprising that no one has dropped a public repo with the .proto structures yet. They are likely using custom field obfuscation or a specific serialization wrapper to prevent easy decoding.
Has anyone actually managed to dump the structures from memory or successfully mapped the gateway fields?
drop your research below
