Monthly Archives: January 2015

More LEGO Universe packets found!

It appears that nearly all of the LU packets are located in the .rdata section/segment of legouniverse.exe. I have extracted the section from the executable, and when opened in notepad, it displays what seems to be names of packets, among other data.  Here is some examples of the names:

M S G _ G U I L D _ N A M E _ D E C L I N E D _ Y O U R _ I N V I T A T I O N
P A S S P O R T _ A U T H _ I M _ L O G I N _ Q U E U E D
M S G _ C L I E N T _ T R A N S F E R _ T O _ W O R L D

Of course, they could be function names, but they look promising nevertheless. The .rdata section seems to be a read only version of the .data section, so that would mean it would contain initialized static variables.
In order to extract the sections for yourself, 7-Zip works well. Navigate to legouniverse.exe in 7-Zip, and click the extract button. In the destination folder, you should find the sections.

We may need to disassemble legouniverse.exe to find the variable (packet) values. In an applicable reverse engineering stack exchange question, the following was recommended:

“The best option is to use a disassembler (such as IDA Pro) that can create cross-references from code to data in your .rdata section. This can help you better identify strings, bytes, words, and dwords in the .rdata section.”
— Jason Geffner