More LEGO Universe packets found!

It appears that nearly all of the LU packets are located in the .rdata section/segment of legouniverse.exe. I have extracted the section from the executable, and when opened in Notepad, it displays what seem to be names of packets, among other data. Here are some examples of the names:

M S G _ G U I L D _ N A M E _ D E C L I N E D _ Y O U R _ I N V I T A T I O N
P A S S P O R T _ A U T H _ I M _ L O G I N _ Q U E U E D
M S G _ C L I E N T _ T R A N S F E R _ T O _ W O R L D

Of course, they could be function names, but they look promising nevertheless. The .rdata section seems to be a read-only version of the .data section, so it would contain initialized static variables.
In order to extract the sections for yourself, 7-Zip works well. Navigate to legouniverse.exe in 7-Zip, and click the extract button. In the destination folder, you should find the sections.
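The same extraction can be scripted. The following is an added example, not code from the original post: it walks the PE section table to find .rdata and lists wide strings that start with the prefixes seen above. It assumes the letter spacing shown in Notepad comes from UTF-16LE storage (two bytes per character); the sample image is constructed inline so the script runs without the game client.

```python
import re
import struct

# Runs of 6+ uppercase/digit/underscore characters stored as UTF-16LE.
WIDE = re.compile(rb"(?:[A-Z0-9_]\x00){6,}")

def find_section(pe: bytes, name: bytes) -> bytes:
    """Return the raw bytes of a PE section by walking the section table."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                  # each section header is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        if pe[off:off + 8].rstrip(b"\0") == name:
            return pe[raw_ptr:raw_ptr + raw_size]
    raise KeyError(name)

def wide_names(section: bytes, prefixes=("MSG_", "PASSPORT_")):
    """List (offset, string) for wide strings that start with a known prefix."""
    hits = []
    for m in WIDE.finditer(section):
        text = m.group().decode("utf-16-le")
        if text.startswith(prefixes):
            hits.append((m.start(), text))
    return hits

def build_sample() -> bytes:
    """Constructed minimal PE image (no optional header) with one .rdata section."""
    names = ["MSG_CLIENT_TRANSFER_TO_WORLD", "PASSPORT_AUTH_IM_LOGIN_QUEUED"]
    rdata = b"\x01\x02ascii\0" + b"".join((n + "\0").encode("utf-16-le") for n in names)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec = b".rdata\0\0" + struct.pack("<IIII", len(rdata), 0x1000, len(rdata), 128)
    return dos + coff + sec + b"\0" * 16 + rdata

if __name__ == "__main__":
    for offset, name in wide_names(find_section(build_sample(), b".rdata")):
        print(f".rdata+0x{offset:04x}  {name}")
```

To run it on the real client, pass the bytes of legouniverse.exe to `find_section` instead of `build_sample()`. The offsets it reports are positions of the names inside .rdata, not packet values.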

We may need to disassemble legouniverse.exe to find the variable (packet) values. In a relevant Reverse Engineering Stack Exchange question, the following was recommended:

“The best option is to use a disassembler (such as IDA Pro) that can create cross-references from code to data in your .rdata section. This can help you better identify strings, bytes, words, and dwords in the .rdata section.”
— Jason Geffner
