Minesweeper Reverse Engineering Tutorial
Page 1 of 2

Tutorial Description :
In this tutorial I will show you how to reverse engineer the Windows Minesweeper game in order to find, analyze and extract the parts of the game's memory that hold the grid information (bombs, numbers, etc.). I will also give you the program (with source) I made using Visual Basic 6 to automatically analyze and show you the grid, with the bombs revealed.

Who should read this tutorial :
This tutorial is for intermediates in reverse engineering. I will not explain how to use the tools or why things happen the way they do, just the basics. To read (and understand) this tutorial it is recommended that you have basic knowledge of a debugger (OllyDbg is used here) and of what goes on behind the scenes when programs run. This is NOT a tutorial for first timers in cracking.

What do you need :
What you will need for this tutorial are the following tools :
- OllyDbg : A great debugger
- TSearch : Search other process memory. Homepage doesn't seem to work so I uploaded it for you. Get it HERE
- Visual Basic 6 (or just the runtimes) - for the program I will give you
- Time, patience, brain. Last one may not really be important since I found everything for you already :o)

Click Here to download MineRevealer -by VirusFree- for VB6 *** Source Included ***
Click Here to download MineRevealer -by VirusFree- for VB.Net 2005 *** Source Included ***

Windows Minesweeper is a small, cool game that comes with Windows (see screenshot below). The purpose of the game is to find all the mines without clicking on them; the numbers tell you how many mines are 'touching' the block that contains the number... really.. it's a nice game

[Screenshot: Windows Minesweeper]

Yep, that's our target.... Just look at that evil little smile... that thing is laughing at us... I bet it's thinking that we can't crack it... better think again :o)

Ok now, let's start with the cracking

There are 2 ways to crack this thing... the hard way, and the smart way...

What is the hard way?
You could load that thing into the debugger and start the execution... looking at every command as it gets executed... analyzing what it does and why it does it, and finding out what all those bits are doing.. but even if that seems cool to me (sick guy, I know..) we will choose the smart way..

And what is that smart way?
We will load up TSearch and search the memory for specific values (nothing is random here) that will give us the memory address we need, and then we can go and take a look at what is in that memory (using OllyDbg). Then by doing some tests.. then some other tests... and some more testing.. we can figure out what is going on in that proggie's code without having to look at even a single opcode...

and so it begins...

First we need to launch the program: click on the Start button, then go to 'Run...', write "winmine" in the box and click OK.

Now open the TSearch tool and click on the 'Open Process' button, then select the winmine.exe item and click Open.

Now go back to Minesweeper, go to the menu and click Game >> Custom, and set the values to Height : 21, Width : 21, Mines : 10.

Now somewhere in that memory the grid is stored, along with all the information that is needed for the game to work. Nevertheless, we don't know where it is in memory, so we have to look for it. Here is a tip (from my experience).... When programmers write code, the variables that deal with each thing are grouped together (I am referring to the variables declared statically during software development and not the ones that are dynamically created during run time.. like malloc and stuff)... so if you are looking at memory about something.. the chances are that something else you want is right next to what you are looking at.. so with that in mind we proceed.

Now we must find the grid location in memory.. but we can't because we don't know anything about the grid.. So we will search for something we know about... the grid sizes, which we just set to 21 for both height and width.

I will give you some basic explanation on how to use TSearch in case you don't know how...

We already have TSearch targeted at Minesweeper; to search for the value 21 (grid size), click on the little magnifying glass button which is right below the big 'Open Process' button.

After the search is finished, TSearch will show how many results it has found and list them in the list below the search button.

Now go back to the Minesweeper program and set the Height of the grid to 13.

Then go back to TSearch and do a search (inside the found list we got from the previous search) for the updated value (13).
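
The two-pass narrowing search described above, as an added example that is not part of the original tutorial. It runs on constructed byte snapshots instead of a live process; the offsets, the 32-bit value width and the memory layout are assumptions made for illustration.

```python
import struct

WIDTH = 4  # assumption: each setting is stored as a 32-bit little-endian integer


def first_scan(snapshot, value):
    """Return every 4-byte-aligned offset whose 32-bit value equals `value`."""
    hits = []
    for off in range(0, len(snapshot) - WIDTH + 1, WIDTH):
        if struct.unpack_from("<I", snapshot, off)[0] == value:
            hits.append(off)
    return hits


def next_scan(candidates, snapshot, value):
    """Keep only earlier hits that now hold `value` (search inside the found list)."""
    return [off for off in candidates
            if struct.unpack_from("<I", snapshot, off)[0] == value]


def neighbours(snapshot, off, radius=2):
    """Dump the 32-bit values around a confirmed hit, to spot related variables."""
    lo = max(0, off - radius * WIDTH)
    hi = min(len(snapshot) - WIDTH, off + radius * WIDTH)
    return {o: struct.unpack_from("<I", snapshot, o)[0] for o in range(lo, hi + 1, WIDTH)}


def build_snapshot(height, width, mines):
    """Constructed stand-in for the game's static data (layout is made up)."""
    mem = bytearray(64)
    struct.pack_into("<I", mem, 8, 21)    # unrelated value that happens to be 21
    struct.pack_into("<I", mem, 24, mines)
    struct.pack_into("<I", mem, 28, height)
    struct.pack_into("<I", mem, 32, width)
    struct.pack_into("<I", mem, 52, 21)   # another coincidental 21
    return bytes(mem)


def find_height_offset():
    before = build_snapshot(height=21, width=21, mines=10)
    hits = first_scan(before, 21)              # several candidates, most are noise
    after = build_snapshot(height=13, width=21, mines=10)
    return hits, next_scan(hits, after, 13)    # only the height variable survives


if __name__ == "__main__":
    hits, narrowed = find_height_offset()
    print("first scan:", hits, "after change:", narrowed)
    print("nearby:", neighbours(build_snapshot(13, 21, 10), narrowed[0], radius=1))
```

The neighbour dump illustrates the tip about statically declared variables sitting next to each other: once the height is pinned down, the values 21 (width) and 10 (mines) show up in the adjacent slots of the constructed layout.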

This is the end of the first part of the tutorial .. click on the link below to go to page 2

Page 2 >>>

Comments

VirusFree - 11/14/2006 2:54:48 AM

Post here any comments/suggestions/problems about the tutorial

LsD293 - 3/22/2007 3:44:57 AM

Hi, was going through the tutorial for minerevealer, excellent stuff. Only thing though... is that I'm running VB.Net. When I converted the original from VB6 to .Net I get an error on the build.
It doesn't like Any's
So I changed them to Objects. And it'll run, but it doesn't work.
Not sure even if it's their types that's the problem either.
I even tried to simplify things, and just focus on the XSize stripped most code in the reveal mines button and just left

    buffer = Space(1)
    addr = 16798520 'Where Ysize is
    'UPGRADE_WARNING: Couldn't resolve default property of object readlen. Click for more: 'ms-help://MS.VSCC.2003/commoner/redir/redirect.htm?keyword="vbup1037"'
    Call ReadProcessMemory(myHandle, addr, buffer, 1, readlen)
    YSize = Asc(buffer)

and when I display YSize in a label I get zero.
any clues?
------------------------------------------------------------------------
    Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Object, ByVal lpBuffer As Object, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer
    'UPGRADE_ISSUE: Declaring a parameter 'As Any' is not supported. Click for more: 'ms-help://MS.VSCC.2003/commoner/redir/redirect.htm?keyword="vbup1016"'
    'UPGRADE_ISSUE: Declaring a parameter 'As Any' is not supported. Click for more: 'ms-help://MS.VSCC.2003/commoner/redir/redirect.htm?keyword="vbup1016"'
    Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Object, ByVal lpBuffer As Object, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer
    Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
    'UPGRADE_ISSUE: Declaring a parameter 'As Any' is not supported. Click for more: 'ms-help://MS.VSCC.2003/commoner/redir/redirect.htm?keyword="vbup1016"'
    Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Integer, ByRef lpSource As Object, ByVal dwMessageId As Integer, ByVal dwLanguageId As Integer, ByVal lpBuffer As String, ByVal nSize As Integer, ByRef Arguments As Integer) As Integer

LsD293 - 3/22/2007 7:14:08 AM

Ok.... So I tried it out.... And I get this
A first chance exception of type 'System.Exception' occurred in Microsoft.VisualBasic.dll
Puts this in the immediate window in VB. And it does it 5 times the first time I ran it so I thought maybe it was this

    Select Case tmpi
        Case Is = &H8Fs ' Bomb
            block(bc).Image = imgBomb.Image
        Case Is = &H8As ' Shown Bomb
            block(bc).Image = imgBomb.Image
        Case Is = &HCCs ' Shown Bomb
            block(bc).Image = imgBomb.Image
        Case Is = &HFs ' Empty
            block(bc).Image = imgEmpty.Image
        Case Is = &H40s ' Number Empty
            block(bc).Image = imgNumEmpty.Image
        Case Else ' numbers
            block(bc).Image = imgNum.Image
    End Select

then I ran it again and it did like a loop thing, seemed like it was stuck in a loop. So it seems like maybe it was more in this part

    If tmpi = 16 Then
        For n = 1 To 1000
            addr = addr + 1
            buffer = Space(1)
            Call ReadProcessMemory(myHandle, addr, buffer,1,readlen)
            tmpi = Asc(buffer)
            If tmpi = 16 Then Exit For
        Next n
    End If

it causes the mine revealer to not respond and just displays the Reading Memory label arggggg. Mannnn. A security error??
Looked through the VBCookBook Cus kinda remember it talking about something like that. But it just says that if a process is unprivileged then it'll throw an untrappable error. minesweeper.... unprivileged?? commmmme onnnn no way jose.
mm mm.... Is there something I need to turn off or something?

LsD293 - 3/22/2007 4:26:31 PM

Yeah I downloaded the 2005 .Net source you posted I get this
' A first chance exception of type 'System.Exception' occurred in Microsoft.VisualBasic.dll
A first chance exception of type 'System.Exception' occurred in Microsoft.VisualBasic.dll
A first chance exception of type 'System.Exception' occurred in Microsoft.VisualBasic.dll
A first chance exception of type 'System.Exception' occurred in Microsoft.VisualBasic.dll
A first chance exception of type 'System.Exception' occurred in Microsoft.VisualBasic.dll '
And Mine Revealer turns unresponsive
oddly.... It does that above the first time. run it again, and it puts those "A first blahblahblah " in the immediate window, like its in a loop.
I am though.... running Visual Basic 2005.Net "Express Edition" the free version that MS has out on their site Is yours a different version or Edition?
well..... I had started to just go from scratch before you put the .Net version out there, and tried to use the process class all by itself, but I don't know how to read the data with it. Under its methods it has one for Handle BaseAddress seems like with these two you could use something like ReadFile or something
I think your .Net example is working, just for some reason my machine's saying whoa, security issue.
Think I'll try and bring what you got there for 2005 to 2003 tonight and see if it isn't an "Edition" issue

LsD293 - 3/24/2007 4:59:52 AM

I have even tried..... cus I thought, maybe it has to do with dynamic allocation or something. So maybe I have to take the base address then add this address, and it'll get to the actual location... buuuuut.
like the first address in olly is
7C901000 + a9358 = 7c9aa358 but that goes beyond the allotted memory
I don't get it.
Is it possible to hide things like this?

bheesham - 8/2/2007 10:45:14 PM

lol.. this is a funny program.... cheating in minesweeper.... with my hack to make your time 001 I'll be the rank 1 person in minesweeper!!!! hahahahahaha.... lol...