

[Windbg Script] Playing with Minesweeper

First, this script is not really about cheating. It does cheat at Minesweeper, but there are several other possibilities, using a few more bytes, that do a better job of fooling the application.

However, the point here is to show you how powerful the debugger is or, more precisely, the power you have when you know how to use the debugger.

When working on “just for fun” scripts, I don’t use source code access or symbols. I just use raw disassembled code. I do this to improve my assembly skills; by improving my assembly reading I can identify common patterns and their meanings. Moreover, I can try to figure out the possible source code. It helps me a lot during my daily work. Thus, if you want to improve your assembly skills this is a good and fun approach.

The script presented below is a fun script that I categorize as a “just for fun” script. I won’t tell you what it does: you’ll need to find out by yourself. :)


Just load Minesweeper on Windows XP SP2, attach the debugger to it, run the script, and then start a New Game.

You don't need symbols!


It’s fun! I hope you enjoy it.


Source code for CHEATING_MINESWEEPER.TXT:

$$
$$ =======================================================================================
$$ Displays all hidden bombs (from Minesweeper :)).
$$
$$ Compatibility: Win32, specific for Windows XP SP2.
$$
$$ Usage: $$>< to run the program.
$$
$$ Roberto Alexis Farah
$$ Blog: https://blogs.msdn.com/debuggingtoolbox/
$$
$$ All my scripts are provided "AS IS" with no warranties, and confer no rights.
$$ =======================================================================================
$$
eb poi(@$peb+0x8)+0x36fa c6 00 8a
$$ =============================================================================

Read me.

Comments

  • Anonymous
    April 02, 2007
    This is really cool. It motivates me to go back and start debugging again and learn more about assembly. I am also glad to say that I had the opportunity to work with Roberto at Microsoft and the guy rocks. He even has a binary clock in his cube. That is right. This guy will tell you the time in binary :-) Congrats Farah! Keep doing the great work you always do. João

  • Anonymous
    May 24, 2007
    It'd be great if you could give us a list of the books sitting on your bookshelf.

  • Anonymous
    October 30, 2007
    I get memory access denied on Windows Vista. Is there something you have to do to have this work on Windows Vista?

  • Anonymous
    November 05, 2007
    Hi Chris, sorry for the late answer. Yes, on Vista you need to enable things. Check this out: How to create a user-mode process dump file in Windows Vista http://support.microsoft.com/kb/931673/en-us However, keep in mind this script is not going to work on Minesweeper running on any OS other than Windows XP SP2. This happens because I change the binary code in memory. It's like surgery. :)

  • Anonymous
    March 08, 2008
    There are circumstances where taking a dump is not possible or simply not convenient; imagine a situation

  • Anonymous
    June 09, 2008
    Very cool. Try the !peb command to see what $peb is about. poi(@$peb+0x8) is this:
    ImageBaseAddress: 01000000
    eb poi(@$peb+0x8)+0x36fa c6 00 8a
    Changes this instruction:
    or      byte ptr [eax],80h
    to this:
    mov     byte ptr [eax],8Ah
    Try: eb poi(@$peb+0x8)+0x36fa c6 00 8d
    It saves you from doing all the right clicks on the mines.

  • Anonymous
    June 09, 2008
    I meant to say: eb poi(@$peb+0x8)+0x36fa c6 00 8e to mark all mines with flags automatically.

  • Anonymous
    June 09, 2008
    I haven't tested it yet, but it seems to be pretty cool! :) Thanks for posting.

  • Anonymous
    June 10, 2008
    Thanks for the view behind the scenes, I've been playing around with winmine some more. It looks like the playing board is at "winmine!rgBlk+20" if you want to edit the playing board directly. Just minimize and restore to make it redraw. You need the symbols for that I think.
    Bits [3..0] decide the picture:
      1-8 - draws 1 - 8
      9   - question mark, depressed
      a   - mine
      b   - X'ed mine
      c   - red bkgd mine (game over one)
      d   - question mark
      e   - flag
      f   - blank tile
    Then the upper bits modify the tile:
      10h - start or end or no draw
      40h - clicked / cleared tile
      80h - this bit indicates a mine is under that tile.
    Each row uses 32 bytes, regardless of how wide it is, and starts and ends with 10h.
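The tile-byte layout in the comment above, together with the instruction patch explained two comments earlier (`or byte ptr [eax],80h` replaced by `mov byte ptr [eax],8Ah`, the `c6 00 8a` written by the script at the top of the post), modelled in Python as an added example. This is not code from the original post, from its commenters, or from winmine.exe. The picture codes, the 80h mine bit, the 32-byte row stride, the 10h row markers and the three patch bytes come from the page; the encoding of the original `or` instruction (`80 08 80`) follows from the x86 opcode map rather than from the page, and placing the row marker at column 0 and column width+1 is an assumption made here, since the page only says a row "starts and ends with 10h".

```python
"""Added example (not from the original post, its commenters or winmine.exe).

Models the winmine board-tile byte described in the comments and shows what
the three-byte opcode patch changes when the game places a mine.
Assumption: the 10h row marker sits at column 0 and at column width+1 of each
32-byte row; the page only says a row "starts and ends with 10h".
"""

MINE_BIT = 0x80      # a mine is under this tile
CLEARED_BIT = 0x40   # clicked / cleared tile
ROW_MARKER = 0x10    # start / end / no-draw marker byte
ROW_STRIDE = 32      # every row occupies 32 bytes regardless of width
BLANK = 0x0F         # picture code for an untouched tile

# Low nibble of a tile byte: which picture gets drawn.
PICTURES = {n: f"number {n}" for n in range(1, 9)}
PICTURES.update({0x9: "question mark (depressed)", 0xA: "mine",
                 0xB: "X'ed mine", 0xC: "red background mine (game over)",
                 0xD: "question mark", 0xE: "flag", 0xF: "blank tile"})

# 'or byte ptr [eax],80h' is 80 /1 ib -> 80 08 80 (x86 encoding, not quoted on the page).
ORIGINAL_INSN = bytes([0x80, 0x08, 0x80])


def patch_bytes(picture: int) -> bytes:
    """Encode 'mov byte ptr [eax],imm8' (C6 /0 ib) with imm8 = 80h | picture.

    picture 0xA gives the c6 00 8a from the script, 0xE the c6 00 8e flag variant.
    """
    if not 1 <= picture <= 0xF:
        raise ValueError("picture code must fit in the low nibble")
    return bytes([0xC6, 0x00, MINE_BIT | picture])


def place_mine_original(tile: int) -> int:
    """Effect of the unpatched instruction: set the mine bit, keep the picture."""
    return tile | MINE_BIT


def place_mine_patched(tile: int, patch: bytes) -> int:
    """Effect of the patched instruction: the immediate replaces the whole byte."""
    if len(patch) != 3 or patch[:2] != b"\xc6\x00":
        raise ValueError("not a 'mov byte ptr [eax],imm8' encoding")
    return patch[2]


def describe(tile: int) -> str:
    """Decode one tile byte into words."""
    if tile == ROW_MARKER:
        return "row marker"
    parts = [PICTURES.get(tile & 0x0F, f"picture {tile & 0x0F:#x}")]
    if tile & MINE_BIT:
        parts.append("mine underneath")
    if tile & CLEARED_BIT:
        parts.append("cleared")
    return ", ".join(parts)


def make_board(width: int, height: int, mine_cells, placer) -> bytearray:
    """Build a blank board and run `placer` on each (row, col) in mine_cells.

    Constructed geometry: tiles occupy columns 1..width of each 32-byte row,
    with ROW_MARKER at column 0 and column width+1 (assumed, see above).
    """
    if width > ROW_STRIDE - 2:
        raise ValueError("board wider than a 32-byte row allows")
    board = bytearray(height * ROW_STRIDE)
    for r in range(height):
        base = r * ROW_STRIDE
        board[base] = ROW_MARKER
        for c in range(1, width + 1):
            board[base + c] = BLANK
        board[base + width + 1] = ROW_MARKER
    for r, c in mine_cells:
        idx = r * ROW_STRIDE + c + 1
        board[idx] = placer(board[idx])
    return board


def render(board: bytearray, width: int, height: int) -> list:
    """What the player sees: one glyph per tile, driven only by the picture nibble."""
    glyph = {0xA: "*", 0xE: "F", 0xF: "."}
    rows = []
    for r in range(height):
        rows.append("".join(glyph.get(board[r * ROW_STRIDE + c] & 0x0F, "#")
                            for c in range(1, width + 1)))
    return rows


def hidden_mines(board: bytearray) -> int:
    """Tiles carrying the mine bit that still draw as blank (the normal game state)."""
    return sum(1 for t in board if t & MINE_BIT and (t & 0x0F) == BLANK)


if __name__ == "__main__":
    mines = [(0, 1), (2, 3)]  # constructed sample layout
    normal = make_board(8, 3, mines, place_mine_original)
    cheat = make_board(8, 3, mines, lambda t: place_mine_patched(t, patch_bytes(0xA)))
    print("\n".join(render(normal, 8, 3)), "hidden:", hidden_mines(normal))
    print("\n".join(render(cheat, 8, 3)), "hidden:", hidden_mines(cheat))
```

Running the block side by side shows why a three-byte change is enough: the unpatched `or` leaves the picture nibble at f (blank) and only sets the mine bit, so every mine stays hidden, whereas the patched `mov` writes both the mine bit and a picture code in one store, so the board draws a mine (8Ah) or a flag (8Eh) at the moment the game places it.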

  • Anonymous
    June 10, 2008
    I must tell you I've never expected this post was going to be so viewed. I just read your comment and I have just one thing to say:  Wow!!! :) For one of my future articles I was planning to reuse Minesweeper, but based on your comment and others above I don't think it's going to have the fun factor anymore. ;-) You guys decoded it!

  • Anonymous
    June 13, 2008
    Wow! :) I loved this video! Really! I do agree with you, too, this is a lot of fun! :)

  • Anonymous
    September 03, 2008
    [DT]Playing with Minesweeper http://blogs.msdn.com/debuggingtoolbox/archive/2007/03/28/windbg-script-playing-with-minesweeper.aspx

  • Anonymous
    March 01, 2009
    Hello, this is d99. Well then, in the previous entry of this series we got as far as confirming that the debugger (windbg.exe) runs. As announced, let's continue by debugging Notepad. - Prerequisites 1) Debugging