Scribd
Upload
195 views10 pages

Lab 16b Hacking Minesweeper With Ollydbg

This document provides instructions for hacking the Windows Minesweeper game at the binary level using OllyDbg, Procdump, Python, and HxD. It describes downloading necessary tools, debugging Minesweeper with OllyDbg, using Procdump to dump process memory, finding the stored gameboard in memory dumps with HxD and Python scripts, and creating automated tools to reveal the board and win the game at beginner, intermediate, and expert levels.

Uploaded by

1.Huỳnh Ngọc Thiên An
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
195 views10 pages

Lab 16b Hacking Minesweeper With Ollydbg

This document provides instructions for hacking the Windows Minesweeper game at the binary level using OllyDbg, Procdump, Python, and HxD. It describes downloading necessary tools, debugging Minesweeper with OllyDbg, using Procdump to dump process memory, finding the stored gameboard in memory dumps with HxD and Python scripts, and creating automated tools to reveal the board and win the game at beginner, intermediate, and expert levels.

Uploaded by

1.Huỳnh Ngọc Thiên An
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 10

Proj 11.

Hacking Minesweeper with Ollydbg (15 pts + 30 pts


extra What You Need
A Windows machine, real or virtual. I used a Windows Server 2008 virtual machine.

Purpose
To hack MineSweeper at the binary level. This gives you practice using the Ollydbg debugger, Procdump, and

Python. Getting Python

The Windows Server 2008 machine we have been using already has Python installed.

To see if you have it, open a Command Prompt and execute this command:

python

You should see a "Python 2.7" message, as shown below.

If you don't have Python 2.7 installed, follow these instructions:

https://samsclass.info/124/proj14/python2.7-win.htm

Getting Minesweeper
Download the minesweeper program from the link below.

minesam.exe.zip

Right-click the zipped file and click "Extract All...", Extract.

Double-click the minesam.exe file to launch Minesweeper.

The game launches. Click Game, Beginner to see the small gameboard shown below. as shown below.

Click a cell. Some of the cells appear empty, and others are revealed with numbers in them, as shown below.
Viewing the Game in OllyDbg
Close Minesweeper.

Launch OllyDbg. Click File, Open and open

minesam.exe. The program loads and pauses, as shown

below.

From the OllyDbg menu bar, click View, Memory.

The memory segments are shown, as shown below. Right-click the

minesam .data line and click Dump, as shown below.

In the Dump window, scroll down to show memory near 01005340.


This area contains only zeroes, as shown below.

From the OllyDbg menu bar, click View, CPU.

From the OllyDbg menu bar, click Debug, Run.

A Minesweeper window opens, but does not come to the front. Click its button on the taskbar to bring it to the front, as shown below.
Viewing the Stored Gameboard
From the OllyDbg menu bar, click Window, Dump.

The memory after 01005340 now contains data, as shown below.

Click the Minesweeper button on the taskbar to bring it to the front. Click a cell to change the display.

Comare the Minesweeper gameboard with the Dump window. You can see that the gameboard is stored in RAM, using an "A" for "1", and a "B" for "2",
as
shown below.

If we can read the RAM, we can cheat at the game.

Notice the green-highlighted region in the image above. If we can find this sequence of bytes in RAM, we can find the gameboard in a memory dump.

Getting Procdump

In a Web browser, go to
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
Download Procdump.zip, and put it in your Downloads folder.
Click Start, Computer. Navigate to your Download folder.
Right-click Procdump.zip and click "Extract All...", Extract.

Capturing Process Memory


Close Minesweeper. Close OllyDbg. Double-click minesam.exe to run Minesweeper again.
Open a Command Prompt and execute these commands:
cd C:\Users\Administrator\Downloads\Procdump
procdump -ma minesam.exe mine
A box pops up, titled ProcDump License Agreement. Click Agree.
Procdump makes a dump file, as shown below.
Viewing the Memory with HxD
The Windows Server 2008 machine we have been using already has HxD installed.
If you don't have it, get it here:
https://mh-nexus.de/en/hxd/
Open HxD. From the HxD menu bar, click File, Open.
Navigate to your Downloads folder. Open the Procdump folder and double-click the mine.dmp file.
From the HxD menu bar, click Search, Find.
In the "Find" field, select a Datatype of Hex-values.
In the "Search for" field, enter this text, as shown below.
0a 00 00 00 09 00 00 00 09

In the "Find" box, click OK.


The string is found, but it may not be the correct hit. The first one doesn't have the gameboard after it, as shown below.
From the HxD menu bar, click Search, "Find again".

This time it finds the gameboard data, as shown below.


Creating a Python Script
We can automate the process with Python. In a Command Prompt window, execute these commands:
cd C:\Users\Administrator\Downloads\Procdump
notepad cheat.py
A box pops up, saying "Do you want to create a ne file...?". Click Yes.
Paste in this code, as shown below.
import os

# Dump memory
cmd = "del mine.dmp"
os.system(cmd)
cmd = "procdump -ma minesam.exe mine"
os.system(cmd)

# Find gameboard

mark ='\x0A\x00\x00\x00\x09\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x10\x10\x10\x10'

nread = 20
boardfound = 0
gameboard = []

with open("mine.dmp", "rb") as f:


line = f.read(20)

while (boardfound == 0):


c = f.read(1)
if c == "":
print "File ended, but gameboard not found!"
exit()
line = line[1:] + c
nread += 1
if nread % 0x100000 == 0:
print "Looking at byte", hex(nread), nread
if line == mark:
print "Gameboard found at ", hex(nread)
boardfound = 1
for i in range(4):
gameboard.append('\x10')
for i in range(500):
gameboard.append(f.read(1))

# Print Gameboard

l = len(gameboard)
m = 32 # items per line

for i in range(0, l-m, m):


line = ""
for j in range(m):
g = gameboard[i+j]
# print i, j, ord(g)
if g == '\x10':
c = "-"
elif g == '\x0f':
c=""
elif g == '\x8f':
c = "*"
elif g == '\x00':
c=""
else:
c = chr( ord(g) - 16 )
line += c
print line
In the Notepad window, click File, Save.

In the Command Prompt window, execute this command:

python cheat.py

The program shows the location of the mines. With this information, you should easily be able to click all the squares without mines, as shown below.

When you win the game, a secret word will appear, which is covered by a green box in the image below.
11.1 Beginner Level: Recording Your Score (15
pts) Use the form below to record your score in Canvas.
Name or Email:

Secret Word: CCSF Student

Non-CCSF Student

11.2 Intermediate Level (15 pts extra)


In Minesweeper, click Game, Intermediate.

Create a cheating tool that works for this level and win the game, as shown below.

Hint: Search for 10 10 10 10 to find the gameboard.

Use the form below to record your score in Canvas.


Name or Email: Secret Word:

CCSF Student

Non-CCSF Student

11.3 Expert Level (15 pts extra)


In Minesweeper, click Game, Expert.

Find the secret word for the Expert level.

Hint: use a totally different technique; don't play the game.

Use the form below to record your score in Canvas.


Name or Email:

Secret Word: CCSF Student

Non-CCSF Student

Sources
Game Hacking: WinXP Minesweeper
_MINIDUMP_TYPE Enumeration

Posted 9-18-18

You might also like