PMA 402. Hacking Minesweeper with Ollydbg (15 pts + 30 extra)

What You Need

A Windows machine, real or virtual. It works on a Windows Server 2008 virtual machine and on a Windows 2016 cloud machine.

Purpose

To hack MineSweeper at the binary level. This gives you practice using the Ollydbg debugger, Procdump, and Python.

Downloading OllyDbg

If you don't already have it, download OllyDbg 1.10 here:

https://www.slavasoft.com/hashcalc/

Right-click the file and click Extract, "Extract All...".

Double-click the red icon to launch it.

Testing Python

Python should have been installed along with OllyDbg.

To see if you have Python, open a Command Prompt and execute this command:

python

You should see a "Python 2.7" message, as shown below.

If you don't have Python 2.7 installed, click Start and type CMD

Right-click "Command Prompt" and click "Run as Administrator".

If a User Account Control box pops up, click Yes.

In the Administrator Command Prompt, execute these commands:

cd c:\Windows
mklink /H python.exe c:\python27\python.exe

Try to open Python again. It should work. If it does not, follow these instructions:

https://samsclass.info/124/proj14/python2.7-win.htm

Getting Minesweeper

Download the minesweeper program from the link below.

minesam.exe.zip

Right-click the zipped file and click "Extract All...", Extract.

Double-click the minesam.exe file to launch Minesweeper.

The game launches. Click Game, Beginner to see the small gameboard, as shown below.

Click a cell. Some of the cells appear empty, and others are revealed with numbers in them, as shown below.

Viewing the Game in OllyDbg

Close Minesweeper.

Launch OllyDbg. Click File, Open and open minesam.exe.

The program loads and pauses, as shown below.

From the OllyDbg menu bar, click View, Memory.

The memory segments are shown, as shown below.

Right-click the minesam.data line and click Dump, as shown below.

In the Dump window, scroll down to show memory near 01005340.

This area contains only zeroes, as shown below.

From the OllyDbg menu bar, click View, CPU.

From the OllyDbg menu bar, click Debug, Run.

If the lower-right corner of OllyDbg still shows a "Paused" message, click Debug, Run again.

A Minesweeper window opens, but does not come to the front. Click its button on the taskbar to bring it to the front, as shown below.

In Minesweeper, click a cell to change the display.

From the OllyDbg menu bar, click Window, Dump.

Compare the Minesweeper gameboard with the Dump window. You can see that the gameboard is stored in RAM, using an "A" for "1", and a "B" for "2", as shown below.

If we can read the RAM, we can cheat at the game.

Notice the highlighted region in the image above. If we can find this sequence of bytes in RAM, we can find the gameboard in a memory dump.

Getting Procdump

In a Web browser, go to

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

Download Procdump.zip, and put it in your Downloads folder.

Click Start, Computer. Navigate to your Download folder.

Right-click Procdump.zip and click "Extract All...", Extract.

Creating a Python Script

We can automate the process with Python. In the Command Prompt window you used to run procdump, execute this command:

notepad cheat.py

A box pops up, saying "Do you want to create a new file...?". Click Yes.

Paste in this code, as shown below.

import os
import sys

# Dump memory: remove any old dump, then take a full dump of the running game with procdump

cmd = "del mine.dmp"
os.system(cmd)
cmd = "procdump -ma minesam.exe mine"
os.system(cmd)

# Find gameboard: the top border row (0x10 bytes) followed by 0x0F padding, preceded by a 0x00 byte

mark = '\x00\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x0F'

line_length = 32   # bytes per board row in memory
board_size = 500   # characters in whole board

with open("mine.dmp", "rb") as f:
  data = f.read()

start = data.find(mark)
if start < 0:
  print "Gameboard not found"
  sys.exit(1)   # without this, the loop below would index from -1 and print garbage

# Print gameboard

for i in range(0, board_size, line_length):
  line = ''
  for j in range(line_length):
    g = data[start+i+j]
    if g == '\x10':        # border
      c = "-"
    elif g == '\x0f':      # covered cell
      c = " "
    elif g == '\x8f':      # mine
      c = "*"
    elif g == '\x00':
      c = " "
    else:
      c = chr( ord(g) - 16 )   # revealed count: "A" (0x41) -> "1", "B" (0x42) -> "2"
    line += c
  print line

In the Notepad window, click File, Save.

In the Command Prompt window, execute this command:

python cheat.py

The program shows the location of the mines. With this information, you should easily be able to click all the squares without mines, as shown below.
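As an added example (not part of the lab and not its script), here is a dump reader that takes the marker search above and generalizes it: instead of a fixed 13-byte marker it looks for the top border row, reads the board width from the length of the border run and the height from the number of rows that begin with a border byte. It assumes the other levels use the same layout the Beginner marker encodes (32-byte rows, 0x10 borders, 0x0F padding) with longer border runs, and that revealed cells hold 0x40 plus the count (which is why "A" decodes to "1"). With no argument it renders a constructed sample dump; given a path it reads a real dump file. The `from __future__` import lets it run under the lab's Python 2.7 as well as Python 3.

```python
from __future__ import print_function   # runs under the lab's Python 2.7 as well as Python 3
import re
import sys

LINE_LENGTH = 32                             # bytes per board row in memory (from the lab)
BORDER, COVERED, MINE = 0x10, 0x0F, 0x8F     # values the lab's script maps to "-", " " and "*"


def top_border_pattern(line_length=LINE_LENGTH):
    """Regex for the top border: a 0x00 byte, then a run of 0x10 bytes that either ends in
    0x0F padding (Beginner: 11 of them) or fills the whole row (assumed for wider boards)."""
    return re.compile(b'\x00(?:\x10{3,%d}\x0f|\x10{%d})' % (line_length - 1, line_length))


def decode_cell(g):
    """Map one board byte to the character the lab's script prints."""
    if g == BORDER:
        return '-'
    if g in (COVERED, 0x00):
        return ' '
    if g == MINE:
        return '*'
    return chr(g - 16)          # revealed count: 0x41 ('A') -> '1', 0x42 ('B') -> '2'


def find_board(data, line_length=LINE_LENGTH):
    """Locate the board. Returns (offset of the top border row, width, height) or None."""
    buf = bytearray(data)                      # yields ints in both Python 2 and 3
    for m in top_border_pattern(line_length).finditer(data):
        start = m.start() + 1                  # skip the 0x00 that precedes the border
        run = 0                                # border bytes across the top row
        while run < line_length and start + run < len(buf) and buf[start + run] == BORDER:
            run += 1
        rows = 0                               # rows whose first byte is a left border
        while start + rows * line_length < len(buf) and buf[start + rows * line_length] == BORDER:
            rows += 1
        width, height = run - 2, rows - 2      # one border cell on each side
        if width >= 1 and height >= 1:
            return start, width, height
    return None


def render_board(data, line_length=LINE_LENGTH):
    """Return the board as text rows (borders included), or None if no board is found."""
    found = find_board(data, line_length)
    if found is None:
        return None
    start, width, height = found
    buf = bytearray(data)
    lines = []
    for r in range(height + 2):
        row_start = start + r * line_length
        lines.append(''.join(decode_cell(g) for g in buf[row_start:row_start + width + 2]))
    return lines


# ---- constructed sample input (not a real dump of the game) ----
SAMPLE_TEXT = [            # '*' mine, '.' covered, digit = revealed count
    "*1.......",
    "11.......",
    ".........",
    ".........",
    ".........",
    ".........",
    ".........",
    ".......11",
    ".......1*",
]


def encode_row(text):
    return [MINE if ch == '*' else COVERED if ch == '.' else 0x40 + int(ch) for ch in text]


def build_dump(cell_rows, line_length=LINE_LENGTH):
    """Lay a board out the way the lab describes: 32-byte rows, 0x10 borders, 0x0F padding,
    wrapped in some filler bytes so the search has something to skip over."""
    width = len(cell_rows[0])
    border = bytearray([BORDER] * (width + 2))
    rows = [border] + [bytearray([BORDER]) + bytearray(r) + bytearray([BORDER]) for r in cell_rows] + [border]
    out = bytearray(b'HEADER') + bytearray(10)          # bytearray(10) is ten 0x00 bytes
    for r in rows:
        out += r + bytearray([COVERED] * (line_length - len(r)))
    out += bytearray([COVERED] * line_length * 3)       # unused rows below the board
    out += bytearray(16)
    return bytes(out)


SAMPLE_DUMP = build_dump([encode_row(t) for t in SAMPLE_TEXT])

if __name__ == '__main__':
    if len(sys.argv) > 1:                               # e.g. python board.py mine.dmp
        with open(sys.argv[1], 'rb') as f:
            dump = f.read()
    else:
        dump = SAMPLE_DUMP
    board = render_board(dump)
    if board is None:
        sys.exit("Gameboard not found")
    print('\n'.join(board))
```

The width cap at one row length matters for the widest board: a 30-cell row's border fills all 32 bytes, so the border run would otherwise continue into the next row's left border byte.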


Flag PMA 402.1: Beginner Level (15 pts)

When you win the game, a secret word will appear, which is covered by a green box in the image below.


Flag PMA 402.2: Intermediate Level (15 pts extra)

In Minesweeper, click Game, Intermediate.

Create a cheating tool that works for this level and win the game, as shown below.


Flag PMA 402.3: Expert Level (15 pts extra)

In Minesweeper, click Game, Expert.

Find the secret word for the Expert level.

Hint: use a totally different technique; don't play the game.


Sources

Game Hacking: WinXP Minesweeper
_MINIDUMP_TYPE Enumeration

Posted 9-18-18
Revised for Win 2016 9-11-19