Security Test Explores Windows Game Minesweeper

Author: JD Cloud developer

I believe many people have played Minesweeper since childhood; in an era with few computer games it became one of the most popular. On one occasion I came across an unusual Minesweeper process, and afterwards I had the urge to do the same thing myself: improve reverse-engineering and coding skills by dynamically debugging and reversing the game and writing a Minesweeper helper in C.

Dynamic debugging (analysis)

First of all, the dynamic debugging (analysis) of the minesweeper is carried out:

Open OD (OllyDbg), drag Minesweeper into OD and run it with F9. Press ctrl+G (follow expression), enter rand, click [OK] to jump to the function, and press F2 to set a breakpoint; the API function rand is our entry point. Click any square in the minefield of the Minesweeper window (the position where 2 appears in the screenshot), then click Restore (the [Smiley] button), as shown:

OD now breaks at the breakpoint just set on rand, as shown in the screenshot:

Having found the random function rand, we trace back up the stack to its parent function and look at the parameters it pushes: the caller of the random generator works with the height, width and mine count. Click K (call stack) to open the call-stack window, find the return address, and double-click it to go up one level; this process is called stack backtracing. Note the return address 010036D2 in the stack information shown in the screenshot.

Single-step with F8 and watch the registers, data window and stack window change; follow the value of dword ptr ss:[esp+0x4] (or dword ptr ds:[XXX]) in the data window (the value at 000DFC44 is 09), as shown in the screenshot:

Back in the calling function, analysing its instructions shows that the value involved in the rand call just made is the width (09); note the address 010036C7 in the screenshot.

Start by examining EAX, the value this function returns; after one more single step, the number 09 is pushed onto the stack (at address 010036D2), as shown in the screenshot:

From the analysis above it can be inferred that the values around the rand call are the width, the height and the mine count. To pin down the rand function and its parameters precisely, change the Minesweeper settings (custom minefield) as shown, click [OK], then click the [Restore (smiley)] button.

Observe OD, as shown in the screenshot:

Finding push 0C (the value at 000DFC84 is 0C) confirms that the 0C pushed before this rand call is the height of the minefield. The overall pattern of the minefield can also be seen clearly in the memory area, and by the same method we can guess that 0x80 marks a mine. Alternatively, analyse alongside IDA: static analysis shows the program logic more directly. This yields the base address, the mine count and related information, as shown in the screenshots:

The code roughly does this: the global variables for width 0x09, height 0x0C and mine count 0x0A are set first, then a two-layer loop generates random positions within the width and height. Map base address: 0x01005340. From the dump in the screenshot, no mine is 0x0F, mine is 0x8F, and wall is 0x10.

With the width and height addresses, the minefield and the number of mines can be printed so that the border walls and the mines are easy to tell apart.

Next, how to mark the mines. Tracing the stack back into WinProc (the window message callback) we see a GetDC call, which suggests BitBlt is used for drawing. In OD press ctrl+G (follow expression), enter "BitBlt", press F2 to set a breakpoint, then click any square in the minefield: OD breaks at BitBlt.

Inside it there is a nested BitBlt call, so the initial judgment is that the board is drawn with double buffering:

BitBlt(hDestDC,   // destination DC
       XDest,     // destination x coordinate
       YDest,     // destination y coordinate
       10,        // width of the redrawn area (hex 10 = 16 px)
       10,        // height of the redrawn area
       hSrcDC,    // source DC
       0, 0,      // source x, y
       SRCCOPY);  // raster operation

To compute a mine's coordinates (click the first square of the minefield and read off XDest/YDest), the border wall must be taken into account, as shown in the screenshots:

Subtracting the wall offset:

-0x04 = 0x0C (12) - 0x10 (16)

0x27 = 0x37 (55) - 0x10 (16)

This gives the coordinate formula: x (XDest: 12) = 1*0x10 (16) - 0x04 (4), y (YDest: 55) = 1*0x10 (16) + 0x27 (39); in general x = col*16 - 4 and y = row*16 + 39 for the 1-based column and row of a square.

Code writing

With the analysis above, the helper can be written:
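As an added example (not the article's own code, which appears only in the screenshots), here is a C sketch of the board-decoding half of the helper: it prints the map with walls and mines told apart and converts each mine square to the window coordinates derived from the BitBlt analysis. It works on a constructed snapshot of the board rather than memory read with ReadProcessMemory, and assumes 32 bytes per board row in memory (the article gives only the base address 0x01005340).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Cell encodings the article recovers from the board at 0x01005340. */
#define CELL_WALL  0x10  /* border square outside the playable area */
#define CELL_EMPTY 0x0F  /* unrevealed square with no mine */
#define CELL_MINE  0x8F  /* unrevealed square with a mine: bit 7 set */
#define ROW_STRIDE 32    /* bytes per row in memory: an assumption, not from the article */
#define CELL_PX    16    /* one square is 16x16 pixels, the 10h passed to BitBlt */
typedef struct { int x, y; } point;
/* Top-left pixel of 1-based square (row, col): the article's x = col*0x10 - 0x04,
 * y = row*0x10 + 0x27, so square (1,1) sits at XDest 12, YDest 55. */
int cell_x(int col) { return col * CELL_PX - 0x04; }
int cell_y(int row) { return row * CELL_PX + 0x27; }

/* Constructed snapshot in the game's own layout: width w, height h, walls on
 * every side, and the listed {row, col} squares holding mines. */
void build_board(uint8_t *board, int w, int h, const int (*mines)[2], int n) {
    memset(board, CELL_WALL, (h + 2) * ROW_STRIDE);
    for (int r = 1; r <= h; r++)
        memset(&board[r * ROW_STRIDE + 1], CELL_EMPTY, w);
    for (int i = 0; i < n; i++)
        board[mines[i][0] * ROW_STRIDE + mines[i][1]] = CELL_MINE;
}

/* Print the map as the article's helper does ('#' wall, '*' mine, '.' no mine),
 * record each mine's pixel position and return the count. Only bit 7 is
 * tested, matching the article's guess that 0x80 marks a mine. */
int scan_board(const uint8_t *board, int w, int h, point *out, int max) {
    int n = 0;
    for (int r = 0; r <= h + 1; r++, putchar('\n'))
        for (int c = 0; c <= w + 1; c++) {
            uint8_t v = board[r * ROW_STRIDE + c];
            putchar(v == CELL_WALL ? '#' : (v & 0x80) ? '*' : '.');
            if ((v & 0x80) && n < max)
                out[n++] = (point){ cell_x(c), cell_y(r) };
        }
    return n;
}

int main(void) {   /* the article's custom field: width 9, height 12, 10 mines */
    static const int mines[10][2] = { {1,1}, {1,9}, {3,4}, {5,2}, {6,6},
                                      {7,9}, {9,3}, {10,7}, {12,1}, {12,9} };
    uint8_t board[(12 + 2) * ROW_STRIDE];
    point hits[64];
    build_board(board, 9, 12, mines, 10);       /* mine positions are constructed */
    int n = scan_board(board, 9, 12, hits, 64);
    printf("%d mines; first at pixel (%d,%d)\n", n, hits[0].x, hits[0].y);
    return 0;
}
```

On Windows the snapshot would instead be filled by ReadProcessMemory from 0x01005340 for (height + 2) * 32 bytes, and the returned points are what a PostMessage click would target.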

Results

Entering 3 prints the mine locations (10 = wall, 8F = mine, 0F = no mine)

Entering 2 clears the field automatically: it marks the mines and opens the map

Through this small project, first of all a reverse-engineering mindset is strengthened: seeing a panel like this, one can guess it is implemented as an array; the mine layout is generated randomly; and dynamic debugging then reveals the implementation (the developer's design), the key base address and the cell states (no mine, mine, wall). The coding stage teaches memory operations and several important APIs: FindWindow to get the window handle, OpenProcess to open the process handle, ReadProcessMemory to read memory, PostMessage for asynchronous messages, and CloseHandle to close handles. Some of the analysis may be wrong or incomplete; please point it out. Doing more reverse engineering and code analysis helps a great deal, not only in broadening one's programming and testing thinking and skill, but also in finding, developing and exploiting vulnerabilities in a program, or patching it. I hope friends will cheer and encourage each other on this long road with its heavy responsibilities.