2007-12-13

Using WinDBG to Cheat at MineSweeper

Ran across this rather unique notion the other day. It works!

eb poi(@$peb+0x8)+0x36fa c6 00 8a
My interpretation is that this "enters byte values" "c6 00 8a" into the address starting at offset 0x36fa from the value pointed to by offset 8 into the PEB. Whatever that ultimately does!


3 comments:

Anonymous said...

It makes all the tiles that are mines show as the mine picture, even though they aren't clicked - which makes it rather easy to win!

«/\/\Ø|ö±ò\/»®© said...

Yes - I was aware that it was a "cheat", of course. The "Whatever that ultimately does!" was geared more towards the "how" of the hack - what is the significance of writing that byte sequence to that precise location.

Psychlo said...

I don't know much about the Process Environment Block but I'm pretty sure that PEB+8 points to the ImageBase of the loaded application...
The value c6008a is an instruction...

mov byte ptr ds:[eax],8A

if you load winmine in a debugger and look at ImageBase + 0x36fa you are going to find this instruction:

010036F3 |. 8D8430 405300>lea eax,dword ptr ds:[eax+esi+1005340]
010036FA |. 8008 80 or byte ptr ds:[eax],80
010036FD |. FF0D 30530001 dec dword ptr ds:[1005330]

Look:
010036FA |. 8008 80 or byte ptr ds:[eax],80

I don't know for sure because I didn't search any further but this is probably something about the position of the mines...

check out the entire loop:

010036C7 |> /FF35 34530001 push dword ptr ds:[1005334]
010036CD |. |E8 6E020000 call winmine.01003940
010036D2 |. |FF35 38530001 push dword ptr ds:[1005338]
010036D8 |. |8BF0 mov esi,eax
010036DA |. |46 inc esi
010036DB |. |E8 60020000 call winmine.01003940
010036E0 |. |40 inc eax
010036E1 |. |8BC8 mov ecx,eax
010036E3 |. |C1E1 05 shl ecx,5
010036E6 |. |F68431 405300>test byte ptr ds:[ecx+esi+1005340],80
010036EE |.^ 75 D7 jnz short winmine.010036C7
010036F0 |. |C1E0 05 shl eax,5
010036F3 |. |8D8430 405300>lea eax,dword ptr ds:[eax+esi+1005340]
010036FA |. |8008 80 or byte ptr ds:[eax],80
010036FD |. |FF0D 30530001 dec dword ptr ds:[1005330]
01003703 |.^\75 C2 jnz short winmine.010036C7
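As an added illustration (not part of the post or of any comment above), here is a small Python model of the mine-placement loop from the listing, run once with the original instruction and once with the patched one. It assumes, as the comment guesses, that the board lives in a byte array with a 32-byte row stride (the `shl ..,5`), that the two `call 01003940` results are a random column and row, that bit 0x80 marks a mine, and that 0x8A is the tile value the game draws as a mine picture; none of that is confirmed by the page, and the addresses are replaced by plain offsets.

```python
import random

# Constructed model of the loop at 010036C7..01003703 (assumptions, not facts
# taken from the page): 32-byte row stride, bit 0x80 = "mine", 0x8A = tile value
# that renders as a mine picture. Real addresses are replaced by offsets.
STRIDE = 32
MINE = 0x80        # bit set by the original `or byte ptr [eax],80`
SHOWN_MINE = 0x8A  # byte stored by the patched `mov byte ptr [eax],8A`


def place_mines(width, height, mines, patched, rng):
    """Model the loop: pick random cells until `mines` distinct cells are marked."""
    # One border row/column, reflecting the `inc esi` / `inc eax` offsets.
    board = bytearray(STRIDE * (height + 2))
    remaining = mines                      # dword at 1005330 in the listing
    while remaining:
        col = rng.randrange(width) + 1     # first call, then `inc esi`
        row = rng.randrange(height) + 1    # second call, then `inc eax`
        idx = (row << 5) + col             # `shl ecx,5`; [ecx+esi+base]
        if board[idx] & MINE:              # `test byte ptr [...],80` / `jnz` -> retry
            continue
        if patched:
            board[idx] = SHOWN_MINE        # c6 00 8a: mov byte ptr ds:[eax],8A
        else:
            board[idx] |= MINE             # 80 08 80: or byte ptr ds:[eax],80
        remaining -= 1                     # `dec dword ptr ds:[1005330]`
    return board


def simulate(width, height, mines, seed, patched):
    """Deterministic wrapper so both variants can be compared on the same seed."""
    return place_mines(width, height, mines, patched, random.Random(seed))


def mine_cells(board):
    """Indices of every cell that has the mine bit set."""
    return sorted(i for i, b in enumerate(board) if b & MINE)


def render(board, width, height):
    """'.' empty, 'm' hidden mine (original), '*' mine drawn as a picture (patched)."""
    rows = []
    for row in range(1, height + 1):
        line = []
        for col in range(1, width + 1):
            b = board[(row << 5) + col]
            line.append('*' if b == SHOWN_MINE else ('m' if b & MINE else '.'))
        rows.append(''.join(line))
    return '\n'.join(rows)


if __name__ == '__main__':
    print(render(simulate(9, 9, 10, 7, patched=False), 9, 9))
    print()
    print(render(simulate(9, 9, 10, 7, patched=True), 9, 9))
```

With the same seed the two runs put mines in the same cells; the only difference is the byte stored there (0x80 versus 0x8A), which is the whole point of the one-instruction patch.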