Mine clearance Analysis

1. Using Meimei, we can obtain the function call relationship during program initialization.
For more information about how to use Meimei, see <0-day software vulnerability analysis technology>. If you do not have Meimei, please email me and I will send you a copy.
(And) is the relationship between program function calls. The _ StartGame function caught my attention and called the Rnd function. We know that random numbers are required to initialize the minefield, therefore, the _ StartGame function is a breakthrough. As long as you know the detailed process of the function, you can crack the game.
First, we can crack the game by knowing the data storage address and format in the game data zone.

2. Analyze the _ StartGame function to obtain the following information:
Game data zone first address: 0X01005360
Game data zone Row Storage address: 0X01005338
Number of game data zone columns storage address: 0X01005334
Each cell information of the game is represented in one byte. The data area uses two-dimensional arrays to describe the information of cells. Each row has a maximum of 30 columns (two columns are the boundary information ), there are up to 30 rows. No matter how many columns A game starts, the data zone always uses 32 bytes of information to represent a row.
 

: The StartGame function calls the rand function to obtain the random row and column positions of mines.

 

: After the program starts, it calls the _ StartGame function to initialize the game data zone.


Iii. Detailed analysis of the _ StartGame Function
The first part obtains the row and column values and saves them to global variables.
Mov eax, dword ptr ds: [10056AC]; get user-defined row and column values
Mov ecx, dword ptr ds: [10056A8]
PUSH EBX
PUSH ESI
PUSH EDI
Xor edi, EDI
Cmp eax, dword ptr ds: [1005334]; comparison with column values in global variables
Mov dword ptr ds: [1005164], EDI
Jnz short winmine.010036A4
Cmp ecx, dword ptr ds: [1005338]; comparison with the row value in the global variable
Jnz short winmine.010036A4
PUSH 4
Jmp short winmine.010036A6
PUSH 6
POP EBX

The second part is to call the rand function to generate a random location of a ray based on the number of rows and columns.
Mov dword ptr ds: [1005334], EAX; Save the current row and column values
Mov dword ptr ds: [1005338], ECX
CALL winmine.01002ED5; CALL the ClearField function to initialize the data zone.
Mov eax, dword ptr ds: [10056A4]; get the number of initial mines
Mov dword ptr ds: [1005160], EDI
Mov dword ptr ds: [1005330], EAX
Push dword ptr ds: [1005334]; use the number of columns as the rand parameter to generate the column location of the thunder
CALL winmine.01003940
Push dword ptr ds: [1005338]
Mov esi, EAX
INC ESI
CALL winmine.01003940; use the number of rows as the rand parameter to generate the row location of the ray.
INC EAX
Mov ecx, EAX
Shl ecx, 5; number of rows multiplied by 32 because a row is expressed in 32 bytes
Test byte ptr ds: [ECX + ESI + 1005340], 80; the highest bit of the BYTE indicates whether it is lei
Jnz short winmine.010036C7; if it is a mine, continue to find the mine location

Which of the following is NOT a mine?
Shl eax, 5
Lea eax, dword ptr ds: [EAX + ESI + 1005340]
Or byte ptr ds: [EAX], 80; returns the highest BYTE position of 1, indicating that this position is lei
Dec dword ptr ds: [1005330]
Jnz short winmine.010036C7

Part 3: dealing with the aftermath is irrelevant to our analysis.
Mov ecx, dword ptr ds: [1005338]
Imul ecx, dword ptr ds: [1005334]
Mov eax, dword ptr ds: [10056A4]
Sub ecx, EAX
PUSH EDI
Mov dword ptr ds: [100579C], EDI
Mov dword ptr ds: [1005330], EAX
Mov dword ptr ds: [1005194], EAX
Mov dword ptr ds: [10057A4], EDI
Mov dword ptr ds: [10057A0], ECX
Mov dword ptr ds: [1005000], 1
CALL winmine.010020.a
Push ebx;/Arg1
CALL winmine.01001950; \ winmine.01001950
POP EDI
POP ESI
POP EBX
RETN

4. cracking the game
At the beginning of the article, I mentioned that as long as we know the storage address and format of the game data zone, we can crack the game. It is the situation where the data zone is in the memory:

 
: Memory usage in the Data Zone
We can see that the 32 bytes starting from the address 0X01005360 store the information of the first row of cells of the game, and so on, the 32 bytes starting from 0X01005380 store the information of the second row of the game cell ...........

Each cell is represented in one byte and its meaning is as follows:
Status of 0F Initialization
10 represents the edge
40 represents no thunder, no number, no mark
4X X indicates X ray around the grid.
8F represents lei
8E indicates the record, and the lower four digits are E.

Now, I believe that you will be able to write a cracked program.

Zhangx Daniel