blank
Posted April 22, 2019 (edited)

Language: .NET
Platform: Windows x32/x64
OS Version: Tested on Windows 10, with .NET 4.6.2
Packer / Protector: WinterStorm 0.1 (Personal Project)

Description:
Here is a project I've been working on for the last 6 months. It's a follow-up to my previous DynamicMethod attempts. This time I also included some simple JIT hooking. Everything here was written by myself, except a helper class for loading dlls from memory. I hope you'll find it entertaining. I can't wait to hear your thoughts.

This is (arguably) the best iteration of the popular game, MineSweeper. Unfortunately, it's a demo, and it only allows for 5 moves. In order to keep playing you have to purchase the full version (contact me for a price 🙂) or try to patch it. There are 3 checks for the number of moves that prevent the player from finishing the game.

GOALS:
Find and remove the first move counter
Find and remove the second check
Find and remove the third check, making the game playable to the end.

BONUS (if you are really bored): There is a secret 'cheat code' that, when used, gives the player a substantial advantage. Find the secret code to master the game.

After achieving one, some, or all of the goals, post the patched file and the steps you took.

PS: Sorry if the game is a bit slow. Sometimes you have to give it a second between moves.

EDIT: If it doesn't run, make sure you have the C runtime library installed too (specifically, it asks for ucrtbased.dll).

EDIT 2: After Eddy's advice, I recompiled the native parts and tried to get rid of most of the useless dependencies. Please download the second version.

Screenshot:
Attachment: minesweeper2.exe

Edited April 29, 2019 by blank: removed useless dependencies
blank (Author)
Posted April 23, 2019 (edited)

> 4 hours ago, NeoNCoding said:
> then it will crash

Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2.

EDIT: It seems you will also need the C/C++ runtime library from Microsoft. Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.

Edited April 23, 2019 by blank
0X7C9
Posted April 23, 2019

> 6 hours ago, blank said:
> Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2.
> EDIT: It seems you will also need the C/C++ runtime library from Microsoft. Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.

Blank, you need to recompile the native part under the VC 2008 runtime, without dependencies on the new Windows CRT runtime.
blank (Author)
Posted April 23, 2019

> 1 hour ago, Eddy^CZ said:
> Blank, you need to recompile the native part under the VC 2008 runtime, without dependencies on the new Windows CRT runtime.

Thanks for the advice, I uploaded the new version.
kao (Solution)
Posted April 26, 2019

It builds a lot on your previous crackmes. So, most of the answers are already there.

1) Finding the first 2 checks - they are in 2 separate dynamic methods. You can simply patch those;
2) The third check is in yet another dynamic method. You can patch it, and play the game till the end. However, the game never shows the success screen. I think it's a bug in the crackme, as I could not find any code that would set the required field;
3) There are different ways to get the IL code of the dynamic method; for example, this breakpoint might help:
4) To patch the crackme, you need to understand how it stores information about dynamic methods. See previous crackmes and solutions for some details and hints.
5) Also you'll need to understand how the JIT hook decrypts IL code. There's nothing original in it: VirtualProtect -> decrypt code in-place -> JIT it -> encrypt code back -> VirtualProtect. Very easy to break in several different ways.

So, attached are 2 different versions of the solution. The first solution patches all 3 checks; you can play the game till the end but not get the success screen. The second solution gives you an instant win and shows the success screen.

Bonus: the secret "cheat" code is checked in the timer procedure. If you type it quickly enough, it will show the playing field.

Attachment: minesweeper-solution-kao.zip
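To make point 5 concrete, here is an added C# example (not the crackme's code and not part of kao's solution) of the protection pattern being discussed: a DynamicMethod whose raw IL bytes are kept XOR-encrypted and decrypted into a buffer only at the moment the method body is handed to the runtime for JIT compilation. The key value, the IL bytes, and the class and method names are constructed for the illustration. It shows why the scheme is weak from a defender's point of view: whatever is done to the bytes afterwards, the plaintext IL has to be present in memory when the JIT needs it, which is the window that a breakpoint on the decryption routine (or on the JIT's compile entry) observes.

```csharp
using System;
using System.Reflection.Emit;

// Added example: a DynamicMethod built from XOR-"protected" IL.
// Key, IL bytes and names are constructed for this illustration.
static class EncryptedIlDemo
{
    // Constructed sample key; a real protector would derive it elsewhere.
    const byte Key = 0x5A;

    // Plaintext IL for "int Add(int a, int b) { return a + b; }":
    //   02  ldarg.0
    //   03  ldarg.1
    //   58  add
    //   2A  ret
    // Stored XOR-ed with Key (computed once at type initialisation so the
    // plaintext bytes are readable in this listing).
    static readonly byte[] EncryptedIl = Xor(new byte[] { 0x02, 0x03, 0x58, 0x2A });

    // XOR is its own inverse, so the same routine encrypts and decrypts.
    static byte[] Xor(byte[] data)
    {
        var result = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            result[i] = (byte)(data[i] ^ Key);
        return result;
    }

    public static Func<int, int, int> BuildAdd()
    {
        // Decrypt into a fresh buffer. This is the moment the plaintext IL must
        // exist in memory; a breakpoint here, or on the JIT compile entry the
        // runtime reaches from CreateDelegate, sees the original method body.
        byte[] plainIl = Xor(EncryptedIl);

        var dm = new DynamicMethod("Add", typeof(int),
                                   new[] { typeof(int), typeof(int) },
                                   typeof(EncryptedIlDemo).Module,
                                   skipVisibility: true);

        DynamicILInfo info = dm.GetDynamicILInfo();
        // Empty local-variable signature: the method declares no locals.
        info.SetLocalSignature(SignatureHelper.GetLocalVarSigHelper().GetSignature());
        // maxStack = 2: two int operands are on the stack before 'add'.
        info.SetCode(plainIl, 2);

        // CreateDelegate forces JIT compilation of the IL we just supplied.
        var add = (Func<int, int, int>)dm.CreateDelegate(typeof(Func<int, int, int>));

        // Wiping (or re-encrypting, as the crackme's hook does to the original
        // bytes) the buffer afterwards does not undo the JIT's work: the native
        // code already exists, and the plaintext was observable while needed.
        Array.Clear(plainIl, 0, plainIl.Length);
        return add;
    }

    static void Main()
    {
        Func<int, int, int> add = BuildAdd();
        Console.WriteLine(add(40, 2));
    }
}
```

The DynamicILInfo route is used here because it accepts a raw byte array, which is the same shape of input a JIT hook deals with; an ILGenerator-built method would hide the bytes behind Emit calls. Using VirtualProtect to flip page permissions around the decrypt step, as kao describes, changes nothing about this window: it only controls who may write to the page, not whether the decrypted bytes are there.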
blank (Author)
Posted April 27, 2019

@kao Thank you, your work is fantastic, as usual 🙂. Now that I checked it, indeed the success screen doesn't show up. I initialized a bool with the wrong value... 🙁 Anyway, I get how you were able to retrieve the original IL code. However, I can't understand how you put the patched code back. If I alter the string that holds the code, the program doesn't work anymore. Could you please give us some clues on how to do it? Thanks again for taking the time to look into this, and for the detailed explanation!