MineSweeper

Question

blank
Posted (edited)

Language: .NET
Platform: Windows x32/x64
OS Version: Tested on Windows 10, with .NET 4.6.2
Packer / Protector: WinterStorm 0.1 (Personal Project)

Description:

Here is a project I've been working on for the last 6 months. It's a follow-up to my previous DynamicMethod attempts. This time I also included some simple JIT hooking. Everything here was written by myself, except a helper class for loading DLLs from memory. I hope you'll find it entertaining. I can't wait to hear your thoughts.

This is (arguably) the best iteration of the popular game, MineSweeper. Unfortunately, it's a demo, and it only allows for 5 moves. In order to keep playing you have to purchase the full version (contact me for a price 🙂) or to try and patch it. There are 3 checks for the number of moves, that prevent the player from finishing the game.

GOALS:

  1. Find and remove the first move counter
  2. Find and remove the second check
  3. Find and remove the third check, making the game playable to the end.
  4. BONUS (if you are really bored): There is a secret 'cheat code' that, when used, gives the player a substantial advantage. Find the secret code to master the game.

After achieving one, some, or all of the goals, post the patched file and the steps you took.

PS: Sorry if the game is a bit slow. Sometimes you have to give it a second between moves.

EDIT: If it doesn't run, make sure you have the C runtime library installed too. (specifically, it asks for ucrtbased.dll)

EDIT 2: After Eddy's advice, I recompiled the native parts and tried to get rid of most of the useless dependencies. Please download the second version.

Screenshot: 2019-04-22_233520.png


minesweeper2.exe

Edited by blank: removed useless dependencies (see edit history)


6 answers to this question

kao

It builds a lot on your previous crackmes. So, most of the answers are already there.

1) Finding first 2 checks - they are in 2 separate dynamic methods. You can simply patch those;

2) Third check is in yet another dynamic method. You can patch it, and play the game till the end. However, the game never shows success screen. I think it's a bug in the crackme, as I could not find any code that would set the required field;

3) There are different ways to get IL code of the dynamic method, for example, this breakpoint might help:

[screenshot]

4) To patch crackme, you need to understand how it stores information about dynamic methods. See previous crackmes and solutions for some details and hints.

5) Also you'll need to understand how jit hook decrypts IL code. There's nothing original in it: VirtualProtect -> decrypt code in-place -> jit it -> encrypt code back -> VirtualProtect. Very easy to break in several different ways.

 

So, attached are 2 different versions of solution. First solution patches all 3 checks, you can play the game till the end but not get the success screen. Second solution gives you instant win and shows success screen.

[screenshot]


Bonus: the secret "cheat" code is checked on timer procedure. If you type it quickly enough, it will show the playing field:

[screenshot]


minesweeper-solution-kao.zip

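A worked model of the scheme kao describes in point 5, added here as an example; it is not code from the crackme or from kao's solution. The idea being modelled: the IL of a dynamic method is stored encrypted, decrypted in place right before it is handed to the runtime, and encrypted again afterwards. The crackme does this natively with a JIT hook and VirtualProtect; this C# version keeps everything managed and builds the method from raw IL through DynamicILInfo, which is enough to show why the scheme is fragile. The XOR key, the four-byte IL blob, and the private field names m_DynamicILInfo and m_code (taken from the .NET Framework reference source; other runtime versions may name them differently) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Reflection.Emit;
using System.Text;

// Added example, not code from the crackme or from kao's solution.
// Models "decrypt IL in place -> hand it to the JIT -> encrypt it back"
// for a DynamicMethod built from raw IL, then recovers the plaintext
// from the copy the runtime keeps for the JIT.
static class EncryptedDynamicMethodDemo
{
    const byte Key = 0x5A;   // assumed XOR key; any key has the same weakness

    // Constructed plaintext IL for  static int Add(int a, int b) => a + b;
    //   ldarg.0 (0x02)  ldarg.1 (0x03)  add (0x58)  ret (0x2A)
    // stored XOR-encrypted, the way a protector would ship it.
    static readonly byte[] EncryptedIl = Xor(new byte[] { 0x02, 0x03, 0x58, 0x2A });

    static byte[] Xor(byte[] buf)
    {
        for (int i = 0; i < buf.Length; i++) buf[i] ^= Key;
        return buf;
    }

    // "Protector" side: decrypt in place, hand the bytes to the runtime,
    // encrypt them back so the static blob is never left in plaintext.
    public static DynamicMethod BuildAdd()
    {
        var dm = new DynamicMethod("Add", typeof(int),
            new[] { typeof(int), typeof(int) },
            typeof(EncryptedDynamicMethodDemo).Module, true);
        DynamicILInfo info = dm.GetDynamicILInfo();
        Xor(EncryptedIl);              // decrypt in place
        info.SetCode(EncryptedIl, 2);  // maxStack = 2; SetCode clones the array
        Xor(EncryptedIl);              // encrypt back: our blob is ciphertext again
        return dm;
    }

    // "Analyst" side: the JIT has to read plaintext, so the DynamicILInfo
    // holds its own copy in a private field. Field names are internal details
    // from the .NET Framework reference source (assumption for other runtimes).
    public static byte[] RecoverIl(DynamicMethod dm)
    {
        const BindingFlags F = BindingFlags.NonPublic | BindingFlags.Instance;
        object info = typeof(DynamicMethod).GetField("m_DynamicILInfo", F)?.GetValue(dm);
        if (info == null) throw new InvalidOperationException("m_DynamicILInfo not found on this runtime");
        var code = (byte[])typeof(DynamicILInfo).GetField("m_code", F)?.GetValue(info);
        if (code == null) throw new InvalidOperationException("m_code not found on this runtime");
        return code;
    }

    // Minimal IL disassembler; the opcode table comes from System.Reflection.Emit.OpCodes.
    static readonly Dictionary<short, OpCode> Table = BuildTable();

    static Dictionary<short, OpCode> BuildTable()
    {
        var t = new Dictionary<short, OpCode>();
        foreach (FieldInfo f in typeof(OpCodes).GetFields(BindingFlags.Public | BindingFlags.Static))
            if (f.FieldType == typeof(OpCode)) { var op = (OpCode)f.GetValue(null); t[op.Value] = op; }
        return t;
    }

    // Operand length in bytes for the instruction starting at il[pos] (pos is past the opcode).
    static int OperandSize(OpCode op, byte[] il, int pos)
    {
        switch (op.OperandType)
        {
            case OperandType.InlineNone: return 0;
            case OperandType.ShortInlineBrTarget:
            case OperandType.ShortInlineI:
            case OperandType.ShortInlineVar: return 1;
            case OperandType.InlineVar: return 2;
            case OperandType.InlineI8:
            case OperandType.InlineR: return 8;
            case OperandType.InlineSwitch: return 4 + 4 * BitConverter.ToInt32(il, pos);
            default: return 4;   // metadata tokens, 32-bit immediates, long branch targets
        }
    }

    public static string Disassemble(byte[] il)
    {
        var sb = new StringBuilder();
        int pos = 0;
        while (pos < il.Length)
        {
            // two-byte opcodes are prefixed with 0xFE and have Value 0xFEnn
            short code = il[pos] == 0xFE ? unchecked((short)(0xFE00 | il[pos + 1])) : il[pos];
            OpCode op = Table[code];
            pos += op.Size;
            int len = OperandSize(op, il, pos);
            sb.Append(op.Name);
            if (len > 0) sb.Append(' ').Append(BitConverter.ToString(il, pos, len));
            sb.Append('\n');
            pos += len;
        }
        return sb.ToString();
    }

    static void Main()
    {
        DynamicMethod dm = BuildAdd();
        var add = (Func<int, int, int>)dm.CreateDelegate(typeof(Func<int, int, int>));
        Console.WriteLine("Add(2, 3) = " + add(2, 3));                     // method JITs and runs
        Console.WriteLine("static blob: " + BitConverter.ToString(EncryptedIl)); // still ciphertext
        Console.WriteLine(Disassemble(RecoverIl(dm)));                       // ldarg.0 ldarg.1 add ret
    }
}
```

Compile it as a console application against .NET Framework 4.x or .NET Core 3.0 or later (DynamicILInfo is present in both). Two weaknesses of the decrypt-then-re-encrypt pattern are visible in the output: SetCode copies the buffer, so re-encrypting the caller's array leaves the plaintext sitting in the DynamicILInfo where reflection (or a memory dump) finds it; and between the two Xor calls the plaintext exists in the original array, so a breakpoint on the decryption routine, or on the JIT entry point the crackme hooks, captures it regardless of the key. That is the generic observation behind kao's "very easy to break in several different ways".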
NeoNCoding

[screenshot]
then it will crash

blank
Posted (edited)
4 hours ago, NeoNCoding said:

then it will crash

Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2

EDIT: It seems you will also need the C/C++ runtime library from Microsoft

Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.

Edited by blank (see edit history)
0X7C9
6 hours ago, blank said:

Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2

EDIT: It seems you will also need the C/C++ runtime library from Microsoft

Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.

Blank, you need to recompile the native part under the VC 2008 runtime ;) Without dependencies on the new Windows CRT runtime.

blank
1 hour ago, Eddy^CZ said:

Blank, you need to recompile the native part under the VC 2008 runtime ;) Without dependencies on the new Windows CRT runtime.

Thanks for the advice, I uploaded the new version.

blank

@kao Thank you, your work is fantastic, as usual 🙂. Now that I checked it, indeed the success screen doesn't show up. I initialized a bool with the wrong value... 🙁 . Anyway, I get how you were able to retrieve the original IL code. However, I can't understand how you put the patched code back. If I alter the string that holds the code, the program doesn't work anymore. Could you please give us some clues on how to do it?

Thanks again for taking the time to look into this, and for the detailed explanation!
