MineSweeper

[blank 3]

Language: .NET
Platform: Windows x32/x64
OS Version: Tested on Windows 10, with .NET 4.6.2
Packer / Protector: WinterStorm 0.1 (Personal Project)

Description:

Here is a project I've been working on for the last 6 months. It's a follow-up to my previous DynamicMethod attempts. This time I also included some simple JIT hooking.  Everything here was written by myself, except a helper class for loading dlls from memory. I hope you'll find it entertaining. I can't wait to hear your thoughts. 

This is (arguably) the best iteration of the popular game, MineSweeper. Unfortunately, it's a demo, and it only allows for 5 moves. In order to keep playing you have to purchase the full version (contact me for a price 🙂) or to try and patch it. There are 3 checks for the number of moves, that prevent the player from finishing the game.

GOALS:

1. Find and remove the first move counter
2. Find and remove the second check
3. Find and remove the third check, making the game playable to the end.
4. BONUS (if you are really bored): There is a secret 'cheat code' that, when used, gives the player a substantial advantage. Find the secret code to master the game.

After achieving one, some, or all of the goals, post the patched file and the steps you took.

PS: Sorry if the game is a bit slow. Sometimes you have to give it a second between moves.

EDIT: If it doesn't run, make sure you have the C runtime library installed too. (specifically, it asks for ucrtbased.dll)

EDIT 2: After Eddy's advice, I recompiled the native parts and tried to get rid of most of the useless dependencies. Please download the second version.

Screenshot :

 

minesweeper2.exe

Edited April 29, 2019 by blank
removed useless dependencies (see edit history)

[kao 1,967]

It builds a lot on your previous crackmes. So, most of the answers are already there.

1) Finding first 2 checks - they are in 2 separate dynamic methods. You can simply patch those;

2) Third check is in yet another dynamic method. You can patch it, and play the game till the end. However, the game never shows success screen. I think it's a bug in the crackme, as I could not find any code that would set the required field;

3) There are different ways to get IL code of the dynamic method, for example, this breakpoint might help:

 
4) To patch crackme, you need to understand how it stores information about dynamic methods. See previous crackmes and solutions for some details and hints.

5) Also you'll need to understand how jit hook decrypts IL code. There's nothing original in it: VirtualProtect -> decrypt code in-place -> jit it -> encrypt code back -> VirtualProtect. Very easy to break in several different ways.

 

So, attached are 2 different versions of solution. First solution patches all 3 checks, you can play the game till the end but not get the success screen. Second solution gives you instant win and shows success screen.

Spoiler

Bonus: the secret "cheat" code is checked on timer procedure. If you type it quickly enough, it will show the playing field:

Spoiler

 

minesweeper-solution-kao.zip

[NeoNCoding 3]

then it will crash

[blank 3]

4 hours ago, NeoNCoding said:

then it will crash

Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2

EDIT: It seems you will also need the C/C++ runtime library from Microsoft

Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.

Edited April 23, 2019 by blank (see edit history)

[0X7C9 5]

6 hours ago, blank said:

Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2

EDIT: It seems you will also need the C/C++ runtime library from Microsoft

Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.

Blank , you need recompile native part under VC 2008 runtime  Without depencies to new Windows CRT Runtime. 

[blank 3]

1 hour ago, Eddy^CZ said:

Blank , you need recompile native part under VC 2008 runtime  Without depencies to new Windows CRT Runtime. 

Thanks for the advice, I uploaded the new version.

[blank 3]

@kao Thank you, your work is fantastic, as usual 🙂. Now that I checked it, indeed the success screen doesn't show up. I initialized a bool with the wrong value... 🙁 . Anyway, I get how you were able to retrieve the original IL code. However, I can't understand how you put the patched code back. If I alter the string that holds the code, the program doesn't work anymore. Could you please give us some clues on how to do it?

Thanks again for taking the time to look into this, and for the detailed explanation!