3. Hacking Minesweeper with Immunity (40 pts)

What You Need

A Windows machine, real or virtual. I used a Windows 2016 Server cloud machine.

Purpose

To hack Minesweeper at the binary level. This gives you practice using the Immunity debugger, Procdump, and Python.

Getting Minesweeper

Download the minesweeper program from the link below.

https://samsclass.info/126/proj/minesam.exe.zip

Right-click the zipped file and click "Extract All...", Extract.

Right-click the minesam.exe file and click Properties.

In the Properties sheet, at the bottom, click Unblock, as shown below. Click OK.

Double-click the minesam.exe file to launch Minesweeper.

The game launches. Click Game, Beginner to see the small gameboard shown below.

Click a cell. Some of the cells appear empty, and others are revealed with numbers in them, as shown below.

Viewing the Game in Immunity

Close Minesweeper. Start Minesweeper again.

On your desktop, right-click the Immunity icon and click "Run as Administrator".

In the User Account Control box, click Yes.

From the Immunity menu bar, click File, Attach. In the "Select process to attach" box, click minesam. Click the Attach button.

The program loads and pauses, as shown below.

Troubleshooting

If the font is too small, adjust it this way:
  • From the Immunity menu bar, click Options, Appearance.
  • Click the Fonts tab.
  • Click Rename and enter a new name of BIG
  • Click on Change and set the settings you wish
  • Click the Defaults tab and set the Default font to be BIG

Viewing Memory Segments

From the Immunity menu bar, click View, Memory.

The memory segments are shown, as shown below.

Right-click the minesam .data line and click Dump, as shown below.

In the Dump window, scroll down to show memory near 01005340.

Data is visible, consisting of 0F and 10 bytes, as shown below.

From the Immunity menu bar, click Debug, Run to resume the game.

Click the Minesweeper button on the taskbar to bring it to the front. Click a cell to change the display.

Compare the Minesweeper gameboard with the Dump window, as explained below.

Notice the two lines of cells outlined in red in the image below:

BLANK BLANK BLANK 1
BLANK BLANK BLANK 1 2

Now look at the RAM dump shown below. Look at the right side, displaying the ASCII values.

You can see matching sequences, outlined in red in the image below:

@@@A
@@@AB

The gameboard is stored in RAM, using an "@" for an empty cell, "A" for "1", and a "B" for "2", etc.

If we can read the RAM, we can cheat at the game.

Notice the region of 8 bytes highlighted in light green in the image above. If we can find this sequence of bytes in RAM, we can find the gameboard in a memory dump.

Getting Procdump

In Internet Explorer, go to

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

Download Procdump.zip, and put it in your Downloads folder.

Click Start, Computer. Navigate to your Download folder.

Right-click Procdump.zip and click "Extract All...", Extract.

Capturing Process Memory

Close Immunity.

Double-click minesam.exe to run Minesweeper again.

Click the Start button. Type cmd. When cmd is found, double-click it to open a normal Command Prompt window (not an Administrator Command Prompt window).

Execute these commands:

cd %USERPROFILE%
cd Downloads\Procdump
procdump -ma minesam.exe mine

A box pops up, titled ProcDump License Agreement. Click Agree.

Procdump makes a dump file, as shown below.

Installing HxD

HxD is a simple hex viewer to examine disks, files, or RAM.

In Internet Explorer, go to:

https://mh-nexus.de/en/hxd/

Scroll to the lower portion of the page and find the current version, as shown below. Click the "Download page" link.

On the Downloads page, in the "English" line, click the "Download per HTTPS" link, as shown below. Save the HDSetup.zip file in your Downloads folder.

At the lower left of the desktop, click the yellow folder to open File Explorer. Navigate to the Downloads folder. Right-click the HDSetup.zip file and click "Extract All...", Extract.

Double-click the HDSetup icon and install the software with the default options.

Viewing the Memory with HxD

Open HxD. From the HxD menu bar, click File, Open.

Navigate to your Downloads folder. Open the Procdump folder and double-click the mine.dmp file.

From the HxD menu bar, click Search, Find.

In the "Find" box, click the Hex-values tab.

In the "Search for" field, enter this text, as shown below.

10 10 10 10 0F 0F 0F 0F

In the "Find" box, click OK.

It finds the gameboard data, as shown below.

Creating a Python Script

We can automate the process with Python. In a Command Prompt window, execute these commands:

cd C:\Users\Administrator\Downloads\Procdump
notepad cheat.py

A box pops up, saying "Do you want to create a new file...?". Click Yes.

Paste in this code, as shown below.

(Note: to make the program simpler, it searches for the sequence

10 10 10 0F 0F 0F 0F 0F

which starts on an 8-byte boundary.)

import os

# Dump memory: delete any old dump, then capture all of minesam.exe's memory
# (procdump.exe is in the current folder when this runs from the Procdump folder)
cmd = "del mine.dmp"
os.system(cmd)
cmd = "procdump -ma minesam.exe mine"
os.system(cmd)

# Find gameboard: 0x10 bytes are the board border and 0x0F bytes are
# unrevealed cells, so this sequence marks the start of the gameboard

mark = b'\x10\x10\x10\x0F\x0F\x0F\x0F\x0F'

nread = 8
boardfound = 0
gameboard = b""

with open("mine.dmp", "rb") as f:
  line = f.read(8)

  # slide an 8-byte window through the dump one byte at a time
  while boardfound == 0:
    c = f.read(1)
    if c == b"":
      print("File ended, but gameboard not found!")
      exit()
    line = line[1:] + c
    nread += 1
    if nread % 0x100000 == 0:
      print("Looking at byte", hex(nread), nread)
    if line == mark:
      print("Gameboard found at", hex(nread - 8))
      boardfound = 1
  # the last four marker bytes are cells of the board, so put them back
  # in front of the 500 bytes that follow
  gameboard = mark[4:] + f.read(500)

# Print Gameboard: the board is stored 32 bytes per row

l = len(gameboard)
m = 32 # items per line

for i in range(0, l-m, m):
  line = ""
  for j in range(m):
    g = gameboard[i+j]        # one byte, as an integer
    if g == 0x10:
      c = "-"                 # border
    elif g == 0x0f:
      c = " "                 # hidden cell, no mine
    elif g == 0x8f:
      c = "*"                 # hidden mine
    elif g == 0x00:
      c = " "                 # unused memory
    elif 0x40 <= g <= 0x48:
      c = chr(g - 16)         # revealed cell: 0x40 ('@') prints as 0, 0x41 ('A') as 1, etc.
    else:
      c = "?"                 # anything else: not part of the gameboard
    line += c
  print(line)

In the Notepad window, click File, Save.

In the Command Prompt window, execute this command:

python cheat.py

The program shows the location of the mines. With this information, you should easily be able to click all the squares without mines, as shown below.

When you win the game, a secret word will appear, which is covered by a green box in the image below.
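Here is an added Python 3 example (not part of this lab's cheat.py) that does the same search and decoding on an in-memory copy of the dump, assuming the layout the lab describes: 32 bytes per board row, 0x10 for the border and the unused part of each row, 0x0F for a hidden cell, 0x8F for a hidden mine, and 0x40 plus the number for a revealed cell. It goes a little beyond the script above by reading the board width and height from the border bytes, by climbing back to the first row when the marker matches lower down because the top-left cells were already clicked, and by returning the mine coordinates instead of only printing them. make_board, decode_board and SAMPLE_DUMP are names chosen here, and the sample dump is constructed so the script runs without Minesweeper; give it the path to mine.dmp to use a real dump.

```python
import sys

ROW_BYTES = 32                              # the lab's layout: one 32-byte row per board row
MARKER = bytes.fromhex("101010100f0f0f0f")  # the HxD search pattern from the lab
CELL = {0x0F: ".", 0x8F: "*", 0x10: "-"}    # hidden cell, hidden mine, border

def make_board(width, height, mines, revealed):
    """Constructed test input in the lab's layout (not a real dump)."""
    rows = bytearray(b"\x10" * ROW_BYTES * (height + 2))    # border/fill everywhere
    for r in range(height):
        for c in range(width):
            rows[(r + 1) * ROW_BYTES + c + 1] = 0x0F       # hidden cell, no mine
    for r, c in mines:
        rows[(r + 1) * ROW_BYTES + c + 1] = 0x8F           # hidden mine
    for (r, c), n in revealed.items():
        rows[(r + 1) * ROW_BYTES + c + 1] = 0x40 + n       # revealed cell showing n
    return bytes(rows)

def decode_board(dump):
    """Return (rows as text, mine coordinates) for the board in dump, or None."""
    hit = dump.find(MARKER)
    if hit < 0:
        return None
    start = hit + 3                         # the fourth 0x10 is a row's left border
    # If the top-left cells were already revealed the marker matches a lower row,
    # so climb while the row above still holds cells (its second byte is not 0x10).
    while start >= ROW_BYTES and dump[start - ROW_BYTES + 1] != 0x10:
        start -= ROW_BYTES
    right = dump.find(b"\x10", start + 1)   # right border of the first cell row
    if right < 0:
        return None
    width = right - start - 1
    rows, mines, r = [], [], 0
    while start + (r + 1) * ROW_BYTES <= len(dump) and dump[start + r * ROW_BYTES + 1] != 0x10:
        cells = dump[start + r * ROW_BYTES + 1:start + r * ROW_BYTES + 1 + width]
        rows.append("".join(CELL.get(b, chr(b - 16) if 0x40 <= b <= 0x48 else "?") for b in cells))
        mines += [(r, c) for c, b in enumerate(cells) if b == 0x8F]
        r += 1
    return rows, mines

# Constructed 9x9 beginner board: three mines, three cells already revealed.
SAMPLE_DUMP = (b"\x00" * 64 + b"MDMP filler" + b"\xcc" * 40
               + make_board(9, 9, [(0, 3), (4, 4), (8, 8)], {(0, 0): 0, (1, 1): 1, (2, 2): 2})
               + b"\x00" * 64)

if __name__ == "__main__":   # pass the path to mine.dmp, or run on the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    found = decode_board(data)
    print("\n".join(found[0]) if found else "Gameboard not found")
```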


3.1 Beginner Level: Recording Your Success (10 pts)

Use the form below to record your success!
Your Name:
Secret Word:

3.2 Intermediate Level (20 pts)

In Minesweeper, click Game, Intermediate.

Create a cheating tool that works for this level and win the game, as shown below.

Hint: Search for 10 10 10 10 to find the gameboard.

Use the form below to record your success!

Your Name:
Secret Word:

3.3 Expert Level (10 pts)

In Minesweeper, click Game, Expert.

Find the secret word for the Expert level.

Hint: use BinText; don't play the game. Download it here:

b2b-download.mcafee.com/products/tools/foundstone/bintext303.zip

Use the form below to record your success!

Your Name:
Secret Word:

Sources

Game Hacking: WinXP Minesweeper

Posted 12-31-18