Minesweeper Reverse #1
Today, I’ll be writing a blog post on the steps that can be taken to reverse-engineer a Minesweeper game. As always, we should first consider how the game works; there should be a clear methodology for understanding its mechanics before we decide how to reverse it. I’m not sure yet how many parts this series will include, but let’s kick things off with small, manageable sections.
Minesweeper Game Setup
First of all, I want to remark that reversing this game is entertaining. I used to play it when I was younger and was always fascinated by how it operated. Let me briefly introduce the game: it’s a simple computer game in which you search a grid for concealed bombs. The grid is made up of many small squares, some of which hide bombs. The aim is to click on every square that does not contain a bomb. When you click on a safe square (one without a bomb), you get a number. This number tells you how many bombs are adjacent to that square, which guides your estimate of where they might be. The game ends if you click on a square that holds a bomb. You win by uncovering every safe square without hitting a bomb.
This is where the Minesweeper game starts, as you can see. The game board is the large area filled with small squares. Some squares are safe and some are dangerous. To win, you need to click on the safe squares and stay away from the bombs. The happy-face button in the middle starts a new game. The number of bombs remaining on the board is shown in red on the left, and the time you have been playing is shown in red on the right. The game may look easy at first, but is it really? We’ll use tools like Cheat Engine, x32dbg, and the free version of IDA (since I don’t have the Pro version) to look into how it works. Because I’m going to try to change the game’s timer, it’s important to understand how pointers, C code, and disassembly work. We need to keep things simple and pay attention to the most important parts. Changing the game’s timer is a good first goal: Cheat Engine will help us find the address that stores the time. Once we know that, we can move on to other goals, like learning how the bombs work.
Cheating the time
Before changing the game’s timer, I’ll test it by clicking on a square. You can see that the timer starts ticking, and there are still ten bombs left. Great! Now we know how it behaves. The goal is to control the timer, but there are a few steps to follow. First, open Cheat Engine and attach it to the game’s process. Then we’ll scan for the value that holds the timer.
Please follow these steps:
First, attach Cheat Engine to the game’s process.
Next, enter the value currently shown on the timer (“10” here) into Cheat Engine’s scan box. The Value Type drop-down has several options (Byte, 2 Bytes, 4 Bytes, 8 Bytes, Float, Double, String, and more), and we don’t yet know how the timer is stored, so we have to pick one. A simple counter like this is most likely a 32-bit integer, so let’s set the value type to ‘4 Bytes’ and see what happens. If the first scan returns too many addresses, wait for the timer to tick and run a Next Scan with the “Increased value” option; only the addresses that went up survive.
As you can see, the value at “minesam.exe+579C” changes every second as the clock ticks, which means we have found the address that holds the time. Let’s dive into it.
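To make the scan-and-narrow procedure concrete, here is an added example (my own code, not part of the original post or of Cheat Engine) that simulates a Cheat Engine “Exact Value” first scan followed by an “Increased value” next scan over two constructed memory snapshots of a fake “minesam.exe” image. The image base 0x01000000, the image size, and every offset other than +579C are assumptions made up for the demo; the timer offset is the one found in the post.

```python
# Added example (not from the original post): a Cheat Engine-style value scan
# against two constructed memory snapshots of a fake "minesam.exe" image.
# Everything here is simulated: the image base (0x01000000), the image size and
# the offsets other than +579C are assumptions made up for the demo.
import struct

MODULE = "minesam.exe"
BASE = 0x01000000          # assumed image base
IMAGE_SIZE = 0x6000        # assumed size of the fake image
TIMER = 0x579C             # the offset found in the post
BOMBS = 0x5194             # made-up offset: bomb counter, which also reads 10
DECOY = 0x1230             # made-up offset: an unrelated 4-byte value that is 10


def build_image(timer: int, bombs: int) -> bytearray:
    """Construct a fake process image with the known dwords placed in it."""
    mem = bytearray(IMAGE_SIZE)
    struct.pack_into("<I", mem, TIMER, timer)
    struct.pack_into("<I", mem, BOMBS, bombs)
    struct.pack_into("<I", mem, DECOY, 10)
    return mem


def read_dword(mem: bytes, offset: int) -> int:
    """Little-endian 4-byte read, the same view CE's '4 Bytes' type gives you."""
    return struct.unpack_from("<I", mem, offset)[0]


def first_scan(mem: bytes, value: int, alignment: int = 4) -> set:
    """Exact-value scan over every aligned 4-byte slot (CE 'Exact Value', '4 Bytes',
    with the default fast-scan alignment of 4)."""
    return {off for off in range(0, len(mem) - 3, alignment)
            if read_dword(mem, off) == value}


def next_scan(candidates: set, old: bytes, new: bytes, mode: str) -> set:
    """Narrow the candidate set with CE's Next Scan comparisons between two snapshots."""
    tests = {
        "increased": lambda a, b: b > a,
        "decreased": lambda a, b: b < a,
        "changed":   lambda a, b: b != a,
        "unchanged": lambda a, b: b == a,
    }
    test = tests[mode]
    return {off for off in candidates
            if test(read_dword(old, off), read_dword(new, off))}


def fmt(offset: int) -> str:
    """Render an offset the way Cheat Engine lists it: module+hexoffset."""
    return f"{MODULE}+{offset:X}"


def find_timer() -> list:
    snap0 = build_image(timer=10, bombs=10)   # timer reads 10, 10 bombs remaining
    hits = first_scan(snap0, 10)              # three hits: timer, bomb count, decoy
    snap1 = build_image(timer=11, bombs=10)   # one second later: only the timer moved
    hits = next_scan(hits, snap0, snap1, "increased")
    return sorted(fmt(h) for h in hits)


if __name__ == "__main__":
    print(find_timer())
```

The first scan alone cannot distinguish the timer from the bomb counter, since both read 10; it is the second snapshot, compared with “increased”, that isolates minesam.exe+579C. The same narrowing works for any counter you can make move on demand.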
To inspect it, right-click the address and choose “Find out what writes to this address”. You will see this:
This image shows a disassembly of the Minesweeper game, where we can see a few lines of low-level code that run when the timer is updated.
Here is the code as shown, followed by an explanation of each part:
inc [minesam.exe+579C]
call minesam.exe+28B5
call minesam.exe+38ED
push 01
ret
push ebp
inc [minesam.exe+579C]: This line increments the value stored at memory address minesam.exe+579C. Since this address holds the time, every time this line executes, the timer value goes up by 1. It operates on a 4-byte value, which agrees with the ‘4 Bytes’ scan we used.
call minesam.exe+28B5 and call minesam.exe+38ED: The call instruction jumps to the function at the given address, runs it, and then comes back to continue where it left off. These calls probably perform related tasks, like redrawing the timer display or checking game conditions.
push 01: The push instruction places a value on the stack (a region of memory used for temporary storage, function arguments and return addresses). Here it pushes the value 1, probably as an argument for a following call or as a flag (like “true”) that tells the callee something about the timer.
ret: Short for “return”. It finishes the current function and jumps back to wherever that function was called from.
push ebp: Another push, this one saving the current value of the ebp register on the stack. It is the usual first instruction of a function (the prologue) that sets up a stack frame for local variables, so this line is most likely the start of the next function rather than part of the timer code.
In simple terms, this code updates the timer in Minesweeper. The inc instruction increases the timer by 1, the call instructions probably update the game display or perform checks, and the push and ret instructions manage the stack and control flow. Understanding this, someone could modify the game’s timer, for example by changing the inc instruction so the timer stops increasing.
That was the code. We can change the inc to dec so the timer decreases instead of increasing; Cheat Engine lets you reassemble an instruction in place from its memory viewer. This is a clean patch because both encodings have the same length: inc dword ptr [addr] is FF 05 followed by the 4-byte address, and dec dword ptr [addr] is FF 0D followed by the same address, so only one byte (the ModRM byte) changes and the instructions around it are untouched. Once you do this, you’ll see the timer value update.
As you can see, instead of counting up from 0 toward 999, the timer is now decreasing into an unexpected value. That is what a 32-bit counter does: if it starts at 0, the first dec wraps it around to 0xFFFFFFFF, which would explain the strange display. Pretty cool! We could use some code to change the timer value dynamically, but our main goal is to focus on the bomb locations.
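Here is an added example (my own code, not from the original post) that does the inc-to-dec patch at the byte level, shows the alternative of nop-ing the instruction out to freeze the timer, and runs the patched bytes through a tiny interpreter to show the 32-bit wraparound behind the “unexpected value”. The code bytes are constructed to mirror the listing above and the image base 0x01000000 is an assumption; only the minesam.exe+579C offset comes from the post.

```python
# Added example (not from the original post): patching the timer's inc into a
# dec (or into nops) at the byte level, and simulating what the patched
# instruction does to the 32-bit counter. The code bytes are constructed for
# the demo and the image base 0x01000000 is an assumption; only the
# minesam.exe+579C offset comes from the post.
import struct

BASE = 0x01000000                 # assumed image base
TIMER_VA = BASE + 0x579C          # absolute address of the seconds counter

# FF /0 disp32 = inc dword ptr [disp32]; FF /1 disp32 = dec dword ptr [disp32].
# mod=00 reg=000 rm=101 -> ModRM 0x05 (inc); mod=00 reg=001 rm=101 -> 0x0D (dec).
INC_MODRM, DEC_MODRM, NOP = 0x05, 0x0D, 0x90
INSN_LEN = 6                      # opcode + ModRM + 4-byte absolute address


def encode_inc_mem(addr: int) -> bytes:
    return bytes([0xFF, INC_MODRM]) + struct.pack("<I", addr)


def encode_dec_mem(addr: int) -> bytes:
    return bytes([0xFF, DEC_MODRM]) + struct.pack("<I", addr)


# Constructed snippet mirroring the listing: inc [timer]; push 1; ret
ORIGINAL_CODE = encode_inc_mem(TIMER_VA) + bytes([0x6A, 0x01, 0xC3])


def find_inc(code: bytes, addr: int) -> int:
    """Offset of `inc dword ptr [addr]` in the code, or -1 if it is not there."""
    return code.find(encode_inc_mem(addr))


def patch_inc_to_dec(code: bytes, addr: int) -> bytes:
    """Flip the ModRM reg field so the same-length instruction decrements instead."""
    off = find_inc(code, addr)
    if off < 0:
        raise ValueError("inc [addr] not found in code")
    patched = bytearray(code)
    patched[off + 1] = DEC_MODRM          # the only byte that changes
    return bytes(patched)


def patch_inc_to_nop(code: bytes, addr: int) -> bytes:
    """Freeze the timer: replace all six bytes with single-byte nops so that
    no following instruction is shifted or cut in half."""
    off = find_inc(code, addr)
    if off < 0:
        raise ValueError("inc [addr] not found in code")
    patched = bytearray(code)
    patched[off:off + INSN_LEN] = bytes([NOP]) * INSN_LEN
    return bytes(patched)


def run_tick(code: bytes, counter: int) -> int:
    """Tiny interpreter for exactly the forms we patch (FF 05/0D disp32 and 90).
    Applies them to `counter` as a 32-bit value; stops at the first other opcode."""
    ip = 0
    while ip < len(code):
        op = code[ip]
        if op == NOP:
            ip += 1
        elif op == 0xFF and code[ip + 1] in (INC_MODRM, DEC_MODRM):
            target = struct.unpack_from("<I", code, ip + 2)[0]
            if target != TIMER_VA:
                raise ValueError(f"unexpected memory operand {target:#x}")
            delta = 1 if code[ip + 1] == INC_MODRM else -1
            counter = (counter + delta) & 0xFFFFFFFF   # 32-bit wraparound
            ip += INSN_LEN
        else:
            break                                      # push 1 / ret: not modelled
    return counter


def demo() -> dict:
    dec_code = patch_inc_to_dec(ORIGINAL_CODE, TIMER_VA)
    nop_code = patch_inc_to_nop(ORIGINAL_CODE, TIMER_VA)
    return {
        "same_length": len(dec_code) == len(ORIGINAL_CODE) == len(nop_code),
        "bytes_changed": sum(a != b for a, b in zip(ORIGINAL_CODE, dec_code)),
        "inc_from_10": run_tick(ORIGINAL_CODE, 10),
        "dec_from_10": run_tick(dec_code, 10),
        "dec_from_0": run_tick(dec_code, 0),       # wraps to 0xFFFFFFFF
        "nop_from_10": run_tick(nop_code, 10),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{name}: {value}")
```

The point of checking the length is the one that matters when patching a live process: a replacement instruction must be no longer than the original, otherwise it overwrites the start of the next instruction (the push 01 here) and the function crashes on its next tick.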
Next part
In the next part, we’ll focus on finding the game board and the bomb array. The goal is to cheat by locating where the bombs are placed in that array. I plan to write a small script to help identify them. See you then!