[News] Minesweeper, Behind the scenes

看板EngTalk (全英文聊天)作者uniserv1002 (uniserv)時間15年前 (2010/12/02 12:06)推噓0(0推 0噓 1→)

留言1則, 1人參與討論串1/1

http://www.codeproject.com/KB/trace/minememoryreader.aspx Step 1 - Investigate winmine.exe If you're not an assembly fan, you might want to skip to the end of this step, to the conclusions.. So, in order to know better what is happening behind the scenes of Minesweeper I've started by opening the file in a debugger. My personally favorite debugger is Olly Debugger v1.08, this is a very simple and intuitive debugger. Anyway, I've open winmine.exe in the debugger and looked a bit on the file. I've found in the Import section (a section that lists all the dll functions that are used in the program) the following entry: 010011B0 8D52C377 DD msvcrt.rand which means that the Minesweeper uses the randomize function of the MicroSoft Visual C RunTime dll, So I thought it might help me. I've search the file to find where the rand() function is being called, I've found only one such place: 01003940 FF15 B0110001 CALL DWORD PTR DS:[<&msvcrt.rand>] Then I've put a breakpoint on this single call and ran the program. I've discovered that every time you click the smiley a new mines map is generated. the mines map is created as follows: 1. Allocate a block of memory for the mines map and set all the memory bytes to 0x0F, which means that there is no mine in that "cell". 2. second, loop over the number of mines and for each mine: 2.1. randomize x position (1 .. width). 2.2. randomize y position (1 .. height). 2.3. set the correct cell in the memory block to 0x8F, which represents a mine in this cell. here is the original code, I've added some remarks, and bolded the important parts: 010036A7 MOV DWORD PTR DS:[1005334],EAX ; [0x1005334] = Width 010036AC MOV DWORD PTR DS:[1005338],ECX ; [0x1005338] = Height 010036B2 CALL winmine.01002ED5 ; Generate empty block of memory and clears it 010036B7 MOV EAX,DWORD PTR DS:[10056A4] 010036BC MOV DWORD PTR DS:[1005160],EDI 010036C2 MOV DWORD PTR DS:[1005330],EAX ; [0x1005330] = number of mines ; loop over the number of mines 010036C7 PUSH DWORD PTR DS:[1005334] ; push Max Width into the stack 010036CD CALL winmine.01003940 ; Mine_Width = randomize x position (0 .. max width-1) 010036D2 PUSH DWORD PTR DS:[1005338] ; push Max Height into the stack 010036D8 MOV ESI,EAX 010036DA INC ESI ; Mine_Width = Mine_Width + 1 010036DB CALL winmine.01003940 ; Mine_Height = randomize y position ; (0 .. max height-1) 010036E0 INC EAX ; Mine_Height = Mine_Height +1 010036E1 MOV ECX,EAX ; calculate the address of the cell in the memory block ; (the map) 010036E3 SHL ECX,5 ; the calculation goes: ; cell_memory_address = 0x1005340 + 32 * height + width 010036E6 TEST BYTE PTR DS:[ECX+ESI+1005340],80 ; [cell_memory_address] == is already mine? 010036EE JNZ SHORT winmine.010036C7 ; if already mine start over this iteration 010036F0 SHL EAX,5 ; otherwise, set this cell as mine 010036F3 LEA EAX,DWORD PTR DS:[EAX+ESI+1005340] 010036FA OR BYTE PTR DS:[EAX],80 010036FD DEC DWORD PTR DS:[1005330] 01003703 JNZ SHORT winmine.010036C7 ; go to next iteration As you can see from the code I've discovered 4 important things: 1.Reading the memory in address [0x1005334] gives me the Width of the map. 2.Reading the memory in address [0x1005338] gives me the Height of the map. 3.Reading the memory in address [0x1005330] gives me the number of mines in the map. 4.Given x,y that represents a cell in the map, in column x, row y, the address [0x1005340 + 32 * y + x] gives me the cell value. -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 114.44.129.186