blocks|key|1543547|text|请查看这篇代码项目文章，它比您提到的博客文章更深入一些。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1543548|http://www.codeproject.com/KB/trace/minememoryreader.aspx|offset|length|1543549|编辑|1543550|这篇文章虽然不是直接关于扫雷器的，但它给了你一个很好的使用WinDbg搜索内存的逐步指南：|1543551|http://www.codingthewheel.com/archives/extracting-hidden-text-with-windbg|1543552|编辑2|1543553|再说一次，这不是关于扫雷，但它确实给了我一些思考的食物，我的内存调试，这里有大量的教程：|1543554|http://memoryhacking.com/forums/index.php|1543555|另外，下载CheatEngine+(+Nick+D提到过)。并完成它附带的教程。|1543556|entityMap|0|LINK|mutability|MUTABLE|url|1|2|3|http://www.cheatengine.org/^0|0|0|1L|0|0|0|0|0|21|1|0|0|0|0|15|2|0|5|B|3|0^^$0|@$1|2|3|4|5|6|7|14|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|15|8|@]|9|@$D|16|E|17|1|18]]|A|$]]|$1|F|3|G|5|6|7|19|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|1A|8|@]|9|@]|A|$]]|$1|J|3|K|5|6|7|1B|8|@]|9|@$D|1C|E|1D|1|1E]]|A|$]]|$1|L|3|M|5|6|7|1F|8|@]|9|@]|A|$]]|$1|N|3|O|5|6|7|1G|8|@]|9|@]|A|$]]|$1|P|3|Q|5|6|7|1H|8|@]|9|@$D|1I|E|1J|1|1K]]|A|$]]|$1|R|3|S|5|6|7|1L|8|@]|9|@$D|1M|E|1N|1|1O]]|A|$]]|$1|T|3|-4|5|6|7|1P|8|@]|9|@]|A|$]]]|U|$V|$5|W|X|Y|A|$Z|C]]|10|$5|W|X|Y|A|$Z|K]]|11|$5|W|X|Y|A|$Z|Q]]|12|$5|W|X|Y|A|$Z|13]]]]

Check out this code project article, it's a little more in depth than the blog post you mentioned.
<a href="http://www.codeproject.com/KB/trace/minememoryreader.aspx" rel="noreferrer">http://www.codeproject.com/KB/trace/minememoryreader.aspx</a>
<h2>Edit</h2>
And this article, although not about minesweeper directly, gives you a good step by step guide on hunting through memory using WinDbg:
<a href="http://www.codingthewheel.com/archives/extracting-hidden-text-with-windbg" rel="noreferrer">http://www.codingthewheel.com/archives/extracting-hidden-text-with-windbg</a>
<h2>Edit 2</h2>
Again, this isn't about minesweeper, but it has definitely given me some food for thought for my memory debugging, there's a wealth of tutorials here:
<a href="http://memoryhacking.com/forums/index.php" rel="noreferrer">http://memoryhacking.com/forums/index.php</a>
Also, download <a href="http://www.cheatengine.org/" rel="noreferrer">CheatEngine</a> (mentioned by Nick D.) and work through the tutorial it comes with.

blocks|key|1543626|text|在调试器中开始跟踪的一个好点是在鼠标打开时。所以找到主窗口过程(我认为像spyxx这样的工具可以检查窗口属性，事件处理程序地址就是其中之一)。打开它并找到它处理鼠标事件的位置--如果您可以在汇编程序中识别它，就会有一个开关(查看windows.h中鼠标打开的WM_XXX值)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1543627|在那里设置一个断点，并开始介入。在您释放鼠标按钮和屏幕更新之间的某个时间，victum将访问您正在寻找的数据结构。|1543628|要有耐心，试着在任何给定的时间确定正在做什么，但不要太深入地查看你怀疑对当前目标毫无兴趣的代码。可能需要在调试器中运行几次才能确定它。|1543629|了解正常的win32应用程序工作流程也会有所帮助。|1543630|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|J|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|K|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|L|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|M|8|@]|9|@]|A|$]]|$1|H|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|I|$]]

A good point to start tracing in debugger would be on mouse up. So find main window procedure (I think tools like spyxx can inspect windows properties and event handler address is one of them). Break in to it and find where it handles mouse events -- there will be a switch, if you can recognize it in assembler (look at value of WM_XXX for mouse up in windows.h).

Put a breakpoint there and start stepping in. Somewhere between the time you released mouse button and screen being updated the victum will access the datastructure you are looking for.

Be patient, try to identify what is being done at any given time, but don't bother looking too deep into code you suspect of being uninteresting for your current objective. It might take several runs in debugger to nail it down.

Knowledge of normal win32 applications workflow helps too.

blocks|key|1543770|text|看起来您正在尝试反汇编源代码，但您需要做的是查看正在运行的程序的内存空间。十六进制编辑器HxD有一个特性可以让你做到这一点。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1543771|​|1543772|📷|atomic|1543773|一旦进入内存空间，就需要在摆弄电路板的同时对内存进行快照。当你认为你已经掌握了十六进制内存中数据结构的句柄时，试着在内存中编辑它，看看电路板是否会因此而改变。|1543774|您想要的过程与为视频游戏构建“培训师”没有什么不同。这些通常是基于找出健康和弹药等价值在记忆中的位置，并在飞行中改变它们。你也许能找到一些关于如何构建游戏训练器的好的教程。|1543775|entityMap|0|LINK|mutability|MUTABLE|url|http://mh-nexus.de/en/hxd/|1|IMAGE|IMMUTABLE|imageUrl|https://ask.qcloudimg.com/http-save/yehe-900000/948d44f2c225871c0efeb77742997623.png|imageAlt^0|18|3|0|0|0|0|1|1|0|0|0^^$0|@$1|2|3|4|5|6|7|10|8|@]|9|@$A|11|B|12|1|13]]|C|$]]|$1|D|3|E|5|6|7|14|8|@]|9|@]|C|$]]|$1|F|3|G|5|H|7|15|8|@]|9|@$A|16|B|17|1|18]]|C|$]]|$1|I|3|J|5|6|7|19|8|@]|9|@]|C|$]]|$1|K|3|L|5|6|7|1A|8|@]|9|@]|C|$]]|$1|M|3|-4|5|6|7|1B|8|@]|9|@]|C|$]]]|N|$O|$5|P|Q|R|C|$S|T]]|U|$5|V|Q|W|C|$X|Y|Z|-4]]]]

It seems like you are trying to disassemble the source but what you need to do is look at the memory space of the running program. The hex editor <a href="http://mh-nexus.de/en/hxd/" rel="nofollow noreferrer">HxD</a> has a feature that lets you just that.

<a href="https://i.stack.imgur.com/aFVjt.png" rel="nofollow noreferrer"><img src="https://i.stack.imgur.com/aFVjt.png" alt="http://www.freeimagehosting.net/uploads/fcc1991162.png"></a>


Once you're in the memory space, it is a matter of taking snapshots of the memory while you mess around with the board. Isolate what changes versus what doesn't. When you think you have a handle on where the data structure lies in hex memory, try editing it while it is in memory and see if the board changes as a result.

The process you want is not unlike building a 'trainer' for a video game. Those are usually based on finding where values like health and ammo live in memory and changing them on the fly. You may be able to find some good tutorials on how to build game trainers.

blocks|key|1328563|text|这些矿可能会被存储在某种二维数组中。这意味着它要么是指针数组，要么是布尔值的单个C样式数组。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1328564|每当窗体接收到鼠标释放事件时，都会引用此数据结构。索引将使用鼠标坐标计算，可能使用整数除法。这意味着您可能应该寻找偏移量或类似的指令，其中一个操作数是使用cmp和x计算的，其中x是涉及整数除法的计算结果。然后，偏移量将是指向数据结构开头的指针。|offset|length|style|CODE|1328565|entityMap^0|0|25|3|29|1|2G|1|0^^$0|@$1|2|3|4|5|6|7|J|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|K|8|@$D|L|E|M|F|G]|$D|N|E|O|F|G]|$D|P|E|Q|F|G]]|9|@]|A|$]]|$1|H|3|-4|5|6|7|R|8|@]|9|@]|A|$]]]|I|$]]

The mines will probably be stored in some kind of two-dimensional array. This means that it is either an array of pointers or a single C style array of booleans.

Whenever the form receives a mouse-up event this data structure is referenced. The index will be calculated using the mouse coordinate, probably using integer division. That means that you should probably look for a <code>cmp</code> or a similar instruction, where one of the operands is computed using an offset and <code>x</code>, where <code>x</code> is the result of a calculation involving integer division. The offset will then be the pointer to the beginning of the data structure.

blocks|key|1543895|text|假设关于地雷的信息至少是针对行的连续布局在内存中是相当合理的(即它是一个2D数组，或者是一个数组的数组)。因此，我会尝试在同一行中打开几个相邻的单元，在执行过程中进行内存转储，然后对它们进行比较，并在相同的内存区域中查找任何重复的更改(例如，第一步更改1个字节，下一步更改为完全相同的值，依此类推)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1543896|也有可能它是一个压缩位数组(每个矿3位应该足以记录所有可能的状态-关闭/打开，矿/无矿，已标记/未标记)，所以我也会注意这一点(模式也是可重复的，尽管更难识别)。但这不是一个方便的结构，我不认为内存使用是扫雷的瓶颈，所以这类东西不太可能被使用。|1543897|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

It is fairly reasonable to assume that information about mines is layed out contiguously in memory at least for rows (i.e. it's a 2D-array, or an array-of-arrays). Thus, I would try opening several adjacent cells in the same row, making memory dumps of the process as I go, and then diff them and look for any repeating changes in the same memory region (i.e. 1 byte changed on first step, the next byte changed to exact same value on the next step, etc).

There's also possibility that it's a packed bit array (3 bits per mine should be sufficient to record all possible states - closed/open, mine/no-mine, flagged/non-flagged), so I'd look out for that too (the patterns would also be repeatable, though harder to spot). But it's not a convenient structure to deal with, and I don't think memory usage was a bottleneck for Minesweeper, so it is unlikely that this sort of thing would be used.

blocks|key|1543922|text|在Uninformed上可以找到一篇关于这个主题的很好的文章。它涵盖了反向扫雷(作为反向工程Win32应用程序的介绍)的非常详细的内容，并且围绕着一个非常棒的资源。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1543923|entityMap|0|LINK|mutability|MUTABLE|url|http://uninformed.org/?v=all&a=7^0|1|A|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

A pretty good article on this very topic can be found at <a href="http://uninformed.org/?v=all&amp;a=7" rel="noreferrer">Uninformed</a>. It covers reversing Minesweeper (as an introduction to reverse engineering Win32 apps) in pretty great detail and is all around a pretty great resource.

blocks|key|1328714|text|虽然不是严格意义上的“逆向工程工具”，甚至像我这样的笨蛋也可以使用更多的玩具，但请查看Cheat+Engine。它使得跟踪内存的哪些部分、何时发生了变化变得很容易，甚至还提供了通过指针跟踪发生变化的内存部分的功能(尽管您可能不需要这样做)。其中包含了一个很好的交互式教程。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1328715|entityMap|0|LINK|mutability|MUTABLE|url|http://www.cheatengine.org/^0|17|C|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

While not strictly a "reverse engineer's tool", and more of a toy even an idiot like me could use, check out <a href="http://www.cheatengine.org/" rel="nofollow noreferrer">Cheat Engine</a>. It makes it somewhat easy to track what parts of memory have changed, when, and even has provisions for tracking the changed memory parts through pointers (though you probably don't need that). A nice interactive tutorial is included.

I'm trying to learn about reverse engineering, using Minesweeper as a sample application. I've found this <a href="http://blogs.msdn.com/debuggingtoolbox/archive/2007/03/28/windbg-script-playing-with-minesweeper.aspx" rel="noreferrer">MSDN article</a> on a simple WinDbg command that reveals all the mines but it is old, is not explained in any detail and really isn't what I'm looking for.

I have <a href="http://www.hex-rays.com/idapro/" rel="noreferrer">IDA Pro disassembler</a> and the <a href="http://www.microsoft.com/whdc/devtools/debugging/installx86.Mspx" rel="noreferrer">WinDbg debugger</a> and I've loaded winmine.exe into both of them. Can someone provide some practical tips for either of these programs in terms of finding the location of the data structure that represents the mine field?

In WinDbg I can set breakpoints, but it is difficult for me to imagine at what point to set a breakpoint and at what memory location. Similarly, when I view the static code in IDA Pro, I'm not sure where to even begin to find the function or data structure that represents the mine field.

Are there any Reverse Engineers on Stackoverflow that can point me in the right direction?

How can I find the data structure that represents mine layout of Minesweeper in memory?

数据结构

调试器

我正在尝试学习反向工程，使用Minesweeper作为示例应用程序。我在一个简单的WinDbg命令中找到了这个，它显示了所有的地雷，但它很旧，没有详细解释，真的不是我要找的。我有和，并且我已经将winmine.exe加载到这两个文件中。有人能为这两个程序中的任何一个提供一些实用的技巧来查找表示雷区的数据结构的位置吗？在...

问如何在内存中找到代表扫雷布局的数据结构？
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何在内存中找到代表扫雷布局的数据结构？EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何在内存中找到代表扫雷布局的数据结构？
EN