[Windbg Script] Playing with Minesweeper

First, this script is not really about cheating. It does that with Minesweeper, but there are several other approaches that use a few more bytes and do a better job of fooling the application.

However, the point here is to show you how powerful the debugger is or, more precisely, the power you have when you know how to use the debugger.


When working on “just for fun” scripts, I don’t use source code access or symbols. I just use raw disassembled code. I do this to improve my assembly skills; by improving my assembly reading I can identify common patterns and their meanings. Moreover, I can try to figure out the possible source code. It helps me a lot during my daily work. Thus, if you want to improve your assembly skills this is a good and fun approach.


The script presented below is one I categorize as a “just for fun” script. I won’t tell you what it does: you’ll need to find out by yourself. 🙂


Just load Minesweeper on Windows XP SP 2, attach the debugger to it, run the script, and then create a New Game.

You don’t need symbols!


It’s fun! I hope you enjoy it.







$$ =======================================================================================

$$ Displays all hidden bombs (from Minesweeper :)). 


$$ Compatibility: Win32, specific for Windows XP SP2.


$$ Usage: $$>< to run the program.


$$ Roberto Alexis Farah

$$ Blog: http://blogs.msdn.com/debuggingtoolbox/


$$ All my scripts are provided “AS IS” with no warranties, and confer no rights.

$$ =======================================================================================


eb poi(@$peb+0x8)+0x36fa c6 00 8a

$$ =============================================================================


Read me.

Comments (17)

  1. Emilio Meira says:

    Oh… my… GOD!!!! 😀

    Ok, maybe I’m overreacting, maybe some of the readers of this Blog are so "bit brushers" that may not be as impressed as I am, but it’s worth mentioning that we’re talking about just ONE LINE OF CODE!!!! :O

    This is not the first time I see it: about two years ago, I had the great privilege of attending a course delivered by him… we were on one of those labs that nobody wants to do, so he decided to show us some tricks: he created "on the fly" a small C# program with a hard-coded string and got to retrieve the string using disassembly… amazing!!!

    Congratulations, Farah!!! Keep the excellent quality of the Blog, both here and on LATAM!!!



  2. Joao Delinger de Souza says:

    This is really cool. It motivates me to go back and start debugging again and learn more about assembly.

    I am also glad to say that I had the opportunity to work with Roberto at Microsoft and the guy rocks.

    He even has a binary clock in his cube. That is right. This guy will tell you the time in binary 🙂

    Congrats Farah! Keep doing the great work you always do.


  3. Erico Andrei says:

    Ok, this was so great you deserve it…

    Man, you are the alpha geek of our social circle.

    Now, to beat you in coolness, I’ll have to find a clever way to cheat on Halo using only sticks and stones

    Good to hear from you!


  4. Vedala says:

    It’d be great if you could give us list of books sitting on your bookshelf.

  5. Chris Conner says:

    I get memory access denied on Windows Vista. Is there something you have to do to have this work on Windows Vista?

  6. Hi Chris, sorry for the late answer.

    Yes, on Vista you need to enable things.

    Check this out:

    How to create a user-mode process dump file in Windows Vista


    However, keep in mind this script is not going to work on Minesweeper running on any OS other than Windows XP SP2. This happens because I change the binary code in memory. It’s like a surgery. 🙂

  7. There are circumstances where taking a dump is not possible or simply not convenient; imagine a situation

  9. Jim says:

    Very cool.

    Try the !peb command to see what $peb is about.

    poi(@$peb+0x8) is this:

    ImageBaseAddress:         01000000

    eb poi(@$peb+0x8)+0x36fa c6 00 8a

    Changes this instruction:

    or      byte ptr [eax],80h

    to this:

    mov     byte ptr [eax],8Ah


    eb poi(@$peb+0x8)+0x36fa c6 00 8d

    It saves you from doing all the right clicks on the mines.

  10. Jim says:

    I meant to say:

    eb poi(@$peb+0x8)+0x36fa c6 00 8e

    to mark all mines with flags automatically.

  11. I haven’t tested it yet, but it seems to be pretty cool! 🙂

    Thanks for posting.

  12. Jim says:

    Thanks for the view behind the scenes, I’ve been playing around with winmine some more.

    It looks like the playing board is at "winmine!rgBlk+20" if you want to edit the playing board directly.  Just minimize and restore to make it redraw.  You need the symbols for that I think.

    Bits [3..0] decide the picture:

    1-8 – draws 1 – 8

    9   – question mark, depressed

    a   – mine

    b   – X’ed mine

    c   – red bkgd mine. (game over one)

    d   – question mark

    e   – flag

    f   – blank tile

    Then the upper bits modify the tile:

    10h  – start or end or no draw

    40h  – clicked / cleared tile

    80h  – this bit indicates a mine is under that tile.

    Each row uses 32 bytes, regardless of how wide it is, and starts and ends with 10h.
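The one-line patch and the tile encoding from the comments above, tied together in an added example (not code from the post or its commenters). It decodes both 3-byte instructions and shows what each leaves on a constructed board. Assumptions: untouched tiles hold 0Fh, the dump starts at the first playing row, and the original instruction's bytes (80 08 80) are derived from the x86 encoding of the disassembly quoted above rather than taken from the page.

```python
ROW_STRIDE = 32                      # bytes per row, whatever the board width
BORDER, CLEARED, MINE = 0x10, 0x40, 0x80
PICTURES = {0x9: "question mark, depressed", 0xA: "mine", 0xB: "X'ed mine",
            0xC: "red background mine", 0xD: "question mark",
            0xE: "flag", 0xF: "blank tile"}
PICTURES.update({n: str(n) for n in range(1, 9)})
# x86 encodings: 80 /1 ib = OR r/m8,imm8 ; C6 /0 ib = MOV r/m8,imm8
ORIGINAL = bytes.fromhex("800880")   # or  byte ptr [eax],80h
PATCHED = bytes.fromhex("c6008a")    # mov byte ptr [eax],8Ah (the script's bytes)

def decode_store(code):
    """Decode the two 3-byte forms discussed, both addressing byte ptr [eax]."""
    opcode, modrm, imm = code
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if (mod, rm) != (0, 0):
        raise ValueError("only byte ptr [eax] is handled here")
    if (opcode, reg) == (0x80, 1):
        return "or", imm
    if (opcode, reg) == (0xC6, 0):
        return "mov", imm
    raise ValueError("unsupported encoding")

def store(code, tile):
    """Tile byte after the instruction runs on it."""
    op, imm = decode_store(code)
    return tile | imm if op == "or" else imm

def build_dump(width, height, mines, code):
    """Constructed board: blank tiles (0Fh, assumed), `code` run at each mine."""
    dump = bytearray(ROW_STRIDE * height)
    for y in range(height):
        base = y * ROW_STRIDE
        dump[base] = dump[base + width + 1] = BORDER
        for x in range(width):
            dump[base + 1 + x] = store(code, 0x0F) if (x, y) in mines else 0x0F
    return bytes(dump)

def visible(dump, height):
    """Picture drawn for each tile: low nibble only, rows delimited by 10h."""
    board = []
    for y in range(height):
        row = dump[y * ROW_STRIDE:(y + 1) * ROW_STRIDE]
        if row[0] != BORDER:
            raise ValueError(f"row {y} does not start with 10h")
        tiles = row[1:row.index(BORDER, 1)]
        board.append([PICTURES.get(t & 0x0F, "unlisted") for t in tiles])
    return board

if __name__ == "__main__":
    for code in (ORIGINAL, PATCHED):
        print(decode_store(code), visible(build_dump(3, 2, {(1, 0)}, code), 2))
```

With the original `or`, the mine bit is set but the low nibble stays 0Fh, so the tile still draws as blank; the patched `mov` overwrites the whole byte, which is why the immediate has to carry both the 80h mine bit and the picture nibble.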

  13. I must tell you I never expected this post was going to be viewed so much. I just read your comment and I have just one thing to say:  Wow!!! 🙂

    For one of my future articles I was planning to reuse Minesweeper, but based on your comment and others above I don’t think it’s going to have the fun factor anymore. 😉

    You guys decoded it!

  14. Jim says:

    Maybe do something on debug extensions?

    I made up one to generate characters on the board with mines. Check it out here:


    Anyway, that was a lot of fun hacking around with minesweeper thanks to one line.

  15. Wow! 🙂 I loved this video! Really! I do agree with you, too, this is a lot of fun! 🙂

  16. Hello, this is d99. In the previous entry in this series we got as far as verifying that the debugger (windbg.exe) works. As announced, let's continue by debugging Notepad. – Prerequisites 1) Debugging