24 Apr 09

[C++] :Minesweeper: Toggle Timer

Local call from MainWndProc+1A3
winmine.DoTimer

01002FE0 w>/$  833D 64510001 00  CMP DWORD PTR DS:[fTimer],0
01002FE7       74 1E             JE SHORT winmine.01003007
01002FE9   |.  813D 9C570001 E70>CMP DWORD PTR DS:[cSec],3E7
01002FF3   |.  7D 12             JGE SHORT winmine.01003007
01002FF5       FF05 9C570001     INC DWORD PTR DS:[cSec]
01002FFB   |.  E8 B5F8FFFF       CALL winmine.DisplayTime
01003000   |.  6A 01             PUSH 1
01003002   |.  E8 E6080000       CALL winmine.PlayTune
01003007   \>  C3                RETN

At 0x01002FE7 there is a JE that acts on the preceding CMP, which checks whether the game is running (fTimer != 0). If fTimer is zero, the jump is taken and the increment of cSec is skipped.
There are many ways to effectively remove the timer; I have done it by changing the opcode of the JE (0x74) to that of a short unconditional jump, 0xEB.

#include <windows.h>

bool TimerCheat = false;

/* Flip the JE (0x74) at 0x01002FE7 to JMP SHORT (0xEB), or restore it; the rel8 operand is left as-is. */
void ToggleTimerCheat()
{
	BYTE *ori_JE = (BYTE*) 0x01002FE7;        /* opcode byte of the JE inside winmine.DoTimer */
	BYTE JMP = TimerCheat ? 0x74 : 0xEB;      /* already patched -> restore JE, otherwise patch to JMP */
	DWORD dwProtection;
	/* The code page is not writable, so it must be unprotected for the single-byte write. */
	if(!VirtualProtect(ori_JE, 1, PAGE_EXECUTE_READWRITE, &dwProtection))
		return;
	*ori_JE = JMP;
	VirtualProtect(ori_JE, 1, dwProtection, &dwProtection);
	FlushInstructionCache(GetCurrentProcess(), ori_JE, 1);
	TimerCheat = !TimerCheat;
}

The above code enables or disables the patch depending on the current value of the bool TimerCheat.
After the first call the timer no longer increases, and DoTimer should look like this:

01002FE0 w>/$  833D 64510001 00  CMP DWORD PTR DS:[fTimer],0
01002FE7       EB 1E             JMP SHORT winmine.01003007
01002FE9   |.  813D 9C570001 E70>CMP DWORD PTR DS:[cSec],3E7
01002FF3   |.  7D 12             JGE SHORT winmine.01003007
01002FF5       FF05 9C570001     INC DWORD PTR DS:[cSec]
01002FFB   |.  E8 B5F8FFFF       CALL winmine.DisplayTime
01003000   |.  6A 01             PUSH 1
01003002   |.  E8 E6080000       CALL winmine.PlayTune
01003007   \>  C3                RETN
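The whole change is a single opcode byte, which is exactly what an integrity check of DoTimer can look for. The following is an added example, not code from the original post: it embeds the bytes of DoTimer transcribed from the listing above, reports the first byte of a copy of that region that no longer matches, and decodes where the short jump at 0x01002FE7 lands. The "live" copy is simulated with a local buffer rather than read from winmine.exe.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Known-good bytes of winmine.DoTimer (0x01002FE0..0x01003007), transcribed from the listing above. */
#define DOTIMER_BASE 0x01002FE0u
#define JE_OFFSET    7   /* 0x01002FE7 - DOTIMER_BASE: the JE that ToggleTimerCheat overwrites */
static const uint8_t DOTIMER_CLEAN[] = {
    0x83,0x3D,0x64,0x51,0x00,0x01,0x00,                 /* CMP DWORD PTR [fTimer],0 */
    0x74,0x1E,                                          /* JE SHORT 01003007        */
    0x81,0x3D,0x9C,0x57,0x00,0x01,0xE7,0x03,0x00,0x00,  /* CMP DWORD PTR [cSec],3E7 */
    0x7D,0x12,                                          /* JGE SHORT 01003007       */
    0xFF,0x05,0x9C,0x57,0x00,0x01,                      /* INC DWORD PTR [cSec]     */
    0xE8,0xB5,0xF8,0xFF,0xFF,                           /* CALL DisplayTime         */
    0x6A,0x01,                                          /* PUSH 1                   */
    0xE8,0xE6,0x08,0x00,0x00,                           /* CALL PlayTune            */
    0xC3                                                /* RETN                     */
};
#define DOTIMER_LEN (sizeof DOTIMER_CLEAN)

/* Offset of the first byte that differs from the known-good image; -1 if intact, -2 on bad length. */
long first_patched_offset(const uint8_t *mem, size_t len) {
    if (len != DOTIMER_LEN) return -2;
    for (size_t i = 0; i < len; i++)
        if (mem[i] != DOTIMER_CLEAN[i]) return (long)i;
    return -1;
}

/* Absolute target of the two-byte short jump (Jcc/JMP rel8) at `off`: next address plus signed rel8. */
uint32_t short_jump_target(const uint8_t *mem, size_t off) {
    return DOTIMER_BASE + (uint32_t)off + 2 + (uint32_t)(int8_t)mem[off + 1];
}

/* 0 = JE (0x74) intact; 1 = rewritten to JMP SHORT (0xEB), so cSec never advances; 2 = other. */
int timer_jump_state(const uint8_t *mem) {
    return mem[JE_OFFSET] == 0x74 ? 0 : mem[JE_OFFSET] == 0xEB ? 1 : 2;
}

/* Stand-in for reading the region back from the process: a copy with the toggle's one-byte change. */
const uint8_t *simulate_toggle(void) {
    static uint8_t live[DOTIMER_LEN];
    memcpy(live, DOTIMER_CLEAN, DOTIMER_LEN);
    live[JE_OFFSET] = 0xEB;
    return live;
}

int main(void) {
    const uint8_t *live = simulate_toggle();
    printf("first diff at offset %ld, state %d, jump -> %08X\n", first_patched_offset(live, DOTIMER_LEN),
           timer_jump_state(live), (unsigned)short_jump_target(live, JE_OFFSET));
    return 0;
}
```

Both the JE and the later JGE resolve to the RETN at 0x01003007, which is why the patched function returns without ever touching cSec.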