alperaktasm's Heaven's Gate & Impossible Disassembly

Author:
alperaktasm

Language:
C/C++

Upload:
2024-02-06 13:30

Download

Platform:
Windows

Difficulty:
2.5

Quality:
3.5

Arch:
x86

Downloads:
7

Writeups:
0

Comments:
12

Description

This contains heaven's gate and impossible disassembly techniques. Very basic crypto challenge.

Comments (12)
Writeups (0)

You must be logged in to post a comment

cnathansmith on 2024-02-07 21:27: I don't quite understand this challenge. There doesn't appear to be any way to supply input, and all of the codebase seems to be reached

alperaktasm on 2024-02-07 22:56: this challenge was created to fully understand the impossible disassembly and heaven's gate techniques. If you think you understand the techniques, you can solve it easily.

nightxyz on 2024-02-12 10:13: [Click to reveal]

nightxyz on 2024-02-12 10:22: [Click to reveal]

rrookie on 2024-02-19 22:59: Don't get it, is the result of this the flag? 3: bf 68 31 15 00 mov edi,0x153168 8: 81 f7 74 79 65 68 xor edi,0x68657974

nightxyz on 2024-02-20 00:57: @rrookie Yes,0x153168 is address of flag data which begins just after "did you capture the flag" message. It is xor'ed with 0x68657974 value four by four.

Programista on 2024-02-20 18:15: Hello everyone. I'm writing with a question because I'm interested in this crackme because it's my first contact with Heaven's Gate and yesterday I spent about 5 or 6 hours on it. I learned a little about it from the internet. And my question is: To find the flag, do I need to convert the code after the instructions: push 33 call $+5 add albod ptr ss:[esp],5 ret far for x64 assembler is this the wrong way and it would be nice if you could get a short description of what to look for where, because it will allow you to learn how to analyze programs containing Heaven's Gate and may be useful for future users. |

nightxyz on 2024-02-20 21:31: @Programista After your code snippet, Process enters 64-bit mode and your debugger doesn't follow it. After the "ret far" command, there is a code snippet which ends with "ret far" again. The codes in between are 64-bit instructions. To decode it easily, copy that code hex equivalent and paste it to online x64 disassembler. For example this online disassembler : https://defuse.ca/online-x86-assembler.htm Hint : EB instruction jumps next byte in 64-bit mode as you will see in online disassembler. So, delete EB and redisassemble it. Also search on this site with name "heaven" and there are two other heaven's gate related crackmes which has solution on it.

rrookie on 2024-02-20 22:19: @nightxyz Still don't quite get it. I see what you're saying, but 'bf 68 31 15 00' will do an immediate load of the value 0x153168 to rdi (not the value from the pointer 0x153168). And where is the code that xor's the values four by four? Don't recognize any loop in the x64 code.

nightxyz on 2024-02-21 08:16: @rrookie You are right, there is no loop. Only four characters are loaded. As you see, there is no print function also. I dedoded rest of the bytes with same xor value by manually. I thought that author wants this secret message.

cnathansmith on 2024-02-22 14:31: I don't know if there are other debuggers that handle it well, but WinDbg is generally your best bet when dealing with architecture jumping. It's designed to seamlessly handle it to make sure it can follow WoW transitions

1337ReverseEngineer on 2024-03-16 11:40: Nice crackme. So guys basically when you decompile it as 64 bit, the first mov tells you the address of the flag in memory, and the xor instruction is a hint that you got to xor the flag to get the real flag.

Show all spoilers

You must be logged in to submit a writeup

crackmes.one

crackmes.one

alperaktasm's Heaven's Gate & Impossible Disassembly