cnathansmith on 9:27 PM 02/07/2024: I don't quite understand this challenge. There doesn't appear to be any way to supply input, and all of the codebase seems to be reached
alperaktasm on 10:56 PM 02/07/2024: This challenge was created to fully understand the impossible disassembly and Heaven's Gate techniques. If you think you understand the techniques, you can solve it easily.
nightxyz on 10:13 AM 02/12/2024: ZAYOTEM
nightxyz on 10:22 AM 02/12/2024: ZAYOTEM{r3v3r53_3n61n33r}eyt
rrookie on 10:59 PM 02/19/2024: Don't get it, is the result of this the flag?
3: bf 68 31 15 00 mov edi,0x153168
8: 81 f7 74 79 65 68 xor edi,0x68657974
nightxyz on 12:57 AM 02/20/2024: @rrookie Yes, 0x153168 is the address of the flag data, which begins just after the "did you capture the flag" message. It is XOR'ed with the 0x68657974 value four bytes by four bytes.
Programista on 6:15 PM 02/20/2024: Hello everyone.
I'm writing with a question because I'm interested in this crackme: it's my first contact with Heaven's Gate, and yesterday I spent about 5 or 6 hours on it. I learned a little about it from the internet. My question is: to find the flag, do I need to convert the code after the instructions:
push 33
call $+5
add dword ptr ss:[esp],5
ret far
to x64 assembly? Is this the wrong way? It would be nice to get a short description of what to look for and where, because it will let people learn how to analyze programs containing Heaven's Gate and may be useful for future users.
nightxyz on 9:31 PM 02/20/2024: @Programista After your code snippet, the process enters 64-bit mode and your debugger doesn't follow it. After the "ret far" instruction there is a code snippet which ends with "ret far" again. The code in between is 64-bit instructions. To decode it easily, copy that code's hex equivalent and paste it into an online x64 disassembler. For example, this online disassembler: https://defuse.ca/online-x86-assembler.htm
Hint: the EB instruction jumps to the next byte in 64-bit mode, as you will see in the online disassembler. So delete EB and redisassemble it.
Also search this site for the name "heaven"; there are two other Heaven's Gate related crackmes which have solutions on them.
rrookie on 10:19 PM 02/20/2024: @nightxyz Still don't quite get it. I see what you're saying, but 'bf 68 31 15 00' will do an immediate load of the value 0x153168 into rdi (not the value from the pointer 0x153168).
And where is the code that XORs the values four by four?
I don't recognize any loop in the x64 code.
nightxyz on 8:16 AM 02/21/2024: @rrookie You are right, there is no loop. Only four characters are loaded. As you see, there is also no print function. I decoded the rest of the bytes with the same XOR value manually. I thought that the author wants this secret message.
cnathansmith on 2:31 PM 02/22/2024: I don't know if there are other debuggers that handle it well, but WinDbg is generally your best bet when dealing with architecture jumping. It's designed to handle it seamlessly, so it can follow WoW transitions.
1337ReverseEngineer on 11:40 AM 03/16/2024: Nice crackme. So guys, basically when you disassemble it as 64-bit, the first mov tells you the address of the flag in memory, and the xor instruction is a hint that you've got to XOR the flag to get the real flag.
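The manual "same XOR value, four bytes at a time" decoding that nightxyz and 1337ReverseEngineer describe, written out as an added example (not code from the crackme or from anyone in this thread). It assumes the flag region is a NUL-terminated ASCII string; the sample bytes are constructed here by encoding the posted flag with the key, not dumped from the binary.

```python
import struct

# `xor edi, 0x68657974` XORs one little-endian dword, so in memory order the
# key bytes are 74 79 65 68 ('t','y','e','h'), not 68 65 79 74.
XOR_KEY = 0x68657974
KEY_BYTES = struct.pack("<I", XOR_KEY)


def xor_region(data: bytes, key_bytes: bytes = KEY_BYTES) -> bytes:
    """Apply the dword XOR across a whole region: byte i against key byte i % 4.

    This is the same as repeating the stub's single `xor edi, imm32` over
    every dword of the region; a trailing partial dword just uses the
    leading key bytes, so odd-length regions are handled too.
    """
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))


def recover_flag(region: bytes, key_bytes: bytes = KEY_BYTES) -> str:
    """Decode the region and stop at the first NUL.

    Bytes past the string terminator XOR to plain key bytes, so decoding a
    fixed-size dump without stopping shows junk after the closing brace.
    """
    decoded = xor_region(region, key_bytes)
    end = decoded.find(b"\x00")
    if end != -1:
        decoded = decoded[:end]
    return decoded.decode("ascii")


# Constructed sample standing in for a dump at 0x153168: the flag as posted,
# XOR-encoded with the key, followed by its NUL terminator and some filler.
FLAG = "ZAYOTEM{r3v3r53_3n61n33r}"
SAMPLE_REGION = xor_region(FLAG.encode("ascii") + b"\x00\x00\x00")

if __name__ == "__main__":
    print(recover_flag(SAMPLE_REGION))
```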