
Www Kkmoom Com Pc Rar //free\\ | 2K 2025 |

# 2. Download the archive (the original link no longer works, but the file
#    is available in the CTF’s public release repository)
wget https://example-ctf.org/files/kkmoom_pc.rar -O pc.rar

import pefile

def extract_first_stage(pe_path):
    pe = pefile.PE(pe_path)
    # These RVAs were discovered manually; they are constant for the challenge
    packed_rva = 0x403000
    packed_size = 0x2000  # 8 KiB – enough to cover the blob
    off = pe.get_offset_from_rva(packed_rva)
    return pe.__data__[off:off + packed_size]

#!/usr/bin/env python3
# kkmoom_pc_writeup.py
# -------------------------------------------------------------
# 1️⃣ Extract the .rar → pc.exe
# 2️⃣ Dump the first‑stage packed payload (RVA 0x403000)
# 3️⃣ Decompress it with the custom LZ‑type routine
# 4️⃣ Dump the second‑stage PE (payload.bin)
# 5️⃣ Locate the encrypted blob and XOR key in .rdata
# 6️⃣ Decrypt → flag
# -------------------------------------------------------------

dd if=pc.exe bs=1 skip=$((0x00120000)) count=$((0x00002000)) \
   of=payload.packed

Using the disassembled LZ‑type routine we can implement a re‑creation of the algorithm in Python (the routine uses a 12‑bit sliding window with a flag byte controlling literal vs. copy).

FLAGr4r_1s_n0t_just_a_r4r_f1l3

That is the flag. Below is a single‑script solution that goes from the original pc.rar to the flag, using only open‑source tools:

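# dd does not read 0x-prefixed values as hex, so the counts go through $(( )) as well
dd if=payload.bin bs=1 skip=$((0x00406000-0x400000)) count=$((0x100)) \
   of=encrypted.bin
dd if=payload.bin bs=1 skip=$((0x00407000-0x400000)) count=$((0x0C)) \
   of=key.bin

#!/usr/bin/env python3
# Repeating-key XOR: ciphertext byte i is XORed with key byte i mod len(key)
with open('encrypted.bin', 'rb') as f:
    enc = f.read()
with open('key.bin', 'rb') as f:
    key = f.read()
out = bytes(enc[i] ^ key[i % len(key)] for i in range(len(enc)))
print(out.decode())

Running the script prints: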

The buffer buf is filled from an encrypted static array (encrypted) using a XOR key that lives in the .rdata section.

5.4. Dump the encrypted blob & the key

Encrypted data location (r2):

[0x00401000]> s 0x00406000   # (example address)
[0x00406000]> pd 20
# → .rdata: 0x100 bytes = encrypted payload
