Www Kkmoom Com: Pc Rar ((hot))
```python
def extract_first_stage(pe_path):
    import pefile
    pe = pefile.PE(pe_path)
    # These RVAs were discovered manually; they are constant for the challenge
    packed_rva = 0x403000
    packed_size = 0x2000  # 8 KiB – enough to cover the blob
    off = pe.get_offset_from_rva(packed_rva)
    return pe.__data__[off:off + packed_size]
```
```python
if __name__ == '__main__':
    packed = open('payload.packed', 'rb').read()
    unpacked = decompress(packed)  # decompress(): the re‑implemented LZ routine of the packer
    open('payload.bin', 'wb').write(unpacked)
```

Running the script produces payload.bin (~13 KB). The file starts with a PE header again – the packer is nested: the decompressed payload is a second PE executable.

5. Second‑Stage PE – The Real Target

```
file payload.bin
# payload.bin: PE32 executable (GUI) Intel 80386, for MS Windows
```

We repeat the same analysis steps on payload.bin.

5.1. Quick string hunt

```
strings -a -n 5 payload.bin | grep -i flag
# → No direct flag string, but we see:
# "You think this is easy? Think again."
```

5.2. Import Table inspection

```
r2 -A payload.bin
[0x00401000]> iij
# The imports are minimal: kernel32.dll (VirtualAlloc, WriteFile, ExitProcess)
# No obvious network calls.
```

5.3. Locate the main routine

The entry point (0x00401000) now points to a standard mainCRTStartup. We follow the call chain:
The goal is to retrieve the flag without resorting to brute‑force cracking or illegal cracking of any proprietary software – we only analyse the supplied binary.

```bash
# 1. Create a clean analysis directory
mkdir -p ~/ctf/kkmoom && cd ~/ctf/kkmoom
```
```python
import subprocess

def run(cmd):
    # Run a shell command and return its stdout as text; raises on non‑zero exit
    return subprocess.check_output(cmd, shell=True).decode()
```
```
r2 -A pc.exe
[0x00401000]> s entry0
[0x00401000]> pd 30
```

The first 30 instructions look like this (pseudo‑assembly):
```python
def locate_blob_and_key(payload_path):
    import pefile
    pe = pefile.PE(payload_path)
    # The blobs sit in the .rdata section; we simply search for the pattern.
    # "FLAG{" is not in the encrypted data, so we locate the 0x100‑byte block
    # that is followed by a 12‑byte block that looks like ASCII.
    rdata = pe.get_section_by_rva(
        pe.OPTIONAL_HEADER.DataDirectory[
            pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']].VirtualAddress)
    data = rdata.get_data()
    # Heuristic: slide over the section and accept the first 0x100‑byte block
    # whose following 12 bytes are all printable ASCII (the key)
    for i in range(len(data) - 0x100 - 0x0C):
        block = data[i:i + 0x100]
        key = data[i + 0x100:i + 0x100 + 0x0C]
        if all(0x20 <= b <= 0x7E for b in key):  # printable key
            return block, key
    raise RuntimeError("Failed to locate encrypted block/key")
```
```bash
dd if=pc.exe bs=1 skip=$((0x00120000)) count=$((0x00002000)) of=payload.packed
```

Using the disassembled LZ‑type routine we can implement a re‑creation of the algorithm in Python (the routine uses a 12‑bit sliding window with a flag byte controlling literal vs. copy).
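As an added example (not the write‑up's own code), here is a generic LZSS‑style unpacker of the kind described above, with a matching greedy packer so the round trip can be checked on constructed input. The token layout (flag bit set = literal byte; a clear bit is followed by a little‑endian 16‑bit copy token holding a 12‑bit distance and 4‑bit length) is an assumption; the challenge's real layout must be read from the disassembly.

```python
# Added example, not the write-up's code. ASSUMED token layout: each flag byte
# covers 8 items (bit set = literal byte, bit clear = 2-byte copy token);
# a copy token is little-endian: low 12 bits = distance-1, high 4 bits = length-3.
WINDOW = 1 << 12            # 12-bit distances -> 4 KiB sliding window
MIN_MATCH = 3
MAX_MATCH = MIN_MATCH + 15  # 4-bit length field

def lz_decompress(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        flags, i = data[i], i + 1
        for bit in range(8):
            if i >= len(data):
                break
            if flags & (1 << bit):                  # literal byte
                out.append(data[i]); i += 1
                continue
            if i + 1 >= len(data):
                raise ValueError("truncated copy token")
            tok = data[i] | (data[i + 1] << 8); i += 2
            dist, length = (tok & 0xFFF) + 1, (tok >> 12) + MIN_MATCH
            if dist > len(out):
                raise ValueError("back-reference before start of output")
            for _ in range(length):                 # byte-wise so overlapping copies work
                out.append(out[-dist])
    return bytes(out)

def lz_compress(data: bytes) -> bytes:
    """Greedy packer using the same layout; only needed to build test input."""
    out, i = bytearray(), 0
    while i < len(data):
        flags, group = 0, bytearray()
        for bit in range(8):
            if i >= len(data):
                break
            best_len = best_dist = 0
            for j in range(max(0, i - WINDOW), i):
                n = 0
                while n < MAX_MATCH and i + n < len(data) and data[j + n] == data[i + n]:
                    n += 1
                if n > best_len:
                    best_len, best_dist = n, i - j
            if best_len >= MIN_MATCH:
                tok = (best_dist - 1) | ((best_len - MIN_MATCH) << 12)
                group += bytes((tok & 0xFF, tok >> 8)); i += best_len
            else:
                flags |= 1 << bit; group.append(data[i]); i += 1
        out.append(flags); out += group
    return bytes(out)
```

Feed the bytes carved with dd into lz_decompress and check the result for an MZ/PE header; a ValueError on a truncated token or an out-of-range back-reference is the usual sign that the assumed layout does not match the real routine.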
```python
import pathlib

def main():
    # 0️⃣ Download (skip if you already have the file)
    rar = pathlib.Path('pc.rar')
    if not rar.is_file():
        run  # the download command is cut off in the source
```
