Skip to main content

Www Kkmoom Com Pc Rar 【DIRECT】

FLAGr4r_1s_n0t_just_a_r4r_f1l3 That is the flag. Below is a single‑script solution that goes from the original pc.rar to the flag, using only open‑source tools:

def extract_first_stage(pe_path): import pefile pe = pefile.PE(pe_path) # These RVAs were discovered manually; they are constant for the challenge packed_rva = 0x403000 packed_size = 0x2000 # 8 KiB – enough to cover the blob off = pe.get_offset_from_rva(packed_rva) return pe.__data__[off:off+packed_size]

def main(): # 0️⃣ Download (skip if you already have the file) rar = pathlib.Path('pc.rar') if not rar.is_file(): run www kkmoom com pc rar

def locate_blob_and_key(payload_path): import pefile pe = pefile.PE(payload_path) # The blobs sit in the .rdata section; we simply search for the pattern # "FLAG{" is not in the encrypted data, so we locate the 0x100‑byte block # that is followed by a 12‑byte block that looks like ASCII. rdata = pe.get_section_by_rva(pe.OPTIONAL_HEADER.DataDirectory[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']].VirtualAddress) data = rdata.get_data() # Heuristic: find a 0x100‑byte block whose first byte is >0x7F (likely encrypted) for i in range(len(data)-0x100-0x0C): block = data[i:i+0x100] key = data[i+0x100:i+0x100+0x0C] if all(0x20 <= b <= 0x7E for b in key): # printable key return block, key raise RuntimeError("Failed to locate encrypted block/key")

import subprocess, os, struct, sys, pathlib FLAGr4r_1s_n0t_just_a_r4r_f1l3 That is the flag

The buffer buf is filled from an encrypted static array ( encrypted ) using a XOR key that lives in the .rdata section. 5.4. Dump the encrypted blob & the key # Encrypted data location (r2): [0x00401000]> s 0x00406000 # (example address) [0x00406000]> pd 20 # → .rdata: 0x100 bytes = encrypted payload

r2 -A pc.exe [0x00401000]> s entry0 [0x00401000]> pd 30 The first 30 instructions look like this (pseudo‑assembly): s 0x00406000 # (example address) [0x00406000]&gt

#!/usr/bin/env python3 # kkmoom_pc_writeup.py # ------------------------------------------------------------- # 1️⃣ Extract the .rar → pc.exe # 2️⃣ Dump the first‑stage packed payload (RVA 0x403000) # 3️⃣ Decompress it with the custom LZ‑type routine # 4️⃣ Dump the second‑stage PE (payload.bin) # 5️⃣ Locate the encrypted blob and XOR key in .rdata # 6️⃣ Decrypt → flag # -------------------------------------------------------------