
Www Kkmoom Com Pc Rar Updated File

Challenge type: Reverse-Engineering / Binary exploitation
Difficulty: Medium – Hard (depending on the depth of analysis)
Category: Misc / Forensics (the "pc.rar" file is the only artefact)
Source: CTF (publicly available challenge, no illegal distribution)

1. Overview

The challenge provides a single file that can be downloaded from the (now defunct) URL:

The buffer buf is filled from an encrypted static array (encrypted) using an XOR key that lives in the .rdata section.

5.4. Dump the encrypted blob & the key

```
# Encrypted data location (r2):
[0x00401000]> s 0x00406000   # (example address)
[0x00406000]> pd 20          # → .rdata: 0x100 bytes = encrypted payload
```

```python
def locate_blob_and_key(payload_path):
    import pefile
    pe = pefile.PE(payload_path)
    # The blobs sit in the .rdata section, so take that section's raw bytes
    # (section names are NUL-padded in the header).
    rdata = next(s for s in pe.sections if s.Name.rstrip(b"\x00") == b".rdata")
    data = rdata.get_data()
    # "FLAG{" is not in the encrypted data, so we cannot grep for it. Instead we
    # locate the 0x100-byte block (first byte > 0x7F, likely encrypted) that is
    # followed by a 12-byte block that looks like printable ASCII: the XOR key.
    for i in range(len(data) - 0x100 - 0x0C):
        block = data[i:i + 0x100]
        key = data[i + 0x100:i + 0x100 + 0x0C]
        if block[0] > 0x7F and all(0x20 <= b <= 0x7E for b in key):  # printable key
            return block, key
    raise RuntimeError("Failed to locate encrypted block/key")
```

```python
def decompress(src):
    src = memoryview(src)
    dst = bytearray()
    i = 0
    while i < len(src):
        flags = src[i]; i += 1          # one flags byte describes the next 8 tokens
        for b in range(8):
            if i >= len(src):           # stream may end before all 8 tokens are used
                break
            if flags & (1 << b):        # literal byte
                dst.append(src[i]); i += 1
            else:                       # back-reference: 12-bit offset, 4-bit length
                lo = src[i]; hi = src[i + 1]; i += 2
                offset = ((hi & 0xF0) << 4) | lo
                length = (hi & 0x0F) + 3
                for _ in range(length):  # byte-wise copy, so overlapping matches work
                    dst.append(dst[-offset])
    return bytes(dst)
```
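As an added example (not code from the write-up), here is a compressor for this custom LZ format beside a copy of the decoder, so the token layout (flag bit set = literal, 12-bit offset in lo / high nibble of hi, 4-bit length + 3) can be checked by round trip; the function names and the window limits are my own assumptions.

```python
MAX_OFFSET = 0xFFF   # 12-bit back-reference distance
MAX_LEN = 0x0F + 3   # 4-bit length field plus the implied minimum of 3

def decompress(src: bytes) -> bytes:
    """Decoder as in the write-up, plus a guard against offsets outside the output."""
    dst, i = bytearray(), 0
    while i < len(src):
        flags = src[i]; i += 1
        for b in range(8):
            if i >= len(src):
                break
            if flags & (1 << b):                      # literal
                dst.append(src[i]); i += 1
            else:                                     # back-reference
                lo, hi = src[i], src[i + 1]; i += 2
                offset = ((hi & 0xF0) << 4) | lo
                length = (hi & 0x0F) + 3
                if offset == 0 or offset > len(dst):
                    raise ValueError("back-reference outside output window")
                for _ in range(length):               # overlapping copies allowed
                    dst.append(dst[-offset])
    return bytes(dst)

def _longest_match(data: bytes, pos: int):
    """Greedy search for the longest match ending before pos (constructed, simple O(n*w))."""
    best_len, best_off = 0, 0
    for cand in range(max(0, pos - MAX_OFFSET), pos):
        n = 0
        while n < MAX_LEN and pos + n < len(data) and data[cand + n] == data[pos + n]:
            n += 1
        if n > best_len:
            best_len, best_off = n, pos - cand
    return best_len, best_off

def compress(data: bytes) -> bytes:
    """Emit flag byte + up to 8 tokens per group, mirroring decompress() exactly."""
    out, pos = bytearray(), 0
    while pos < len(data):
        flags, group = 0, bytearray()
        for b in range(8):
            if pos >= len(data):
                break
            length, offset = _longest_match(data, pos)
            if length >= 3:                           # back-reference pays off
                group += bytes([offset & 0xFF, ((offset >> 8) << 4) | (length - 3)])
                pos += length
            else:                                     # literal, flag bit set
                flags |= 1 << b
                group.append(data[pos]); pos += 1
        out.append(flags); out += group
    return bytes(out)
```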

```python
#!/usr/bin/env python3
# kkmoom_pc_writeup.py
# -------------------------------------------------------------
# 1️⃣ Extract the .rar → pc.exe
# 2️⃣ Dump the first-stage packed payload (RVA 0x403000)
# 3️⃣ Decompress it with the custom LZ-type routine
# 4️⃣ Dump the second-stage PE (payload.bin)
# 5️⃣ Locate the encrypted blob and XOR key in .rdata
# 6️⃣ Decrypt → flag
# -------------------------------------------------------------
```

http://www.kkmoom.com/pc.rar

Inside the archive lies a Windows PE executable named pc.exe. The binary, when executed, prints a garbled string and then terminates. Somewhere inside the binary (or in its execution) is a flag of the form FLAG… .

```sh
# Convert the virtual address to a file offset (using the PE headers)
r2 -qc "?p 0x403000" pc.exe
# → 0x00120000 (example)
```