Www Kkmoom Com Pc Rar [updated] May 2026

The buffer buf is filled from an encrypted static array (encrypted) using an XOR key that lives in the .rdata section.

5.4. Dump the encrypted blob & the key

# Encrypted data location (r2):
[0x00401000]> s 0x00406000        # (example address)
[0x00406000]> pd 20
# → .rdata: 0x100 bytes = encrypted payload

The goal is to retrieve the flag without resorting to brute-force cracking or illegal cracking of any proprietary software – we only analyse the supplied binary.

# 1. Create a clean analysis directory
mkdir -p ~/ctf/kkmoom && cd ~/ctf/kkmoom

import pefile

def get_rva_to_offset(pe_path, rva):
    # Use pefile to translate an RVA into a raw file offset via the section table
    pe = pefile.PE(pe_path)
    return pe.get_offset_from_rva(rva)

# Entropy (use binwalk or custom script)
binwalk -E pc.exe
# High entropy sections → packed or encrypted payload

The binary is packed with a custom packer. The entry point is not the usual mainCRTStartup; it jumps to a stub that decompresses an embedded payload into memory and then executes it.

4. Static Analysis – Unpacking the Stub

4.1. Identify the packer stub

Open the binary in radare2 (or Ghidra) and locate the entry point:

s 0x00406000        # (example address)
[0x00406000]>

if __name__ == '__main__':
    packed = open('payload.packed', 'rb').read()
    unpacked = decompress(packed)
    open('payload.bin', 'wb').write(unpacked)

Running the script produces payload.bin (~13 KB). The file starts with the header again – the packer is nested: the decompressed payload is a second PE executable.

5. Second-Stage PE – The Real Target

file payload.bin
# payload.bin: PE32 executable (GUI) Intel 80386, for MS Windows

We repeat the same analysis steps on payload.bin.

5.1. Quick string hunt

strings -a -n 5 payload.bin | grep -i flag
# → No direct flag string, but we see:
# "You think this is easy? Think again."

5.2. Import Table inspection

r2 -A payload.bin
[0x00401000]> iij
# The imports are minimal: kernel32.dll (VirtualAlloc, WriteFile, ExitProcess)
# No obvious network calls.

5.3. Locate the main routine

The entry point (0x00401000) now points to a standard mainCRTStartup. We follow the call chain:

# Convert RVA to file offset (using PE headers)
# r2's "ie" only lists entry points; "?p <vaddr>" maps a virtual address to its physical (file) offset
r2 -qc "?p 0x403000" pc.exe
# → 0x00120000 (example)