Www Kkmoom Com Pc Rar //free\\ May 2026

# 2. Download the archive (the original link no longer works, but the file # is available in the CTF’s public release repository) wget https://example-ctf.org/files/kkmoom_pc.rar -O pc.rar

The buffer buf is filled from an encrypted static array ( encrypted ) using a XOR key that lives in the .rdata section. 5.4. Dump the encrypted blob & the key # Encrypted data location (r2): [0x00401000]> s 0x00406000 # (example address) [0x00406000]> pd 20 # → .rdata: 0x100 bytes = encrypted payload www kkmoom com pc rar

dd if=pc.exe bs=1 skip=$((0x00120000)) count=$((0x00002000)) \ of=payload.packed Using the disassembled LZ‑type routine we can implement a re‑creation of the algorithm in Python (the routine uses a 12‑bit sliding window with a flag byte controlling literal vs. copy). Dump the encrypted blob & the key #

def get_rva_to_offset(pe_path, rva): # Use pefile to translate import pefile pe = pefile.PE(pe_path) return pe.get_offset_from_rva(rva) rdata = pe

def locate_blob_and_key(payload_path): import pefile pe = pefile.PE(payload_path) # The blobs sit in the .rdata section; we simply search for the pattern # "FLAG{" is not in the encrypted data, so we locate the 0x100‑byte block # that is followed by a 12‑byte block that looks like ASCII. rdata = pe.get_section_by_rva(pe.OPTIONAL_HEADER.DataDirectory[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']].VirtualAddress) data = rdata.get_data() # Heuristic: find a 0x100‑byte block whose first byte is >0x7F (likely encrypted) for i in range(len(data)-0x100-0x0C): block = data[i:i+0x100] key = data[i+0x100:i+0x100+0x0C] if all(0x20 <= b <= 0x7E for b in key): # printable key return block, key raise RuntimeError("Failed to locate encrypted block/key")

0x00401000 push ebp 0x00401001 mov ebp, esp 0x00401003 sub esp, 0x200 0x00401009 call 0x00402000 ; → get current module handle 0x0040100e mov eax, dword [0x00403000] ; pointer to packed data 0x00401013 mov ecx, dword [0x00403004] ; packed size 0x00401018 mov edx, dword [0x00403008] ; uncompressed size 0x0040101d call 0x00404000 ; → custom LZ‑type decompressor 0x00401022 jmp eax ; jump to decompressed payload The decompressor resides at 0x00404000 . It is a relatively small routine (≈ 120 bytes) that implements a . 4.2. Dump the packed data The packed payload is stored as a raw byte array at RVA 0x403000 . Extract it with readelf / dd :