Www Kkmoom Com Pc Rar __link__ May 2026

    # Key location:
    [0x00401000]> s 0x00407000
    [0x00407000]> pd 12
    # → key = "kKMo0M_cRaZ"

Extract both blobs:

    def decompress(src):
        """LZ-style unpacker: each flag byte governs the next 8 items (bit set = literal)."""
        src = memoryview(src)
        dst = bytearray()
        i = 0
        while i < len(src):
            flags = src[i]; i += 1
            for b in range(8):
                if i >= len(src):               # input exhausted mid-group
                    break
                if flags & (1 << b):            # literal byte
                    dst.append(src[i]); i += 1
                else:                           # back-reference (2 bytes)
                    if i + 1 >= len(src):
                        raise ValueError("truncated back-reference")
                    lo = src[i]; hi = src[i + 1]; i += 2
                    offset = ((hi & 0xF0) << 4) | lo    # 12-bit distance
                    length = (hi & 0x0F) + 3            # 3..18 bytes
                    if offset == 0 or offset > len(dst):
                        raise ValueError("back-reference outside output")
                    for _ in range(length):
                        dst.append(dst[-offset])        # byte-wise so overlapping copies work
        return bytes(dst)

    if __name__ == '__main__':
        with open('payload.packed', 'rb') as f:
            packed = f.read()
        unpacked = decompress(packed)
        with open('payload.bin', 'wb') as f:
            f.write(unpacked)

Running the script produces payload.bin (~13 KB). The file starts with the header again – the packer is nested: the decompressed payload is a second PE executable.

5. Second‑Stage PE – The Real Target

    file payload.bin
    # payload.bin: PE32 executable (GUI) Intel 80386, for MS Windows

We repeat the same analysis steps on payload.bin.

5.1. Quick string hunt

    strings -a -n 5 payload.bin | grep -i flag
    # → No direct flag string, but we see:
    #   "You think this is easy? Think again."

5.2. Import Table inspection

    r2 -A payload.bin
    [0x00401000]> iij
    # The imports are minimal: kernel32.dll (VirtualAlloc, WriteFile, ExitProcess)
    # No obvious network calls.

5.3. Locate the main routine

The entry point (0x00401000) now points to a standard mainCRTStartup. We follow the call chain:

    import subprocess

    def run(cmd):
        return subprocess.check_output(cmd, shell=True).decode()

The buffer buf is filled from an encrypted static array (encrypted) using a XOR key that lives in the .rdata section.

5.4. Dump the encrypted blob & the key

    # Encrypted data location (r2):
    [0x00401000]> s 0x00406000    # (example address)
    [0x00406000]> pd 20
    # → .rdata: 0x100 bytes = encrypted payload

    r2 -A pc.exe
    [0x00401000]> s entry0
    [0x00401000]> pd 30

The first 30 instructions look like this (pseudo‑assembly):

    FLAGr4r_1s_n0t_just_a_r4r_f1l3

That is the flag. Below is a single‑script solution that goes from the original pc.rar to the flag, using only open‑source tools:

    http://www.kkmoom.com/pc.rar

Inside the archive lies a Windows PE executable named pc.exe. The binary, when executed, prints a garbled string and then terminates. Somewhere inside the binary (or in its execution) is a flag of the form FLAG….
