Www Kkmoom Com Pc Rar Guide

The goal is to retrieve the flag without resorting to brute‑force cracking or illegal cracking of any proprietary software – we only analyse the supplied binary.

```bash
# 1. Create a clean analysis directory
mkdir -p ~/ctf/kkmoom && cd ~/ctf/kkmoom
```

```bash
# Carve the first-stage packed payload out of pc.exe
dd if=pc.exe bs=1 skip=$((0x00120000)) count=$((0x00002000)) \
   of=payload.packed
```

Using the disassembled LZ‑type routine we can implement a re‑creation of the algorithm in Python (the routine uses a 12‑bit sliding window with a flag byte controlling literal vs. copy).
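The LZ‑type routine itself is not reproduced on this page, so the following is an added example rather than the writeup's own code: a decoder for the layout the text describes (a flag byte selecting literal vs. copy per token and a 12‑bit back‑reference distance), plus a matching greedy encoder so the decoder can be round‑trip tested offline. The parts the page does not state are assumptions: LSB‑first flag bits, little‑endian 16‑bit copy tokens, a 4‑bit length field with a +3 bias, and distances stored as `distance - 1`. The function names `lz_compress`/`lz_decompress` and the sample inputs are constructed for this example.

```python
#!/usr/bin/env python3
# Added example: LZSS-style codec matching the layout described in the writeup.
# Assumed token format (not taken from the page):
#   flag byte -> 8 tokens, bit i (LSB first): 1 = literal byte, 0 = copy token
#   copy token -> 16-bit little-endian; low 12 bits = distance-1, high 4 bits = length-3
WINDOW = 4096   # 12-bit distance field
MAX_LEN = 18    # 4-bit length field + 3


def lz_decompress(data: bytes) -> bytes:
    """Inflate a flag-byte/copy-token stream; raises on malformed input."""
    out = bytearray()
    pos = 0
    while pos < len(data):
        flags = data[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(data):          # trailing flag bits past end of stream are ignored
                break
            if (flags >> bit) & 1:
                out.append(data[pos])     # literal
                pos += 1
            else:
                if pos + 1 >= len(data):
                    raise ValueError("truncated copy token at offset %d" % pos)
                token = data[pos] | (data[pos + 1] << 8)
                pos += 2
                dist = (token & 0x0FFF) + 1
                length = (token >> 12) + 3
                if dist > len(out):
                    raise ValueError("copy token references data before start of output")
                start = len(out) - dist
                for i in range(length):   # byte-by-byte so overlapping copies (dist < length) work
                    out.append(out[start + i])
    return bytes(out)


def lz_compress(data: bytes) -> bytes:
    """Greedy encoder producing the same token format (for testing the decoder)."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        flags = 0
        tokens = bytearray()
        for bit in range(8):
            if i >= n:
                break
            best_len, best_dist = 0, 0
            for j in range(max(0, i - WINDOW), i):
                l = 0
                while l < MAX_LEN and i + l < n and data[j + l] == data[i + l]:
                    l += 1
                if l > best_len:
                    best_len, best_dist = l, i - j
            if best_len >= 3:
                token = (best_dist - 1) | ((best_len - 3) << 12)
                tokens += bytes([token & 0xFF, token >> 8])
                i += best_len
            else:
                flags |= 1 << bit
                tokens.append(data[i])
                i += 1
        out.append(flags)
        out += tokens
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample, not the real payload.packed from the challenge
    sample = b"flag{constructed_sample_text}" * 4
    packed = lz_compress(sample)
    print(len(sample), "->", len(packed), "bytes; round-trip ok:",
          lz_decompress(packed) == sample)
```

Against the real `payload.packed` you would call `lz_decompress(open('payload.packed', 'rb').read())` and write the result to `payload.bin`; if the disassembled routine uses a different bit order or length bias, adjust the three constants in the comment rather than the control flow.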

```python
#!/usr/bin/env python3
# kkmoom_pc_writeup.py
# -------------------------------------------------------------
# 1️⃣ Extract the .rar → pc.exe
# 2️⃣ Dump the first‑stage packed payload (RVA 0x403000)
# 3️⃣ Decompress it with the custom LZ‑type routine
# 4️⃣ Dump the second‑stage PE (payload.bin)
# 5️⃣ Locate the encrypted blob and XOR key in .rdata
# 6️⃣ Decrypt → flag
# -------------------------------------------------------------
```

```bash
# Carve the encrypted blob and the XOR key out of the second-stage PE
# (file offset = VA - image base 0x400000; counts wrapped in $(( )) so dd gets decimal)
dd if=payload.bin bs=1 skip=$((0x00406000-0x400000)) count=$((0x100)) \
   of=encrypted.bin
dd if=payload.bin bs=1 skip=$((0x00407000-0x400000)) count=$((0x0C)) \
   of=key.bin
```

```python
#!/usr/bin/env python3
# XOR the blob with the repeating 12-byte key pulled from .rdata
enc = open('encrypted.bin', 'rb').read()
key = open('key.bin', 'rb').read()
out = bytes([enc[i] ^ key[i % len(key)] for i in range(len(enc))])
print(out.decode())
```

Running the script prints: