Www Kkmoom Com Pc Rar
```bash
# 3. Install the required tools (Linux distro)
sudo apt update
sudo apt install -y unzip unrar p7zip-full binutils \
    radare2 ghidra yara clang gdb qemu-user-static \
    mingw-w64-tools mingw-w64-common \
    python3-pip && pip3 install lief capstone
```

The binary is a 32-bit Windows PE (PE32). On a modern 64-bit Linux host we will need the wine runtime for dynamic testing (it is not part of the apt line above, so install it separately) and the mingw tools for static analysis.

## 3. Extraction & Basic File Inspection

```bash
# Extract the rar archive
unrar x pc.rar
# → we obtain pc.exe (size ≈ 44 KB)

# File type
file pc.exe
# pc.exe: PE32 executable (GUI) Intel 80386, for MS Windows
```
```python
#!/usr/bin/env python3
# kkmoom_pc_writeup.py
# -------------------------------------------------------------
# 1️⃣ Extract the .rar → pc.exe
# 2️⃣ Dump the first-stage packed payload (RVA 0x403000)
# 3️⃣ Decompress it with the custom LZ-type routine
# 4️⃣ Dump the second-stage PE (payload.bin)
# 5️⃣ Locate the encrypted blob and XOR key in .rdata
# 6️⃣ Decrypt → flag
# -------------------------------------------------------------
```
```bash
# Entropy (use binwalk or custom script)
binwalk -E pc.exe
# High entropy sections → packed or encrypted payload
```

The binary is packed with a custom packer. The entry point is not the usual `mainCRTStartup`; it jumps to a stub that decompresses an embedded payload into memory and then executes it.

## 4. Static Analysis – Unpacking the Stub

### 4.1. Identify the packer stub

Open the binary in radare2 (or Ghidra) and locate the entry point:
The stub's custom LZ-type decompression routine, reimplemented in Python:

```python
def lz_decompress(src):
    """Custom LZ-type routine used by the packer stub.

    The stream is a sequence of groups: one flag byte followed by up to
    eight items, consumed LSB first. A set bit means a literal byte; a
    clear bit means a two-byte back-reference (lo, hi) with a 12-bit
    offset ((hi & 0xF0) << 4 | lo) and a 4-bit length (hi & 0x0F) + 3,
    copied byte by byte so overlapping copies work.
    """
    i = 0
    dst = bytearray()
    while i < len(src):
        flags = src[i]; i += 1
        for b in range(8):
            if i >= len(src):
                break
            if flags & (1 << b):
                dst.append(src[i]); i += 1            # literal byte
            else:
                if i + 1 >= len(src):                 # truncated pair: stop
                    break
                lo = src[i]; hi = src[i+1]; i += 2
                offset = ((hi & 0xF0) << 4) | lo
                length = (hi & 0x0F) + 3
                for _ in range(length):
                    dst.append(dst[-offset])          # back-reference copy
    return bytes(dst)
```
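To confirm that the recovered field layout is right, an added example (my code, not part of the original writeup or the stub) implements the inverse: a greedy encoder that emits the same flag-byte / literal / back-reference stream, paired with the decoder so any buffer can be round-tripped. The format is reconstructed from `lz_decompress` above; the packer's real compressor is not on the page.

```python
# Added example: greedy encoder for the stub's LZ format (12-bit offset,
# 4-bit length + 3), paired with the decoder for round-trip checks.
MAX_OFFSET, MIN_MATCH = 0xFFF, 3   # offset 1..4095; length stored as len-3
MAX_MATCH = 0x0F + MIN_MATCH       # 4-bit field -> 3..18 bytes

def lz_decompress(src: bytes) -> bytes:
    i, dst = 0, bytearray()
    while i < len(src):
        flags = src[i]; i += 1
        for b in range(8):
            if i >= len(src):
                break
            if flags & (1 << b):  # literal
                dst.append(src[i]); i += 1
            else:  # back-reference
                lo, hi = src[i], src[i + 1]; i += 2
                offset = ((hi & 0xF0) << 4) | lo
                length = (hi & 0x0F) + MIN_MATCH
                for _ in range(length):
                    dst.append(dst[-offset])
    return bytes(dst)

def _longest_match(data: bytes, pos: int):
    # Best (offset, length) among the previous MAX_OFFSET bytes.
    best_off, best_len = 0, 0
    for cand in range(max(0, pos - MAX_OFFSET), pos):
        n = 0  # overlapping matches allowed, as the decoder copies bytewise
        while n < MAX_MATCH and pos + n < len(data) and data[cand + n] == data[pos + n]:
            n += 1
        if n > best_len:
            best_off, best_len = pos - cand, n
    return best_off, best_len

def lz_compress(data: bytes) -> bytes:
    # Greedy encoder: each flag byte governs up to 8 items, LSB first.
    out, pos = bytearray(), 0
    while pos < len(data):
        flags, group, nbits = 0, bytearray(), 0
        while nbits < 8 and pos < len(data):
            off, n = _longest_match(data, pos)
            if n >= MIN_MATCH:  # bit clear -> (lo, hi) back-reference
                group += bytes([off & 0xFF, ((off >> 4) & 0xF0) | (n - MIN_MATCH)])
                pos += n
            else:  # bit set -> literal byte
                flags |= 1 << nbits
                group.append(data[pos]); pos += 1
            nbits += 1
        out.append(flags); out += group
    return bytes(out)
```

Feeding `lz_compress` output to the decoder recovered from the stub is a quick sanity check that offset and length nibbles were read the right way round.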