http://www.kkmoom.com/pc.rar Inside the archive lies a Windows PE executable named pc.exe . The binary, when executed, prints a garbled string and then terminates. Somewhere inside the binary (or in its execution) is a of the form FLAG… .
FLAGr4r_1s_n0t_just_a_r4r_f1l3 That is the flag. Below is a single‑script solution that goes from the original pc.rar to the flag, using only open‑source tools:
if __name__ == '__main__': packed = open('payload.packed', 'rb').read() unpacked = decompress(packed) open('payload.bin', 'wb').write(unpacked) Running the script produces payload.bin (~13 KB). The file starts with the header again – the packer is nested : the decompressed payload is a second PE executable. 5. Second‑Stage PE – The Real Target file payload.bin # payload.bin: PE32 executable (GUI) Intel 80386, for MS Windows We repeat the same analysis steps on payload.bin . 5.1. Quick string hunt strings -a -n 5 payload.bin | grep -i flag # → No direct flag string, but we see: # "You think this is easy? Think again." 5.2. Import Table inspection r2 -A payload.bin [0x00401000]> iij # The imports are minimal: kernel32.dll (VirtualAlloc, WriteFile, ExitProcess) # No obvious network calls. 5.3. Locate the main routine The entry point ( 0x00401000 ) now points to a standard mainCRTStartup . We follow the call chain: www kkmoom com pc rar
The goal is to retrieve the flag without resorting to brute‑force cracking or illegal cracking of any proprietary software – we only analyse the supplied binary. # 1. Create a clean analysis directory mkdir -p ~/ctf/kkmoom && cd ~/ctf/kkmoom
# Convert RVA to file offset (using PE headers) r2 -qc "ie 0x403000" pc.exe # → 0x00120000 (example) http://www
# 3. Install the required tools (Linux distro) sudo apt update sudo apt install -y unzip unrar p7zip-full binutils \ radare2 ghidra yara clang gdb qemu-user-static \ mingw-w64-tools mingw-w64-common \ python3-pip && pip3 install lief capstone The binary is a 32‑bit Windows PE ( PE32 ). On a modern 64‑bit Linux host we will need the wine runtime for dynamic testing and mingw tools for static analysis. 3. Extraction & Basic File Inspection # Extract the rar archive unrar x pc.rar # → we obtain pc.exe (size ≈ 44 KB) # File type file pc.exe # pc.exe: PE32 executable (GUI) Intel 80386, for MS Windows
#!/usr/bin/env python3 import sys
[0x00401000]> pdf @ sym.main The decompiled pseudo‑code (via Ghidra) shows: