http://www.kkmoom.com/pc.rar

Inside the archive lies a Windows PE executable named pc.exe. The binary, when executed, prints a garbled string and then terminates. Somewhere inside the binary (or in its execution) is a of the form FLAG… .

# Entropy (use binwalk or custom script)
binwalk -E pc.exe
# High entropy sections → packed or encrypted payload

The binary is with a custom packer. The entry point is not the usual mainCRTStartup; it jumps to a stub that decompresses an embedded payload into memory and then executes it.

4. Static Analysis – Unpacking the Stub

4.1. Identify the packer stub

Open the binary in radare2 (or Ghidra) and locate the entry point:

0x00401000  push ebp
0x00401001  mov ebp, esp
0x00401003  sub esp, 0x200
0x00401009  call 0x00402000            ; → get current module handle
0x0040100e  mov eax, dword [0x00403000] ; pointer to packed data
0x00401013  mov ecx, dword [0x00403004] ; packed size
0x00401018  mov edx, dword [0x00403008] ; uncompressed size
0x0040101d  call 0x00404000            ; → custom LZ‑type decompressor
0x00401022  jmp eax                    ; jump to decompressed payload

The decompressor resides at 0x00404000. It is a relatively small routine (≈ 120 bytes) that implements a .

4.2. Dump the packed data

The packed payload is stored as a raw byte array at RVA 0x403000. Extract it with readelf / dd :

import subprocess, os, struct, sys, pathlib


def lz_decompress(src):
    # Each flag byte covers up to 8 items, LSB first:
    # bit set -> one literal byte; bit clear -> 2-byte back-reference
    i = 0
    dst = bytearray()
    while i < len(src):
        flags = src[i]; i += 1
        for b in range(8):
            if i >= len(src):
                break
            if flags & (1 << b):
                dst.append(src[i]); i += 1
            else:
                if i + 1 >= len(src):
                    break  # truncated back-reference; stop instead of raising IndexError
                lo = src[i]; hi = src[i+1]; i += 2
                offset = ((hi & 0xF0) << 4) | lo   # 12-bit distance back into dst
                length = (hi & 0x0F) + 3           # 4-bit length, 3..18 bytes
                for _ in range(length):            # byte-wise copy so overlapping runs work
                    dst.append(dst[-offset])
    return bytes(dst)


if __name__ == '__main__':
    packed = open('payload.packed', 'rb').read()
    unpacked = lz_decompress(packed)
    open('payload.bin', 'wb').write(unpacked)

Running the script produces payload.bin (~13 KB). The file starts with the header again – the packer is nested: the decompressed payload is a second PE executable.

5. Second‑Stage PE – The Real Target

file payload.bin
# payload.bin: PE32 executable (GUI) Intel 80386, for MS Windows

We repeat the same analysis steps on payload.bin.

5.1. Quick string hunt

strings -a -n 5 payload.bin | grep -i flag
# → No direct flag string, but we see:
# "You think this is easy? Think again."

5.2. Import Table inspection

r2 -A payload.bin
[0x00401000]> iij
# The imports are minimal: kernel32.dll (VirtualAlloc, WriteFile, ExitProcess)
# No obvious network calls.

5.3. Locate the main routine

The entry point (0x00401000) now points to a standard mainCRTStartup. We follow the call chain:

[0x00401000]> pdf @ sym.main

The decompiled pseudo‑code (via Ghidra) shows:

The buffer buf is filled from an encrypted static array (encrypted) using a XOR key that lives in the .rdata section.

5.4. Dump the encrypted blob & the key

# Encrypted data location (r2):
[0x00401000]> s 0x00406000   # (example address)
[0x00406000]> pd 20
# → .rdata: 0x100 bytes = encrypted payload
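When re-implementing a custom decompressor from disassembly, the quickest way to confirm you have read the bit layout correctly is to write the matching encoder and round-trip known data through both. The following is an added example, not code from the writeup: a greedy encoder for the LZ format described in section 4 (flag byte, LSB-first; literal on a set bit; otherwise a 12-bit offset and 4-bit length packed into two bytes) alongside a bounds-checked decoder that mirrors the writeup's lz_decompress routine. The sample input is constructed here; the constant names WINDOW, MIN_MATCH and MAX_MATCH are mine.

```python
# Added example: encoder + bounds-checked decoder for the custom LZ format
# reconstructed in the writeup. Not the packer's own code; written for verification.

WINDOW = 4095      # 12-bit offset field: back-references reach 1..4095 bytes
MIN_MATCH = 3      # the 4-bit length field stores (length - 3)
MAX_MATCH = 18     # so encodable match lengths are 3..18


def lz_decompress(src: bytes) -> bytes:
    """Decode: each flag byte covers up to 8 items, LSB first.
    Bit set -> one literal byte; bit clear -> (lo, hi) back-reference with
    offset = ((hi & 0xF0) << 4) | lo and length = (hi & 0x0F) + 3."""
    dst = bytearray()
    i = 0
    while i < len(src):
        flags = src[i]
        i += 1
        for b in range(8):
            if i >= len(src):
                break
            if flags & (1 << b):
                dst.append(src[i])
                i += 1
                continue
            if i + 1 >= len(src):
                raise ValueError("truncated back-reference at offset %d" % i)
            lo, hi = src[i], src[i + 1]
            i += 2
            offset = ((hi & 0xF0) << 4) | lo
            length = (hi & 0x0F) + MIN_MATCH
            if offset == 0 or offset > len(dst):
                raise ValueError("back-reference outside output at offset %d" % (i - 2))
            for _ in range(length):          # byte-wise copy so overlapping runs work
                dst.append(dst[-offset])
    return bytes(dst)


def lz_compress(data: bytes) -> bytes:
    """Greedy encoder emitting the same format: longest match within WINDOW."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        flags = 0
        items = bytearray()
        for b in range(8):
            if i >= n:
                break
            best_len, best_off = 0, 0
            for j in range(max(0, i - WINDOW), i):
                l = 0
                # a match may run past position i (overlap); the decoder handles it
                while l < MAX_MATCH and i + l < n and data[j + l] == data[i + l]:
                    l += 1
                if l > best_len:
                    best_len, best_off = l, i - j
            if best_len >= MIN_MATCH:
                items.append(best_off & 0xFF)                       # lo: offset bits 0-7
                items.append(((best_off >> 8) << 4) | (best_len - MIN_MATCH))  # hi: offset 8-11 | len-3
                i += best_len
            else:
                flags |= 1 << b                                     # literal
                items.append(data[i])
                i += 1
        out.append(flags)
        out += items
    return bytes(out)


def round_trip(data: bytes) -> bool:
    """True if data survives compress -> decompress unchanged."""
    return lz_decompress(lz_compress(data)) == data


if __name__ == "__main__":
    # constructed sample: repetitive text, so back-references are exercised
    sample = b"You think this is easy? Think again. " * 4 + b"end of sample"
    packed = lz_compress(sample)
    print(len(sample), "->", len(packed), "bytes; round trip ok:", round_trip(sample))
```

If a real dump fails to round-trip through your re-implementation, the mismatch usually points at a misread field boundary (offset high nibble versus length nibble, or the bit order of the flag byte), which is exactly what the two ValueError checks in the decoder surface early instead of producing silently corrupt output.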
