
Challenge type: Reverse-Engineering / Binary exploitation
Difficulty: Medium – Hard (depending on the depth of analysis)
Category: Misc / Forensics (the “pc.rar” file is the only artefact)
Source: CTF (publicly available challenge, no illegal distribution)

1. Overview

The challenge provides a single file that can be downloaded from the (now defunct) URL:

```bash
# 2. Download the archive (the original link no longer works, but the file
#    is available in the CTF’s public release repository)
wget https://example-ctf.org/files/kkmoom_pc.rar -O pc.rar
```

```asm
0x00401000  push ebp
0x00401001  mov  ebp, esp
0x00401003  sub  esp, 0x200
0x00401009  call 0x00402000               ; → get current module handle
0x0040100e  mov  eax, dword [0x00403000]  ; pointer to packed data
0x00401013  mov  ecx, dword [0x00403004]  ; packed size
0x00401018  mov  edx, dword [0x00403008]  ; uncompressed size
0x0040101d  call 0x00404000               ; → custom LZ-type decompressor
0x00401022  jmp  eax                      ; jump to decompressed payload
```

The decompressor resides at 0x00404000. It is a relatively small routine (≈ 120 bytes) that implements a .

4.2. Dump the packed data

The packed payload is stored as a raw byte array at RVA 0x403000. Extract it with readelf / dd:

```python
import pefile


def extract_first_stage(pe_path):
    """Carve the raw packed blob out of the stub binary using pefile."""
    pe = pefile.PE(pe_path)
    # These RVAs were discovered manually; they are constant for the challenge.
    # The stub addresses the blob as an absolute VA (0x00403000 with the
    # 0x0040xxxx code addresses above); subtract the image base if pefile
    # reports the value as out of range.
    packed_rva = 0x403000
    packed_size = 0x2000  # 8 KiB – enough to cover the blob
    off = pe.get_offset_from_rva(packed_rva)
    # pe.__data__ is the raw file image pefile loaded
    return pe.__data__[off:off + packed_size]
```
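As an added example (not code from the original write-up), the following reads the three dwords the stub loads into eax/ecx/edx as a descriptor and carves exactly packed_size bytes instead of a fixed 0x2000, using a minimal section-table parser so it runs without pefile. It assumes an image base of 0x400000 (matching the 0x0040xxxx addresses in the listing) and that the descriptor layout is [pointer VA, packed size, uncompressed size]; the PE it parses is a constructed sample, not the challenge binary.

```python
import struct

IMAGE_BASE = 0x400000      # assumed: matches the 0x0040xxxx addresses in the stub
DESCRIPTOR_VA = 0x403000   # the stub reads [ptr, packed_size, unpacked_size] here


def section_table(pe):
    """Yield (VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    base = e_lfanew + 24 + opt_size          # section headers follow the optional header
    for i in range(nsec):
        yield struct.unpack_from("<III", pe, base + 40 * i + 12)


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset; raise if no raw section data backs it."""
    for va, raw_size, raw_off in section_table(pe):
        if va <= rva < va + raw_size:
            return rva - va + raw_off
    raise ValueError("RVA 0x%x not backed by file data" % rva)


def carve_packed_payload(pe):
    """Read the descriptor exactly as the stub does and carve packed_size bytes."""
    ptr, packed_size, unpacked_size = struct.unpack_from(
        "<III", pe, rva_to_offset(pe, DESCRIPTOR_VA - IMAGE_BASE))
    data_off = rva_to_offset(pe, ptr - IMAGE_BASE)
    if packed_size == 0 or data_off + packed_size > len(pe):
        raise ValueError("descriptor does not describe a blob inside the file")
    return pe[data_off:data_off + packed_size], unpacked_size


def build_sample_pe(blob, unpacked_size=0x40):
    """Constructed minimal 32-bit PE (not the challenge binary): one .data
    section at RVA 0x3000 holding the descriptor, then the blob at +0x10."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)            # i386, one section
    struct.pack_into("<H", hdr, 0x54, 0)                    # no optional header in this sample
    hdr[0x58:0x80] = struct.pack("<8sIIII", b".data", 0x1000, 0x3000, 0x200, 0x200) + bytes(16)
    data = bytearray(0x200)
    struct.pack_into("<III", data, 0, IMAGE_BASE + 0x3010, len(blob), unpacked_size)
    data[0x10:0x10 + len(blob)] = blob
    return bytes(hdr + data)


SAMPLE_BLOB = b"\x01KKMOOM-STAGE1-CONSTRUCTED-SAMPLE-BLOB"   # constructed, not real data
```

Calling carve_packed_payload on the real stub binary returns the blob and the uncompressed size the decompressor expects, which is the value to sanity-check the unpacked output against.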

import subprocess, os, struct, sys, pathlib