Below is a solution that goes from the original pc.rar to the flag, using only open‑source tools:
```sh
# 2. Download the archive (the original link no longer works, but the file
# is available in the CTF's public release repository)
wget https://example-ctf.org/files/kkmoom_pc.rar -O pc.rar
```
Using the disassembled LZ-type routine, we can implement the algorithm in Python (the routine uses a 12-bit sliding window with a flag byte controlling literal vs. copy).
```python
import pefile

def extract_first_stage(pe_path):
    """Return the packed blob from the challenge executable."""
    pe = pefile.PE(pe_path)
    # These RVAs were discovered manually; they are constant for the challenge
    packed_rva = 0x403000
    packed_size = 0x2000  # 8 KiB, enough to cover the blob
    off = pe.get_offset_from_rva(packed_rva)
    return pe.__data__[off:off + packed_size]
```
The specific request for a "PC RAR" file indicates that the user is looking for a compressed archive containing an executable program (likely a .exe file inside the .rar archive) intended for Windows.
.rar files require extraction software like WinRAR or 7-Zip.

How to Install KKmoon Software on PC
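```python
def decompress(src):
    """LZ-type decoder: a flag byte, then 8 items (bit set = literal, clear = copy)."""
    src = memoryview(src)
    dst = bytearray()
    i = 0
    while i < len(src):
        flags = src[i]; i += 1
        for b in range(8):
            if i >= len(src):  # input exhausted in the middle of a flag group
                break
            if flags & (1 << b):  # literal
                dst.append(src[i]); i += 1
            else:  # back-reference
                if i + 1 >= len(src):
                    raise ValueError("truncated back-reference")
                lo = src[i]; hi = src[i + 1]; i += 2
                offset = ((hi & 0xF0) << 4) | lo  # 12-bit window offset
                length = (hi & 0x0F) + 3
                if offset == 0 or offset > len(dst):
                    raise ValueError("back-reference outside the window")
                for _ in range(length):
                    dst.append(dst[-offset])
    return bytes(dst)
```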
```sh
# Convert RVA to file offset (using PE headers)
r2 -qc "ie 0x403000" pc.exe
# → 0x00120000 (example)
```
Many RAR files from these types of sites may trigger "false positive" alerts from antivirus software because they contain unsigned drivers.