Www Kkmoom Com Pc Rar

```c
// Decompiled main(); encrypted, key and keylen are globals of the binary.
int __cdecl main()
{
    char buf[0x100];
    DWORD bytes;
    int i;
    HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    VirtualAlloc(0, 0x2000, MEM_COMMIT, PAGE_READWRITE);

    // Decrypt loop:
    for (i = 0; i < 0x100; ++i)
        buf[i] = encrypted[i] ^ key[i % keylen];

    // WriteFile to stdout
    WriteFile(hStdOut, buf, 0x100, &bytes, 0);

    // Compare with expected value (5 bytes: includes the terminating NUL)
    if (memcmp(buf, "FLAG", 5) == 0)
        puts(buf);
    else
        puts("Try again!");
    return 0;
}
```

The buffer buf is filled from an encrypted static array (encrypted) using an XOR key that lives in the .rdata section.

5.4. Dump the encrypted blob & the key

```
# Encrypted data location (r2):
[0x00401000]> s 0x00406000   # (example address)
[0x00406000]> pd 20          # → .rdata: 0x100 bytes = encrypted payload
```

```python
#!/usr/bin/env python3
# kkmoom_pc_writeup.py
# -------------------------------------------------------------
# 1️⃣ Extract the .rar → pc.exe
# 2️⃣ Dump the first-stage packed payload (RVA 0x403000)
# 3️⃣ Decompress it with the custom LZ-type routine
# 4️⃣ Dump the second-stage PE (payload.bin)
# 5️⃣ Locate the encrypted blob and XOR key in .rdata
# 6️⃣ Decrypt → flag
# -------------------------------------------------------------
```
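Steps 5 and 6 of the outline above, as an added example that is not the writeup author's script: it carves the key and the 0x100-byte blob from a dumped image, applies the repeating-key XOR from the decompiled loop, and mirrors the 5-byte memcmp check. The image is a constructed stand-in, and the offsets, key and plaintext are hypothetical rather than values from the challenge binary.

```python
#!/usr/bin/env python3
"""Steps 5-6 on constructed data: carve blob and key, XOR-decrypt, check."""

BLOB_SIZE = 0x100  # size of buf in the decompiled main()


def carve(image: bytes, offset: int, size: int) -> bytes:
    """Return image[offset:offset+size], refusing out-of-range reads."""
    if offset < 0 or size <= 0 or offset + size > len(image):
        raise ValueError(f"range {offset:#x}+{size:#x} is outside the image")
    return image[offset:offset + size]


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """buf[i] = encrypted[i] ^ key[i % keylen], as in the decrypt loop."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def passes_check(buf: bytes) -> bool:
    """Mirror memcmp(buf, "FLAG", 5) == 0: five bytes, so the NUL counts."""
    return buf[:5] == b"FLAG\x00"


def c_string(buf: bytes) -> str:
    """What puts(buf) would print: the bytes up to the first NUL."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def build_sample(plaintext: bytes, key: bytes, key_off: int, blob_off: int) -> bytes:
    """Constructed stand-in for the dumped second-stage PE (not the real file)."""
    padded = plaintext.ljust(BLOB_SIZE, b"\x00")
    image = bytearray(blob_off + BLOB_SIZE)
    image[key_off:key_off + len(key)] = key
    image[blob_off:blob_off + BLOB_SIZE] = xor_decrypt(padded, key)  # XOR is symmetric
    return bytes(image)


if __name__ == "__main__":
    KEY_OFF, BLOB_OFF, KEY = 0x40, 0x100, b"k3y!"  # all hypothetical values
    image = build_sample(b"FLAG", KEY, KEY_OFF, BLOB_OFF)
    key = carve(image, KEY_OFF, len(KEY))
    buf = xor_decrypt(carve(image, BLOB_OFF, BLOB_SIZE), key)
    print(c_string(buf) if passes_check(buf) else "Try again!")
```

Because the compare covers five bytes, a decrypted buffer with anything other than a NUL after "FLAG" takes the "Try again!" branch even though it starts with the same four characters.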
