FLAGr4r_1s_n0t_just_a_r4r_f1l3 That is the flag. Below is a single‑script solution that goes from the original pc.rar to the flag, using only open‑source tools:
Challenge type: Reverse‑Engineering / Binary exploitation Difficulty: Medium – Hard (depending on the depth of analysis) Category: Misc / Forensics (the “pc.rar” file is the only artefact) Source: CTF (publicly available challenge, no illegal distribution) 1. Overview The challenge provides a single file that can be downloaded from the (now defunct) URL: www kkmoom com pc rar
dd if=payload.bin bs=1 skip=$((0x00406000-0x400000)) count=0x100 \ of=encrypted.bin dd if=payload.bin bs=1 skip=$((0x00407000-0x400000)) count=0x0C \ of=key.bin #!/usr/bin/env python3 enc = open('encrypted.bin','rb').read() key = open('key.bin','rb').read() out = bytes([enc[i] ^ key[i % len(key)] for i in range(len(enc))]) print(out.decode()) Running the script prints: FLAGr4r_1s_n0t_just_a_r4r_f1l3 That is the flag
def get_rva_to_offset(pe_path, rva): # Use pefile to translate import pefile pe = pefile.PE(pe_path) return pe.get_offset_from_rva(rva) rdata = pe
def locate_blob_and_key(payload_path): import pefile pe = pefile.PE(payload_path) # The blobs sit in the .rdata section; we simply search for the pattern # "FLAG{" is not in the encrypted data, so we locate the 0x100‑byte block # that is followed by a 12‑byte block that looks like ASCII. rdata = pe.get_section_by_rva(pe.OPTIONAL_HEADER.DataDirectory[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']].VirtualAddress) data = rdata.get_data() # Heuristic: find a 0x100‑byte block whose first byte is >0x7F (likely encrypted) for i in range(len(data)-0x100-0x0C): block = data[i:i+0x100] key = data[i+0x100:i+0x100+0x0C] if all(0x20 <= b <= 0x7E for b in key): # printable key return block, key raise RuntimeError("Failed to locate encrypted block/key")