```python
def lz_decompress(src):
    """Unpack the LZSS-style stream used by the packer: one flag byte, then up to
    8 items. A set flag bit means a literal byte; a clear bit means a 2-byte
    (lo, hi) back-reference with a 12-bit offset and a 4-bit length (+3)."""
    i = 0
    dst = bytearray()
    while i < len(src):
        flags = src[i]; i += 1
        for b in range(8):
            if i >= len(src):
                break
            if flags & (1 << b):                  # literal byte
                dst.append(src[i]); i += 1
            else:                                 # back-reference token
                if i + 1 >= len(src):
                    raise ValueError("truncated token at input offset %d" % i)
                lo = src[i]; hi = src[i+1]; i += 2
                offset = ((hi & 0xF0) << 4) | lo  # bits 8..11 come from hi's high nibble
                length = (hi & 0x0F) + 3
                if not 0 < offset <= len(dst):    # reject references outside the output
                    raise ValueError("bad back-reference at input offset %d" % (i - 2))
                for _ in range(length):           # byte-wise copy so overlapping runs work
                    dst.append(dst[-offset])
    return bytes(dst)
```
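As an added example that is not part of the original write-up, here is a reference encoder for the same flag-byte/token layout, together with a decoder that rejects references outside the output, so a constructed sample can be round-tripped and the 12-bit offset and 4-bit length limits checked. The function and constant names are my own assumptions, and the packer in the analysed binary may deviate from this layout.

```python
# Added example, not from the write-up: an encoder for the token layout that
# lz_decompress() consumes, plus a decoder that rejects bad references. Names are mine.
MAX_OFFSET = 0xFFF                  # 12-bit offset field: valid range 1..4095
MIN_MATCH, MAX_MATCH = 3, 0x0F + 3  # 4-bit length field + 3: range 3..18
def _find_match(data, pos):
    # Longest back-ref for data[pos:] in the window, else (0, 0); overlap is fine (byte-wise copy).
    best_len = best_off = 0
    for cand in range(max(0, pos - MAX_OFFSET), pos):
        n = 0
        while n < MAX_MATCH and pos + n < len(data) and data[cand + n] == data[pos + n]:
            n += 1
        if n > best_len:
            best_len, best_off = n, pos - cand
    return (best_len, best_off) if best_len >= MIN_MATCH else (0, 0)

def lz_compress(data):
    # Greedy encoder: flag bit set = literal byte, bit clear = 2-byte (lo, hi) token.
    out, pos = bytearray(), 0
    while pos < len(data):
        flag_idx, flags = len(out), 0; out.append(0)   # flags placeholder, patched after 8 items
        for bit in range(8):
            if pos >= len(data):
                break
            length, offset = _find_match(data, pos)
            if length:              # hi = offset bits 8..11 in the high nibble | length - 3
                out += bytes([offset & 0xFF, ((offset >> 4) & 0xF0) | (length - MIN_MATCH)])
                pos += length
            else:
                flags |= 1 << bit; out.append(data[pos]); pos += 1
        out[flag_idx] = flags
    return bytes(out)

def lz_decompress_checked(src):
    # Same format as the page's decoder, but a bad offset raises instead of misdecoding.
    i, dst = 0, bytearray()
    while i < len(src):
        flags = src[i]; i += 1
        for b in range(8):
            if i >= len(src):
                break
            if flags & (1 << b):
                dst.append(src[i]); i += 1
            else:
                lo, hi = src[i], src[i + 1]; i += 2   # IndexError on a truncated token
                offset, length = ((hi & 0xF0) << 4) | lo, (hi & 0x0F) + MIN_MATCH
                if not 0 < offset <= len(dst):
                    raise ValueError("back-reference points outside the output")
                for _ in range(length):
                    dst.append(dst[-offset])
    return bytes(dst)
```

Constructed input `b"abcabcabcabc"` encodes to `07 61 62 63 03 06`: three literals, then one token with offset 3 and length 9 (hi = 0x06 = 9 - 3).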
```bash
# 3. Install the required tools (Linux distro)
sudo apt update
sudo apt install -y unzip unrar p7zip-full binutils \
    radare2 ghidra yara clang gdb qemu-user-static \
    mingw-w64-tools mingw-w64-common \
    python3-pip && pip3 install lief capstone
```

The binary is a 32-bit Windows PE (PE32). On a modern 64-bit Linux host we will need the wine runtime for dynamic testing and the mingw tools for static analysis.

# 3. Extraction & Basic File Inspection

```bash
# Extract the rar archive
unrar x pc.rar
# → we obtain pc.exe (size ≈ 44 KB)

# File type
file pc.exe
# pc.exe: PE32 executable (GUI) Intel 80386, for MS Windows
```
```bash
# Convert a virtual address to its file offset (using the PE section headers);
# r2's ?p maps a virtual address to the physical (file) offset
r2 -qc "?p 0x403000" pc.exe
# → 0x00120000 (example)
```
```bash
r2 -A pc.exe
[0x00401000]> s entry0
[0x00401000]> pd 30
```

The first 30 instructions look like this (pseudo-assembly):