\n\nThis page has been machine-translated from the original page.
\n
I participated as a solo player in HITCON CTF 2024 and placed 120th.
\nI only solved one problem, so it’s a very short writeup.
\n\nA .cbc file (ClamAV bytecode signature file) was provided and we needed to determine what conditions that bytecode checks.
ClamAV can detect malicious files using three types of signatures:
\nBytecode signatures are compiled with clambc and distributed as .cbc files. When ClamAV scans a file, the bytecode is executed against it.
Running the file through clambc --printbcir disassembles the bytecode into a human-readable IR format.
The output is very long, but the key structure is:
\nclambc --printbcir AntiVirus.cbc > AntiVirus.cbc.irThe IR uses a virtual-register SSA form. Key instructions:
\n%RXX = load i8 ... from @apiptr[...] — read bytes from the scanned file%RXX = (RXXX RXXX == comparisons) Func0 performs the following checks at a high level:
\n0x18c bytes longMZ (i.e., 0x4d 0x5a) — a Windows PE headerIf all comparisons pass, the file is flagged as “malicious” — meaning it is actually the correct flag executable.
\nif (filesize != 0x18c) -> return NOT_FOUND\nif (bytes[0] != 0x4d) -> return NOT_FOUND\nif (bytes[1] != 0x5a) -> return NOT_FOUND\nfor i in 2..0x18c:\n transformed = Func1(input[i], i)\n if transformed != expected[i]: return NOT_FOUND\nreturn FOUND (i.e., this is the flag)Func1 takes the byte value and its index as inputs and applies a complex transformation across 93 basic blocks. The transformation involves:
\nFully reversing Func1 is possible but time-consuming due to the 93-block structure.
\nRather than fully reversing Func1, we can use a side-channel approach:
\n1185 = (1136 == 1184) pattern in the trace indicates a match)Patching libclamav to enable bytecode debug tracing:
\n# Build ClamAV with debug output enabled\ncmake .. -DCMAKE_BUILD_TYPE=Debug -DENABLE_BYTECODE_TRACE=ON\nmake -j$(nproc)Brute-force script:
\nimport subprocess\n\ntarget = 0\n\ndef bruteforce(target):\n for n in range(0x100):\n with open(\"print_flag.exe\", \"r+b\") as f:\n f.seek(2 + target)\n f.write(bytes([n]))\n\n command = [\"clamscan\", \"--bytecode-unsigned\", \"-d\", \"print_flag.cbc\", \"print_flag.exe\"]\n result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n outputs = result.stdout.decode(\"utf-8\").splitlines()\n\n is_find = False\n counter = 0\n for i, line in enumerate(outputs):\n if \"1185 = (1136 == 1184)\" in line:\n r = int(outputs[i+3][-1])\n if r == 1:\n if counter == target:\n is_find = True\n print(hex(n), line, counter, target)\n return n\n counter += 1\n else:\n break\n return -1\n\nfor x in range(0x18c - 2):\n r = bruteforce(target)\n if r >= 0:\n target += 1\n else:\n exit()Running this script takes several hours (worst-case complexity is 0xFF × 0x18c iterations, each requiring an EXE write and a clamscan invocation), but it successfully recovers the correct EXE byte by byte.
Once all bytes are recovered and the complete EXE is assembled, executing it yields the flag.
\nThis was a low-solver problem, but after studying ClamAV bytecode signatures and libclamav debug tracing, it was possible to solve it fairly smoothly.
\nIf you understand the bytecode IR format and can set up the debug trace pipeline, the brute-force approach — though slow — is methodical and reliable.
","fields":{"slug":"/ctf-hitcon-ctf-2024-antivirus-en","tagSlugs":["/tag/clam-av-en/","/tag/malware-en/","/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2024-08-17","description":"HITCON CTF 2024 Writeup — Reverse-engineering a ClamAV bytecode signature file","tags":["ClamAV (en)","Malware (en)","CTF (en)","Rev (en)","English"],"title":"HITCON CTF 2024 Writeup — AntiVirus (Rev)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-hitcon-ctf-2024-antivirus-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}