https://panda0s.top/2021/07/19/Google-CTF-2021/#POLYMORPH

Polymorph

You have many samples of the same malware, but it changes every time. Write an antivirus program that can discern between malicious and legitimate.

You can find the malware samples in the malware directory. The "malware" is not actually malicious and will not harm your computer. Instead, it will simply display the EICAR test file.

You have many samples of the same malware, but it changes every time. Write an antivirus program that can distinguish between malicious and legitimate.
You can find the malware samples in the `malware` directory. **The "malware" is not actually malicious and will not harm your computer. Instead, it will simply display the [EICAR test file](<https://secure.eicar.org/eicar.com.txt>).**

Your Antivirus Program

Your antivirus program must take a single command-line argument: the path to an executable file. It must exit(0) if the file is not malicious, or exit(nonzero) if the file is malicious. (Specifically, if it is a sample of the Polymorph malware). It must, on average, take less than 4 seconds to run per sample.

Your antivirus program must take a single command-line argument: the path to an executable file. It must `exit(0)` if the file is not malicious,
and `exit(nonzero)` if the file is malicious (specifically, if it is a sample of the Polymorph malware). On average, it must take less than 4 seconds to run per sample.
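A minimal scanner that follows the interface above, as an added example that is not part of the challenge files or of this writeup: one path argument in, exit status 0 for clean and non-zero for a Polymorph sample. The detection rule is an assumption, since the challenge text only says the samples display the EICAR test file, so the scanner looks for that signature in the binary; the polymorphic samples may well hide it, and the point of the scaffold is the contract (argument handling, exit codes, timing against the 4-second budget), not a finished detector.

```python
#!/usr/bin/env python3
"""Skeleton antivirus for the Polymorph contract (added example, not challenge code).

Contract from the challenge text: exactly one argument (path to an executable),
exit(0) when the file is clean, exit(nonzero) when it is a Polymorph sample,
and less than 4 seconds per sample on average.
"""
import sys
import time

# Canonical EICAR test string, harmless by design (see secure.eicar.org).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

CLEAN = 0        # exit(0): not malicious
MALICIOUS = 1    # any non-zero status counts as "malicious" to the autograder
USAGE_ERROR = 2  # also non-zero, so a bad invocation errs on the side of "malicious"


def is_polymorph_sample(data: bytes) -> bool:
    """Assumed signature rule: a sample carries the EICAR string it will display."""
    return EICAR in data


def classify_bytes(data: bytes) -> int:
    """Map the detection result onto the exit-status contract."""
    return MALICIOUS if is_polymorph_sample(data) else CLEAN


def classify_file(path: str) -> int:
    """Read the whole executable once and classify it."""
    with open(path, "rb") as fh:
        return classify_bytes(fh.read())


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <path-to-executable>", file=sys.stderr)
        return USAGE_ERROR
    start = time.monotonic()
    status = classify_file(argv[1])
    # stderr is visible on the public test cases, so report verdict and time there.
    verdict = "malicious" if status != CLEAN else "clean"
    print(f"{argv[1]}: {verdict} ({time.monotonic() - start:.3f}s)", file=sys.stderr)
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```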

The Autograder

You will submit your program to the Autograder to be judged. The Autograder will execute your program on two sets of binaries:
- the provided public "safe" and "malware" binaries
- a secret set of "safe" and "malware" binaries

Your program must be entirely accurate on the provided binaries, but is allowed to be slightly incorrect on the secret set. If the Autograder judges your program worthy, it shall present you with the flag.

To submit to the autograder, first send a newline-terminated solution to the proof-of-work challenge, followed by 4 little-endian bytes specifying the size of your antivirus file, followed by said antivirus file. You may use the provided upload_for_scoring.py to do this for you. Usage is ./upload_for_scoring.py <your-antivirus> <host> <port>.

You will submit your program to the Autograder for judging. The Autograder will execute your program on two sets of binaries:
- the provided public "safe" and "malware" binaries
- a secret set of "safe" and "malware" binaries
Your program must be entirely accurate on the provided binaries, but is allowed to be slightly incorrect on the secret set.
If the Autograder judges your program worthy, it will present you with the flag.
To submit to the autograder, first send a newline-terminated solution to the proof-of-work challenge,
followed by 4 little-endian bytes specifying the size of your antivirus file, followed by the antivirus file itself. You may use the provided

Debugging

You will be permitted to see the stderr and stdout of your binary when running on the public test cases. Be sure to test your detection techniques on the autograder before developing them too much - some operations may be disallowed in the sandboxed environment.

You will be permitted to see the stderr and stdout of your binary when running on the public test cases. Be sure to test your detection techniques
on the autograder before developing them too much - some operations may be disallowed in the sandboxed environment.