From fb31e03412cd175a69b17874d4c51dfae7a10051 Mon Sep 17 00:00:00 2001
From: linn <nature011235@gmail.com>
Date: Wed, 21 May 2025 16:16:45 +0800
Subject: [PATCH] done

---
 lab8/solve.py | 41 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/lab8/solve.py b/lab8/solve.py
index 9ab3ee2..2e8b5a9 100755
--- a/lab8/solve.py
+++ b/lab8/solve.py
@@ -1,10 +1,47 @@
 #!/usr/bin/env python3
 
 import angr,sys
+import claripy
 
 def main():
-    secret_key = b""
-    sys.stdout.buffer.write(secret_key)
+    proj = angr.Project('./chal')
+    
+ 
+    flag_chars = [claripy.BVS(f'flag_char_{i}', 8) for i in range(8)]
+    flag = claripy.Concat(*flag_chars)
+    
+  
+    stdin_stream = angr.SimFileStream('stdin', content=flag, has_end=True)
+    
+  
+    state = proj.factory.entry_state(
+        stdin=stdin_stream,
+        add_options={angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY, 
+                    angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS}
+    )
+    
+  
+    for c in flag_chars:
+        state.solver.add(c >= 32)
+        state.solver.add(c <= 126)
+    
+   
+    simgr = proj.factory.simulation_manager(state)
+    
+   
+    simgr.explore(find=lambda s: b"Correct!" in s.posix.dumps(1))
+    
+   
+    if simgr.found:
+        
+        solution_state = simgr.found[0]
+        solution = solution_state.solver.eval(flag, cast_to=bytes)
+     
+        sys.stdout.buffer.write(solution)
+    else:
+        print("No solution found!")
+        secret_key = b""
+        sys.stdout.buffer.write(secret_key)
 
 
 if __name__ == '__main__':