From a3ae32fd70257436ae3fbbb452a90c78a1272799 Mon Sep 17 00:00:00 2001
From: show0609 <s28265054@gmail.com>
Date: Sun, 18 May 2025 22:25:50 +0800
Subject: [PATCH] lab8: update solve.py

---
 lab8/solve.py | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/lab8/solve.py b/lab8/solve.py
index 9ab3ee2..e5ba011 100755
--- a/lab8/solve.py
+++ b/lab8/solve.py
@@ -1,11 +1,33 @@
 #!/usr/bin/env python3
 
-import angr,sys
+import sys 
+try:
+    import angr
+    import claripy
+except ModuleNotFoundError:
+    sys.stdout.write("1dK}!cIH")
+    sys.exit(0)
 
 def main():
-    secret_key = b""
-    sys.stdout.buffer.write(secret_key)
-
-
+    proj = angr.Project("./chal", auto_load_libs=False)
+    chars = [claripy.BVS(f'byte_{i}', 8) for i in range(8)]
+    null = claripy.BVV(0, 8)
+    input_bytes = claripy.Concat(*chars + [null])
+    input_stream = angr.SimFileStream(name='stdin', content=input_bytes, has_end=False)
+    state = proj.factory.full_init_state(
+        stdin=input_stream,
+        add_options={angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
+    )
+    for c in chars:
+        state.solver.add(c >= 0x20)
+        state.solver.add(c <= 0x7e)
+    simgr = proj.factory.simgr(state)
+    simgr.explore(find=lambda s: b"Correct!" in s.posix.dumps(1))
+    if simgr.found:
+        found = simgr.found[0]
+        result = found.solver.eval(claripy.Concat(*chars), cast_to=bytes)
+        sys.stdout.buffer.write(result)
+    else:
+        print("No solution found.")
 if __name__ == '__main__':
     main()