From 551c30708be7fe4885689ff13565b7c4e8cfcd3f Mon Sep 17 00:00:00 2001
From: yungen-lu <70182238+yungen-lu@users.noreply.github.com>
Date: Thu, 22 May 2025 09:56:55 +0800
Subject: [PATCH] finish lab8

---
 lab8/solve.py | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/lab8/solve.py b/lab8/solve.py
index 9ab3ee2..85c9d20 100755
--- a/lab8/solve.py
+++ b/lab8/solve.py
@@ -1,11 +1,38 @@
 #!/usr/bin/env python3
-import angr,sys
+import angr
+import claripy
+import sys
+
 def main():
- secret_key = b""
- sys.stdout.buffer.write(secret_key)
+ # Create the project
+ project = angr.Project("./chal")
+
+ # Create a symbolic bitvector for the 8-byte input
+ input_size = 8
+ sym_input = claripy.BVS("sym_input", input_size * 8)
+
+ # Create an initial state with symbolic stdin
+ # The program reads from stdin using fgets
+ initial_state = project.factory.entry_state(stdin=sym_input)
+
+ # Create a simulation manager
+ simgr = project.factory.simulation_manager(initial_state)
+
+ simgr.explore(find=lambda s: b"Correct!" in s.posix.dumps(1))
+
+ if simgr.found:
+ found_state = simgr.found[0]
+ # Retrieve the symbolic stdin content
+ solution_bytes = found_state.solver.eval(sym_input, cast_to=bytes)
+ solution = solution_bytes[:input_size] # Ensure it's exactly 8 bytes
+ else:
+ print("No solution found!", file=sys.stderr)
+ solution = b""
+
+ sys.stdout.buffer.write(solution)
-if __name__ == '__main__':
+if __name__ == "__main__":
 main()
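Review bot: The failure path in the new `main()` exits with status 0 — after `print("No solution found!", file=sys.stderr)` the script still writes empty bytes to stdout and returns normally, so a caller or grader cannot distinguish an unsolved run from a solved one; add `sys.exit(1)` in the else branch. The comment states the binary reads stdin with fgets, yet nothing constrains the symbolic bytes, so the solver may hand back a solution containing `\n` or `\x00` that angr's model accepts but the real program would truncate; if that reading of the binary is right, constrain each byte before exploring, e.g. `for b in sym_input.chop(8): initial_state.solver.add(b != 0, b != ord("\n"))`. The slice `solution_bytes[:input_size]` is a no-op because `sym_input` is exactly `input_size * 8` bits wide and `eval(..., cast_to=bytes)` returns that many bytes, so the "Ensure it's exactly 8 bytes" comment is misleading — drop the slice or reword it as `# eval returns exactly input_size bytes for a 64-bit BVS`. Passing `auto_load_libs=False` to `angr.Project` would skip loading shared libraries the exploration does not need, which keeps the run shorter for a stdin-driven challenge like this.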