Update solve.py

Author: banana1715

lab8/solve.py

@@ -4,30 +4,37 @@
 import sys
 
 def main():
-   proj = angr.Project('./chal', auto_load_libs=False)
+    # 載入二進位，不載入動態函式庫加快速度
+    proj = angr.Project('./chal', auto_load_libs=False)
 
-    #建立8-bit輸入
-    sym_chars = [claripy.BVS(f'byte_{i}', 8) for i in range(8)]
-    sym_input = claripy.Concat(*sym_chars)
+    # 建立 8 個符號字元
+    flag_chars = [claripy.BVS(f'c{i}', 8) for i in range(8)]
+    flag = claripy.Concat(*flag_chars)
 
-    #初始化執行狀態並模擬stdin輸入
-    state = proj.factory.full_init_state(
-        stdin = angr.SimFileStream(name='stdin', content=sym_input, has_end=True)
-    )
+    # 製作帶有符號輸入的初始狀態
+    # has_end=True 表示讀到 flag 後即結束輸入
+    stdin = angr.SimFileStream(name='stdin', content=flag, has_end=True)
+    state = proj.factory.full_init_state(stdin=stdin)
 
-    #建立模擬器並開始搜尋個別狀態
-    simgr = proj.factory.simgr(state)
-    simgr.explore(
-        find = lambda s:b"Correct!" in s.posix.dumps(1)
-    )
+    # 限制每個字元為可列印 ASCII（32~126）
+    for c in flag_chars:
+        state.solver.add(c >= 0x20)
+        state.solver.add(c <= 0x7e)
+
+    simgr = proj.factory.simulation_manager(state)
+
+    # 尋找印出「Correct! The flag is」的路徑
+    target = b"Correct! The flag is"
+    simgr.explore(find=lambda s: target in s.posix.dumps(1))
 
-    #找到則輸出結果，否則輸出 "No solution found!"
     if simgr.found:
         found = simgr.found[0]
-        secret_key = found.solver.eval(sym_input, cast_to=bytes)
-        sys.stdout.buffer.write(secret_key)
+        # 求解出具體 key
+        solution = found.solver.eval(flag, cast_to=bytes)
+        # 輸出到 stdout，供 validate.sh 傳給 chal
+        sys.stdout.buffer.write(solution)
     else:
-        print("No solution found!")
+        print("No solution found.", file=sys.stderr)
         sys.exit(1)
 
 if __name__ == '__main__':