From 19582878ff6c64bd46888df071c961477304ae7b Mon Sep 17 00:00:00 2001
From: Chen Chun-Hsuan <hsuan@Hsuans-MacBook-Air.local>
Date: Thu, 22 May 2025 08:41:10 +0800
Subject: [PATCH] feat: finish solve.py

---
 lab8/solve.py | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/lab8/solve.py b/lab8/solve.py
index 9ab3ee2..4e801a8 100755
--- a/lab8/solve.py
+++ b/lab8/solve.py
@@ -1,10 +1,39 @@
 #!/usr/bin/env python3
 
-import angr,sys
+import angr
+import claripy
+import sys
+
+angr.loggers.disable_root_logger()
+
+def is_flag_found(state):
+    output = state.posix.dumps(1)
+    return b"flag" in output
 
 def main():
-    secret_key = b""
-    sys.stdout.buffer.write(secret_key)
+    project = angr.Project("./chal", auto_load_libs=False)
+
+    sym_chars = [claripy.BVS(f'byte_{i}', 8) for i in range(8)]
+    sym_input = claripy.Concat(*sym_chars)
+
+    state = project.factory.full_init_state(
+        stdin = angr.SimFileStream(name='stdin', content=sym_input, has_end=True)
+    )
+
+
+    simgr = project.factory.simgr(state)
+
+    simgr.explore(
+        find = lambda s:b"Correct!" in s.posix.dumps(1)
+    )
+
+    if simgr.found:
+        found = simgr.found[0]
+        secret_key = found.solver.eval(sym_input, cast_to=bytes)
+        sys.stdout.buffer.write(secret_key)
+    else:
+        print("No solution found!")
+        sys.exit(1)
 
 
 if __name__ == '__main__':