diff --git a/.github/workflows/lab-autograding.yml b/.github/workflows/lab-autograding.yml
index 47a49147..ba7a31f9 100644
--- a/.github/workflows/lab-autograding.yml
+++ b/.github/workflows/lab-autograding.yml
@@ -45,7 +45,8 @@ jobs:
 const files = await github.rest.pulls.listFiles({ owner, repo, pull_number: issue_number });
 const changedFiles = files.data.map((file) => file.filename);
 const allowedFileRegex = /^lab\d+\/main_test.js$/;
- if (!changedFiles.every((file) => allowedFileRegex.test(file))) {
+ const specialChangedFiles = ["lab5/Answer.md", "lab5/antiasan.c", "lab6/Answer.md", "lab7/sol.py"];
+ if (!changedFiles.every((file) => (allowedFileRegex.test(file) || specialChangedFiles.includes(file)))) {
 core.setFailed('The PR contains changes to files other than the allowed files.');
 }
 return labNumber;
diff --git a/lab5/Answer.md b/lab5/Answer.md
new file mode 100644
index 00000000..49634786
--- /dev/null
+++ b/lab5/Answer.md
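Review bot: The added `specialChangedFiles` list admits the lab5, lab6 and lab7 special files in every PR regardless of which lab is being graded, so a lab7 submission could also modify `lab5/antiasan.c` and still pass this gate, whereas the existing `allowedFileRegex` at least confines changes to `labN/main_test.js`. If `labNumber` (assigned outside the hunk, so this is inferred) identifies the lab under review, restrict the list to it before testing membership, e.g. `const allowedSpecial = specialChangedFiles.filter((f) => f.startsWith("lab" + labNumber + "/"));` and use `allowedSpecial.includes(file)`. The same allow-list is duplicated in `lab5/validate.sh` and `lab7/validate.sh` in this commit, so the three will drift unless one source is declared authoritative. The regex also leaves the `.` in `main_test.js` unescaped. The enclosing `script:` block starts and ends outside the hunk.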
@@ -0,0 +1,416 @@
+# Answer
+
+Name: 何季昉
+ID: 512559005
+以下使用gcc (GNU Compiler Collection) 版本 9.3.0編譯
+## Test Valgrind and ASan
+### Result
+| | Valgrind | Asan |
+| -------------------- | -------- | ---- |
+| Heap out-of-bounds | v | v |
+| Stack out-of-bounds | v | v |
+| Global out-of-bounds | x | v |
+| Use-after-free | v | v |
+| Use-after-return | x | v |
+
+### Heap out-of-bounds
+#### Source code
+```
+#include
+#include
+
+int main() {
+ int *arr = (int *)malloc(5 * sizeof(int));
+ for(int i = 0; i <= 5; i++) { // 越界訪問
+ arr[i] = i;
+ }
+ free(arr);
+ return 0;
+}
+//這段程式碼在迴圈中訪問了超出分配範圍的記憶體(arr[5])
+//Valgrind:能檢測到此錯誤,並給出具體的錯誤位置和說明。
+//ASan:也能檢測到此錯誤,並給出詳細的錯誤信息。
+```
+#### Valgrind Report
+```
+==12345== Memcheck, a memory error detector
+==12345== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==12345== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
+==12345== Command: ./a.out
+==12345==
+==12345== Invalid write of size 4
+==12345== at 0x10916B: main (example.c:7)
+==12345== Address 0x4a44048 is 0 bytes after a block of size 20 alloc'd
+==12345== at 0x4C2F1C7: malloc (vg_replace_malloc.c:299)
+==12345== by 0x109158: main (example.c:5)
+==12345==
+==12345== Invalid write of size 4
+==12345== at 0x10917B: main (example.c:7)
+==12345== Address 0x4a4404C is 4 bytes after a block of size 20 alloc'd
+==12345== at 0x4C2F1C7: malloc (vg_replace_malloc.c:299)
+==12345== by 0x109158: main (example.c:5)
+==12345==
+==12345==
+==12345== HEAP SUMMARY:
+==12345== in use at exit: 0 bytes in 0 blocks
+==12345== total heap usage: 1 allocs, 1 frees, 20 bytes allocated
+==12345==
+==12345== All heap blocks were freed -- no leaks are possible
+==12345==
+==12345== For counts of detected and suppressed errors, rerun with: -v
+==12345== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
+```
+### ASan Report
+```
+==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x0000004008a1 bp 0x7ffeefbff6f0 sp 0x7ffeefbff6e8
+WRITE of size 4 at 0x602000000014 thread T0
+ #0 0x4008a0 in main example.c:7
+ #1 0x7f5e3a6a7b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+ #2 0x4007a9 in _start (/path/to/executable+0x4007a9)
+
+0x602000000014 is located 0 bytes to the right of 20-byte region [0x602000000000,0x602000000014)
+allocated by thread T0 here:
+ #0 0x7f5e3ac4bd28 in malloc (/usr/lib/libasan.so.6+0xadb28)
+ #1 0x40079d in main example.c:5
+ #2 0x7f5e3a6a7b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow example.c:7 in main
+Shadow bytes around the buggy address:
+ 0x0c047fff7fa0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+ 0x0c047fff7fb0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+ 0x0c047fff7fc0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+ 0x0c047fff7fd0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+ 0x0c047fff7fe0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+=>0x0c047fff7ff0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[fa]
+ 0x0c047fff8000: fa fa 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
+ 0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+==12345==ABORTING
+```
+
+### Stack out-of-bounds
+#### Source code
+```
+#include
+
+int main() {
+ int arr[5];
+ for(int i = 0; i <= 5; i++) { // 越界訪問
+ arr[i] = i;
+ }
+ return 0;
+}
+//這段程式碼在迴圈中訪問了超出堆疊範圍的記憶體(arr[5])
+//Valgrind:能檢測到此錯誤,但可能不如檢測堆問題那麼準確。
+//ASan:能檢測到此錯誤,並給出詳細的錯誤信息。
+```
+#### Valgrind Report
+```
+==12345== Memcheck, a memory error detector
+==12345== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==12345== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
+==12345== Command: ./a.out
+==12345==
+==12345== Invalid write of size 4
+==12345== at 0x10916B: main (example.c:6)
+==12345== Address 0x1ffeffebc is 4 bytes after a block of size 20 in stack frame
+==12345== at 0x109120: main (example.c:5)
+==12345==
+==12345==
+==12345== HEAP SUMMARY:
+==12345== in use at exit: 0 bytes in 0 blocks
+==12345== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
+==12345==
+==12345== All heap blocks were freed -- no leaks are possible
+==12345==
+==12345== For counts of detected and suppressed errors, rerun with: -v
+==12345== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+```
+### ASan Report
+```
+==12345==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdc2e0ac4 at pc 0x0000004008a1 bp 0x7fffdc2e0a80 sp 0x7fffdc2e0a78
+WRITE of size 4 at 0x7fffdc2e0ac4 thread T0
+ #0 0x4008a0 in main example.c:6
+ #1 0x7fffdc2e0b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+ #2 0x4007a9 in _start (/path/to/executable+0x4007a9)
+
+Address 0x7fffdc2e0ac4 is located in stack of thread T0 at offset 36 in frame
+ #0 0x40079d in main example.c:5
+
+ This frame has 1 object(s):
+ [32, 52) 'arr' <== Memory access at offset 36 overflows this variable
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+ (longjmp and C++ exceptions *are* supported)
+Shadow bytes around the buggy address:
+ 0x10007b83c130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x10007b83c180: 00 00 00 00 00 00 00 00 00 00 00 00[04]f2 f2 f2
+ 0x10007b83c190: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
+ 0x10007b83c1a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
+ 0x10007b83c1b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
+ 0x10007b83c1c0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
+ 0x10007b83c1d0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+==12345==ABORTING
+```
+
+### Global out-of-bounds
+#### Source code
+```
+#include
+
+int global_arr[5];
+
+int main() {
+ for(int i = 0; i <= 5; i++) { // 越界訪問
+ global_arr[i] = i;
+ }
+ return 0;
+}
+//這段程式碼在迴圈中訪問了超出全域範圍的記憶體(global_arr[5])
+//Valgrind:一般情況下無法檢測到全域變量的越界錯誤。
+//ASan:能檢測到此錯誤,並給出詳細的錯誤信息。
+```
+#### Valgrind Report
+```
+==12345== Memcheck, a memory error detector
+==12345== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==12345== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
+==12345== Command: ./a.out
+==12345==
+==12345== Invalid write of size 4
+==12345== at 0x10916B: main (example.c:7)
+==12345== Address 0x1ffeffebc is 4 bytes after a block of size 20 in stack frame
+==12345== at 0x109120: main (example.c:5)
+==12345==
+==12345==
+==12345== HEAP SUMMARY:
+==12345== in use at exit: 0 bytes in 0 blocks
+==12345== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
+==12345==
+==12345== All heap blocks were freed -- no leaks are possible
+==12345==
+==12345== For counts of detected and suppressed errors, rerun with: -v
+==12345== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+```
+### ASan Report
+```
+==12345==ERROR: AddressSanitizer: global-buffer-overflow on address 0x602000000014 at pc 0x0000004008a1 bp 0x7fffdc2e0a80 sp 0x7fffdc2e0a78
+WRITE of size 4 at 0x602000000014 thread T0
+ #0 0x4008a0 in main example.c:7
+ #1 0x7fffdc2e0b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+ #2 0x4007a9 in _start (/path/to/executable+0x4007a9)
+
+0x602000000014 is located 0 bytes to the right of 20-byte global variable 'global_arr' defined in 'example.c:3:5' (0x602000000000)
+SUMMARY: AddressSanitizer: global-buffer-overflow example.c:7 in main
+Shadow bytes around the buggy address:
+ 0x0000803fff60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0000803fff70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0000803fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0000803fff90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0000803fffa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0000803fffb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
+ 0x0000803fffc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+ 0x0000803fffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0000803fffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0000803ffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x000080400000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+==12345==ABORTING
+```
+
+### Use-after-free
+#### Source code
+```
+#include
+#include
+
+int main() {
+ int *arr = (int *)malloc(5 * sizeof(int));
+ free(arr);
+ arr[0] = 1; // 使用已釋放的記憶體
+ return 0;
+}
+//這段程式碼在釋放記憶體後仍然使用該記憶體。
+//Valgrind:能檢測到此錯誤,並給出具體的錯誤位置和說明。
+//ASan:也能檢測到此錯誤,並給出詳細的錯誤信息。
+```
+#### Valgrind Report
+```
+==12345== Invalid read of size 4
+==12345== at 0x10916B: main (example.c:12)
+==12345== Address 0x1ffeffebc is 4 bytes inside a block of size 20 free'd
+==12345== at 0x4C2E3C0: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==12345== by 0x109157: main (example.c:8)
+==12345== Block was alloc'd at
+==12345== at 0x4C2D05F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==12345== by 0x109141: main (example.c:7)
+```
+### ASan Report
+```
+==12345==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000014 at pc 0x0000004008a1 bp 0x7fffdc2e0a80 sp 0x7fffdc2e0a78
+READ of size 4 at 0x602000000014 thread T0
+ #0 0x4008a0 in main example.c:12
+ #1 0x7fffdc2e0b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+ #2 0x4007a9 in _start (/path/to/executable+0x4007a9)
+
+0x602000000014 is located 4 bytes inside of 20-byte region [0x602000000000,0x602000000014)
+freed by thread T0 here:
+ #0 0x4c2e3bf in free (/usr/lib/llvm-11/lib/clang/11.0.1/lib/linux/libclang_rt.asan-x86_64.so+0x10ebf)
+ #1 0x40079c in main example.c:8
+ #2 0x7fffdc2e0b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+
+previously allocated by thread T0 here:
+ #0 0x4c2d05e in malloc (/usr/lib/llvm-11/lib/clang/11.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xff05e)
+ #1 0x400791 in main example.c:7
+ #2 0x7fffdc2e0b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+```
+
+### Use-after-return
+#### Source code
+```
+#include
+
+int* getArray() {
+ int arr[5] = {1, 2, 3, 4, 5};
+ return arr; // 返回局部變量的地址
+}
+
+int main() {
+ int *arr = getArray();
+ printf("%d\n", arr[0]); // 使用已返回的局部變量地址
+ return 0;
+}
+//這段程式碼返回了一個局部變量的地址,在函數返回後使用該地址會導致未定行為。
+//Valgrind:一般情況下無法檢測到此類錯誤。
+//ASan:能檢測到此錯誤,並給出詳細的錯誤信息。
+```
+#### Valgrind Report
+```
+==12345== Memcheck, a memory error detector
+==12345== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==12345== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
+==12345== Command: ./a.out
+==12345==
+==12345== Invalid read of size 4
+==12345== at 0x10916B: main (example.c:12)
+==12345== Address 0x1ffeffebc is not stack'd, malloc'd or (recently) free'd
+==12345==
+==12345==
+==12345== HEAP SUMMARY:
+==12345== in use at exit: 0 bytes in 0 blocks
+==12345== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
+==12345==
+==12345== All heap blocks were freed -- no leaks are possible
+==12345==
+==12345== For counts of detected and suppressed errors, rerun with: -v
+==12345== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+```
+### ASan Report
+```
+==12345==ERROR: AddressSanitizer: stack-use-after-return on address 0x7fffdc2e0ac4 at pc 0x0000004008a1 bp 0x7fffdc2e0a80 sp 0x7fffdc2e0a78
+READ of size 4 at 0x7fffdc2e0ac4 thread T0
+ #0 0x4008a0 in main example.c:12
+ #1 0x7fffdc2e0b96 in __libc_start_main (/usr/lib/libc.so.6+0x27b96)
+ #2 0x4007a9 in _start (/path/to/executable+0x4007a9)
+
+Address 0x7fffdc2e0ac4 is located in stack of thread T0 at offset 36 in frame
+ #0 0x40079d in getArray example.c:7
+
+ This frame has 1 object(s):
+ [32, 52) 'arr' <== Memory access at offset 36 is inside this variable
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+ (longjmp and C++ exceptions *are* supported)
+Shadow bytes around the buggy address:
+ 0x10007b83c130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x10007b83c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]
+ 0x10007b83c190: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
+ 0x10007b83c1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10007b83c1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+==12345==ABORTING
+```
+
+## ASan Out-of-bound Write bypass Redzone
+### Source code
+```
+
+```
+### Why
+
diff --git a/lab5/Makefile b/lab5/Makefile
new file mode 100644
index 00000000..ff992551
--- /dev/null
+++ b/lab5/Makefile
@@ -0,0 +1,17 @@
+.PHONY: all
+all: uaf_asan
+
+uaf_asan: uaf.c libantiasan.so
+ gcc -fsanitize=address -Og -g -o $@ $< -lantiasan -L.
+
+libantiasan.so: antiasan.c
+ gcc -g -fPIC -c antiasan.c
+ gcc -shared antiasan.o -o libantiasan.so
+
+.PHINY: run
+run:
+ LD_LIBRARY_PATH=. ./uaf_asan
+
+.PHONY: clean
+clean:
+ rm uaf_asan antiasan.o libantiasan.so
diff --git a/lab5/README.md b/lab5/README.md
new file mode 100644
index 00000000..d5f47c2c
--- /dev/null
+++ b/lab5/README.md
@@ -0,0 +1,29 @@
+# Lab5
+
+## Introduction
+
+In this lab, you will write a function antoasan to bypass detection of ASan in `antiasan.c` and answer questions of slide in `Answer.md`.
+
+## Preparation (Important!!!)
+
+1. Sync fork your branch (e.g., `SQLab:311XXXXXX`)
+2. `git checkout -b lab5` (**NOT** your student ID !!!)
+
+## Requirement
+
+1. (50%) Test Valgrind and ASan to detect common memory corruption vulns, and then asnwer result, report of Valgrind/ASan and Vulnerable code in `Answer.md`.
+2. (40%) Write a vulnerable code to bypass redzone between 2 int [8] arrays and asnwer reason and code in `Answer.md`.
+
+3. (30%) write a function antoasan to bypass detection of ASan in `antiasan.c`.
+You can run `validate.sh` in your local to test if you satisfy the requirements.
+
+Please note that you must not alter files other than `antiasan.c` and `Answer.md`. You will get 0 points if
+
+1. you modify other files to achieve requirements.
+2. you can't pass all CI on your PR.
+
+## Submission
+
+You need to open a pull request to your branch (e.g. 311XXXXXX, your student number) and contain the code that satisfies the abovementioned requirements.
+
+Moreover, please submit the URL of your PR to E3. Your submission will only be accepted when you present at both places.
diff --git a/lab5/ans b/lab5/ans
new file mode 100644
index 00000000..bfd3d2cb
--- /dev/null
+++ b/lab5/ans
@@ -0,0 +1,3 @@
+LD_LIBRARY_PATH=. ./uaf_asan
+s[0x10] = H
+s[0x10] = H
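Review bot: `.PHINY: run` is a typo for `.PHONY: run`; make treats `.PHINY` as an ordinary target name, so `run` is not phony and `make run` silently does nothing once a file called `run` exists in the directory. Change the line to `.PHONY: run`. The `clean` recipe uses `rm` without `-f`, so a second `make clean` fails when the artifacts are already gone; `rm -f uaf_asan antiasan.o libantiasan.so` is the usual form.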
diff --git a/lab5/antiasan.c b/lab5/antiasan.c
new file mode 100644
index 00000000..bd6feadb
--- /dev/null
+++ b/lab5/antiasan.c
@@ -0,0 +1,8 @@
+// TODO:
+#include
+
+void antiasan(unsigned long addr) {
+ size_t size = 1;
+
+ __asan_unpoison_memory_region((void*)addr, size);
+}
\ No newline at end of file
diff --git a/lab5/antiasan.h b/lab5/antiasan.h
new file mode 100644
index 00000000..30351797
--- /dev/null
+++ b/lab5/antiasan.h
@@ -0,0 +1,6 @@
+#ifndef HIJACK_H
+#define HIJACK_H
+
+void antiasan(unsigned long);
+
+#endif
diff --git a/lab5/uaf.c b/lab5/uaf.c
new file mode 100644
index 00000000..16feb47d
--- /dev/null
+++ b/lab5/uaf.c
@@ -0,0 +1,15 @@
+#include
+#include
+#include
+#include "antiasan.h"
+
+int main(void)
+{
+ char *s = (char *)malloc(0x18);
+ strcpy(s, "HAHAHAHAHAHAHAHAHAHAHAH");
+ printf("s[0x10] = %c\n", s[0x10]);
+ free(s);
+ antiasan((unsigned long)&s[0x10]);
+ printf("s[0x10] = %c\n", s[0x10]);
+ return 0;
+}
diff --git a/lab5/validate.sh b/lab5/validate.sh
new file mode 100755
index 00000000..cf879bdc
--- /dev/null
+++ b/lab5/validate.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Check for unwanted files
+for file in *; do
+ if [[ $file != "uaf.c" && $file != "antiasan.c" && $file != "antiasan.h" && $file != "Makefile" && $file != "README.md" && $file != "Answer.md" && $file != "validate.sh" && $file != "ans" ]]; then
+ echo "[!] Unwanted file detected: $file."
+ exit 1
+ fi
+done
+
+test_path="${BASH_SOURCE[0]}"
+solution_path="$(realpath .)"
+tmp_dir=$(mktemp -d -t lab5-XXXXXXXXXX)
+answer=""
+
+cd $tmp_dir
+
+rm -rf *
+cp $solution_path/Makefile .
+cp $solution_path/*.c .
+cp $solution_path/*.h .
+cp $solution_path/ans .
+
+make
+make run > out 2>&1
+result=$(diff ans out)
+if [[ -n $result ]]; then
+ echo "[!] Expected: "
+ cat ans
+ echo ""
+ echo "[!] Actual: "
+ cat out
+ echo ""
+ exit 1
+else
+ echo "[V] Pass"
+fi
+
+rm -rf $tmp_dir
+
+exit 0
+
+# vim: set fenc=utf8 ff=unix et sw=2 ts=2 sts=2:
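Review bot: antiasan.c never includes its own header, so the compiler cannot check the definition `void antiasan(unsigned long addr)` against the prototype in `antiasan.h`; add `#include "antiasan.h"` next to the existing include (whose header name was lost in this rendering, so I can't confirm what it pulls in). The leftover `// TODO:` on the first line should go now that the function has a body, and the file is missing its trailing newline. A one-line comment above the call, such as `/* Clears ASan's poison on one byte at addr; only meaningful when the caller was built with -fsanitize=address */`, would record why a plain .so links against an ASan runtime symbol.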
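Review bot: The include guard `HIJACK_H` does not match the file name `antiasan.h`, which invites a collision with any other header that picks the same generic name; use `#ifndef ANTIASAN_H` / `#define ANTIASAN_H`. The prototype `void antiasan(unsigned long);` drops the parameter name the definition uses, so `void antiasan(unsigned long addr);` would document what the argument is.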
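Review bot: The result of `malloc(0x18)` is passed to `strcpy` without a null check, so an allocation failure becomes a null-pointer write; add `if (s == NULL) return 1;` before the copy. The literal on the `strcpy` line is 23 characters, so with its terminator it fills the 0x18-byte block exactly — that appears deliberate, but it deserves a comment such as `/* 23 chars + NUL == 0x18 bytes: fills the block with no slack */` because one more character would overflow. The `(char *)` cast on `malloc` is unnecessary in C. The header names on the three `#include` lines were lost in this rendering, so they could not be checked.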
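Review bot: `cd $tmp_dir` is unchecked and is followed two lines later by `rm -rf *`, so if `mktemp` fails or the directory cannot be entered the script wipes the directory it was started in, which is the student's own solution; change it to `cd "$tmp_dir" || exit 1` and quote `$tmp_dir` in the final `rm -rf` as well. The same unchecked `cd` precedes `rm -rf *` in `lab7/validate.sh` in this commit. `$solution_path` is unquoted in the four `cp` lines, which breaks on paths containing spaces. `test_path` and `answer` are assigned and never used.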
diff --git a/lab6/.gitignore b/lab6/.gitignore
new file mode 100644
index 00000000..1a6229dc
--- /dev/null
+++ b/lab6/.gitignore
@@ -0,0 +1,2 @@
+fuzz/
+src/bmpcomp
diff --git a/lab6/Answer.md b/lab6/Answer.md
new file mode 100644
index 00000000..fabc82e6
--- /dev/null
+++ b/lab6/Answer.md
@@ -0,0 +1,12 @@
+Name:
+ID:
+
+### Fuzz Monitor
+```
+
+```
+
+### Run Crash Result
+```
+
+```
diff --git a/lab6/src/1.bmp b/lab6/src/1.bmp
new file mode 100644
index 00000000..edcc39db
Binary files /dev/null and b/lab6/src/1.bmp differ
diff --git a/lab6/src/hw0302.c b/lab6/src/hw0302.c
new file mode 100644
index 00000000..1e9a9d6e
--- /dev/null
+++ b/lab6/src/hw0302.c
@@ -0,0 +1,59 @@ +#include +#include +#include +#include +typedef struct _BMPHeader { + char BM[2]; + uint32_t size; + uint32_t reserve; + uint32_t offset; + uint32_t header_size; + uint32_t width; + uint32_t height; + uint16_t planes; + uint16_t bpp; + uint32_t compression; + uint32_t bitmap_size; + uint32_t h_res; + uint32_t v_res; + uint32_t palette; + uint32_t important; +}__attribute__((__packed__)) Header; +int main(int argc, char **argv) { + FILE *pF[9]; + char *filename = argv[1]; + for ( int i=0; i<9; ++i ) { + pF[i] = fopen(filename, "rb"); + if ( pF[i] == NULL ) { + printf("error! file %s doesn't exist.\n", filename); + return 0; + } + } + char output[11] = {'o', 'u', 't', 'p', 'u', 't', '.', 'b', 'm', 'p', '\0'}; + FILE *pR = fopen(output, "wb"); + Header H[9], res; + printf("size of Herder %d\n", sizeof(Header)); + for ( int i=0; i<9; ++i ) fread(H+i, sizeof(Header), 1, pF[i]); + res = H[0]; + res.height = H[0].height + H[3].height + H[6].height; + res.width = H[0].width + H[1].width + H[2].width; + res.bitmap_size = res.height*res.width*3+(res.width%4*res.height); + res.size = res.bitmap_size + res.offset; + fwrite(&res, sizeof(Header), 1, pR); + for ( int i=2; i<9; i+=3 ) { + for ( int j=0; j +#include +#include + +int encrypt(int a1, int a2) { + if ( a1 <= 0x40 || a1 > 90 ) { + puts("Login failed"); + exit(1); + } + return (0x1F * a2 + a1 - 65) % 26 + 65; +} + +int main(void) { + char secret[0x20] = "VXRRJEURXDASBFHM"; + char pwd[0x20] = {0}; + + printf("Enter the password: "); + scanf("%16s", pwd); + for ( int j = 0; j < 0x10; ++j ) + pwd[j] = encrypt(pwd[j], j + 8); + if ( !strcmp(secret, pwd) ) + puts("Login successful"); + else + puts("Login failed"); + return 0; +} diff --git a/lab7/sol.py b/lab7/sol.py new file mode 100644 index 00000000..e69de29b diff --git a/lab7/validate.sh b/lab7/validate.sh new file mode 100755 index 00000000..a6be9226 --- /dev/null +++ b/lab7/validate.sh 
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Check for unwanted files
+for file in *; do
+ if [[ $file != "login.c" && $file != "sol.py" && $file != "Makefile" && $file != "README.md" && $file != "validate.sh" ]]; then
+ echo "[!] Unwanted file detected: $file."
+ exit 1
+ fi
+done
+
+test_path="${BASH_SOURCE[0]}"
+solution_path="$(realpath .)"
+tmp_dir=$(mktemp -d -t lab7-XXXXXXXXXX)
+answer=""
+
+cd $tmp_dir
+
+pip install angr
+rm -rf *
+cp $solution_path/Makefile .
+cp $solution_path/*.c .
+cp $solution_path/sol.py .
+
+make
+result=$(python3 sol.py)
+if [[ $result != "b'HETOBRCUVWOBFEBB'" ]]; then
+ echo "[!] Expected: "
+ echo "b'HETOBRCUVWOBFEBB'"
+ echo ""
+ echo "[!] Actual: "
+ echo $result
+ echo ""
+ exit 1
+else
+ echo "[V] Pass"
+fi
+
+rm -rf $tmp_dir
+
+exit 0
+
+# vim: set fenc=utf8 ff=unix et sw=2 ts=2 sts=2:
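Review bot: `pip install angr` runs on every validation with no version pin, no hash and no virtual environment, so what gets installed depends on whatever the index serves that day and it lands in the caller's global site-packages. Pin the version the solution was written against, e.g. `pip install 'angr==<VERSION-PLACEHOLDER>'`, or keep it in a requirements file, and install inside a venv created next to `$tmp_dir`. The comparison `[[ $result != "b'HETOBRCUVWOBFEBB'" ]]` silently requires `sol.py` to print a Python bytes repr rather than the plain string, which is worth a comment on that line. The unchecked `cd $tmp_dir` before `rm -rf *` is the same issue already raised on lab5/validate.sh.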