From 3aa9318985e3c0e012edb61462f6fbbf529ccac6 Mon Sep 17 00:00:00 2001
From: bruce6005
Date: Thu, 22 May 2025 14:55:11 +0800
Subject: [PATCH] 0522
---
 lab2/main_test.js | 3 ++-
 lab8/solve.py | 33 ++++++++++++++++++++++++++++-----
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/lab2/main_test.js b/lab2/main_test.js
index b2047910..8651f965 100644
--- a/lab2/main_test.js
+++ b/lab2/main_test.js
@@ -92,8 +92,9 @@ test('Application: notifySelected()', () => {
 mockWrite.mock.restore();
 mockSend.mock.restore();
 });
-=======
 const { Application, MailSystem } = require('./main');
 // TODO: write your tests here
 // Remember to use Stub, Mock, and Spy when necessary
+
+const { Application, MailSystem } = require('./main');
diff --git a/lab8/solve.py b/lab8/solve.py
index 9ab3ee2f..3fd897fb 100755
--- a/lab8/solve.py
+++ b/lab8/solve.py
@@ -1,11 +1,34 @@
 #!/usr/bin/env python3
-import angr,sys
+import angr
+import claripy
+import sys
-def main():
- secret_key = b""
- sys.stdout.buffer.write(secret_key)
+def solve_binary(binary_path, input_len=8, success_msg=b"Correct!"):
+ proj = angr.Project(binary_path, auto_load_libs=False)
+
+ user_input = claripy.BVS("user_input", input_len * 8)
+ state = proj.factory.full_init_state(stdin=user_input)
+
+ simgr = proj.factory.simulation_manager(state)
+
+ def is_successful(s):
+ output = s.posix.dumps(sys.stdout.fileno())
+ return success_msg in output
+ simgr.explore(find=is_successful)
+
+ if simgr.found:
+ solution_state = simgr.found[0]
+ result = solution_state.solver.eval(user_input, cast_to=bytes)
+ return result[:input_len]
+ else:
+ return b"[!] Not found\n"
+
+def main():
+ binary = "./chal"
+ flag = solve_binary(binary)
+ sys.stdout.buffer.write(flag)
-if __name__ == '__main__':
+if __name__ == "__main__":
 main()
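Review bot: The `const { Application, MailSystem } = require('./main');` added at the end of lab2/main_test.js redeclares names that the unchanged context line just above it already binds with `const` in the same scope, so as shown the module would fail to load with a duplicate-declaration SyntaxError before any test runs. Removing the stray `=======` conflict marker is correct, but the leftover half of the conflict (the second require and the two `// TODO` / `// Remember` template comments) should be deleted rather than followed by another copy. If the top of the file, which is outside this hunk, already imports these names, both trailing requires should go.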
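Review bot: In lab8/solve.py, `solve_binary` returns the literal `b"[!] Not found\n"` when `simgr.found` is empty, and `main` writes it to stdout exactly as it would a recovered input, so anything consuming the output cannot tell a failed search from a solution. Report failure out of band instead, e.g. `raise RuntimeError("no state printed success_msg")` in the `else` branch, or have `main` write the message to `sys.stderr` and exit non-zero. The `result[:input_len]` slice is a no-op because the symbolic value is exactly `input_len * 8` bits wide. A short docstring should state that `input_len` is in bytes and that the solved bytes carry no constraints, so they may include NUL or newline.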