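"""Drive one routine of crackme3.exe under angr from a hand-built stack frame.

A blank state is created directly at START_ADDR (not at the program entry), so
nothing is known about the frame; ebp/esp and two 16-byte buffers are set up by
hand, the routine is stepped until STOP_ADDR, and the stack of the state that
actually executed is then dumped (slot address, value the slot points to).

The variable names suggest the two buffers are an e-mail hash and a serial
hash compared by the routine -- NOTE(review): inferred from the names, confirm
against the disassembly.
"""
import angr

# Page-specific values kept from the original script.
BINARY = "crackme3.exe"
START_ADDR = 0x41CBF6
STOP_ADDR = 0x0041CBFE
STACK_SLOTS = 500

# Libraries are not loaded: only the routine inside the main image is run.
project = angr.Project(BINARY, load_options={'auto_load_libs': False})
state = project.factory.blank_state(addr=START_ADDR)

# Fake frame: ebp is an arbitrary concrete address; esp sits 0x80 below it so
# the pushes below cannot overlap the locals addressed relative to ebp.
state.regs.ebp = 0x200000
state.regs.esp = state.regs.ebp - 0x80

ptr_email_hash = state.regs.ebp - 0x14
ptr_serial_hash = state.regs.ebp - 0x24

# Constructed filler words (recognisable byte patterns), not real hash values.
# Each int is stored at the architecture width (32 bits) little-endian.
email_words = (0xAAAAAAAA, 0xBBBBBBBB, 0xCCCCCCCC, 0xDDDDDDDD)
serial_words = (0x11111111, 0x22222222, 0x33333333, 0x44444444)

for offset, word in zip(range(0, 16, 4), email_words):
    state.memory.store(ptr_email_hash + offset, word, endness='Iend_LE')
for offset, word in zip(range(0, 16, 4), serial_words):
    state.memory.store(ptr_serial_hash + offset, word, endness='Iend_LE')

# Arguments: two pushed on the stack (last first) and two in ecx/edx --
# presumably a fastcall-style convention; verify against the callee.
state.stack_push(ptr_serial_hash + 0x0C)
state.stack_push(ptr_serial_hash + 0x08)
state.regs.edx = ptr_serial_hash + 0x04
state.regs.ecx = ptr_serial_hash + 0x00

sm = project.factory.simulation_manager(state)
# Stop when the leading path reaches STOP_ADDR. The `not pg.active` guard keeps
# the predicate from raising IndexError once every path has dead-ended or
# errored, which would otherwise abort the run with an unrelated traceback.
sm.run(until=lambda pg: not pg.active or pg.active[0].addr >= STOP_ADDR)

# Stepping produces copies; `state` still holds the pre-run contents. Inspect
# the state that actually executed instead.
if not sm.active:
    raise SystemExit(
        "no active state left (deadended=%d, errored=%d)"
        % (len(sm.deadended), len(sm.errored))
    )
final = sm.active[0]

# Walk STACK_SLOTS dwords down from ebp, treating each slot as a pointer and
# printing the dword it points to. Unconstrained slots read as symbolic
# values, for which solver.eval returns one satisfying concrete value.
for i in range(STACK_SLOTS):
    slot = final.regs.ebp - i * 4
    pointee = final.mem[final.mem[slot].uint32_t.resolved].uint32_t.resolved
    print(hex(final.solver.eval(slot)), hex(final.solver.eval(pointee)))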