gistfile1.txt

(angr)aris@ubuntu1404:~/crackme$ cat xxx.c 
#include <stdio.h>
#include <string.h>
 
int main(int argc, char **argv) {
int a = 0, b = 0, i, e = 0, j;
char * ptr = NULL;
char *text = argv[1]; 
char c[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789`~!@#$%^&*()_+-=|[];',.{}:<>? ";
 
for (i = 0; i < strlen(text); i++) {
ptr = strchr(c, text[i]);
 
if (ptr == NULL)
e = strlen(c) + 1;
else
e = (int)(ptr - c);
 
for (j = 0; j < 16; j++) {
a = a * -4 + b + 0x7494 - e;
b = ((b << 5) ^ (b >> 27)) ^ 0x85A8 & a - e;
}
}
if (a==0xd0c0c93d && b == 0xcff308d1)
return 1;

printf("%08x%08x\n", a, b);
return 0;
}
 
(angr)aris@ubuntu1404:~/crackme$ cat xxx.py
#!/usr/bin/env python
import angr
import simuvex

p = angr.Project('./xxx', load_options={"auto_load_libs":False})
argv1 = angr.claripy.BVS('argv1',32*8)
#options = { "BYPASS_UNSUPPORTED_SYSCALL", simuvex.o.UNICORN }
init_state = p.factory.entry_state(args=['argv0',argv1])
init_path = p.factory.path(init_state)
path_group = p.factory.path_group(init_state)
print path_group.explore(find=0x4006ac, avoid=0x40071e)
found=path_group.found[0]
print repr(found.state.se.any_str(argv1))