OWASP · cpholguera · May 7, 2022 · Apr 25, 2022 · May 7, 2022 · May 7, 2022
diff --git a/Crackmes/README.md b/Crackmes/README.md
@@ -130,13 +130,18 @@ A brand new Android app sparks your interest. Of course, you are planning to pur
 Copy the binary to your Android device and run using the shell.
 
 ```shell
-  $ adb push validate /data/local/tmp
-  [100%] /data/local/tmp/validate
-  $ adb shell chmod 755 /data/local/tmp/validate
-  $ adb shell /data/local/tmp/validate
-  Usage: ./validate <serial>
-  $ adb shell /data/local/tmp/validate 1234
-  Incorrect serial (wrong format).
+$ adb push validate /data/local/tmp
+[100%] /data/local/tmp/validate
+$ adb shell chmod 755 /data/local/tmp/validate
+$ adb shell /data/local/tmp/validate
+Usage: ./validate <serial>
+$ adb shell /data/local/tmp/validate 1234
+Incorrect serial (wrong format).
+$ adb shell /data/local/tmp/validate JACE6ACIARNAAIIA
+Entering base32_decode
+Outlen = 10
+Entering check_license
+Product activation passed. Congratulations!
 ```
 
 #### Solutions

diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md
@@ -1216,18 +1216,21 @@ You need to perform several steps to initialize Angr's symbolic execution engine
 The final solution script is presented below:
 
 ```python
-import angr
-import claripy
+import angr # Version: 9.2.2
 import base64
 
 load_options = {}
 
 b = angr.Project("./validate", load_options = load_options)
-
 # The key validation function starts at 0x401760, so that's where we create the initial state.
 # This speeds things up a lot because we're bypassing the Base32-encoder.
 
-state = b.factory.blank_state(addr=0x401760)
+options = {
+    angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
+    angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
+}
+
+state = b.factory.blank_state(addr=0x401760, add_options=options)
 
 simgr = b.factory.simulation_manager(state)
 simgr.explore(find=0x401840, avoid=0x401854)
@@ -1238,7 +1241,7 @@ found = simgr.found[0]
 
 # Get the solution string from *(R11 - 0x20).
 
-addr = found.memory.load(found.regs.r11 - 0x20, endness='Iend_LE')
+addr = found.memory.load(found.regs.r11 - 0x20, 1, endness="Iend_LE")
 concrete_addr = found.solver.eval(addr)
 solution = found.solver.eval(found.memory.load(concrete_addr,10), cast_to=bytes)
 print(base64.b32encode(solution))
@@ -1257,13 +1260,14 @@ Also, it may appear as if the script is simply reading the solution string from
 Running this script should return the following output:
 
 ```bash
-(angr) $ python solve.py
-WARNING | cle.loader | The main binary is a position-independent executable.
-It is being loaded with a base address of 0x400000.
+$ python3 solve.py
+WARNING | ... | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
 
-b'ABGAATYAJQAFUABB'
+b'JACE6ACIARNAAIIA'
 ```
 
+Now you can run the validate binary in your Android device to verify the solution as indicated [here](../Crackmes/README.md#android-license-validatorandroidlicense01-"android-license-validator").
+
 > You may obtain different solutions using the script, as there are multiple valid license keys possible.
 
 To conclude, learning symbolic execution might look a bit intimidating at first, as it requires deep understanding and extensive practice. However, the effort is justified considering the valuable time it can save in contrast to analyzing complex disassembled instructions manually. Typically you'd use hybrid techniques, as in the above example, where we performed manual analysis of the disassembled code to provide the correct criteria to the symbolic execution engine. Please to the iOS chapter for more examples on Angr usage.