Flag is mmaped to region of memory. Pointer to mmap region is XORed and stored in a heap buffer. Pointer to heap buffer is on the stack. It is possible to leak the binary data via resolving `main` and reading small chunks at a time. It is possible to leak a stack pointer by resolving the `environ` symbol in libc. Then you simply need to traverse the stack and try to dereference pointers as above until you find the mmap region and the flag.