### Short summary

We're given a file containing the execution trace of a standard CTF RE problem. It contains the instructions executed with a hash of the memory address of the instruction, but not the actual data. With that start point, we were able to extract the functions and the basic blocks of the program, along with the path that was executed. I reversed the assembly, and determined the original program build a self-balancing binary tree based on the input. Based on the execution path taken, I could find out which nodes in the tree were accessed when each character in the flag was added.

With the rebuilt tree structure and knowing which tree nodes corresponded to each index of the flag, I was able to built a list of constraints for the flag. For example, the farthest left value leaf of the tree was accessed by flag indices 8,11,17,22,26,30,34,39,44,51. We thus know that all of those characters in the flag have the same value (space in this case), and all other nodes in the tree must have higher ascii values. I dumped all possible strings that fit these constraints (~480k in total), and found the one that was the most human readable, which was the flag.

[Full writeup](https://github.com/WilliamParks/ctf_writeups/tree/master/ctf_writeups/defcon_quals_2020/flag-hunting)