Rating: 5.0

```bash
objdump --disassemble=main -CM intel chall | grep 'mov DWORD PTR \[rbp-0x4\],0x0' | awk '{print $1}' | tr -d ":" > avoid
```

```python3
import angr
import claripy
import logging

logging.getLogger('claripy').setLevel('CRITICAL')
proj = angr.Project("./chall")
argv = claripy.BVS('argv',8*42)
initial_state = proj.factory.entry_state(args=["./chall",argv],add_options=angr.options.unicorn)

for i in range(42):
initial_state.add_constraints(argv.get_byte(i) >= '\x20')
initial_state.add_constraints(argv.get_byte(i) <= '\x7e')

sm = proj.factory.simulation_manager(initial_state)

with open("avoid","r") as avoid:
avoid=avoid.read().split("\n")[:-1]
av = [ 0x400000 + int(a,16) for a in avoid]
sm.explore(find=0x400000+0x2887, avoid=av)

flag = sm.found[0].solver.eval(argv,cast_to=bytes).decode()
print(flag)
```

flag: `GLUG{C01nc1d3nc3_c4n_b3_fr3aky_T6LSERDYB6}`