This talk will show how to perform a full chain control flow attack against a complex, stand-alone application. Specifically, how to use mcsema, llvm, and satisfiability solvers to discover a targeted execution path using side channel analysis. From this we show how to traverse this path to collect path constraints and solve for user input which would give us the desired output. This process can then be applied to any targeted behavior in a program, from finding known vulnerability characteristics to simply supplying the correct input to a ‘crackme’ binary. A demonstration will conclude the talk by solving an obfuscated ‘crackme’ challenge using the above described process as well as a mini ‘competition’ by running a pintool solver and a pysymemu solver against the same binary and comparing to see which gets the flag first.