https://github.com/angr/angr uses a concolic execution engine where it can switch from running a binary concretely, break, and then define an unknown input and find what it should be to trigger a different breakpoint - e.g. what should the “password” pointer be pointing to in order to trigger the “you’re in” branch of code.

Note: it still can’t reverse hashes. If you try to reverse md5 using this approach it’ll consume petabytes of RAM.

I think radare2 was looking into integrating with angr but I don’t know the status of the integration.
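A toy model of the concrete-then-symbolic loop the comment describes, added here as an illustration; it is not angr's code or API. The "program" is a constructed list of byte checks standing in for a password comparison: each concrete run records the branches it took, the first failing branch is negated, and a per-byte solver produces the next input until the "you're in" path is reached.

```python
# Toy concolic execution over a tiny "password check" program (constructed
# example, not angr). A program is a list of (index, expected_byte) checks that
# the target compares in order, failing at the first mismatch.

def run_concrete(program, data):
    """Execute concretely. Returns (reached_win, path) where path records each
    branch as (index, expected_byte, taken_equal)."""
    path = []
    for idx, expected in program:
        taken_equal = idx < len(data) and data[idx] == expected
        path.append((idx, expected, taken_equal))
        if not taken_equal:            # the "wrong password" branch
            return False, path
    return True, path                   # the "you're in" branch

def solve(constraints, length):
    """Solve constraints of the form (index, value, must_equal) by treating
    every input byte as symbolic with domain 0..255. Returns bytes or None."""
    out = bytearray(b"A" * length)      # unconstrained bytes keep a filler value
    for idx in range(length):
        cons = [(v, eq) for (i, v, eq) in constraints if i == idx]
        if not cons:
            continue
        for cand in range(256):
            if all((cand == v) == eq for v, eq in cons):
                out[idx] = cand
                break
        else:
            return None                 # contradictory constraints on this byte
    return bytes(out)

def find_winning_input(program, length, seed=b"A" * 8):
    """Alternate concrete runs and constraint solving until the win path is hit.
    Each round keeps the constraints of all earlier branches and negates the
    branch that ended the previous run."""
    data = seed
    for _ in range(len(program) + 1):   # at most one new byte fixed per round
        win, path = run_concrete(program, data)
        if win:
            return data
        idx, val, taken = path[-1]
        constraints = path[:-1] + [(idx, val, not taken)]
        data = solve(constraints, length)
        if data is None:
            return None
    return None

# Constructed target: the check accepts the 4-byte password "s3c!".
PASSWORD_CHECK = [(0, ord("s")), (1, ord("3")), (2, ord("c")), (3, ord("!"))]
```

A hash comparison cannot be expressed as independent per-byte constraints, which is the same reason a symbolic solver cannot usefully invert md5 as the comment notes.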

  • Hexorg (@Hexorg@beehaw.org) OP
    311 months ago

    The concolic execution research is speeding up though slowly. At CGC we showed that automation could find plenty of vulnerabilities of the 90s. At the same time at the end of CGC the best machine was pitted against humans in DEFCON capture the flag and the best machine placed second-to-last. So old school vulnerabilities can now be found automatically, but we also have all-purpose mitigations for them now like no-execute memory pages, stack canaries, and address-space layout randomization. Once automation is able to reason about those general purpose mitigations we will probably see many zero days in existing code bases. I think that day is about 10 years away.