Automatic Exploit Generation System Based on Symbolic Execution
Abstract:

In this paper we present BAEG, a system that automatically looks for exploitable bugs in binary programs. Every bug reported by BAEG is accompanied by a control-flow hijacking exploit; the working exploit ensures that each bug report is security-critical and exploitable. Given a vulnerable program and a crashing input, BAEG faces two challenges: 1) how to replay the crash and obtain the crash state; 2) how to automatically generate an exploit. For the first challenge, we present a path-guided algorithm that treats the crash input as symbolic data and replays the crash path. For the second challenge, we summarize the principles of several control-flow hijacking techniques and establish the corresponding exploit generation model. In addition, BAEG can explore deeper code, especially for invalid symbolic reads and symbolic writes, which helps decide whether exploits still exist in deeper code.

Citation:

万云鹏, 邓艺, 石东辉, 程亮, 张阳. Automatic Exploit Generation System Based on Symbolic Execution. 计算机系统应用 (Computer Systems & Applications), 2017, 26(10): 44-52

History
  • Received: January 22, 2017
  • Online: October 31, 2017
Copyright: Institute of Software, Chinese Academy of Sciences