One of the issues of a malware detection service is to update its database. For that, an analysis of new samples must be performed. Usually, one tries to replay the behavior of malware in a safe environment. But, a bot sample may activate a malicious function only if it receives some particular input from its command and control server. The game is to find inputs which activate all relevant branches in a bot binary in order to retrieve its malicious behaviors. From a larger viewpoint, this problem is an aggregation of the program exploration and the message format extraction problem, both of them captures many active researches. This is a work in progress in which we try a new approach to code coverage relying on input tainting.