> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credential-recovery/information-gathering-credential-recovery-binary-analysis.md).

# Binary Analysis

## Ltrace Password Discovery

Use `ltrace` to dynamically analyze binary execution and intercept library calls, particularly string comparison functions, to reveal hardcoded passwords or sensitive strings. `ltrace` intercepts and records dynamic library calls made by a process.

Run the binary under `ltrace`, monitoring system calls (`-S`) as well as library calls. Displaying system calls can sometimes provide context, although the primary focus is library calls. The basic syntax is `ltrace [options] command [arguments]`. Look for calls like `strcmp`, `memcmp`, `strncmp`, etc., and examine the string arguments being compared. Useful options include `-f` to trace child processes as they are created by the traced process as a result of the `fork(2)`, `vfork(2)` or `clone(2)` system calls, and `-o filename` to write the output to the file `filename` instead of standard error. Another useful option is `-i` which prints the instruction pointer at the time of the library call.

```bash
ltrace -S /path/to/binary
```

The output typically shows the function name, arguments in parentheses, and the return value after an equals sign. As the program executes, especially when prompted for input like a password, observe the output for these comparison calls. One of the arguments to the comparison function is likely the hardcoded value the program is checking against. For example, running `ltrace ./checkpass` might show output like `strcmp("password", "user_input")`. For string comparison functions like `strcmp`, the arguments displayed are the strings being compared by the program. `strcmp(const char *s1, const char *s2)` compares two null-terminated strings. `strncmp(const char *s1, const char *s2, size_t n)` compares at most `n` characters. `memcmp(const void *s1, const void *s2, size_t n)` compares `n` bytes of two memory areas; while `strcmp` and `strncmp` are designed for null-terminated strings, `memcmp` is a more general byte-by-byte comparison often used for binary data. By tracing these calls, you can often see the hardcoded string being compared against user input or another variable. For example, running `ltrace ./crackme` might reveal a `strcmp` call comparing user input to the string 'correctpassword', thus revealing the password.

```bash
ltrace -f ./crackme
```

Using the `-f` flag is important when the target program might use `fork()` to create child processes that handle the password check. The `-o` option is useful for capturing extensive output for later analysis.

```bash
ltrace -o output.log -S -f /path/to/binary
```

Examining the `output.log` file allows you to scroll through all traced library and system calls, making it easier to spot the relevant comparison functions and their arguments.
