Tools | February 9, 2026 | 1 min read | by 0xt0pus

ltrace

Library call tracer for tracking shared library function calls in binary analysis



Description

Library call tracer used for debugging and binary analysis. Intercepts and records dynamic library calls made by a process, which is useful for revealing hardcoded string comparisons, password checks, and other sensitive operations in binaries.

Usage 1: Trace library calls of a binary

Run a binary and display all library function calls it makes. Useful for revealing string comparisons (e.g., strcmp) and other operations.

Command:

ltrace ./login

Usage 2: Reveal password comparisons in ELF binaries

When an extracted ELF binary asks for a password, ltrace can show what string it is comparing the input against (e.g., strcmp calls).

Context:

From a forensics challenge (JustSmile) -- after extracting an ELF binary from a PNG file using binwalk, ltrace was used to check what the binary was comparing user input with. It revealed the comparison string, which was then used to get the flag.
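As an added example (not part of the original note or the challenge), the sketch below parses a captured ltrace log and reports which string a known test input was compared against, which is a quick way to check whether a binary you build exposes a hardcoded secret through comparison calls. The helper name find_comparisons, the sample trace and its placeholder secret are constructed for illustration, and the line format is assumed to be ltrace's default output.

```python
import re

# Comparison functions whose arguments expose both operands to a tracer.
COMPARE_FUNCS = {"strcmp", "strncmp", "strcasecmp", "strncasecmp", "memcmp"}

# One ltrace line: optional "[pid N] " prefix (seen with -f), name(args) = return value.
CALL_RE = re.compile(r'^(?:\[pid \d+\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\w+)\s*$')
# A quoted string argument; ltrace appends "..." when it truncates (-s limit).
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"(\.\.\.)?')

def find_comparisons(trace_text, user_input):
    """Hypothetical helper: list compare calls where one operand is user_input."""
    hits = []
    for line in trace_text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m or m.group(1) not in COMPARE_FUNCS:
            continue
        strings = STR_RE.findall(m.group(2))
        if len(strings) < 2:
            continue
        (a, a_cut), (b, b_cut) = strings[0], strings[1]
        if a == user_input:
            other, cut = b, b_cut
        elif b == user_input:
            other, cut = a, a_cut
        else:
            continue
        hits.append({"func": m.group(1), "compared_with": other,
                     "truncated": bool(cut), "matched": m.group(3) == "0"})
    return hits

# Constructed sample trace (not from the page's challenge binary).
SAMPLE_TRACE = '''\
printf("Enter password: ")                       = 16
fgets("probe-1234\\n", 64, 0x7f1c2a3b4a80)        = 0x7ffd5e0a1b20
strcspn("probe-1234\\n", "\\n")                    = 10
strcmp("probe-1234", "EXAMPLE-PLACEHOLDER-SECRET") = 1
puts("Access denied")                            = 14
+++ exited (status 1) +++
'''

if __name__ == "__main__":
    for hit in find_comparisons(SAMPLE_TRACE, "probe-1234"):
        print(hit)
```

A hit with "truncated" set means ltrace cut the string at its display limit, so the trace should be recaptured with a larger -s value before drawing conclusions.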