ltrace configs

ltrace is a dynamic library call interceptor. It allows you to have a custom ~/ltrace.conf to define the parameters of the library function call.

A quick demonstration of how you can leverage custom configs will be shared in this post.

Basics

Using picoCTF's "Let's Get Dynamic" challenge as the basis for this demonstration. Once the binary is downloaded and compiled, we can run ltrace against it to see what the library calls of the binary are.

> echo "asd" | ltrace ./chall
fgets("asd\n", 49, 0x7f303e1f5aa0)                                                 = 0x7ffcf7c17fa0
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032"...) = 49
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032"...) = 49
.
.
.
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032"...) = 49
memcmp(0x7ffcf7c17fa0, 0x7ffcf7c17f60, 49, 0x7ffcf7c17f60)                         = 0xfffffff1
puts("Correct! You entered the flag."Correct! You entered the flag.
)                                             = 31
+++ exited (status 0) +++

This gives us a hint that the input is probably 49 characters long. We change the ltrace parameters to include -s 49 for printing any 49 characters it encounters.

> python3 -c "print('A'*49)"  | ltrace -s 49 ./chall
fgets("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 49, 0x7f2f0c528aa0)      = 0x7ffebaa91060
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032\017\027\363\026\341\\\265.f\264\247\020\357\261\230\263G"...) = 49
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032\017\027\363\026\341\\\265.f\264\247\020\357\261\230\263G"...) = 49
.
.
.
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032\017\027\363\026\341\\\265.f\264\247\020\357\261\230\263G"...) = 49
memcmp(0x7ffebaa91060, 0x7ffebaa91020, 49, 0x7ffebaa91020)                         = 0xffffffd1
puts("Correct! You entered the flag."Correct! You entered the flag.
)                                             = 31
+++ exited (status 0) +++

Comparing the two results from ltrace, we can see that the memcmp can potentially have suspicious things. Unfortunately, we'd have to use a debugger if we wanted to manually inspect the addresses.

Here's where the power of configurations comes in. The default understanding of the ltrace tool for memcmp is : int memcmp(addr, addr, int, addr). Most function definitions are defined in /etc/ltrace.conf. Fortunately, we can override the interpretation of the functions by ltrace.

> cat ~/.ltrace.conf
int memcmp(string,string,int,string);

I added the custom override for ltrace and if we run the same command as before now, we see -

> python3 -c "print('A'*49)"  | ltrace -s 49 ./chall
fgets("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 49, 0x7f0cb1af0aa0)      = 0x7ffdefac93e0
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032\017\027\363\026\341\\\265.f\264\247\020\357\261\230\263G"...) = 49
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032\017\027\363\026\341\\\265.f\264\247\020\357\261\230\263G"...) = 49
.
.
.
strlen("\273\364%n,*\242\234\275\254\234\223s\a\212\364\005\003\277\327tM\352\n\2534\244h1[\363\032\017\027\363\026\341\\\265.f\264\247\020\357\261\230\263G"...) = 49
memcmp("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "picoCTF{dyn4m1c_4n4ly1s_1s_5up3r_us3ful_xxxxxxxx}"..., 49, "picoCTF{dyn4m1c_4n4ly1s_1s_5up3r_us3ful_xxxxxxxx}"...) = -47
puts("Correct! You entered the flag."Correct! You entered the flag.
)                                             = 31
+++ exited (status 0) +++

The custom override worked without having to use a debugger to peek into things. This feels way faster than Intel PIN tools to iterate with, as there is no compilation necessary. Hope this helps iterating faster when blind tracing!