CTF Support
Introduction

Before diving into full decompilation, basic static and dynamic analysis can uncover valuable information from any binary. In CTF challenges, tools like strings, strace, and ltrace can expose executed commands, embedded text, or system calls that point the way to the flag.

Quick Reference

Task                                Command
Display visible strings in binary   strings <binary>
Trace system calls                  strace ./binary
Trace library calls                 ltrace ./binary

Tools

Tool            Purpose
strings         Extract readable strings from binaries
strace          Trace system calls used by a program
ltrace          Trace library calls and function parameters
xxd / hexdump   View or edit binary data at hex level
Ghidra          Inspect code structure and disassembly

Example: Tracing Syscalls

You can use strace to observe all system-level interactions:

strace ./encodedpayload

Example output (truncated):

execve("./encodedpayload", ["./encodedpayload"], 0x7fffe...) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {af=AF_INET, port=1337, addr="127.0.0.1"}, 16) = -1 ECONNREFUSED
write(1, "HTB{PLz_strace_M333}\n", 21)
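Reading a long trace by eye gets tedious, so here is an added example (not part of the original page) of parsing strace's default output with Python. The trace it parses is a constructed sample modelled on the truncated output above; the parser pulls out the network target of each connect(), the data written to stdout, and any flag-shaped token in it. The regular expressions assume strace's one-call-per-line format without the -f or -tt options.

```python
import re
from dataclasses import dataclass

# Constructed sample trace, modelled on the truncated strace output above.
# The lines are made up for this example, not a real capture.
SAMPLE_TRACE = """\
execve("./encodedpayload", ["./encodedpayload"], 0x7fffe...) = 0
brk(NULL) = 0x55d0c1a2b000
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {af=AF_INET, port=1337, addr="127.0.0.1"}, 16) = -1 ECONNREFUSED (Connection refused)
write(1, "HTB{PLz_strace_M333}\\n", 21) = 21
exit_group(0) = ?
"""

# One strace line: name(args) = return [error name and description]
LINE_RE = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)(?P<rest>.*)$")
# Arguments of write(fd, "data", len) as strace prints them
WRITE_RE = re.compile(r'^(?P<fd>\d+),\s*"(?P<data>.*)",\s*(?P<len>\d+)$')
# The sockaddr strace prints for an AF_INET connect()
INET_RE = re.compile(r'port=(?P<port>\d+),\s*addr="(?P<addr>[^"]+)"')
# Flag-shaped token: PREFIX{...}
FLAG_RE = re.compile(r"[A-Za-z0-9_]+\{[^{}]+\}")


@dataclass
class Syscall:
    name: str
    args: str
    ret: str
    rest: str  # trailing error text, e.g. " ECONNREFUSED (Connection refused)"


def parse_trace(text: str) -> list:
    """Parse strace's default one-call-per-line output into Syscall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Syscall(**m.groupdict()))
    return calls


def stdout_writes(calls) -> list:
    """Return the decoded data of every write() to fd 1."""
    out = []
    for c in calls:
        if c.name != "write":
            continue
        m = WRITE_RE.match(c.args)
        if m and m.group("fd") == "1":
            # strace escapes non-printable bytes C-style; undo that escaping
            out.append(m.group("data").encode("latin-1").decode("unicode_escape"))
    return out


def connect_targets(calls) -> list:
    """Return (addr, port, return value) for every AF_INET connect()."""
    targets = []
    for c in calls:
        if c.name == "connect":
            m = INET_RE.search(c.args)
            if m:
                targets.append((m.group("addr"), int(m.group("port")), c.ret))
    return targets


def flag_candidates(calls) -> list:
    """Find flag-shaped tokens in anything the program wrote to stdout."""
    found = []
    for data in stdout_writes(calls):
        found.extend(FLAG_RE.findall(data))
    return found


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(f"{len(calls)} syscalls parsed")
    print("connect targets:", connect_targets(calls))
    print("flag candidates:", flag_candidates(calls))
```

The connect() record keeps the return value and error text, so a failed callback (here ECONNREFUSED against 127.0.0.1:1337) is visible at a glance; for a real trace, write the output to a file with strace -o and feed that file to parse_trace().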

Tips

  • Combine strings + grep to locate likely flag strings: strings binary | grep -i flag
  • Use ltrace when strace gives only syscall-level output; it can reveal library function calls such as strcmp() or printf() and their arguments.
  • For stripped binaries, even short syscall traces can guide you to logic branches.
  • Always run binaries inside sandboxes or containers to avoid harmful system effects.
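To show what strings | grep -i flag actually does, here is an added example (not from the original page) that implements the same rule in Python: report every run of at least four printable ASCII bytes, with its offset, and filter the result by a pattern. The input is a constructed byte blob with an ELF-like header and a placeholder flag, not a real challenge binary.

```python
import re

MIN_LEN = 4  # GNU strings' default minimum run length (-n 4)

# Constructed sample "binary": an ELF-ish header, some code bytes and a few
# embedded strings. It is made up for this example, not a real challenge file.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x90\x90\xcc\x01"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\xde\xad\xbe\xef"
    + b"Enter password: \x00"
    + b"ab\x00"                        # below MIN_LEN, not reported
    + b"flag{example_not_real}\x00"    # placeholder flag, constructed
    + b"\x00\x01\x02\x03"
    + b"Wrong!\n\x00"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, text) for every run of at least min_len printable ASCII
    bytes, the rule strings(1) applies by default (graphic chars, space, tab)."""
    run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(data)]


def grep(entries, pattern: str, ignore_case: bool = True) -> list:
    """Filter (offset, text) pairs the way `| grep -i pattern` would."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [e for e in entries if rx.search(e[1])]


def flag_candidates(data: bytes, pattern: str = r"flag") -> list:
    """strings <binary> | grep -i flag, as a single call."""
    return grep(extract_strings(data), pattern)


if __name__ == "__main__":
    for off, text in extract_strings(SAMPLE_BINARY):
        print(f"{off:#08x}  {text}")   # same layout as strings -t x
    print("candidates:", flag_candidates(SAMPLE_BINARY))
```

Offsets are useful for jumping straight to the string in xxd or Ghidra. Note what this approach cannot see: a flag that is built at runtime, XORed, or stored as UTF-16 will not appear (GNU strings can search wide encodings with -e l), which is exactly when strace or ltrace earns its place.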