Skip to content

Strace Ltrace Retrace⚓︎

Elf: Tinsel Upatree
Direct link: ltrace terminal
Objective: Customer Complaint Analysis


Tinsel Upatree

Hiya hiya, I'm Tinsel Upatree!
Say, do you know what's going on next door?
I'm a bit worried about the whole FrostFest event.
It feels a bit... ill-conceived, somehow. Nasty even.
Well, regardless – and more to the point, what do you know about tracing processes in Linux?
We rebuilt this here Cranberry Pi that runs the cotton candy machine, but we seem to be missing a file.
Do you think you can use strace or ltrace to help us rebuild the missing config?
We'd like to help some of our favorite children enjoy the sweet spun goodness again!
And, if you help me with this, I'll give you some hints about using Wireshark filters to look for unusual options that might help you achieve Objectives here at the North Pole.


Welcome message

Please, we need your help! The cotton candy machine is broken!

We replaced the SD card in the Cranberry Pi that controls it and reinstalled the
software. Now it's complaining that it can't find a registration file!

Perhaps you could figure out what the cotton candy software is looking for...


Debugging tools like ltrace allow us to trace a program's execution flow by intercepting all of the dynamic library and system calls the program makes. Its verbose output can help to determine where and why exactly things are going wrong. Start by running the program normally using ./make_the_candy to confirm we're indeed missing a configuration file.

Running make_the_candy

Use ltrace ./make_the_candy to trace the program's execution and reveal the expected file name is registration.json.

Missing registration.json

Create the registration file with touch registration.json and run ltrace again. This time we get a different message telling us that the program is trying to get or read a line from the file. Since registration.json is still empty, this fails as well.

Missing content

So, add some dummy data using echo dummy > registration.json and keep repeating the process.

Missing Registration string

From this point on the program will try to read data from the configuration file and compare it to several expected values, starting with Registration. Use the ltrace output to determine what the final string should look like and gradually update the configuration file's content using echo statements like we did in the previous step.

Add expected content

After updating the contents of registration.json with Registration:True the program runs as expected!

Working again


Tinsel Upatree

Great! Thanks so much for your help!
I'm sure I can put those skills I just learned from you to good use.
Are you familiar with RFC3514?
Wireshark uses a different name for the Evil Bit: ip.flags.rb.
HTTP responses are often gzip compressed. Fortunately, Wireshark decompresses them for us automatically.
You can search for strings in Wireshark fields using display filters with the contains keyword.