Dynamic analysis

Now let's do some dynamic analysis. Remember that dynamic analysis should be done in a sandbox environment. There are a few tools that are usually pre-installed on Linux that can be used to display more detailed information about what a program does at runtime. We're introducing ltrace, strace, and gdb for this reversing activity.

Here's how ltrace is used:

The output of ltrace is a readable record of what the program did: ltrace logged the library functions the program called and the values they returned. The program called puts to display the message, and ltrace reported an exit status of 13 when the program terminated.

The address 0x804840b matches the address of the main function listed in the disassembly results.

strace is another tool we can use, but it logs system calls rather than library calls. Here's the result of running strace on our hello world program:

strace logged every system call that happened, starting from the moment the system began executing the program. execve is the first system call that was logged; calling execve runs the program located at the filename passed in its first argument. open and read are the system calls used here to read files (the loader reads the shared libraries the program depends on). mmap2, mprotect, and brk are responsible for memory activities: mapping and allocating memory, setting page permissions, and moving the data segment boundary, respectively.

Deep inside the code of puts, the library eventually issues a write system call. write sends data to whatever its first argument refers to, which is normally a file descriptor opened on a file. In this case, write's first parameter has a value of 1, which denotes STDOUT, the file descriptor for console output. The second parameter is the message, so the call writes the message to STDOUT.
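As an added example (not code from the book), here is a small Python parser over a constructed strace log modelled on the calls described above. It groups the system calls the way the text does, recovers the exit status, and pulls out what was written to file descriptor 1 so you can confirm that puts ended in a write to STDOUT. The trace text, addresses and ELF bytes are constructed for illustration, not captured from the book's binary.

```python
import re
from collections import Counter

# Constructed strace output for a hello-world binary, modelled on the calls the text
# walks through; addresses and ELF bytes are made up, the exit status of 13 matches the text.
SAMPLE_TRACE = r"""execve("./hello", ["./hello"], [/* 20 vars */]) = 0
brk(NULL)                               = 0x9d8e000
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0"..., 512) = 512
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf7fd5000
mprotect(0xf7fd3000, 4096, PROT_READ)   = 0
close(3)                                = 0
write(1, "hello world\n", 12)           = 12
exit_group(13)                          = ?
+++ exited with 13 +++
"""

# Grouping used when summarising a trace; mirrors the text's description of the calls.
CATEGORY = {"execve": "process", "exit": "process", "exit_group": "process",
            "open": "file", "openat": "file", "read": "file", "close": "file",
            "brk": "memory", "mmap": "memory", "mmap2": "memory", "mprotect": "memory",
            "write": "output"}
SYSCALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(\S+)')          # name(args) = result
EXIT_RE = re.compile(r'^\+\+\+ exited with (\d+) \+\+\+', re.M)  # strace's final status line
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                  # first quoted C string

def parse_trace(text):
    """Return (syscall, raw_args, result) for every syscall line in an strace log."""
    return [m.groups() for m in map(SYSCALL_RE.match, text.splitlines()) if m]

def category_counts(text):
    """Count syscalls per category (process/file/memory/output/other)."""
    return dict(Counter(CATEGORY.get(name, "other") for name, _, _ in parse_trace(text)))

def stdout_writes(text):
    """Decode the strings written to fd 1 (STDOUT); this is where puts() ends up."""
    out = []
    for name, args, _ in parse_trace(text):
        m = STRING_RE.search(args)
        if name == "write" and args.split(",", 1)[0] == "1" and m:
            # strace prints C escapes (\n, \177); unicode_escape turns them back into characters
            out.append(m.group(1).encode("latin-1").decode("unicode_escape"))
    return out

def exit_status(text):
    """Exit status from the trailing '+++ exited with N +++' line, or None if absent."""
    m = EXIT_RE.search(text)
    return int(m.group(1)) if m else None
```

Running it on a real log (strace -o trace.txt ./hello, then passing the file's contents to these functions) gives the same per-category summary and the exact bytes the program sent to the console.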
