Scripting with Cutter and Jupyter notebooks.

Den Iuzvyk
Jan 29 · 3 min read

Recently I discovered Cutter, a free and open-source reverse engineering framework powered by radare2. Recent releases are fully integrated with the native Ghidra decompiler. Cutter also supports a useful scripting plugin, Cutter-Jupyter.

The purpose of this write-up is to save someone time installing this plugin and to show how easy it is to solve some reverse engineering tasks with Jupyter notebooks.


Installation on macOS:

1. Cutter

Download the latest .dmg file or use the Homebrew cask:

brew cask install cutter

(Recent Homebrew releases removed the brew cask subcommand; the equivalent there is brew install --cask cutter.)

2. Prerequisites for the Cutter-Jupyter plugin installation:

Unfortunately, this step is required and a little tricky; without it, things can go wrong.

First of all, we need an exact version of Python: 3.6.8

brew install pyenv
pyenv install 3.6.8

This installs Python to /Users/USER/.pyenv/versions/3.6.8/bin/python3 (USER is your macOS user name).

Next, we need to downgrade the OpenSSL library to the old 1.0 series with the following commands:

brew uninstall openssl
brew uninstall openssl; brew install https://github.com/tebelorg/Tump/releases/download/v1.0.0/openssl.rb

Yes, uninstall twice :)

Two caveats before you run this: the formula is fetched from a third-party GitHub repository, so read it before installing it, and OpenSSL 1.0 is end-of-life, so do this on a dedicated analysis machine rather than on a daily-use one.

Now we are ready to install Jupyter into that interpreter, so the Python used by Cutter can find it:

/Users/USER/.pyenv/versions/3.6.8/bin/python3 -m pip install jupyter

3. Cutter-Jupyter plugin installation

git clone https://github.com/radareorg/cutter-jupyter.git

Then check Cutter's plugin path under Edit -> Preferences -> Plugins, and copy or symlink the cutter_jupyter subdirectory from the repository into the plugins/python subdirectory.

Launch Cutter:

/Applications/Cutter.app/Contents/MacOS/Cutter

I was not ready to deal with the missing QtWebEngine ;) and Jupyter in the browser was OK for now.


Action time!

Let’s see how easy it is to solve a simple task with Cutter-Jupyter.

I have a sample, md5: ad21d000c23644ae22b33e8b146de30b

It is a UPX-unpacked downloader used in the recent Konni APT group attacks in 2020.

Function names are resolved at runtime, so it takes time to work out which function each call actually reaches. To speed up analysis, I add a comment to each such call with the Cutter-Jupyter plugin.

Using Python, I map each address to its resolved name and add a comment at every use of that address.

After running this notebook, comments (yellow text) for the function calls appear in the Cutter GUI.
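The notebook itself is shown only as a screenshot, so here is an added example of the same idea (my code, not the author's notebook). It takes a table of slot address to resolved API name, asks radare2 for every reference to each slot (the axtj command), and writes a unique comment (CCu) at each referencing instruction through Cutter's cutter.cmd / cutter.cmdj. The RESOLVED table, the addresses and the FakeR2 stand-in are constructed for illustration and do not describe the Konni sample; FakeR2 only exists so the logic can be run outside Cutter.

```python
"""Comment every use of a runtime-resolved function pointer (added example).

Inside Cutter's Jupyter kernel the `cutter` module is available and
cutter.cmd / cutter.cmdj run radare2 commands; outside Cutter the same logic
runs against FakeR2, a constructed stand-in, so the script can be tried offline.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed mapping (an assumption, not the sample's real layout): address of
# the slot that receives the runtime-resolved pointer -> name of the API.
RESOLVED: Dict[int, str] = {
    0x403010: "kernel32.CreateFileA",
    0x403014: "wininet.InternetOpenUrlA",
    0x403018: "kernel32.WinExec",
}

# Characters allowed inside a comment placed on the r2 command line. Anything
# else is replaced: ';' separates commands, '@' is a temporary seek, '~' greps,
# '>' and '|' redirect, and backticks run sub-commands, so none may leak in.
_SAFE = re.compile(r"[^A-Za-z0-9 ._:/()+-]")


def r2_safe(text: str) -> str:
    """Whitelist the comment text so it cannot alter the r2 command line."""
    return _SAFE.sub("_", text)


def find_uses(cmdj: Callable[[str], object], addr: int) -> List[int]:
    """Addresses of every instruction referencing `addr` (r2 'axtj' = xrefs-to, JSON)."""
    refs = cmdj(f"axtj {addr:#x}") or []
    return sorted({int(r["from"]) for r in refs if "from" in r})


def annotate(resolved: Dict[int, str],
             cmd: Callable[[str], object],
             cmdj: Callable[[str], object]) -> List[Tuple[int, str]]:
    """Put a unique comment (r2 'CCu') at every use of each resolved slot.

    Returns (address, comment) pairs so the caller can review what was written.
    """
    written: List[Tuple[int, str]] = []
    for slot, name in sorted(resolved.items()):
        for use in find_uses(cmdj, slot):
            comment = r2_safe(f"calls {name} (pointer resolved at runtime into {slot:#x})")
            cmd(f"CCu {comment} @ {use:#x}")
            written.append((use, comment))
    return written


class FakeR2:
    """Offline stand-in for cutter.cmd / cutter.cmdj (constructed).

    Backed by an xref table {slot: [instruction addresses]} and records the
    comments it receives so the result can be inspected.
    """

    def __init__(self, xrefs: Dict[int, List[int]]) -> None:
        self.xrefs = xrefs
        self.comments: Dict[int, str] = {}

    def cmdj(self, command: str):
        op, _, arg = command.partition(" ")
        if op == "axtj":
            # Same shape as radare2's output: one object per reference, keyed by 'from'.
            return [{"from": a, "type": "DATA"} for a in self.xrefs.get(int(arg, 16), [])]
        return None

    def cmd(self, command: str) -> str:
        if command.startswith("CCu "):
            body, _, at = command[4:].rpartition(" @ ")
            self.comments[int(at, 16)] = body
        return ""


def demo() -> Dict[int, str]:
    """Run the annotation against a constructed xref table and return the comments."""
    fake = FakeR2({0x403010: [0x401020, 0x4010F3], 0x403014: [0x401052], 0x403018: []})
    annotate(RESOLVED, fake.cmd, fake.cmdj)
    return fake.comments


try:
    import cutter  # only importable inside Cutter's embedded Python / the Jupyter kernel
except ImportError:
    cutter = None

if __name__ == "__main__":
    if cutter is not None:
        # Inside Cutter: write the comments into the open session.
        pairs = annotate(RESOLVED, cutter.cmd, cutter.cmdj)
    else:
        pairs = sorted(demo().items())
    for addr, text in pairs:
        print(f"{addr:#x}: {text}")
```

In a notebook cell the first branch runs and the comments show up in the disassembly view; anything you discover later can be added to RESOLVED and the cell re-run, since CCu does not duplicate a comment that is already there.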

With these comments, the analysis goes much faster :)

Useful links:

2. Radare2 book: https://legacy.gitbook.com/book/radare/radare2book/details

3. Series of articles by @megabeets: https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/

4. Cutter community:
