
Scripting with Cutter and Jupyter notebooks.
Recently I discovered Cutter, a free and open-source reverse engineering framework powered by radare2. Recent releases are fully integrated with the native Ghidra decompiler. Cutter also supports a useful scripting plugin: Cutter-Jupyter.
The purpose of this write-up is to save someone time on installing this plugin and to show how easy it is to solve some reverse engineering tasks with Jupyter Notebooks.
Installation on macOS:
1. Cutter
Download the latest .dmg file or use Homebrew Cask:
brew cask install cutter
2. Pre-requirements for the Cutter-Jupyter plugin installation:
Unfortunately, this step is required and a little tricky; without it, things can go wrong. First of all, we need an exact version of Python: 3.6.8
brew install pyenv
pyenv install 3.6.8
This installs Python to /Users/USER/.pyenv/versions/3.6.8/bin/python3
Next, we need to downgrade the SSL library to version 1.0.0 with the following commands:
brew uninstall openssl
brew uninstall openssl
brew install https://github.com/tebelorg/Tump/releases/download/v1.0.0/openssl.rb
Yes, uninstall twice :)
At this point we are ready to install Jupyter, so that the Python interpreter used by Cutter can find it:
/Users/USER/.pyenv/versions/3.6.8/bin/python3 -m pip install jupyter
3. Cutter-Jupyter plugin installation
git clone https://github.com/radareorg/cutter-jupyter.git
Then, check the plugin path of Cutter under Edit -> Preferences -> Plugins and copy or symlink the subdirectory cutter_jupyter from the repository into the plugins/python subdirectory.
Launch Cutter:
/Applications/Cutter.app/Contents/MacOS/Cutter
I was not ready to deal with the missing QtWebEngine ;) and Jupyter in the browser was OK for now.
Action time!
Let’s see how easy it is to solve a simple task with Cutter-Jupyter.
I have a sample, md5: ad21d000c23644ae22b33e8b146de30b
It is a UPX-unpacked downloader that was used during the recent Konni APT group attacks in 2020.
Function names are resolved at runtime, and it takes time to find out what each call actually does. To speed up analysis, I will add a comment to each such call with the Cutter-Jupyter plugin.
- Let’s find the function that initializes the names. It’s located at address 0x00401210

Using Python, I’m able to map each address to a name and add a comment on every use of that address.
After running this notebook, comments (yellow text) for the function calls are created in the Cutter GUI.
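The notebook logic described above, as an added example written for this write-up (it is not the gist linked below and not part of Cutter or radare2). It assumes the Cutter-Jupyter kernel exposes the usual cutter.cmd() and cutter.cmdj() functions, and uses two radare2 commands: axtj <addr> (cross-references to an address, as JSON) and CCu <text> @ <addr> (set a comment at an address). The address-to-name table and the xref table are constructed sample data; in the real sample the pairs come from the initialization routine at 0x00401210. A small fake stands in for the cutter module so the script also runs outside Cutter.

```python
"""Comment every instruction that uses a runtime-resolved API pointer.

Added example, not the author's gist and not Cutter/radare2 code. Assumes the
Cutter-Jupyter kernel provides `cutter.cmd()` / `cutter.cmdj()` and relies on
the radare2 commands `axtj <addr>` and `CCu <text> @ <addr>`.
"""
from typing import Dict, List

# Constructed sample table: address of the pointer slot -> resolved API name.
# In the real sample these pairs are read out of the initialization routine at
# 0x00401210; the slot addresses and names here are made up for the demo.
SAMPLE_NAME_MAP: Dict[int, str] = {
    0x0040A010: "LoadLibraryA",
    0x0040A014: "GetProcAddress",
    0x0040A018: "InternetOpenA",
}


class FakeCutter:
    """Minimal stand-in for the `cutter` module so the script runs offline.

    It answers `axtj` from a constructed xref table and records `CCu`
    comments, which is all comment_resolved_calls() needs.
    """

    def __init__(self, xrefs: Dict[int, List[int]]):
        self._xrefs = xrefs            # slot address -> referencing addresses
        self.comments: Dict[int, str] = {}

    def cmdj(self, command: str):
        verb, arg = command.split(maxsplit=1)
        if verb != "axtj":
            raise ValueError(f"unsupported command in fake: {command}")
        target = int(arg, 16)
        # radare2 returns one object per xref; only `from` is used here.
        return [{"from": src, "type": "CALL"} for src in self._xrefs.get(target, [])]

    def cmd(self, command: str) -> str:
        # Expected shape: "CCu <text> @ <addr>"
        text, addr = command[len("CCu "):].rsplit(" @ ", 1)
        self.comments[int(addr, 16)] = text
        return ""


def comment_resolved_calls(api, name_map: Dict[int, str]) -> Dict[int, str]:
    """For each (slot address, API name) pair, find every instruction that
    references the slot and attach the API name as a comment at that site.

    Returns {instruction address: comment} so the result can be reviewed.
    """
    applied: Dict[int, str] = {}
    for slot, name in name_map.items():
        for xref in api.cmdj(f"axtj 0x{slot:08x}") or []:
            call_site = xref["from"]
            comment = f"-> {name} (slot 0x{slot:08x})"
            api.cmd(f"CCu {comment} @ 0x{call_site:08x}")
            applied[call_site] = comment
    return applied


def demo() -> Dict[int, str]:
    """Run the annotation against a constructed xref table (offline demo)."""
    xrefs = {
        0x0040A010: [0x00401234, 0x00401301],
        0x0040A014: [0x0040123C],
        0x0040A018: [],            # unused slot: no comment should be created
    }
    return comment_resolved_calls(FakeCutter(xrefs), SAMPLE_NAME_MAP)


if __name__ == "__main__":
    try:
        import cutter              # only importable inside Cutter's Jupyter kernel
        result = comment_resolved_calls(cutter, SAMPLE_NAME_MAP)
    except ImportError:
        result = demo()
    for addr, text in sorted(result.items()):
        print(f"0x{addr:08x}  {text}")
```

Inside the notebook, replace SAMPLE_NAME_MAP with the pairs recovered from the initialization routine and run the cell; every instruction that reads one of the pointer slots then carries the API name as a comment in the Cutter GUI, and the returned dictionary lets you check how many sites were annotated before trusting the result.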
With these comments, an analysis will go much faster :)
Useful links:
1. gist with python code: https://gist.github.com/duzvik/b850b0760c7a8e3500e1a57c6753e69e
2. Radare2 book: https://legacy.gitbook.com/book/radare/radare2book/details
3. Series of articles by @megabeets: https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/
4. Cutter community:
- Telegram: https://t.me/r2cutter
- IRC: #cutter on irc.freenode.net
- Twitter: @r2gui
