Rizin Cutter is a modern GUI-based reverse engineering framework built on the Rizin analysis engine. It provides intuitive tools for analyzing binaries, examining code structure, and understanding program behavior. Essential for malware analysis, vulnerability research, and binary security assessments on Linux, Windows, and macOS systems.
# Install via apt
sudo apt-get update
sudo apt-get install rizin-cutter
# Or download from official releases
wget https://github.com/rizinorg/cutter/releases/download/v2.x.x/Cutter-v2.x.x-Linux-x64.AppImage
chmod +x Cutter-v2.x.x-Linux-x64.AppImage
./Cutter-v2.x.x-Linux-x64.AppImage
# Build from source
git clone https://github.com/rizinorg/cutter.git
cd cutter
mkdir build && cd build
cmake .. && make
sudo make install
# Launch Cutter GUI
cutter /path/to/binary
# Launch with project file
cutter -p /path/to/project.c2project
# Open in headless mode
cutter --headless /path/to/binary
# Verify installation
cutter --version
┌─────────────────────────────────────────────────────────┐
│ Menu Bar: File | Edit | View | Tools | Help │
├─────────────────────────────────────────────────────────┤
│ ┌──────────────┬───────────────────┬──────────────┐ │
│ │ File Browser │ Disassembly View │ Decompiler │ │
│ │ │ │ │ │
│ │ - Sections │ - Instructions │ - Pseudocode │ │
│ │ - Functions │ - Comments │ - Variables │ │
│ │ - Imports │ - Cross-references│ - Control │ │
│ │ - Symbols │ │ Flow │ │
│ └──────────────┴───────────────────┴──────────────┘ │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Information Panel: Strings | Hex | Graph | Info │ │
│ └─────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
# Open file in Cutter
cutter example.exe
# Opens with analysis options dialog:
# - Architecture detection
# - Endianness
# - Analysis options
# - Load address configuration
| Action | Method |
|---|
| Search function | Ctrl+F or View > Search |
| Jump to address | Ctrl+G or press ‘g’ in disassembly |
| Go to function | Ctrl+Shift+G |
| Cross-references | Hover over function or press ‘x’ |
| Back/Forward navigation | Alt+Left / Alt+Right |
Main disassembly view shows:
- Address (left column)
- Machine code (hex)
- Assembly instructions
- Comments and annotations
Example:
0x00401000 mov rax, qword [rbp + 0x8]
0x00401004 add rax, 0x1
0x00401008 ret
Hover over instruction for:
- Operand size and type
- Referenced functions
- Memory addresses
In disassembly:
1. Right-click on instruction
2. Select "Add comment"
3. Type description
Keyboard shortcut: ';' key
Example annotations:
- "Stack frame setup"
- "Function prologue"
- "Buffer overflow check"
- "Suspicious API call"
1. Click on function name
2. View "References" tab
3. See all callers and callees
Analysis options:
- Call graph visualization
- Function signature analysis
- Parameter tracking
- Return value analysis
Main decompiler options:
- Ghidra decompiler (if installed)
- Rizin native decompilation
- Side-by-side comparison with assembly
To enable decompiler:
1. View > Windows > Decompiler
2. Click on function to decompile
3. Read pseudocode alongside assembly
// Function at 0x401000
void __cdecl function_401000(int param_1) {
int local_var;
local_var = param_1 + 0x100;
printf("Value: %d\n", local_var);
return;
}
View > Windows > Strings to show all strings
String information includes:
- Virtual address
- Section (.rodata, .data, etc.)
- String value
- References (cross-references)
Analysis workflow:
1. Strings tab shows all detected strings
2. Search: Ctrl+F in strings
3. Click string to jump to code
4. Analyze surrounding code
1. Open Strings panel
2. Search for patterns:
- "password", "secret"
- API keys
- URLs and domains
- Email addresses
- Special usernames
3. Click string reference to see usage
4. Analyze context in disassembly
View > Windows > Hex Editor
Features:
- Direct byte examination
- Address navigation
- Pattern searching
- Edit capability (in memory only)
Example analysis:
- File headers and magic numbers
- String encoding detection
- Data structure patterns
- Packed binary identification
Jump to address 0x0 (file start)
Check magic bytes:
PE Executable: MZ 90 90 90 ...
ELF Binary: 7F 45 4C 46 ...
Mach-O Binary: FE ED FA ...
Java Class: CA FE BA BE ...
ZIP Archive: 50 4B 03 04 ...
Right-click function > "Show in Graph"
Graph view shows:
- Basic blocks (code sequences)
- Jump targets (conditional branches)
- Loop detection
- Function calls
- Edge labels (true/false conditions)
Navigation:
- Pan: mouse drag
- Zoom: mouse wheel
- Double-click block to view code
Key indicators to look for:
1. Decision points (if/else branches)
2. Loop structures (while, for)
3. Function calls (esp. to system APIs)
4. Exception handling
5. Unreachable code
Example analysis:
- Identify security checks
- Find alternative code paths
- Detect control flow hijacking
- Analyze error handling
Imports tab shows:
- DLL/SO imports
- Function names
- Import addresses
Suspicious imports:
- CreateRemoteThread (process injection)
- VirtualAlloc (memory allocation)
- WriteProcessMemory (memory writing)
- LoadLibrary (dynamic loading)
- RegOpenKey (registry access)
Exports tab shows:
- Exported function names
- Export addresses
- Export ordinals
Analysis:
- Check function naming
- Identify main functions
- Find callback functions
- Look for hidden exports
Ctrl+F opens search with options:
- Text search (strings, functions)
- Hex search (byte patterns)
- Regular expressions
- Cross-references
- Binary patterns
Search syntax:
- "main" - find string "main"
- "89 c3" - find hex bytes
- "[0-9]+" - regex pattern
- x/3i@0x401000 - x commands
Search for common patterns:
- Suspicious API sequences
- Shellcode indicators
- Encryption patterns
- Anti-analysis checks
Example patterns:
- "GetProcAddress" + "LoadLibrary" (dynamic loading)
- "CreateProcess" + "WriteProcessMemory" (injection)
- "Sleep" + loop (timing evasion)
1. Load suspicious binary
2. Check file type and architecture
- View > File Info
3. Examine imports
- Look for suspicious APIs
- Note loaded libraries
4. Scan strings
- Search for URLs, IPs
- Look for hardcoded credentials
- Check for debug strings
5. Find entry point
- Usually main() or WinMain()
6. Analyze main function
- Trace execution flow
- Identify key operations
7. Look for anti-analysis
- IsDebuggerPresent checks
- API hooks detection
- VM detection code
8. Create project and save annotations
Tools > Plugins:
- Available analysis plugins
- Signature matching
- Behavior analysis
- Pattern recognition
Enable plugins:
1. Tools > Plugins
2. Check desired plugins
3. Analyze > Run Analysis
4. Wait for completion
#!/usr/bin/env python3
# Rizin Python script for binary analysis
import rzpipe
# Open binary
r = rzpipe.open("/path/to/binary")
# Get file info
info = r.cmd("i")
print("File info:", info)
# Analyze
r.cmd("aaa") # Analyze all
# List functions
functions = r.cmd("fl")
print("Functions:", functions)
# Get disassembly at address
disasm = r.cmd("pd 10 @ 0x401000")
print(disasm)
# Find strings
strings = r.cmd("izz")
print(strings)
# Close
r.quit()
#!/usr/bin/env python3
import rzpipe
import sys
def analyze_imports(binary_path):
"""Analyze imported functions"""
r = rzpipe.open(binary_path)
r.cmd("aaa")
imports = r.cmd("ii")
suspicious_imports = [
"CreateRemoteThread",
"VirtualAlloc",
"WriteProcessMemory",
"SetWindowsHookEx",
"CreateFileMapping"
]
print("[*] Checking imports...")
for imp in suspicious_imports:
if imp.lower() in imports.lower():
print(f"[!] SUSPICIOUS: {imp} imported")
r.quit()
if __name__ == "__main__":
binary = sys.argv[1] if len(sys.argv) > 1 else "sample.exe"
analyze_imports(binary)
1. Load potentially vulnerable binary
2. Find dangerous functions:
- strcpy, sprintf, gets (buffer overflow)
- system, exec (command injection)
- eval, exec (code injection)
3. Analyze usage context:
- Input source
- Bounds checking
- Validation logic
4. Trace data flow:
- Where does user input come from?
- How is it processed?
- Where could it cause harm?
5. Document findings:
- Create comments
- Export analysis
- Generate report
Workflow for analyzing applied patches:
1. Load patched binary
2. Load original binary (side-by-side comparison)
3. Use diff tools to find changes:
- Tools > Diff
4. Analyze modifications:
- Changed functions
- New code additions
- Removed code sections
5. Determine patch intent:
- Security fix
- Feature addition
- Performance improvement
File > Save Project:
- Saves all annotations
- Preserves symbol information
- Stores custom comments
- Maintains analysis state
Project file extension: .c2project
File > Export:
- Export as PDF report
- Export symbols
- Export functions list
- Export strings
- Export assembly listing
Generate comprehensive report:
1. File > Export > PDF
2. Select sections to include
3. Add custom title/description
4. Save report
| Shortcut | Action |
|---|
| Ctrl+F | Search |
| Ctrl+G | Jump to address |
| Ctrl+Shift+G | Go to function |
| ’;‘ | Add comment |
| ’x’ | Cross-references |
| ’g’ | Graph view |
| ’d’ | Define/undefine |
| ’N’ | Rename variable |
| Ctrl+L | Toggle graph/linear view |
| Ctrl+S | Save project |
| Issue | Solution |
|---|
| Binary not analyzed | Tools > Analysis > Re-analyze (Ctrl+A) |
| Functions not identified | Tools > Analysis > Run as 64-bit/32-bit |
| Decompiler not available | Install Ghidra plugin: Tools > Plugins > Ghidra |
| Slow analysis | Try limited analysis scope for large binaries |
| Memory issues | Close other applications, try headless mode |
- Document findings - Use comments extensively
- Save projects - Preserve analysis state
- Cross-validate - Use multiple analysis techniques
- Automated checks - Use plugins for common signatures
- Compare samples - Use diff for variant analysis
- Maintain timeline - Track analysis progression
- Export reports - Generate formal documentation
| Feature | Cutter | IDA Pro | Ghidra |
|---|
| Cost | Free | $$$$ | Free |
| GUI Quality | Good | Excellent | Good |
| Decompilation | Good | Excellent | Excellent |
| Plugins | Yes | Yes | Yes |
| Linux Support | Excellent | Good | Excellent |
| Malware Analysis | Good | Excellent | Excellent |
- Official Cutter GitHub - Latest releases and documentation
- Rizin Documentation - Complete API reference
- Reverse Engineering Materials - Analysis tutorials
- Binary Exploitation Guides - Vulnerability research methods
- Malware Analysis Resources - Industry best practices
Patterns to search for:
- "IsDebuggerPresent" - debugger check
- "CheckRemoteDebuggerPresent" - remote debugger check
- "GetTickCount" - timing checks
- "NtQueryInformationProcess" - process examination
- "OutputDebugString" - debug string output
These indicate malware trying to detect analysis tools.
Suspicious API sequences:
1. CreateProcess (with SUSPENDED flag)
2. VirtualAllocEx (allocate memory in target)
3. WriteProcessMemory (write payload)
4. ResumeThread (start execution)
Or alternatively:
1. CreateRemoteThread (create thread in target)
2. VirtualAlloc (allocate memory)
3. Followed by WriteProcessMemory
Registry access patterns:
- "HKLM\Software\Microsoft\Windows\Run"
- "HKCU\Software\Microsoft\Windows\Run"
- Scheduled Tasks registry modifications
File system patterns:
- %AppData% folder access
- %ProgramFiles% modifications
- Windows\System32 writes
