Rizin Cutter

Rizin Cutter is a modern GUI-based reverse engineering framework built on the Rizin analysis engine. It provides intuitive tools for analyzing binaries, examining code structure, and understanding program behavior. Essential for malware analysis, vulnerability research, and binary security assessments on Linux, Windows, and macOS systems.

Installation

Kali Linux Installation

# Install via apt
sudo apt-get update
sudo apt-get install rizin-cutter

# Or download from official releases
wget https://github.com/rizinorg/cutter/releases/download/v2.x.x/Cutter-v2.x.x-Linux-x64.AppImage
chmod +x Cutter-v2.x.x-Linux-x64.AppImage
./Cutter-v2.x.x-Linux-x64.AppImage

# Build from source
git clone https://github.com/rizinorg/cutter.git
cd cutter
mkdir build && cd build
cmake .. && make
sudo make install

Command Line Interface

# Launch Cutter GUI
cutter /path/to/binary

# Launch with project file
cutter -p /path/to/project.c2project

# Open in headless mode
cutter --headless /path/to/binary

# Verify installation
cutter --version

User Interface Overview

Main Components

┌─────────────────────────────────────────────────────────┐
│  Menu Bar: File | Edit | View | Tools | Help            │
├─────────────────────────────────────────────────────────┤
│  ┌──────────────┬───────────────────┬──────────────┐    │
│  │ File Browser │  Disassembly View │ Decompiler   │    │
│  │              │                   │              │    │
│  │ - Sections   │ - Instructions    │ - Pseudocode │    │
│  │ - Functions  │ - Comments        │ - Variables  │    │
│  │ - Imports    │ - Cross-references│ - Control    │    │
│  │ - Symbols    │                   │   Flow       │    │
│  └──────────────┴───────────────────┴──────────────┘    │
│  ┌─────────────────────────────────────────────────┐    │
│  │ Information Panel: Strings | Hex | Graph | Info │    │
│  └─────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────┘

Opening and Analyzing Binaries

Load Binary File

# Open file in Cutter
cutter example.exe

# Opens with analysis options dialog:
# - Architecture detection
# - Endianness
# - Analysis options
# - Load address configuration

Basic Navigation

Action	Method
Search function	Ctrl+F or View > Search
Jump to address	Ctrl+G or press ‘g’ in disassembly
Go to function	Ctrl+Shift+G
Cross-references	Hover over function or press ‘x’
Back/Forward navigation	Alt+Left / Alt+Right

Disassembly Analysis

View Disassembly

Main disassembly view shows:
- Address (left column)
- Machine code (hex)
- Assembly instructions
- Comments and annotations

Example:
0x00401000  mov     rax, qword [rbp + 0x8]
0x00401004  add     rax, 0x1
0x00401008  ret

Hover over instruction for:
- Operand size and type
- Referenced functions
- Memory addresses

Add Comments and Annotations

In disassembly:
1. Right-click on instruction
2. Select "Add comment"
3. Type description

Keyboard shortcut: ';' key

Example annotations:
- "Stack frame setup"
- "Function prologue"
- "Buffer overflow check"
- "Suspicious API call"

Analyze Function Calls

1. Click on function name
2. View "References" tab
3. See all callers and callees

Analysis options:
- Call graph visualization
- Function signature analysis
- Parameter tracking
- Return value analysis

Decompilation

View Decompiled Code

Main decompiler options:
- Ghidra decompiler (if installed)
- Rizin native decompilation
- Side-by-side comparison with assembly

To enable decompiler:
1. View > Windows > Decompiler
2. Click on function to decompile
3. Read pseudocode alongside assembly

Example Decompiled Output

// Function at 0x401000
void __cdecl function_401000(int param_1) {
    int local_var;
    
    local_var = param_1 + 0x100;
    printf("Value: %d\n", local_var);
    return;
}

String Analysis

Search and Analyze Strings

View > Windows > Strings to show all strings

String information includes:
- Virtual address
- Section (.rodata, .data, etc.)
- String value
- References (cross-references)

Analysis workflow:
1. Strings tab shows all detected strings
2. Search: Ctrl+F in strings
3. Click string to jump to code
4. Analyze surrounding code

Find Hardcoded Credentials

1. Open Strings panel
2. Search for patterns:
   - "password", "secret"
   - API keys
   - URLs and domains
   - Email addresses
   - Special usernames

3. Click string reference to see usage
4. Analyze context in disassembly

Hex Viewer

Examine Raw Data

View > Windows > Hex Editor

Features:
- Direct byte examination
- Address navigation
- Pattern searching
- Edit capability (in memory only)

Example analysis:
- File headers and magic numbers
- String encoding detection
- Data structure patterns
- Packed binary identification

Identify File Types

Jump to address 0x0 (file start)
Check magic bytes:

PE Executable:    MZ 90 90 90 ...
ELF Binary:       7F 45 4C 46 ...
Mach-O Binary:    FE ED FA ...
Java Class:       CA FE BA BE ...
ZIP Archive:      50 4B 03 04 ...

Control Flow Analysis

View Function Graphs

Right-click function > "Show in Graph"

Graph view shows:
- Basic blocks (code sequences)
- Jump targets (conditional branches)
- Loop detection
- Function calls
- Edge labels (true/false conditions)

Navigation:
- Pan: mouse drag
- Zoom: mouse wheel
- Double-click block to view code

Analyze Control Flow

Key indicators to look for:
1. Decision points (if/else branches)
2. Loop structures (while, for)
3. Function calls (esp. to system APIs)
4. Exception handling
5. Unreachable code

Example analysis:
- Identify security checks
- Find alternative code paths
- Detect control flow hijacking
- Analyze error handling

Symbols and Imports

Analyze Imported Functions

Imports tab shows:
- DLL/SO imports
- Function names
- Import addresses

Suspicious imports:
- CreateRemoteThread (process injection)
- VirtualAlloc (memory allocation)
- WriteProcessMemory (memory writing)
- LoadLibrary (dynamic loading)
- RegOpenKey (registry access)

Identify Exported Functions

Exports tab shows:
- Exported function names
- Export addresses
- Export ordinals

Analysis:
- Check function naming
- Identify main functions
- Find callback functions
- Look for hidden exports

Search and Pattern Matching

Advanced Search Features

Ctrl+F opens search with options:
- Text search (strings, functions)
- Hex search (byte patterns)
- Regular expressions
- Cross-references
- Binary patterns

Search syntax:
- "main" - find string "main"
- "89 c3" - find hex bytes
- "[0-9]+" - regex pattern
- x/3i@0x401000 - x commands

Pattern Analysis

Search for common patterns:
- Suspicious API sequences
- Shellcode indicators
- Encryption patterns
- Anti-analysis checks

Example patterns:
- "GetProcAddress" + "LoadLibrary" (dynamic loading)
- "CreateProcess" + "WriteProcessMemory" (injection)
- "Sleep" + loop (timing evasion)

Malware Analysis Workflow

Rapid Malware Assessment

1. Load suspicious binary
2. Check file type and architecture
   - View > File Info
   
3. Examine imports
   - Look for suspicious APIs
   - Note loaded libraries
   
4. Scan strings
   - Search for URLs, IPs
   - Look for hardcoded credentials
   - Check for debug strings
   
5. Find entry point
   - Usually main() or WinMain()
   
6. Analyze main function
   - Trace execution flow
   - Identify key operations
   
7. Look for anti-analysis
   - IsDebuggerPresent checks
   - API hooks detection
   - VM detection code
   
8. Create project and save annotations

Automated Analysis Features

Tools > Plugins:
- Available analysis plugins
- Signature matching
- Behavior analysis
- Pattern recognition

Enable plugins:
1. Tools > Plugins
2. Check desired plugins
3. Analyze > Run Analysis
4. Wait for completion

Python Scripting

Rizin Python API

#!/usr/bin/env python3
# Rizin Python script for binary analysis

import rzpipe

# Open binary
r = rzpipe.open("/path/to/binary")

# Get file info
info = r.cmd("i")
print("File info:", info)

# Analyze
r.cmd("aaa")  # Analyze all

# List functions
functions = r.cmd("fl")
print("Functions:", functions)

# Get disassembly at address
disasm = r.cmd("pd 10 @ 0x401000")
print(disasm)

# Find strings
strings = r.cmd("izz")
print(strings)

# Close
r.quit()

Create Analysis Scripts

#!/usr/bin/env python3
import rzpipe
import sys

def analyze_imports(binary_path):
    """Analyze imported functions"""
    r = rzpipe.open(binary_path)
    r.cmd("aaa")
    
    imports = r.cmd("ii")
    
    suspicious_imports = [
        "CreateRemoteThread",
        "VirtualAlloc",
        "WriteProcessMemory",
        "SetWindowsHookEx",
        "CreateFileMapping"
    ]
    
    print("[*] Checking imports...")
    for imp in suspicious_imports:
        if imp.lower() in imports.lower():
            print(f"[!] SUSPICIOUS: {imp} imported")
    
    r.quit()

if __name__ == "__main__":
    binary = sys.argv[1] if len(sys.argv) > 1 else "sample.exe"
    analyze_imports(binary)

Advanced Analysis Tasks

Vulnerability Research

1. Load potentially vulnerable binary
2. Find dangerous functions:
   - strcpy, sprintf, gets (buffer overflow)
   - system, exec (command injection)
   - eval, exec (code injection)
   
3. Analyze usage context:
   - Input source
   - Bounds checking
   - Validation logic
   
4. Trace data flow:
   - Where does user input come from?
   - How is it processed?
   - Where could it cause harm?
   
5. Document findings:
   - Create comments
   - Export analysis
   - Generate report

Patch Analysis

Workflow for analyzing applied patches:
1. Load patched binary
2. Load original binary (side-by-side comparison)
3. Use diff tools to find changes:
   - Tools > Diff
   
4. Analyze modifications:
   - Changed functions
   - New code additions
   - Removed code sections
   
5. Determine patch intent:
   - Security fix
   - Feature addition
   - Performance improvement

Export and Reporting

Save Analysis Project

File > Save Project:
- Saves all annotations
- Preserves symbol information
- Stores custom comments
- Maintains analysis state

Project file extension: .c2project

Export Analysis Results

File > Export:
- Export as PDF report
- Export symbols
- Export functions list
- Export strings
- Export assembly listing

Generate comprehensive report:
1. File > Export > PDF
2. Select sections to include
3. Add custom title/description
4. Save report

Keyboard Shortcuts

Shortcut	Action
Ctrl+F	Search
Ctrl+G	Jump to address
Ctrl+Shift+G	Go to function
’;‘	Add comment
’x’	Cross-references
’g’	Graph view
’d’	Define/undefine
’N’	Rename variable
Ctrl+L	Toggle graph/linear view
Ctrl+S	Save project

Troubleshooting

Issue	Solution
Binary not analyzed	Tools > Analysis > Re-analyze (Ctrl+A)
Functions not identified	Tools > Analysis > Run as 64-bit/32-bit
Decompiler not available	Install Ghidra plugin: Tools > Plugins > Ghidra
Slow analysis	Try limited analysis scope for large binaries
Memory issues	Close other applications, try headless mode

Best Practices

1. Document findings - Use comments extensively
2. Save projects - Preserve analysis state
3. Cross-validate - Use multiple analysis techniques
4. Automated checks - Use plugins for common signatures
5. Compare samples - Use diff for variant analysis
6. Maintain timeline - Track analysis progression
7. Export reports - Generate formal documentation

Comparison: Cutter vs IDA Pro vs Ghidra

Feature	Cutter	IDA Pro	Ghidra
Cost	Free	$$$$	Free
GUI Quality	Good	Excellent	Good
Decompilation	Good	Excellent	Excellent
Plugins	Yes	Yes	Yes
Linux Support	Excellent	Good	Excellent
Malware Analysis	Good	Excellent	Excellent

Resources

• Official Cutter GitHub - Latest releases and documentation
• Rizin Documentation - Complete API reference
• Reverse Engineering Materials - Analysis tutorials
• Binary Exploitation Guides - Vulnerability research methods
• Malware Analysis Resources - Industry best practices

Common Malware Analysis Patterns

Anti-Analysis Detection

Patterns to search for:
- "IsDebuggerPresent" - debugger check
- "CheckRemoteDebuggerPresent" - remote debugger check
- "GetTickCount" - timing checks
- "NtQueryInformationProcess" - process examination
- "OutputDebugString" - debug string output

These indicate malware trying to detect analysis tools.

Process Injection

Suspicious API sequences:
1. CreateProcess (with SUSPENDED flag)
2. VirtualAllocEx (allocate memory in target)
3. WriteProcessMemory (write payload)
4. ResumeThread (start execution)

Or alternatively:
1. CreateRemoteThread (create thread in target)
2. VirtualAlloc (allocate memory)
3. Followed by WriteProcessMemory

Persistence Mechanisms

Registry access patterns:
- "HKLM\Software\Microsoft\Windows\Run"
- "HKCU\Software\Microsoft\Windows\Run"
- Scheduled Tasks registry modifications

File system patterns:
- %AppData% folder access
- %ProgramFiles% modifications
- Windows\System32 writes