├── Images
    ├── Cutter_import_script1.png
    ├── Cutter_import_script2.png
    ├── Cutter_Tiny_tracer_integration.png
    └── Cutter_Tiny_tracer_integration2.png
├── tiny_tracer_tag_to_cutter.py
└── README.md

/Images/Cutter_import_script1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dump-GUY/tiny_tracer_tag_to_cutter/HEAD/Images/Cutter_import_script1.png

--------------------------------------------------------------------------------
/Images/Cutter_import_script2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dump-GUY/tiny_tracer_tag_to_cutter/HEAD/Images/Cutter_import_script2.png

--------------------------------------------------------------------------------
/Images/Cutter_Tiny_tracer_integration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dump-GUY/tiny_tracer_tag_to_cutter/HEAD/Images/Cutter_Tiny_tracer_integration.png

--------------------------------------------------------------------------------
/Images/Cutter_Tiny_tracer_integration2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dump-GUY/tiny_tracer_tag_to_cutter/HEAD/Images/Cutter_Tiny_tracer_integration2.png

--------------------------------------------------------------------------------
/tiny_tracer_tag_to_cutter.py:
--------------------------------------------------------------------------------
# Option 1: drag and drop the .tag file produced by tiny_tracer.
# Option 2: run the script, example: tiny_tracer_tag_to_cutter.py Malware.exe.tag
#           example: tiny_tracer_tag_to_cutter.py "C:\Users\XXX\Desktop\TAG_TO_CUTTER\Malware.exe.tag"
# The tag file will be converted to a Cutter annotation script.
import base64
import sys

try:
    droppedTagFile = sys.argv[1]
except IndexError:
    print("No file dropped....\nDrag and drop .tag file or see examples:\ntiny_tracer_tag_to_cutter.py Malware.exe.tag\ntiny_tracer_tag_to_cutter.py \"C:\\Users\\XXX\\Desktop\\TAG_TO_CUTTER\\Malware.exe.tag\"\n")
    sys.exit(1)

with open(droppedTagFile, 'r') as tag_handle:
    Tag_file = tag_handle.read()

Cutter_script = ""
for line in Tag_file.split("\n"):
    # Skip blank lines, lines starting with '>' and lines without an "RVA;comment" pair.
    if not line or line[0] == '>' or ';' not in line:
        continue
    # Split on the first ';' only, so a comment that contains ';' is kept whole.
    Cutter_RVA, Cutter_comment = line.split(';', 1)
    # CCu adds a unique comment; base64 keeps spaces and special characters intact.
    Cutter_script += "CCu base64:" + base64.b64encode(Cutter_comment.encode("utf-8")).decode() + " @ " + "$B+0x" + Cutter_RVA + "\n"

# The .r2 script is written next to the .tag file.
with open(droppedTagFile + '.cutter.r2', "w") as out_handle:
    out_handle.write(Cutter_script)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# tiny_tracer_tag_to_cutter
Converts the .tag file produced by tiny_tracer to a Cutter annotation script.

The tags generated by Tiny Tracer are helpful when deobfuscating obfuscated API calls or when functions are linked at runtime.
This script annotates the code with the tags produced by Tiny Tracer.
Tiny Tracer repo: https://github.com/hasherezade/tiny_tracer.
Tested on Tiny_tracer version 1.4

How to use:
You can use the Python script tiny_tracer_tag_to_cutter.py (Python 3+) or the standalone binary for 64-bit Windows, available here: https://github.com/Dump-GUY/tiny_tracer_tag_to_cutter/releases/tag/ver1.0
Simply drag and drop the .tag file produced by tiny_tracer or run the script:
Example: tiny_tracer_tag_to_cutter.py Malware.exe.tag
Example: tiny_tracer_tag_to_cutter.py "C:\Users\XXX\Desktop\TAG_TO_CUTTER\Malware.exe.tag"

The Cutter .r2 script is created in the same directory as the .tag file.

Run Cutter, load the relevant sample and run the .r2 script produced by tiny_tracer_tag_to_cutter.
You can run the .r2 script via the advanced options during sample loading.

Advanced options during sample loading:

![Cutter_import_script1](/Images/Cutter_import_script1.png)

Alternatively, you can run the .r2 script from the Cutter view. If you run the script from the Cutter view, you MUST refresh the view with F5 or via View Tab/Refresh Contents to see the modified contents.

Running Cutter script from Cutter view:

![Cutter_import_script2](/Images/Cutter_import_script2.png)


Tiny_tracer integration to Cutter - Annotated Disassembly view, Annotated Decompile view, Annotated Graph view and Comments view.

![Cutter_Tiny_tracer_integration](/Images/Cutter_Tiny_tracer_integration.png)

Tiny_tracer integration to Cutter - Annotated Disassembly view, Annotated Graph view, Comments view and an excellent new feature in Cutter 1.11.0 - Global Callgraph.

![Cutter_Tiny_tracer_integration2](/Images/Cutter_Tiny_tracer_integration2.png)

--------------------------------------------------------------------------------
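
Added example (not part of the tiny_tracer_tag_to_cutter repository): since the .tag file comes from tracing a sample under analysis, this checker confirms that every line of a generated `.cutter.r2` script has the `CCu base64:... @ $B+0x...` form the converter writes, and decodes the comments for review before the script is run in Cutter. The names `audit_cutter_script`, `make_line` and the sample lines are constructed for illustration.

```python
import base64
import binascii
import re

# Line shape written by tiny_tracer_tag_to_cutter.py:
#   CCu base64:<base64 comment> @ $B+0x<hex RVA>
LINE_RE = re.compile(r"CCu base64:([A-Za-z0-9+/]*={0,2}) @ \$B\+0x([0-9A-Fa-f]+)")


def make_line(rva_hex, comment):
    """Build one script line the same way the converter does (hypothetical helper)."""
    encoded = base64.b64encode(comment.encode("utf-8")).decode()
    return "CCu base64:" + encoded + " @ $B+0x" + rva_hex


def audit_cutter_script(text):
    """Return (annotations, rejected): decoded (rva, comment) pairs, and
    (line_number, line) pairs for lines that are not plain CCu annotations."""
    annotations, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = LINE_RE.fullmatch(line)
        if match is None:
            rejected.append((number, line))
            continue
        try:
            comment = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            rejected.append((number, line))
            continue
        annotations.append((int(match.group(2), 16), comment))
    return annotations, rejected


# Constructed sample: two converter-style lines plus two lines that should be flagged.
SAMPLE = "\n".join([
    make_line("1a2b", "kernel32.LoadLibraryA"),
    make_line("1a40", "kernel32.GetProcAddress"),
    "afn renamed @ $B+0x1000",      # a different r2 command, not an annotation
    "CCu base64:QUJ @ $B+0x2000",   # payload is not valid base64
])

if __name__ == "__main__":
    ok, bad = audit_cutter_script(SAMPLE)
    for rva, comment in ok:
        print(f"0x{rva:x}  {comment}")
    for number, line in bad:
        print(f"line {number} rejected: {line!r}")
```

A script with an empty rejected list contains only comment annotations; any rejected line is worth reading before the script is loaded.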