1RAGG2(1) BSD General Commands Manual RAGG2(1)
2
4 ragg2 — radare2 frontend for r_egg, compile programs into tiny binaries
5 for x86-32/64 and arm.
6
8 ragg2 [-a arch] [-b bits] [-k kernel] [-f format] [-o file]
9 [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v]
10 [-C file] [-n num32] [-N num64] [-d off:dword] [-D off:qword]
11 [-w off:hexpair] [-p padding] [-P pattern] [-q fragment]
12 [-FOLsrxvhz]
13
15 ragg2 is a frontend for r_egg, compile programs into tiny binaries for
16 x86-32/64 and arm.
17 This tool is experimental and it is a rewrite of the old rarc2 and
19 rarc2-tool programs as a library and integrated with r_asm and r_bin.
20 Programs generated by r_egg are relocatable and can be injected in a run‐
22 ning process or on-disk binary file.
23 Since the ragg2-cc merge, ragg2 can now generate shellcodes from C code.
25 The final code can be linked with rabin2 and it is relocatable, so it can
26 be used to inject it on any remote process. This feature is conceptually
27 based on shellforge4, but only linux/osx x86-32/64 platforms are sup‐
28 ported.
29
31 The rr2 (ragg2) configuration file accepts the following directives,
32 described as key=value entries and comments defined as lines starting
33 with '#'.
34 -a arch set architecture x86, arm
36 -b bits 32 or 64
38 -k kernel windows, linux or osx
40 -f format output format (raw, c, pe, elf, mach0, python, javascript)
42 -o file output file to write result of compilation
44 -i shellcode
46 specify shellcode name to be used (see -L)
47 -e encoder specify encoder name to be used (see -L)
49 -B hexpair specify shellcode as hexpairs
51 -c k=v set configure option for the shellcode encoder. The argument
53 must be key=value.
54 -C file include contents of file
56 -d off:dword
58 Patch final buffer with given dword at specified offset
59 -D off:qword
61 Patch final buffer with given qword at specified offset
62 -w off:hexpairs
64 Patch final buffer with given hexpairs at specified offset
65 -n num32 Append a 32bit number in little endian
67 -N num64 Append a 64bit number in little endian
69 -p padding Specify generic paddings with a format string. Use lowercase
71 letters to prefix, and uppercase to suffix, keychars are. 'n'
72 for nop, 't' for trap, 'a' for sequence and 's' for zero.
73 -P size Prepend debruijn sequence of given length.
75 -q fragment
77 Output offset of debruijn sequence fragment.
78 -F autodetect native file format (osx=mach0, linux=elf, ..)
80 -O use default output file (filename without extension or a.out)
82 -I path add include path
84 -s show assembler code
86 -S append a string
88 -r show raw bytes instead of hexpairs
90 -x execute (just-in-time)
92 -X execute rop chain
94 -L list all plugins (shellcodes and encoders)
96 -h show this help
98 -z output in C string syntax
100 -v show version
102
104 $ cat hi.r
105 /* hello world in r_egg */
106 write@syscall(4); //x64 write@syscall(1);
107 exit@syscall(1); //x64 exit@syscall(60);
108 main@global(128) {
110 .var0 = "hi!\n";
111 write(1,.var0, 4);
112 exit(0);
113 }
114 $ ragg2 -O -F hi.r
115 $ ./hi
116 hi!
117 # With C file :
119 $ cat hi.c
120 main() {
121 write(1, "Hello\n", 6);
122 exit(0);
123 }
124 $ ragg2 -O -F hi.c
125 $ ./hi
127 Hello
128 # Linked into a tiny binary. This is 165 bytes
130 $ wc -c < hi
131 165
132 # The compiled shellcode has zeroes
134 $ ragg2 hi.c | tail -1
135 eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010
136 000000f0531ffb83c0000000f0531c0c3
137 # Use a xor encoder with key 64 to bypass
139 $ ragg2 -e xor -c key=64 -B $(ragg2 hi.c | tail -1)
140 6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252
141 c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45
142 71bff87c4040404f45718083
143
145 radare2(1), rahash2(1), rafind2(1), rabin2(1), rafind2(1), radiff2(1),
146 rasm2(1),
147
149 Written by pancake <pancake@nopcode.org>.
150 Sep 30, 2014