RZ_GG(1)                  BSD General Commands Manual                 RZ_GG(1)

NAME

     rz-gg — rizin frontend for r_egg, compile programs into tiny binaries for
     x86-32/64 and arm.

SYNOPSIS

     rz-gg [-a arch] [-b bits] [-k kernel] [-f format] [-o file]
           [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v]
           [-C file] [-n num32] [-N num64] [-d off:dword] [-D off:qword]
           [-w off:hexpair] [-p padding] [-P pattern] [-q fragment]
           [-FOLsrxvhz]

DESCRIPTION

     rz-gg is a frontend for r_egg that compiles programs into tiny binaries
     for x86-32/64 and arm.

     This tool is experimental. It is a rewrite of the old rarc2 and
     rarc2-tool programs as a library, integrated with r_asm and r_bin.

     Programs generated by r_egg are relocatable and can be injected into a
     running process or an on-disk binary file.

     Since the rz-gg-cc merge, rz-gg can also generate shellcodes from C code.
     The final code can be linked with rz-bin and is relocatable, so it can be
     injected into any remote process. This feature is conceptually based on
     shellforge4, but only linux/osx x86-32/64 platforms are supported.

DIRECTIVES

     The rrz (rz-gg) configuration file accepts the following directives,
     described as key=value entries and comments defined as lines starting
     with '#'.

     -a arch     set architecture x86, arm

     -b bits     32 or 64

     -k kernel   windows, linux or osx

     -f format   output format (raw, c, pe, elf, mach0, python, javascript)

     -o file     output file to write result of compilation

     -i shellcode
                 specify shellcode name to be used (see -L)

     -e encoder  specify encoder name to be used (see -L)

     -B hexpair  specify shellcode as hexpairs

     -c k=v      set configure option for the shellcode encoder. The argument
                 must be key=value.

     -C file     include contents of file

     -d off:dword
                 Patch final buffer with given dword at specified offset

     -D off:qword
                 Patch final buffer with given qword at specified offset

     -w off:hexpairs
                 Patch final buffer with given hexpairs at specified offset

     -n num32    Append a 32bit number in little endian

     -N num64    Append a 64bit number in little endian

     -p padding  Specify generic paddings with a format string. Use lowercase
                 letters to prefix and uppercase to suffix. Keychars are 'n'
                 for nop, 't' for trap, 'a' for sequence and 's' for zero.

     -P size     Prepend debruijn sequence of given length.

     -q fragment
                 Output offset of debruijn sequence fragment.

     -F          autodetect native file format (osx=mach0, linux=elf, ..)

     -O          use default output file (filename without extension or a.out)

     -I path     add include path

     -s          show assembler code

     -S          append a string

     -r          show raw bytes instead of hexpairs

     -x          execute (just-in-time)

     -X          execute rop chain

     -L          list all plugins (shellcodes and encoders)

     -h          show this help

     -z          output in C string syntax

     -v          show version

EXAMPLE

       $ cat hi.r
       /* hello world in r_egg */
       write@syscall(4); //x64 write@syscall(1);
       exit@syscall(1); //x64 exit@syscall(60);

       main@global(128) {
         .var0 = "hi!\n";
         write(1,.var0, 4);
         exit(0);
       }
       $ rz-gg -O -F hi.r
       $ ./hi
       hi!

       # With C file:
       $ cat hi.c
       main() {
         write(1, "Hello\n", 6);
         exit(0);
       }
       $ rz-gg -O -F hi.c

       $ ./hi
       Hello

       # Linked into a tiny binary. This is 165 bytes
       $ wc -c < hi
         165

       # The compiled shellcode has zeroes
       $ rz-gg hi.c | tail -1
       eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010
       000000f0531ffb83c0000000f0531c0c3

       # Use a xor encoder with key 64 to bypass
       $ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
       6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252
       c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45
       71bff87c4040404f45718083
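
     Added example (not part of the rz-gg manual or the rizin code base): a
     Python check an analyst can run on the hexpairs printed above to list the
     zero bytes in the raw output, confirm the encoded output has none, and
     recover the single-byte XOR key and the length of the unencoded decoder
     stub. The function names are hypothetical; the hex strings are the ones
     shown in this section with the line wraps joined.

```python
# Hexpairs copied from the EXAMPLE section; the manual wraps them across lines.
RAW_HEX = (
    "eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
    "000000f0531ffb83c0000000f0531c0c3"
)
ENCODED_HEX = (
    "6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
    "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
    "71bff87c4040404f45718083"
)


def zero_offsets(buf: bytes) -> list[int]:
    """Offsets of NUL bytes, which end the buffer early in C-string copies."""
    return [i for i, b in enumerate(buf) if b == 0]


def xor_bytes(buf: bytes, key: int) -> bytes:
    """XOR every byte of buf with a single-byte key."""
    return bytes(b ^ key for b in buf)


def find_single_byte_xor(buf: bytes, marker: bytes):
    """Try every non-zero key; return (key, offset of marker) or None."""
    for key in range(1, 256):
        pos = xor_bytes(buf, key).find(marker)
        if pos != -1:
            return key, pos
    return None


def recover_payload(encoded: bytes, raw: bytes, key: int):
    """Find where the XORed body starts by matching the known raw bytes.

    Returns (stub_length, decoded_body); the stub is the unencoded decoder loop.
    """
    start = xor_bytes(encoded, key).find(raw)
    if start == -1:
        raise ValueError("raw payload not found under this key")
    return start, xor_bytes(encoded[start:], key)


if __name__ == "__main__":
    raw, enc = bytes.fromhex(RAW_HEX), bytes.fromhex(ENCODED_HEX)
    print("NULs in raw output:", zero_offsets(raw))
    print("NULs in encoded output:", zero_offsets(enc))
    key, pos = find_single_byte_xor(enc, b"Hello\n")  # string from hi.c
    stub_len, body = recover_payload(enc, raw, key)
    print(f"key={key} marker@{pos} stub={stub_len}B body_ok={body == raw}")
```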

SEE ALSO

     rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1)

AUTHORS

     Written by pancake <pancake@nopcode.org>.

                                 Sep 30, 2014