1RAGG2(1) BSD General Commands Manual RAGG2(1)
2
4 ragg2 — radare2 frontend for r_egg, compile programs into tiny binaries
5 for x86-32/64 and arm.
6
8 ragg2 [-a arch] [-b bits] [-k kernel] [-f format] [-o file]
9 [-i shellcode] [-I path] [-e eggstr] [-E encoder] [-B hexpairs]
10 [-c k=v] [-C file] [-n num32] [-N num64] [-d off:dword]
11 [-D off:qword] [-w off:hexpair] [-p padding] [-P pattern]
12 [-q fragment] [-FOLsrxvhz]
13
15 ragg2 is a frontend for r_egg, compile programs into tiny binaries for
16 x86-32/64 and arm.
17 This tool is experimental and it is a rewrite of the old rarc2 and
19 rarc2-tool programs as a library and integrated with r_asm and r_bin.
20 Programs generated by r_egg are relocatable and can be injected in a run‐
22 ning process or on-disk binary file.
23 Since the ragg2-cc merge, ragg2 can now generate shellcodes from C code.
25 The final code can be linked with rabin2 and it is relocatable, so it can
26 be used to inject it on any remote process. This feature is conceptually
27 based on shellforge4, but only linux/osx x86-32/64 platforms are sup‐
28 ported.
29
31 The rr2 (ragg2) configuration file accepts the following directives, de‐
32 scribed as key=value entries and comments defined as lines starting with
33 '#'.
34 -a arch set architecture x86, arm
36 -b bits 32 or 64
38 -k kernel windows, linux or osx
40 -f format output format (raw, c, pe, elf, mach0, python, javascript)
42 -o file output file to write result of compilation
44 -i shellcode
46 specify shellcode name to be used (see -L)
47 -e encoder pass egg program as argument instead of in a file
49 -E encoder specify encoder name to be used (see -L)
51 -B hexpair specify shellcode as hexpairs
53 -c k=v set configure option for the shellcode encoder. The argument
55 must be key=value.
56 -C file include contents of file
58 -d off:dword
60 Patch final buffer with given dword at specified offset
61 -D off:qword
63 Patch final buffer with given qword at specified offset
64 -w off:hexpairs
66 Patch final buffer with given hexpairs at specified offset
67 -n num32 Append a 32bit number in little endian
69 -N num64 Append a 64bit number in little endian
71 -p padding Specify generic paddings with a format string. Use lowercase
73 letters to prefix, and uppercase to suffix, keychars are. 'n'
74 for nop, 't' for trap, 'a' for sequence and 's' for zero.
75 -P size Prepend debruijn sequence of given length.
77 -q fragment
79 Output offset of debruijn sequence fragment.
80 -F autodetect native file format (osx=mach0, linux=elf, ..)
82 -O use default output file (filename without extension or a.out)
84 -I path add include path
86 -s show assembler code
88 -S append a string
90 -r show raw bytes instead of hexpairs
92 -x execute (just-in-time)
94 -X execute rop chain
96 -L list all plugins (shellcodes and encoders)
98 -h show this help
100 -z output in C string syntax
102 -v show version
104
106 $ cat hi.r
107 /* hello world in r_egg */
108 write@syscall(4); //x64 write@syscall(1);
109 exit@syscall(1); //x64 exit@syscall(60);
110 main@global(128) {
112 .var0 = "hi!\n";
113 write(1,.var0, 4);
114 exit(0);
115 }
116 $ ragg2 -O -F hi.r
117 $ ./hi
118 hi!
119 # With C file :
121 $ cat hi.c
122 main() {
123 write(1, "Hello\n", 6);
124 exit(0);
125 }
126 $ ragg2 -O -F hi.c
127 $ ./hi
129 Hello
130 # Linked into a tiny binary. This is 165 bytes
132 $ wc -c < hi
133 165
134 # The compiled shellcode has zeroes
136 $ ragg2 hi.c | tail -1
137 eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010
138 000000f0531ffb83c0000000f0531c0c3
139 # Use a xor encoder with key 64 to bypass
141 $ ragg2 -e xor -c key=64 -B $(ragg2 hi.c | tail -1)
142 6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252
143 c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45
144 71bff87c4040404f45718083
145
147 radare2(1)
148
150 Written by pancake <pancake@nopcode.org>.
151 May 4, 2021