
rz-gg - Man Page

rizin frontend for RzEgg, compile programs into tiny binaries for different architectures.


rz-gg [-FOLsrxvhz] [-a arch] [-b bits] [-k os] [-f format] [-o file] [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v] [-C file] [-n dword] [-N dword] [-d off:dword] [-D off:qword] [-w off:hexpairs] [-p padding] [-P size] [-q fragment] file|f.asm|-


This command is part of the Rizin project.

Programs generated by RzEgg are relocatable and can be injected into a running process or on-disk binary file.

Since the rz-gg-cc merge, rz-gg can now generate shellcodes from C code. The final code can be linked with rz-bin, and it is relocatable, allowing injection into any remote process. This feature is conceptually based on shellforge4, but only supports Linux/OSX x86-32/64 platforms.


The rrz (rz-gg) configuration file accepts the following directives, described as key=value entries and comments defined as lines starting with '#'.

-a arch

Select architecture (x86, mips, arm)

-b bits

Set register size (32, 64, ..)

-B hexpairs

Append hexpair bytes

-c k=v

Set configure option for the shellcode encoder. The argument must be key=value

-C file

Append contents of file

-d off:dword

Patch dword (4 bytes) at given offset

-D off:qword

Patch qword (8 bytes) at given offset

-e encoder

Use specific encoder. See -L

-f format

Output format (raw, c, pe, elf, mach0, python, javascript)


-F

Output native format (osx=mach0, linux=elf, ..)


-h

Show usage help message

-i shellcode

Include shellcode plugin, use options. See -L

-I path

Add include path

-k kernel

Operating system's kernel (linux, bsd, osx, w32)


-L

List all plugins (shellcodes and encoders)

-n num32

Append 32bit number (4 bytes)

-N num64

Append 64bit number (8 bytes)

-o file

Output file to write result of compilation


-O

Use default output file (filename without extension or a.out)

-p padding

Add padding after compilation (padding=n10s32)
ntas : begin nop, trap, 'a', sequence
NTAS : same as above, but at the end

-P size

Prepend debruijn sequence of given length

-q fragment

Debruijn pattern offset


-r

Show raw bytes instead of hexpairs


-s

Show assembler

-S string

Append a string


-v

Show version information

-w off:hex

Patch hexpairs at given offset



-X hexpairs

Execute rop chain, using the stack provided


-z

Output in C string syntax


$ cat hi.r
/* hello world in RzEgg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);

main@global(128) {
  .var0 = "hi!\n";
  write(1,.var0, 4);
  exit(0);
}
$ rz-gg -O -F hi.r
$ ./hi

# With a C file:
$ cat hi.c
main() {
  write(1, "Hello\n", 6);
}
$ rz-gg -O -F hi.c

$ ./hi

# Linked into a tiny binary. This is 165 bytes
$ wc -c < hi

# The compiled shellcode has zeroes
$ rz-gg hi.c | tail -1

# Use a xor encoder with key 64 to bypass
$ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
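
Why the xor step in the last example removes the zeroes, and what that leaves behind for an analyst, as an added Python sketch (not part of the man page or the Rizin code). It assumes the encoder XORs every payload byte with the single key byte 64 (0x40) and models only that transform, not the decoder stub rz-gg emits; the sample bytes are constructed, not rz-gg output.

```python
from collections import Counter


def null_offsets(buf: bytes) -> list:
    """Offsets of 0x00 bytes, the 'zeroes' the example above points out."""
    return [i for i, b in enumerate(buf) if b == 0]


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer (assumed model of the encoder)."""
    return bytes(b ^ key for b in buf)


def null_free_keys(buf: bytes) -> list:
    """Keys that leave no 0x00 in the output: b ^ k == 0 only when b == k,
    so any non-zero value that never occurs in the input is usable."""
    present = set(buf)
    return [k for k in range(1, 256) if k not in present]


def guess_key(encoded: bytes) -> int:
    """Triage heuristic: 0x00 ^ k == k, so if the input was null-heavy
    before encoding, the most frequent encoded byte is the key itself."""
    return Counter(encoded).most_common(1)[0][0]


# Constructed sample, not real shellcode: little-endian integers padded
# with zeroes around a C string, the usual source of null bytes.
SAMPLE = (1).to_bytes(4, "little") + b"Hello\n\x00" + (6).to_bytes(4, "little")

KEY = 64  # 0x40, the key value used in the xor example above
ENCODED = xor_bytes(SAMPLE, KEY)

if __name__ == "__main__":
    print("null offsets before:", null_offsets(SAMPLE))
    print("null offsets after :", null_offsets(ENCODED))
    print("key 64 usable      :", KEY in null_free_keys(SAMPLE))
    # 0x48 ('H') occurs in the sample, so that key would reintroduce a zero.
    print("key 0x48 zero at   :", null_offsets(xor_bytes(SAMPLE, 0x48)))
    k = guess_key(ENCODED)
    print("recovered key      :", k, xor_bytes(ENCODED, k) == SAMPLE)
```

The frequency shortcut only holds for a single-byte key over null-heavy input; treat it as a triage heuristic for encoded blobs, not a general decoder.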

See Also

rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1)


pancake <pancake@nopcode.org>


Referenced By

rizin(1), rz-asm(1), rz-ax(1), rz-bin(1), rz-diff(1), rz-find(1), rz-hash(1), rz-run(1), rz-sign(1).

January 24, 2024