rz-gg - Man Page

rizin frontend for r_egg; compiles programs into tiny binaries for x86-32/64 and arm.


rz-gg [-a arch] [-b bits] [-k kernel] [-f format] [-o file] [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v] [-C file] [-n num32] [-N num64] [-d off:dword] [-D off:qword] [-w off:hexpair] [-p padding] [-P pattern] [-q fragment] [-FOLsrxvhz]


rz-gg is a frontend for r_egg. It compiles programs into tiny binaries for x86-32/64 and arm.

This tool is experimental and it is a rewrite of the old rarc2 and rarc2-tool programs as a library and integrated with r_asm and r_bin.

Programs generated by r_egg are relocatable and can be injected in a running process or on-disk binary file.

Since the rz-gg-cc merge, rz-gg can also generate shellcode from C code. The final code can be linked with rz-bin and is relocatable, so it can be injected into any remote process. This feature is conceptually based on shellforge4, but only linux/osx x86-32/64 platforms are supported.


The rrz (rz-gg) configuration file accepts the following directives, described as key=value entries and comments defined as lines starting with '#'.

-a arch

set architecture (x86, arm)

-b bits

32 or 64

-k kernel

windows, linux or osx

-f format

output format (raw, c, pe, elf, mach0, python, javascript)

-o file

output file to write result of compilation

-i shellcode

specify shellcode name to be used (see -L)

-e encoder

specify encoder name to be used (see -L)

-B hexpair

specify shellcode as hexpairs

-c k=v

set configure option for the shellcode encoder. The argument must be key=value.

-C file

include contents of file

-d off:dword

Patch final buffer with given dword at specified offset

-D off:qword

Patch final buffer with given qword at specified offset

-w off:hexpairs

Patch final buffer with given hexpairs at specified offset

-n num32

Append a 32bit number in little endian

-N num64

Append a 64bit number in little endian

-p padding

Specify generic paddings with a format string. Use lowercase letters to prefix and uppercase letters to suffix. The key characters are 'n' for nop, 't' for trap, 'a' for sequence and 's' for zero.

-P size

Prepend debruijn sequence of given length.

-q fragment

Output offset of debruijn sequence fragment.


-F

autodetect native file format (osx=mach0, linux=elf, ..)

-O

use default output file (filename without extension or a.out)

-I path

add include path

-s

show assembler code

-S string

append a string

-r

show raw bytes instead of hexpairs

-x

execute (just-in-time)

-X

execute rop chain

-L

list all plugins (shellcodes and encoders)

-h

show this help

-z

output in C string syntax

-v

show version


$ cat hi.r
/* hello world in r_egg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);

main@global(128) {
  .var0 = "hi!\n";
  write(1,.var0, 4);
  exit(0);
}
$ rz-gg -O -F hi.r
$ ./hi

# With a C file:
$ cat hi.c
main() {
  write(1, "Hello\n", 6);
  exit(0);
}
$ rz-gg -O -F hi.c

$ ./hi

# Linked into a tiny binary. This is 165 bytes
$ wc -c < hi

# The compiled shellcode has zeroes
$ rz-gg hi.c | tail -1

# Use a xor encoder with key 64 to bypass
$ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
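
How little the xor encoding in the last command hides from an analyst, as an added example that is not part of the rz-gg man page or the rizin project. It assumes the encoder XORs every payload byte with the one-byte key, so the zero bytes noted above all turn into the key value; the sample buffer and all function names are constructed for illustration.

```python
from collections import Counter

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (encoding and decoding are the same operation)."""
    return bytes(b ^ key for b in data)

def key_from_frequency(blob: bytes) -> int:
    """Guess the key as the most common byte.

    Compiled code is full of 0x00 (32-bit immediates, string terminators),
    and 0x00 ^ key == key, so the key itself dominates the encoded bytes.
    """
    return Counter(blob).most_common(1)[0][0]

def keys_from_marker(blob: bytes, marker: bytes) -> list[tuple[int, int]]:
    """Return (key, offset) for each key under which `marker` appears in blob.

    Encoding the short marker 256 times is cheaper than decoding the blob.
    """
    hits = []
    for key in range(256):
        offset = blob.find(xor_bytes(marker, key))
        if offset != -1:
            hits.append((key, offset))
    return hits

# Constructed sample, not rz-gg output: padding, a C string, and three
# little-endian 32-bit constants, which is where the zero bytes come from.
SAMPLE_PLAIN = (b"\x90\x90" + b"Hello\n\x00"
                + (1).to_bytes(4, "little")
                + (6).to_bytes(4, "little")
                + (60).to_bytes(4, "little"))
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, 64)  # key=64 as in the example above

def triage(blob: bytes, marker: bytes = b"Hello") -> dict:
    """Summarise what the two heuristics recover from an encoded blob."""
    key = key_from_frequency(blob)
    return {
        "has_zero_bytes": 0 in blob,
        "frequency_key": key,
        "marker_hits": keys_from_marker(blob, marker),
        "decoded": xor_bytes(blob, key),
    }

if __name__ == "__main__":
    for name, value in triage(SAMPLE_ENCODED).items():
        print(f"{name}: {value!r}")
```

Real encoder output also carries a decoder stub in front of the payload, which adds noise to the byte counts but does not change the approach.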

See Also

rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1)


Written by pancake <pancake@nopcode.org>.


September 30, 2014