rz-gg - Man Page

rizin frontend for r_egg, compiles programs into tiny binaries for x86-32/64 and arm.

Synopsis

rz-gg [-a arch] [-b bits] [-k kernel] [-f format] [-o file] [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v] [-C file] [-n num32] [-N num64] [-d off:dword] [-D off:qword] [-w off:hexpair] [-p padding] [-P pattern] [-q fragment] [-FOLsrxvhz]

Description

rz-gg is a frontend for r_egg that compiles programs into tiny binaries for x86-32/64 and arm.

This tool is experimental; it is a rewrite of the old rarc2 and rarc2-tool programs as a library, integrated with r_asm and r_bin.

Programs generated by r_egg are relocatable and can be injected into a running process or an on-disk binary file.

Since the rz-gg-cc merge, rz-gg can also generate shellcode from C code. The final code can be linked with rz-bin and is relocatable, so it can be injected into any remote process. This feature is conceptually based on shellforge4, but only the linux/osx x86-32/64 platforms are supported.

Directives

The rrz (rz-gg) configuration file accepts the following directives, described as key=value entries and comments defined as lines starting with '#'.

-a arch

set architecture x86, arm

-b bits

32 or 64

-k kernel

windows, linux or osx

-f format

output format (raw, c, pe, elf, mach0, python, javascript)

-o file

output file to write result of compilation

-i shellcode

specify shellcode name to be used (see -L)

-e encoder

specify encoder name to be used (see -L)

-B hexpair

specify shellcode as hexpairs

-c k=v

set configure option for the shellcode encoder. The argument must be key=value.

-C file

include contents of file

-d off:dword

Patch final buffer with given dword at specified offset

-D off:qword

Patch final buffer with given qword at specified offset

-w off:hexpairs

Patch final buffer with given hexpairs at specified offset

-n num32

Append a 32-bit number in little endian

-N num64

Append a 64-bit number in little endian

-p padding

Specify generic paddings with a format string. Use lowercase letters to prefix and uppercase letters to suffix; the key characters are 'n' for nop, 't' for trap, 'a' for sequence and 's' for zero.

-P size

Prepend a De Bruijn sequence of the given length.

-q fragment

Output the offset of the given De Bruijn sequence fragment.

-F

autodetect native file format (osx=mach0, linux=elf, ...)

-O

use default output file (filename without extension or a.out)

-I path

add include path

-s

show assembler code

-S

append a string

-r

show raw bytes instead of hexpairs

-x

execute (just-in-time)

-X

execute rop chain

-L

list all plugins (shellcodes and encoders)

-h

show this help

-z

output in C string syntax

-v

show version

Example

$ cat hi.r
/* hello world in r_egg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);

main@global(128) {
.var0 = "hi!\n";
write(1,.var0, 4);
exit(0);
}
$ rz-gg -O -F hi.r
$ ./hi
hi!

# With a C file:
$ cat hi.c
main() {
write(1, "Hello\n", 6);
exit(0);
}
$ rz-gg -O -F hi.c

$ ./hi
Hello

# Linked into a tiny binary. This is 165 bytes
$ wc -c < hi
165

# The compiled shellcode has zeroes
$ rz-gg hi.c | tail -1
eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010000000f0531ffb83c0000000f0531c0c3

# Use a xor encoder with key 64 to bypass
$ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f4571bff87c4040404f45718083
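
As an added check that is not part of this man page, the following Python takes the two dumps shown above (the plain shellcode from `rz-gg hi.c | tail -1` and the `-e xor -c key=64` output), decodes the encoded payload and confirms that it round-trips to the original while containing no zero bytes. The layout of the decoder stub (length and key pushed as immediates, `loop` as the last instruction before the payload) is read off this one dump and is an assumption, not taken from rz-gg's source.

```python
import re

# Constructed from the two dumps printed above (`rz-gg hi.c | tail -1` and
# the `-e xor -c key=64` run over it), with the wrapped lines joined back.
RAW_HEX = ("eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
           "000000f0531ffb83c0000000f0531c0c3")
XOR_HEX = ("6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
           "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
           "71bff87c4040404f45718083")

def parse_xor_stub(blob: bytes):
    """Return (payload_len, key, payload_offset) read off the decoder stub.
    Assumed from this one dump, not from any rz-gg API: the stub opens with
    `push imm8; pop rcx` (6a ?? 59) = length, `push imm8; pop rbx` (6a ?? 5b)
    = key, and its `loop` (e2 ??) is the last instruction before the payload."""
    m = re.match(rb"\x6a(.)\x59\x6a(.)\x5b", blob, re.DOTALL)
    if not m:
        raise ValueError("not the expected xor decoder stub")
    length, key = m.group(1)[0], m.group(2)[0]
    loop_at = blob.find(b"\xe2", m.end())
    if loop_at < 0:
        raise ValueError("loop instruction not found in stub")
    return length, key, loop_at + 2

def xor_decode(payload: bytes, key: int) -> bytes:
    """Undo the single-byte xor the stub applies at run time."""
    return bytes(b ^ key for b in payload)

def check_encoding(raw_hex: str, xor_hex: str) -> dict:
    """Compare plain and encoded shellcode: sizes, zero bytes, round trip."""
    raw, enc = bytes.fromhex(raw_hex), bytes.fromhex(xor_hex)
    length, key, off = parse_xor_stub(enc)
    payload = enc[off:off + length]
    return {
        "key": key,
        "raw_len": len(raw),
        "encoded_len": len(enc),
        "raw_zero_bytes": raw.count(0),
        "encoded_zero_bytes": enc.count(0),
        "roundtrip_ok": xor_decode(payload, key) == raw,
        # each 0x00 in the plaintext becomes the key byte, so the most
        # frequent payload byte hands the key to an analyst
        "key_is_most_common_byte": max(set(payload), key=payload.count) == key,
    }

if __name__ == "__main__":
    print(check_encoding(RAW_HEX, XOR_HEX))
```

The runs of 0x40 in the encoded payload are the plaintext zeros xored with the key, which is why a single-byte xor hides null bytes from a naive scan but not the key itself.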

See Also

rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1)

Authors

Written by pancake <pancake@nopcode.org>.

Referenced By

rizin(1), rz-asm(1), rz-ax(1), rz-bin(1), rz-diff(1), rz-find(1), rz-hash(1), rz-run(1), rz-sign(1).

September 30, 2014