rz-gg - Man Page

rizin frontend for RzEgg, compile programs into tiny binaries for different architectures.

Synopsis

rz-gg [-FOLsrxvhz] [-a arch] [-b bits] [-k os] [-f format] [-o file] [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v] [-C file] [-n dword] [-N dword] [-d off:dword] [-D off:qword] [-w off:hexpairs] [-p padding] [-P size] [-q fragment] [-S string] [-X hexpairs] file|f.asm|-

Description

This command is part of the Rizin project.

Programs generated by RzEgg are relocatable and can be injected into a running process or on-disk binary file.

Since the rz-gg-cc merge, rz-gg can now generate shellcodes from C code. The final code can be linked with rz-bin, and it is relocatable, allowing injection into any remote process. This feature is conceptually based on shellforge4, but only supports Linux/OSX x86-32/64 platforms.

Directives

The rrz (rz-gg) configuration file accepts the following directives, given as key=value entries; comments are lines starting with '#'.

-a arch

Select architecture (x86, mips, arm)

-b bits

Set register size (32, 64, ..)

-B hexpairs

Append hexpair bytes

-c k=v

Set a configuration option for the shellcode encoder. The argument must be of the form key=value

-C file

Append contents of file

-d off:dword

Patch dword (4 bytes) at given offset

-D off:qword

Patch qword (8 bytes) at given offset

-e encoder

Use the specified encoder (see -L for the list)

-f format

Output format (raw, c, pe, elf, mach0, python, javascript)

-F

Output native format (osx=mach0, linux=elf, ..)

-h

Show usage help message

-i shellcode

Include the named shellcode plugin, which takes its own options (see -L for the list)

-I path

Add include path

-k kernel

Operating system's kernel (linux, bsd, osx, w32)

-L

List all plugins (shellcodes and encoders)

-n num32

Append 32bit number (4 bytes)

-N num64

Append 64bit number (8 bytes)

-o file

Output file to write result of compilation

-O

Use default output file (filename without extension or a.out)

-p padding

Add padding after compilation (e.g. padding=n10s32: 10 nop bytes followed by a 32-byte sequence)
ntas : lowercase letters prepend padding of the given kind: nop, trap, 'a' bytes, sequence
NTAS : same as above, but appended at the end

-P size

Prepend a de Bruijn sequence of the given length

-q fragment

Offset of the given fragment within the de Bruijn pattern

-r

Show raw bytes instead of hexpairs

-s

Show the generated assembler

-S string

Append a string

-v

Show version information

-w off:hex

Patch hexpairs at given offset

-x

Execute the resulting code

-X hexpairs

Execute a ROP chain, using the stack provided as hexpairs

-z

Output in C string syntax

Example

$ cat hi.r
/* hello world in RzEgg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);

main@global(128) {
.var0 = "hi!\n";
write(1, .var0, 4);
exit(0);
}
$ rz-gg -O -F hi.r
$ ./hi
hi!

# With a C file:
$ cat hi.c
main() {
write(1, "Hello\n", 6);
exit(0);
}
$ rz-gg -O -F hi.c

$ ./hi
Hello

# Linked into a tiny binary of 165 bytes
$ wc -c < hi
165

# The compiled shellcode contains zero bytes
$ rz-gg hi.c | tail -1
eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010000000f0531ffb83c0000000f0531c0c3

# Use the xor encoder with key 64 to get rid of them
$ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f4571bff87c4040404f45718083
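The two hexpair outputs above can be checked against each other. The following is an added example, not part of rz-gg or its man page: it counts the NUL bytes in the plain shellcode, locates the XORed payload inside the `-e xor -c key=64` output by searching for the original bytes XORed with 0x40, and treats whatever precedes it as the decoder stub rz-gg prepended (the stub length and the meaning of its first bytes are read off the data, not taken from the tool's documentation).

```python
# Added example (not rz-gg code). Both hex strings are copied from the session
# above: PLAIN_HEX from `rz-gg hi.c | tail -1`, ENCODED_HEX from the xor run.
PLAIN_HEX = (
    "eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
    "000000f0531ffb83c0000000f0531c0c3"
)
ENCODED_HEX = (
    "6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
    "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
    "71bff87c4040404f45718083"
)
XOR_KEY = 64  # the value passed as -c key=64


def null_offsets(hexpairs):
    """Offsets of NUL bytes; these are what the xor encoder is used to remove."""
    return [i for i, b in enumerate(bytes.fromhex(hexpairs)) if b == 0]


def xor_bytes(data, key):
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def split_encoded(encoded_hex, plain_hex, key):
    """Return (decoder_stub, encoded_payload). The payload is found by searching
    for plain XOR key inside the encoder output; the bytes before it are the stub."""
    encoded = bytes.fromhex(encoded_hex)
    payload = xor_bytes(bytes.fromhex(plain_hex), key)
    idx = encoded.find(payload)
    if idx < 0:
        raise ValueError("XORed payload not found: wrong key or different input")
    return encoded[:idx], encoded[idx:idx + len(payload)]


def decode_report(encoded_hex, plain_hex, key):
    """Summarise what the encoder did, for checking an encoded blob during analysis."""
    stub, payload = split_encoded(encoded_hex, plain_hex, key)
    return {
        "stub_len": len(stub),
        "payload_len": len(payload),
        "stub_push_len": stub[1],  # stub starts 6a 2d: push 0x2d, the payload length
        "stub_push_key": stub[4],  # then 6a 40: push 0x40, the XOR key
        "plain_nulls": len(null_offsets(plain_hex)),
        "encoded_nulls": len(null_offsets(encoded_hex)),
        "roundtrip_ok": xor_bytes(payload, key) == bytes.fromhex(plain_hex),
    }


if __name__ == "__main__":
    for name, value in decode_report(ENCODED_HEX, PLAIN_HEX, XOR_KEY).items():
        print(f"{name}: {value}")
```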

See Also

rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1)

Authors

pancake <pancake@nopcode.org>

byteninjaa0

Referenced By

rizin(1), rz-asm(1), rz-ax(1), rz-bin(1), rz-diff(1), rz-find(1), rz-hash(1), rz-run(1), rz-sign(1).

January 24, 2024