rz-gg - Man Page
rizin frontend for RzEgg, compile programs into tiny binaries for different architectures.
Synopsis
Description
This command is part of the Rizin project.
Programs generated by RzEgg are relocatable and can be injected into a running process or on-disk binary file.
Since the rz-gg-cc merge, rz-gg can now generate shellcodes from C code. The final code can be linked with rz-bin, and it is relocatable, allowing injection into any remote process. This feature is conceptually based on shellforge4, but only supports Linux/OSX x86-32/64 platforms.
Directives
The rrz (rz-gg) configuration file accepts the following directives, described as key=value entries and comments defined as lines starting with '#'.
- -a arch
Select architecture (x86, mips, arm)
- -b bits
Set register size (32, 64, ..)
- -B hexpairs
Append hexpair bytes
- -c k=v
Set configure option for the shellcode encoder. The argument must be key=value
- -C file
Append contents of file
- -d off:dword
Patch dword (4 bytes) at given offset
- -D off:qword
Patch qword (8 bytes) at given offset
- -e encoder
Use specific encoder. See -L
- -f format
Output format (raw, c, pe, elf, mach0, python, javascript)
- -F
Output native format (osx=mach0, linux=elf, ..)
- -h
Show usage help message
- -i shellcode
Include shellcode plugin, use options. See -L
- -I path
Add include path
- -k kernel
Operating system's kernel (linux, bsd, osx, w32)
- -L
List all plugins (shellcodes and encoders)
- -n num32
Append 32bit number (4 bytes)
- -N num64
Append 64bit number (8 bytes)
- -o file
Output file to write result of compilation
- -O
Use default output file (filename without extension or a.out)
- -p padding
Add padding after compilation (padding=n10s32)
ntas : begin nop, trap, 'a', sequence
NTAS : same as above, but at the end
- -P size
Prepend debruijn sequence of given length
- -q fragment
Debruijn pattern offset
- -r
Show raw bytes instead of hexpairs
- -s
Show assembler
- -S string
Append a string
- -v
Show version information
- -w off:hex
Patch hexpairs at given offset
- -x
Execute
- -X hexpairs
Execute rop chain, using the stack provided
- -z
Output in C string syntax
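The -P and -q options rely on the property of a De Bruijn sequence that every window of n consecutive symbols occurs exactly once, so a fragment read back from a crash dump or a register maps to a unique offset into the padding. The following Python is an added example, not part of rz-gg or the Rizin project: it generates the sequence with the standard Lyndon-word (FKM) construction and looks an offset up. The lowercase alphabet, the window length of 4, and the little-endian interpretation of an integer fragment are assumptions made here for illustration; the man page does not state which parameters rz-gg itself uses.

```python
from itertools import islice

# Alphabet and window length are assumptions for this example; the man page
# does not say which parameters rz-gg's -P/-q use.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PERIOD = 4


def de_bruijn(alphabet=ALPHABET, n=PERIOD):
    """Yield the De Bruijn sequence B(k, n) one symbol at a time.

    Every window of n consecutive symbols occurs exactly once (cyclically),
    which is why a fragment of length n identifies a unique offset. This is
    the standard Lyndon-word construction, written as a generator so callers
    can take just a prefix with islice().
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=PERIOD):
    """Return the first `length` symbols of the pattern (what -P <size> prepends)."""
    if length > len(alphabet) ** n:
        raise ValueError("requested length exceeds the sequence period")
    return "".join(islice(de_bruijn(alphabet, n), length))


def cyclic_find(fragment, alphabet=ALPHABET, n=PERIOD):
    """Return the offset at which `fragment` appears in the pattern, or -1.

    Accepts a str, bytes, or an int; an int is read as a little-endian
    register value of n bytes (an assumption made for this example).
    """
    if isinstance(fragment, int):
        fragment = fragment.to_bytes(n, "little")
    if isinstance(fragment, (bytes, bytearray)):
        fragment = bytes(fragment).decode("ascii")
    if len(fragment) < n:
        raise ValueError("fragment must be at least %d symbols to be unique" % n)
    width = len(fragment)
    window = ""
    # Slide a window over the generated sequence; the first match is the offset.
    for i, sym in enumerate(de_bruijn(alphabet, n)):
        window = (window + sym)[-width:]
        if window == fragment:
            return i - width + 1
    return -1


if __name__ == "__main__":
    print(cyclic(32))
    print(cyclic_find("baaa"), cyclic_find(0x61616163))
```

cyclic(size) corresponds to what -P size prepends and cyclic_find(fragment) to what -q fragment reports; because the sequence is generated lazily, a lookup stops as soon as the window matches rather than materialising the whole period.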
Example
$ cat hi.r
/* hello world in RzEgg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);
main@global(128) {
.var0 = "hi!\n";
write(1,.var0, 4);
exit(0);
}
$ rz-gg -O -F hi.r
$ ./hi
hi!
# With C file :
$ cat hi.c
main() {
write(1, "Hello\n", 6);
exit(0);
}
$ rz-gg -O -F hi.c
$ ./hi
Hello
# Linked into a tiny binary. This is 165 bytes
$ wc -c < hi
165
# The compiled shellcode has zeroes
$ rz-gg hi.c | tail -1
eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010000000f0531ffb83c0000000f0531c0c3
# Use a xor encoder with key 64 to bypass
$ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f4571bff87c4040404f45718083
See Also
rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1).
Authors
pancake <pancake@nopcode.org>
byteninjaa0
Referenced By
rizin(1), rz-asm(1), rz-ax(1), rz-bin(1), rz-diff(1), rz-find(1), rz-hash(1), rz-run(1), rz-sign(1).