RZ_GG(1)                    General Commands Manual                    RZ_GG(1)
NAME
rz-gg — rizin frontend for RzEgg, compile programs into tiny binaries for different architectures.
SYNOPSIS
rz-gg [-FOLsrxvhz] [-a arch] [-b bits] [-k os] [-f format] [-o file] [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v] [-C file] [-n dword] [-N dword] [-d off:dword] [-D off:qword] [-w off:hexpairs] [-p padding] [-P size] [-q fragment] file|f.asm|-
DESCRIPTION
This command is part of the Rizin project.
Programs generated by RzEgg are relocatable and can be injected into a running process or on-disk binary file.
Since the rz-gg-cc merge, rz-gg can now generate shellcodes from C code. The final code can be linked with rz-bin, and it is relocatable, allowing injection into any remote process. This feature is conceptually based on shellforge4, but only supports Linux/OSX x86-32/64 platforms.
DIRECTIVES
The rrz (rz-gg) configuration file accepts the following directives, described as key=value entries and comments defined as lines starting with '#'.
-a arch        Select architecture (x86, mips, arm)
-b bits        Set register size (32, 64, ..)
-B hexpairs    Append hexpair bytes
-c k=v         Set configure option for the shellcode encoder. The argument must be key=value
-C file        Append contents of file
-d off:dword   Patch dword (4 bytes) at given offset
-D off:qword   Patch qword (8 bytes) at given offset
-e encoder     Use specific encoder. See -L
-f format      Output format (raw, c, pe, elf, mach0, python, javascript)
-F             Output native format (osx=mach0, linux=elf, ..)
-h             Show usage help message
-i shellcode   Include shellcode plugin, use options. See -L
-I path        Add include path
-k kernel      Operating system's kernel (linux, bsd, osx, w32)
-L             List all plugins (shellcodes and encoders)
-n num32       Append 32bit number (4 bytes)
-N num64       Append 64bit number (8 bytes)
-o file        Output file to write result of compilation
-O             Use default output file (filename without extension or a.out)
-p padding     Add padding after compilation (padding=n10s32)
               ntas : begin nop, trap, 'a', sequence
               NTAS : same as above, but at the end
-P size        Prepend debruijn sequence of given length
-q fragment    Debruijn pattern offset
-r             Show raw bytes instead of hexpairs
-s             Show assembler
-S string      Append a string
-v             Show version information
-w off:hex     Patch hexpairs at given offset
-x             Execute
-X hexpairs    Execute rop chain, using the stack provided
-z             Output in C string syntax
EXAMPLE
$ cat hi.r
/* hello world in RzEgg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);
main@global(128) {
.var0 = "hi!\n";
write(1,.var0, 4);
exit(0);
}
$ rz-gg -O -F hi.r
$ ./hi
hi!
# With C file:
$ cat hi.c
main() {
write(1, "Hello\n", 6);
exit(0);
}
$ rz-gg -O -F hi.c
$ ./hi
Hello
# Linked into a tiny binary. This is 165 bytes
$ wc -c < hi
165
# The compiled shellcode has zeroes
$ rz-gg hi.c | tail -1
eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010000000f0531ffb83c0000000f0531c0c3
# Use a xor encoder with key 64 to bypass
$ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f4571bff87c4040404f45718083
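The two hexpair strings printed by the session above can be checked offline: where the raw shellcode contains NUL bytes, and whether the `-e xor -c key=64` output is really a decoder stub followed by the same bytes XORed with 64. This is an added example, not part of rizin; it only assumes the xor encoder appends the key-XORed payload after its stub, which the bytes below confirm.

```python
"""Inspect rz-gg output: locate NUL bytes in the raw shellcode and verify
what `rz-gg -e xor -c key=64` produced. Example code, not part of rizin;
the two hexpair strings are copied from the rz-gg session above."""

# rz-gg hi.c | tail -1  (raw x86-64 shellcode, as wrapped in the man page)
RAW_HEX = ("eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
           "000000f0531ffb83c0000000f0531c0c3")

# rz-gg -e xor -c key=64 -B <RAW_HEX>
ENCODED_HEX = ("6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
               "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
               "71bff87c4040404f45718083")


def parse_hexpairs(text: str) -> bytes:
    """Join rz-gg's (possibly line-wrapped) hexpair output into bytes."""
    clean = "".join(text.split())
    if len(clean) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(clean)


def zero_offsets(code: bytes) -> list[int]:
    """Offsets of 0x00 bytes, the reason the man page reaches for an encoder."""
    return [i for i, b in enumerate(code) if b == 0]


def xor_decode_tail(encoded: bytes, payload_len: int, key: int) -> tuple[bytes, bytes]:
    """Split encoder output into (decoder stub, recovered payload).
    Assumption: the stub is everything before the last `payload_len` bytes.
    The stub's first two bytes, 6a 2d, are `push 0x2d` (45 = payload length)."""
    stub, body = encoded[:-payload_len], encoded[-payload_len:]
    return stub, bytes(b ^ key for b in body)


def check_encoding(raw_hex: str, encoded_hex: str, key: int) -> dict:
    """Summarise raw vs encoded output; payload_recovered is the real check."""
    raw = parse_hexpairs(raw_hex)
    enc = parse_hexpairs(encoded_hex)
    stub, recovered = xor_decode_tail(enc, len(raw), key)
    return {
        "raw_len": len(raw),
        "raw_zero_offsets": zero_offsets(raw),
        "encoded_len": len(enc),
        "encoded_zero_offsets": zero_offsets(enc),
        "stub_len": len(stub),
        "payload_recovered": recovered == raw,
    }


if __name__ == "__main__":
    for name, value in check_encoding(RAW_HEX, ENCODED_HEX, 64).items():
        print(f"{name}: {value}")
```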
SEE ALSO
rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1)
AUTHORS
pancake <pancake@nopcode.org>
byteninjaa0
January 24, 2024