RZ_GG(1)                    General Commands Manual                   RZ_GG(1)
NAME
     rz-gg — rizin frontend for RzEgg, compile programs into tiny binaries for
     different architectures.
SYNOPSIS
     rz-gg [-FOLsrxvhz] [-a arch] [-b bits] [-k os] [-f format] [-o file]
           [-i shellcode] [-I path] [-e encoder] [-B hexpairs] [-c k=v]
           [-C file] [-n dword] [-N dword] [-d off:dword] [-D off:qword]
           [-w off:hexpairs] [-p padding] [-P size] [-q fragment]
           file|f.asm|-
DESCRIPTION
     This command is part of the Rizin project.

     Programs generated by RzEgg are relocatable and can be injected into a
     running process or into an on-disk binary file.

     Since the rz-gg-cc merge, rz-gg can also generate shellcode from C code.
     The resulting code can be linked with rz-bin and is relocatable, so it
     can be injected into any remote process. This feature is conceptually
     based on shellforge4, but only supports Linux/OSX x86-32/64 platforms.
DIRECTIVES
     The rz-gg configuration file (rrz) accepts the following directives,
     written as key=value entries; comments are lines starting with '#'.
     -a arch        Select architecture (x86, mips, arm)
     -b bits        Set register size (32, 64, ..)
     -B hexpairs    Append hexpair bytes
     -c k=v         Set a configuration option for the shellcode encoder; the
                    argument must be key=value
     -C file        Append contents of file
     -d off:dword   Patch dword (4 bytes) at given offset
     -D off:qword   Patch qword (8 bytes) at given offset
     -e encoder     Use a specific encoder. See -L
     -f format      Output format (raw, c, pe, elf, mach0, python, javascript)
     -F             Output native format (osx=mach0, linux=elf, ..)
     -h             Show usage help message
     -i shellcode   Include shellcode plugin, use options. See -L
     -I path        Add include path
     -k kernel      Operating system's kernel (linux, bsd, osx, w32)
     -L             List all plugins (shellcodes and encoders)
     -n num32       Append 32-bit number (4 bytes)
     -N num64       Append 64-bit number (8 bytes)
     -o file        Output file to write result of compilation
     -O             Use default output file (filename without extension or
                    a.out)
     -p padding     Add padding after compilation (padding=n10s32)
                    ntas : nop, trap, 'a', sequence padding at the beginning
                    NTAS : same as above, but at the end
     -P size        Prepend De Bruijn sequence of given length
     -q fragment    De Bruijn pattern offset
     -r             Show raw bytes instead of hexpairs
     -s             Show assembler
     -S string      Append a string
     -v             Show version information
     -w off:hex     Patch hexpairs at given offset
     -x             Execute
     -X hexpairs    Execute rop chain, using the stack provided
     -z             Output in C string syntax
EXAMPLE
     $ cat hi.r
     /* hello world in RzEgg */
     write@syscall(4); //x64 write@syscall(1);
     exit@syscall(1); //x64 exit@syscall(60);
     main@global(128) {
       .var0 = "hi!\n";
       write(1,.var0, 4);
       exit(0);
     }
     $ rz-gg -O -F hi.r
     $ ./hi
     hi!

     # With a C file:
     $ cat hi.c
     main() {
       write(1, "Hello\n", 6);
       exit(0);
     }
     $ rz-gg -O -F hi.c
     $ ./hi
     Hello

     # Linked into a tiny binary. This is 165 bytes
     $ wc -c < hi
     165

     # The compiled shellcode has zeroes
     $ rz-gg hi.c | tail -1
     eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010000000f0531ffb83c0000000f0531c0c3

     # Use an xor encoder with key 64 to avoid the zero bytes
     $ rz-gg -e xor -c key=64 -B $(rz-gg hi.c | tail -1)
     6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f4571bff87c4040404f45718083
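     The following Python script is an added example and is not part of rizin
     or of this manual page. It models the byte-buffer directives described
     under DIRECTIVES (-n, -N, -d, -D, -w, -B, -S) and verifies the claim made
     in the example above that the compiled shellcode contains zero bytes, by
     parsing the hexpair output of `rz-gg hi.c | tail -1` (copied from this
     page, re-joined across the line wrap). Little-endian packing for -n/-N/
     -d/-D and the rule that a patch must not run past the end of the buffer
     are assumptions of this script, not documented rz-gg behaviour.

```python
"""Added example (not rizin's code): model a few rz-gg byte-buffer directives
and check a shellcode blob for zero bytes, a property the -e xor example above
exists to remove."""
import struct

# Sample input copied from the rz-gg(1) EXAMPLE section: output of
# `rz-gg hi.c | tail -1`, re-joined across the manual page's line wrap.
HI_C_HEXPAIRS = (
    "eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b801"
    "0000000f0531ffb83c0000000f0531c0c3"
)


def hexpairs_to_bytes(hexpairs: str) -> bytes:
    """Decode rz-gg style hexpair text; whitespace from wrapped output is ignored."""
    clean = "".join(hexpairs.split())
    if len(clean) % 2:
        raise ValueError("hexpair string has an odd number of nibbles")
    return bytes.fromhex(clean)


def null_byte_offsets(blob: bytes) -> list:
    """Offsets of every 0x00 byte in the blob."""
    return [i for i, b in enumerate(blob) if b == 0]


def _split_off_value(arg: str):
    """Parse the 'off:value' argument form used by -d, -D and -w."""
    off, sep, value = arg.partition(":")
    if not sep:
        raise ValueError(f"expected off:value, got {arg!r}")
    return int(off, 0), value


def _patch(blob: bytes, off: int, data: bytes) -> bytes:
    """Overwrite len(data) bytes at off. Assumption: a patch may not extend the buffer."""
    if off < 0 or off + len(data) > len(blob):
        raise ValueError(f"patch at {off} of {len(data)} bytes exceeds "
                         f"{len(blob)}-byte buffer")
    return blob[:off] + data + blob[off + len(data):]


def apply_directive(blob: bytes, opt: str, arg: str) -> bytes:
    """Apply one of -n/-N/-d/-D/-w/-B/-S to blob, using the man page's argument syntax.
    Numbers are packed little-endian (assumption, matching the x86 examples)."""
    if opt == "n":                      # -n num32: append 32-bit number
        return blob + struct.pack("<I", int(arg, 0))
    if opt == "N":                      # -N num64: append 64-bit number
        return blob + struct.pack("<Q", int(arg, 0))
    if opt == "B":                      # -B hexpairs: append raw bytes
        return blob + hexpairs_to_bytes(arg)
    if opt == "S":                      # -S string: append a string
        return blob + arg.encode()
    if opt == "d":                      # -d off:dword: patch 4 bytes
        off, value = _split_off_value(arg)
        return _patch(blob, off, struct.pack("<I", int(value, 0)))
    if opt == "D":                      # -D off:qword: patch 8 bytes
        off, value = _split_off_value(arg)
        return _patch(blob, off, struct.pack("<Q", int(value, 0)))
    if opt == "w":                      # -w off:hexpairs: patch arbitrary bytes
        off, value = _split_off_value(arg)
        return _patch(blob, off, hexpairs_to_bytes(value))
    raise ValueError(f"unsupported directive -{opt}")


def report(hexpairs: str) -> dict:
    """Summarise a hexpair blob: length and where its zero bytes sit."""
    blob = hexpairs_to_bytes(hexpairs)
    zeros = null_byte_offsets(blob)
    return {"length": len(blob), "null_bytes": len(zeros), "null_offsets": zeros}


if __name__ == "__main__":
    # The page's hi.c shellcode: 45 bytes, 13 of them zero (the string
    # terminator and the immediates of the mov edi/edx/eax instructions).
    print(report(HI_C_HEXPAIRS))
    # Patch the write() length immediate (-d style) and show the result.
    patched = apply_directive(hexpairs_to_bytes(HI_C_HEXPAIRS), "d", "23:0x7")
    print(patched.hex())
</test>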
SEE ALSO
     rizin(1), rz-hash(1), rz-find(1), rz-bin(1), rz-diff(1), rz-asm(1)
AUTHORS
     pancake <pancake@nopcode.org>
     byteninjaa0

                               January 24, 2024