.Dd Jan 24, 2024
.Dt RZ_GG 1
.Sh NAME
.Nm rz-gg
.Nd rizin frontend for RzEgg, compile programs into tiny binaries for different architectures.
.Sh SYNOPSIS
.Nm rz-gg
.Op Fl FOLsrxvhz
.Op Fl a Ar arch
.Op Fl b Ar bits
.Op Fl k Ar os
.Op Fl f Ar format
.Op Fl o Ar file
.Op Fl i Ar shellcode
.Op Fl I Ar path
.Op Fl e Ar encoder
.Op Fl B Ar hexpairs
.Op Fl c Ar k=v
.Op Fl C Ar file
.Op Fl n Ar dword
.Op Fl N Ar dword
.Op Fl d Ar off:dword
.Op Fl D Ar off:qword
.Op Fl w Ar off:hexpairs
.Op Fl p Ar padding
.Op Fl P Ar size
.Op Fl q Ar fragment
.Ar file|f.asm|-
.Sh DESCRIPTION
This command is part of the Rizin project.
.Pp
Programs generated by RzEgg are relocatable and can be injected into a running process or on-disk binary file.
.Pp
Since the rz-gg-cc merge, rz-gg can now generate shellcodes from C code. The final code can be linked with rz-bin, and it is relocatable, allowing injection into any remote process. This feature is conceptually based on shellforge4, but only supports Linux/OSX x86-32/64 platforms.
.Sh DIRECTIVES
.Pp
The rrz (rz-gg) configuration file accepts the following directives, described as key=value entries and comments defined as lines starting with '#'.
.Bl -tag -width Fl
.It Fl a Ar arch
Select architecture (x86, mips, arm)
.It Fl b Ar bits
Set register size (32, 64, ..)
.It Fl B Ar hexpairs
Append hexpair bytes
.It Fl c Ar k=v
Set configure option for the shellcode encoder. The argument must be key=value
.It Fl C Ar file
Append contents of file
.It Fl d Ar off:dword
Patch dword (4 bytes) at given offset
.It Fl D Ar off:qword
Patch qword (8 bytes) at given offset
.It Fl e Ar encoder
Use specific encoder. See -L
.It Fl f Ar format
Output format (raw, c, pe, elf, mach0, python, javascript)
.It Fl F
Output native format (osx=mach0, linux=elf, ..)
.It Fl h
Show usage help message
.It Fl i Ar shellcode
Include shellcode plugin, use options. See -L
.It Fl I Ar path
Add include path
.It Fl k Ar kernel
Operating system's kernel (linux, bsd, osx, w32)
.It Fl L
List all plugins (shellcodes and encoders)
.It Fl n Ar num32
Append 32bit number (4 bytes)
.It Fl N Ar num64
Append 64bit number (8 bytes)
.It Fl o Ar file
Output file to write result of compilation
.It Fl O
Use default output file (filename without extension or a.out)
.It Fl p Ar padding
Add padding after compilation (padding=n10s32)
.Pp
ntas : begin nop, trap, 'a', sequence
.Pp
NTAS : same as above, but at the end
.It Fl P Ar size
Prepend debruijn sequence of given length
.It Fl q Ar fragment
Debruijn pattern offset
.It Fl r
Show raw bytes instead of hexpairs
.It Fl s
Show assembler
.It Fl S Ar string
Append a string
.It Fl v
Show version information
.It Fl w Ar off:hex
Patch hexpairs at given offset
.It Fl x
Execute
.It Fl X Ar hexpairs
Execute rop chain, using the stack provided
.It Fl z
Output in C string syntax
.El
.Sh EXAMPLE
.Pp
  $ cat hi.r
  /* hello world in RzEgg */
  write@syscall(4); //x64 write@syscall(1);
  exit@syscall(1); //x64 exit@syscall(60);
.Pp
  main@global(128) {
    .var0 = "hi!\\n";
    write(1,.var0, 4);
    exit(0);
  }
  $ rz-gg \-O \-F hi.r
  $ ./hi
  hi!
.Pp
  # With C file :
  $ cat hi.c
  main() {
    write(1, "Hello\\n", 6);
    exit(0);
  }
  $ rz-gg -O -F hi.c
.Pp
  $ ./hi
  Hello
.Pp
  # Linked into a tiny binary. This is 165 bytes
  $ wc \-c < hi
  165
.Pp
  # The compiled shellcode has zeroes
  $ rz-gg hi.c | tail -1
  eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010
  000000f0531ffb83c0000000f0531c0c3
.Pp
  # Use a xor encoder with key 64 to bypass
  $ rz-gg \-e xor \-c key=64 \-B $(rz-gg hi.c | tail -1)
  6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252
  c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45
  71bff87c4040404f45718083
.Sh SEE ALSO
.Pp
.Xr rizin(1) ,
.Xr rz-hash(1) ,
.Xr rz-find(1) ,
.Xr rz-bin(1) ,
.Xr rz-diff(1) ,
.Xr rz-asm(1)
.Sh AUTHORS
.Pp
pancake
.Pp
byteninjaa0
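Added example (not part of the rz-gg manual or the Rizin code base): an analyst-side check, in Python, of the two hex dumps in the EXAMPLE section. It counts the zero bytes that the xor encoder removes and searches the encoded output for a known string under every single-byte key. The function names are hypothetical; the hex strings are copied from the page.

```python
"""Triage helpers for single-byte XOR-encoded blobs (added example)."""

# Hex dumps copied from the EXAMPLE section of this page.
PLAIN_HEX = (
    "eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
    "000000f0531ffb83c0000000f0531c0c3"
)
ENCODED_HEX = (
    "6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
    "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
    "71bff87c4040404f45718083"
)


def null_offsets(blob: bytes) -> list:
    """Offsets of 0x00 bytes, the bytes the encoder is used to remove."""
    return [i for i, b in enumerate(blob) if b == 0]


def xor_search(blob: bytes, needle: bytes) -> list:
    """Return (key, offset) pairs where needle shows up once blob is XORed with key.

    Key 0 is included, so an unencoded blob is reported as well.
    """
    hits = []
    for key in range(256):
        # Mask the needle instead of the blob: same result, far less work.
        masked = bytes(b ^ key for b in needle)
        start = blob.find(masked)
        while start != -1:
            hits.append((key, start))
            start = blob.find(masked, start + 1)
    return hits


def strip_layer(blob: bytes, key: int, offset: int) -> bytes:
    """Undo the XOR layer from offset to the end of the blob."""
    return bytes(b ^ key for b in blob[offset:])


if __name__ == "__main__":
    plain, encoded = bytes.fromhex(PLAIN_HEX), bytes.fromhex(ENCODED_HEX)
    print("zero bytes:", len(null_offsets(plain)), "->", len(null_offsets(encoded)))
    for key, off in xor_search(encoded, b"Hello\n"):
        print(f"key={key} string at offset {off}")
        # The string sits 2 bytes into the payload (after the jmp in the plain dump).
        print("layer matches plain dump:", strip_layer(encoded, key, off - 2) == plain)
```

The search recovers key 64 from the encoded output alone, which is why a single-byte XOR layer does not hide a payload from content inspection that tries all 256 keys.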