ragg2 — radare2 frontend for r_egg that compiles programs into tiny binaries for x86-32/64 and arm.

Authors

       Written by pancake <pancake@nopcode.org>.

                                                   May 4, 2021                                          RAGG2(1)

Description

       ragg2 is a frontend for r_egg that compiles programs into tiny binaries for x86-32/64 and arm.

       This  tool  is experimental and it is a rewrite of the old rarc2 and rarc2-tool programs as a library and
       integrated with r_asm and r_bin.

       Programs generated by r_egg are relocatable and can be injected in a running process  or  on-disk  binary
       file.

       Since the ragg2-cc merge, ragg2 can also generate shellcode from C code. The final code can be linked
       with rabin2 and is relocatable, so it can be injected into any remote process. This feature is
       conceptually based on shellforge4, but only linux/osx x86-32/64 platforms are supported.

Directives

       The  rr2  (ragg2) configuration file accepts the following directives, described as key=value entries and
       comments defined as lines starting with '#'.

       -a arch    set architecture x86, arm

       -b bits    32 or 64

       -k kernel  windows, linux or osx

       -f format  output format (raw, c, pe, elf, mach0, python, javascript)

       -o file    output file to write result of compilation

       -i shellcode
                   specify shellcode name to be used (see -L)

       -e eggstr  pass egg program as argument instead of in a file

       -E encoder specify encoder name to be used (see -L)

       -B hexpair specify shellcode as hexpairs

       -c k=v     set configure option for the shellcode encoder. The argument must be key=value.

       -C file    include contents of file

       -d off:dword
                   Patch final buffer with given dword at specified offset

       -D off:qword
                   Patch final buffer with given qword at specified offset

       -w off:hexpairs
                   Patch final buffer with given hexpairs at specified offset

       -n num32   Append a 32bit number in little endian

       -N num64   Append a 64bit number in little endian

       -p padding Specify generic paddings with a format string. Use lowercase letters to prefix, and uppercase
                   to suffix, keychars are: 'n' for nop, 't' for trap, 'a' for sequence and 's' for zero.

       -P size    Prepend debruijn sequence of given length.

       -q fragment
                   Output offset of debruijn sequence fragment.

       -F          autodetect native file format (osx=mach0, linux=elf, ..)

       -O          use default output file (filename without extension or a.out)

       -Ipath     add include path

       -s          show assembler code

       -S          append a string

       -r          show raw bytes instead of hexpairs

       -x          execute (just-in-time)

       -X          execute rop chain

       -L          list all plugins (shellcodes and encoders)

       -h          show this help

       -z          output in C string syntax

       -v          show version

Example

         $ cat hi.r
         /* hello world in r_egg */
         write@syscall(4); //x64 write@syscall(1);
         exit@syscall(1); //x64 exit@syscall(60);

         main@global(128) {
           .var0 = "hi!\n";
           write(1,.var0, 4);
           exit(0);
         }
         $ ragg2 -O -F hi.r
         $ ./hi
         hi!

         # With C file :
         $ cat hi.c
         main() {
           write(1, "Hello\n", 6);
           exit(0);
         }
         $ ragg2 -O -F hi.c

         $ ./hi
         Hello

         # Linked into a tiny binary. This is 165 bytes
         $ wc -c < hi
           165

         # The compiled shellcode has zeroes
         $ ragg2 hi.c | tail -1
         eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010
         000000f0531ffb83c0000000f0531c0c3

         # Use a xor encoder with key 64 to bypass
         $ ragg2 -E xor -c key=64 -B $(ragg2 hi.c | tail -1)
         6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252
         c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45
         71bff87c4040404f45718083
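
An added example, not part of the ragg2 manual: an analyst-side check of the two hexpair dumps above. It locates the zero bytes in the raw output, confirms the encoded output has none, guesses the single-byte XOR key by byte frequency, and decodes the tail back to the original. It assumes, from this sample only, that the encoder output is a decoder stub followed by the XORed payload; all function names are hypothetical.

```python
from collections import Counter

# Hexpairs copied from the Example section above (line wraps joined).
RAW_HEX = ("eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
           "000000f0531ffb83c0000000f0531c0c3")
ENC_HEX = ("6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
           "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
           "71bff87c4040404f45718083")


def null_offsets(buf: bytes) -> list[int]:
    """Offsets of every 0x00 byte in buf."""
    return [i for i, b in enumerate(buf) if b == 0]


def guess_xor_key(buf: bytes) -> int:
    """Guess a single-byte XOR key as the most frequent byte.

    Heuristic: machine code is full of 0x00 bytes (immediates, string
    terminators), and each of them becomes the key byte once XORed.
    """
    return Counter(buf).most_common(1)[0][0]


def xor_tail(buf: bytes, key: int, length: int) -> bytes:
    """XOR the last `length` bytes of buf with key, dropping the stub before them."""
    if not 0 < length <= len(buf):
        raise ValueError("length out of range")
    return bytes(b ^ key for b in buf[-length:])


def analyse(raw_hex: str, enc_hex: str) -> dict:
    """Compare a raw dump with its encoded form (assumed layout: stub + payload)."""
    raw, enc = bytes.fromhex(raw_hex), bytes.fromhex(enc_hex)
    key = guess_xor_key(enc)
    return {
        "raw_nulls": null_offsets(raw),      # where the raw code has zeroes
        "enc_nulls": null_offsets(enc),      # should be empty after encoding
        "key": key,                          # recovered without being told
        "stub_len": len(enc) - len(raw),     # bytes in front of the payload
        "roundtrip": xor_tail(enc, key, len(raw)) == raw,
    }


if __name__ == "__main__":
    for name, value in analyse(RAW_HEX, ENC_HEX).items():
        print(f"{name}: {value}")
```

The recovered key is a useful reminder that single-byte XOR hides nothing from analysis: the zero-heavy plaintext makes the key the most common byte in the encoded output.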

See Also

radare2(1)

Synopsis

ragg2  [-a arch]  [-b bits]  [-k kernel]  [-f format]  [-o file] [-i shellcode] [-I path] [-e eggstr]
             [-E encoder] [-B hexpairs] [-c k=v] [-C file] [-n num32] [-N num64] [-d off:dword]  [-D off:qword]
             [-w off:hexpair] [-p padding] [-P pattern] [-q fragment] [-FOLsrxvhz]
