.Dd Sep 30, 2014
.Dt RAGG2 1
.Sh NAME
.Nm ragg2
.Nd radare2 frontend for r_egg, compile programs into tiny binaries for x86-32/64 and arm.
.Sh SYNOPSIS
.Nm ragg2
.Op Fl a Ar arch
.Op Fl b Ar bits
.Op Fl k Ar kernel
.Op Fl f Ar format
.Op Fl o Ar file
.Op Fl i Ar shellcode
.Op Fl I Ar path
.Op Fl e Ar encoder
.Op Fl B Ar hexpairs
.Op Fl c Ar k=v
.Op Fl C Ar file
.Op Fl n Ar num32
.Op Fl N Ar num64
.Op Fl d Ar off:dword
.Op Fl D Ar off:qword
.Op Fl w Ar off:hexpair
.Op Fl p Ar padding
.Op Fl P Ar pattern
.Op Fl q Ar fragment
.Op Fl FOLsrxvhz
.Sh DESCRIPTION
ragg2 is a frontend for r_egg. It compiles programs into tiny binaries for x86-32/64 and arm.
.Pp
This tool is experimental. It is a rewrite of the old rarc2 and rarc2-tool programs as a library, integrated with r_asm and r_bin.
.Pp
Programs generated by r_egg are relocatable and can be injected into a running process or an on-disk binary file.
.Pp
Since the ragg2-cc merge, ragg2 can generate shellcode from C code. The resulting code can be linked with rabin2 and is relocatable, so it can be injected into any remote process. This feature is conceptually based on shellforge4, but only linux/osx x86-32/64 platforms are supported.
.Sh DIRECTIVES
.Pp
The rr2 (ragg2) configuration file accepts the following directives, written as key=value entries. Lines starting with '#' are comments.
.Bl -tag -width Fl
.It Fl a Ar arch
set architecture x86, arm
.It Fl b Ar bits
32 or 64
.It Fl k Ar kernel
windows, linux or osx
.It Fl f Ar format
output format (raw, c, pe, elf, mach0, python, javascript)
.It Fl o Ar file
output file to write result of compilation
.It Fl i Ar shellcode
specify shellcode name to be used (see \-L)
.It Fl e Ar encoder
specify encoder name to be used (see \-L)
.It Fl B Ar hexpair
specify shellcode as hexpairs
.It Fl c Ar k=v
set configure option for the shellcode encoder. The argument must be key=value.
.It Fl C Ar file
include contents of file
.It Fl d Ar off:dword
Patch final buffer with given dword at specified offset
.It Fl D Ar off:qword
Patch final buffer with given qword at specified offset
.It Fl w Ar off:hexpairs
Patch final buffer with given hexpairs at specified offset
.It Fl n Ar num32
Append a 32bit number in little endian
.It Fl N Ar num64
Append a 64bit number in little endian
.It Fl p Ar padding
Specify generic paddings with a format string. Use lowercase letters to prefix and uppercase letters to suffix. The keychars are 'n' for nop, 't' for trap, 'a' for sequence and 's' for zero.
.It Fl P Ar size
Prepend debruijn sequence of given length.
.It Fl q Ar fragment
Output offset of debruijn sequence fragment.
.It Fl F
autodetect native file format (osx=mach0, linux=elf, ..)
.It Fl O
use default output file (filename without extension or a.out)
.It Fl I Ar path
add include path
.It Fl s
show assembler code
.It Fl S
append a string
.It Fl r
show raw bytes instead of hexpairs
.It Fl x
execute (just-in-time)
.It Fl X
execute rop chain
.It Fl L
list all plugins (shellcodes and encoders)
.It Fl h
show this help
.It Fl z
output in C string syntax
.It Fl v
show version
.El
.Sh EXAMPLE
.Pp
$ cat hi.r
/* hello world in r_egg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);
.Pp
main@global(128) {
  .var0 = "hi!\\n";
  write(1,.var0, 4);
  exit(0);
}
$ ragg2 \-O \-F hi.r
$ ./hi
hi!
.Pp
# With C file:
$ cat hi.c
main() {
  write(1, "Hello\\n", 6);
  exit(0);
}
$ ragg2 -O -F hi.c
.Pp
$ ./hi
Hello
.Pp
# Linked into a tiny binary. This is 165 bytes
$ wc \-c < hi
165
.Pp
# The compiled shellcode has zeroes
$ ragg2 hi.c | tail -1
eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010
000000f0531ffb83c0000000f0531c0c3
.Pp
# Use a xor encoder with key 64 to bypass
$ ragg2 \-e xor \-c key=64 \-B $(ragg2 hi.c | tail -1)
6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252
c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45
71bff87c4040404f45718083
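.Pp
The two hexpair dumps above can be compared offline. The following Python script is an added example, not part of the original manual or of radare2; the helper names zero_offsets and locate_xor_body are hypothetical. It counts the zero bytes in each buffer and recovers where the XORed body starts in the encoder output and which single-byte key was applied.

```python
# Added example: both hexpair strings are copied from the EXAMPLE section above.
PLAIN_HEX = (
    "eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
    "000000f0531ffb83c0000000f0531c0c3"
)
ENCODED_HEX = (
    "6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
    "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
    "71bff87c4040404f45718083"
)


def zero_offsets(buf: bytes) -> list:
    """Return the offsets of every 0x00 byte in buf."""
    return [i for i, b in enumerate(buf) if b == 0]


def locate_xor_body(encoded: bytes, plain: bytes):
    """Find (offset, key) so that encoded[offset:offset+len(plain)] == plain XOR key.

    Returns None when no single-byte key reproduces plain anywhere in encoded.
    """
    if not plain:
        return None
    n = len(plain)
    for offset in range(len(encoded) - n + 1):
        # The first byte pair fixes the only key that could work at this offset.
        key = encoded[offset] ^ plain[0]
        window = encoded[offset:offset + n]
        if all(c ^ key == p for c, p in zip(window, plain)):
            return offset, key
    return None


def report() -> dict:
    """Summarise the two buffers shown on this page."""
    plain = bytes.fromhex(PLAIN_HEX)
    encoded = bytes.fromhex(ENCODED_HEX)
    offset, key = locate_xor_body(encoded, plain)
    return {
        "plain_len": len(plain),
        "plain_zeroes": len(zero_offsets(plain)),
        "encoded_zeroes": len(zero_offsets(encoded)),
        "stub_len": offset,  # bytes in front of the XORed body
        "key": key,          # the key=64 argument is decimal, i.e. 0x40
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The result shows that a single-byte XOR layer only changes the byte values: the original buffer is recoverable from the encoder output with a 256-key search.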
.Sh SEE ALSO
.Pp
.Xr radare2(1) ,
.Xr rahash2(1) ,
.Xr rafind2(1) ,
.Xr rabin2(1) ,
.Xr radiff2(1) ,
.Xr rasm2(1) ,
.Sh AUTHORS
.Pp
Written by pancake <pancake@nopcode.org>.