forked from radareorg/radare2
ragg2.1
.Dd Sep 30, 2014
.Dt RAGG2 1
.Sh NAME
.Nm ragg2
.Nd radare2 frontend for r_egg that compiles programs into tiny binaries for x86-32/64 and arm
.Sh SYNOPSIS
.Nm ragg2
.Op Fl a Ar arch
.Op Fl b Ar bits
.Op Fl k Ar kernel
.Op Fl f Ar format
.Op Fl o Ar file
.Op Fl i Ar shellcode
.Op Fl I Ar path
.Op Fl e Ar encoder
.Op Fl B Ar hexpairs
.Op Fl c Ar k=v
.Op Fl C Ar file
.Op Fl n Ar num32
.Op Fl N Ar num64
.Op Fl d Ar off:dword
.Op Fl D Ar off:qword
.Op Fl w Ar off:hexpairs
.Op Fl p Ar padding
.Op Fl P Ar size
.Op Fl q Ar fragment
.Op Fl FOLsrxvhz
.Sh DESCRIPTION
ragg2 is a frontend for r_egg that compiles programs into tiny binaries for x86-32/64 and arm.
.Pp
This tool is experimental and it is a rewrite of the old rarc2 and rarc2-tool programs as a library and integrated with r_asm and r_bin.
.Pp
Programs generated by r_egg are relocatable and can be injected into a running process or an on-disk binary file.
.Pp
ragg2-cc is another tool that comes with r2 and is used to generate shellcode from C code. The final code can be linked with rabin2 and is relocatable, so it can be injected into any remote process.
.Pp
ragg2-cc is conceptually based on shellforge4, but only linux/osx x86-32/64 platforms are supported.
.Sh DIRECTIVES
.Pp
The rr2 (ragg2) configuration file accepts the following directives, described as key=value entries and comments defined as lines starting with '#'.
.Bl -tag -width Fl
.It Fl a Ar arch
set architecture (x86, arm)
.It Fl b Ar bits
32 or 64
.It Fl k Ar kernel
windows, linux or osx
.It Fl f Ar format
select binary format (pe, elf, mach0)
.It Fl o Ar file
output file to write result of compilation
.It Fl i Ar shellcode
specify shellcode name to be used (see \-L)
.It Fl e Ar encoder
specify encoder name to be used (see \-L)
.It Fl B Ar hexpairs
specify shellcode as hexpairs
.It Fl c Ar k=v
set configuration option for the shellcode encoder. The argument must be key=value.
.It Fl C Ar file
include contents of file
.It Fl d Ar off:dword
Patch final buffer with given dword at specified offset
.It Fl D Ar off:qword
Patch final buffer with given qword at specified offset
.It Fl w Ar off:hexpairs
Patch final buffer with given hexpairs at specified offset
.It Fl n Ar num32
Append a 32-bit number in little endian
.It Fl N Ar num64
Append a 64-bit number in little endian
.It Fl p Ar padding
Specify generic paddings with a format string.
.It Fl P Ar size
Prepend De Bruijn sequence of given length.
.It Fl q Ar fragment
Output offset of De Bruijn sequence fragment.
.It Fl F
autodetect native file format (osx=mach0, linux=elf, ..)
.It Fl O
use default output file (filename without extension or a.out)
.It Fl I Ar path
add include path
.It Fl s
show assembler code
.It Fl r
show raw bytes instead of hexpairs
.It Fl x
execute (just-in-time)
.It Fl z
output in C string syntax
.El
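How the \-P and \-q options relate, as an added example for crash triage (not code from ragg2 or radare2): a De Bruijn pattern generator and a fragment-to-offset lookup in C. The alphabet 'A'..'Z', the 4-byte window and all function names are assumptions, so the bytes will not match what ragg2 itself emits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define K 26 /* assumed alphabet 'A'..'Z'; ragg2's own charset may differ */
#define N 4  /* window size: every 4-byte fragment occurs exactly once */
#define MAX_LEN (K * K * K * K) /* one full cycle of B(26,4) */
static int a[N + 1];
static unsigned char *out;
static size_t out_len, out_cap;
/* Recursive Lyndon-word construction, cut off once out_cap bytes are written. */
static void db(int t, int p) {
    if (out_len >= out_cap) return;
    if (t > N) {
        if (N % p == 0)
            for (int j = 1; j <= p && out_len < out_cap; j++)
                out[out_len++] = (unsigned char)('A' + a[j]);
        return;
    }
    a[t] = a[t - p];
    db(t + 1, p);
    for (int j = a[t - p] + 1; j < K; j++) {
        a[t] = j;
        db(t + 1, t);
    }
}

/* Fill buf with len pattern bytes; 0 on success, -1 if len exceeds one cycle. */
int pattern_create(unsigned char *buf, size_t len) {
    if (!buf || len > MAX_LEN) return -1;
    memset(a, 0, sizeof a);
    out = buf; out_len = 0; out_cap = len;
    db(1, 1);
    return 0;
}

/* Offset of the fragment held in a little-endian 32-bit value, or -1. */
long pattern_offset(const unsigned char *buf, size_t len, uint32_t value) {
    unsigned char frag[N];
    for (int i = 0; i < N; i++) frag[i] = (unsigned char)(value >> (8 * i));
    for (size_t off = 0; off + N <= len; off++)
        if (memcmp(buf + off, frag, N) == 0) return (long)off;
    return -1;
}

int main(void) {
    unsigned char buf[256];
    if (pattern_create(buf, sizeof buf) != 0) return 1;
    printf("offset: %ld\n", pattern_offset(buf, sizeof buf, 0x41414241u));
    return 0;
}
```

Because each 4-byte window is unique within one cycle, a value recovered from a register or stack slot in a crash dump maps back to exactly one position in the input.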
.Sh EXAMPLE
.Pp
.Bd -literal
$ cat hi.r
/* hello world in r_egg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);

main@global(128) {
  \&.var0 = "hi!\\n";
  write(1,.var0, 4);
  exit(0);
}
$ ragg2 \-O \-F hi.r
$ ./hi
hi!

$ cat hi.c
main() {
  write(1, "Hello\\n", 6);
  exit(0);
}
$ ragg2 hi.c
$ ./hi.c.bin
Hello
.Ed
.Sh SEE ALSO
.Pp
.Xr radare2 1 ,
.Xr rahash2 1 ,
.Xr rafind2 1 ,
.Xr rabin2 1 ,
.Xr radiff2 1 ,
.Xr rasm2 1
.Sh AUTHORS
.Pp
Written by pancake <[email protected]>.