ragg2
Help
Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path]
[-i sc] [-e enc] [-B hex] [-c k=v] [-C file] [-p pad] [-q off]
[-q off] [-dDw off:hex] file|f.asm|-
-a [arch] select architecture (x86, mips, arm)
-b [bits] register size (32, 64, ..)
-B [hexpairs] append some hexpair bytes
-c [k=v] set configuration options
-C [file] append contents of file
-d [off:dword] patch dword (4 bytes) at given offset
-D [off:qword] patch qword (8 bytes) at given offset
-e [encoder] use specific encoder. see -L
-f [format] output format (raw, c, pe, elf, mach0, python, javascript)
-F output native format (osx=mach0, linux=elf, ..)
-h show this help
-i [shellcode] include shellcode plugin, uses options. see -L
-I [path] add include path
-k [os] operating system's kernel (linux,bsd,osx,w32)
-L list all plugins (shellcodes and encoders)
-n [dword] append 32bit number (4 bytes)
-N [dword] append 64bit number (8 bytes)
-o [file] output file
-O use default output file (filename without extension or a.out)
-p [padding] add padding after compilation (padding=n10s32)
ntas : begin nop, trap, 'a', sequence
NTAS : same as above, but at the end
-P [size] prepend debruijn pattern
-q [fragment] debruijn pattern offset
-r show raw bytes instead of hexpairs
-s show assembler
-v show version
-w [off:hex] patch hexpairs at given offset
-x execute
-z output in C string syntax
ragg2 man page
RAGG2(1) BSD General Commands Manual RAGG2(1)
NAME
ragg2 — radare2 frontend for r_egg; compiles programs into tiny binaries for x86-32/64 and arm.
SYNOPSIS
ragg2 [-a arch] [-b bits] [-k kernel] [-f format] [-o file] [-i shellcode] [-I path] [-e encoder] [-B hexpairs]
[-c k=v] [-C file] [-n num32] [-N num64] [-d off:dword] [-D off:qword] [-w off:hexpair] [-p padding]
[-P pattern] [-q fragment] [-FOLsrxvhz]
DESCRIPTION
ragg2 is a frontend for r_egg that compiles programs into tiny binaries for x86-32/64 and arm.
This tool is experimental. It is a rewrite of the old rarc2 and rarc2-tool programs as a library, integrated
with r_asm and r_bin.
Programs generated by r_egg are relocatable and can be injected into a running process or an on-disk binary file.
ragg2-cc is another tool that comes with r2; it is used to generate shellcodes from C code. The final code
can be linked with rabin2 and is relocatable, so it can be injected into any remote process.
ragg2-cc is conceptually based on shellforge4, but only linux/osx x86-32/64 platforms are supported.
DIRECTIVES
The rr2 (ragg2) configuration file accepts the following directives, described as key=value entries and comments
defined as lines starting with '#'.
-a arch set architecture x86, arm
-b bits 32 or 64
-k kernel windows, linux or osx
-f format select binary format (pe, elf, mach0)
-o file output file to write result of compilation
-i shellcode
specify shellcode name to be used (see -L)
-e encoder specify encoder name to be used (see -L)
-B hexpair specify shellcode as hexpairs
-c k=v set configure option for the shellcode encoder. The argument must be key=value.
-C file include contents of file
-d off:dword
Patch final buffer with given dword at specified offset
-D off:qword
Patch final buffer with given qword at specified offset
-w off:hexpairs
Patch final buffer with given hexpairs at specified offset
-n num32 Append a 32bit number in little endian
-N num64 Append a 64bit number in little endian
-p padding Specify generic paddings with a format string. Use lowercase letters to prefix and uppercase letters to
suffix. The key characters are 'n' for nop, 't' for trap, 'a' for sequence and 's' for zero.
-P size Prepend debruijn sequence of given length.
-q fragment
Output offset of debruijn sequence fragment.
-F autodetect native file format (osx=mach0, linux=elf, ..)
-O use default output file (filename without extension or a.out)
-I path add include path
-s show assembler code
-r show raw bytes instead of hexpairs
-x execute (just-in-time)
-z output in C string syntax
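The -P and -q options above rely on a de Bruijn pattern: every window of n bytes occurs only once, so a fragment seen later (for example in a register during crash triage) maps back to one offset. The sketch below is an added example, not ragg2's code; the alphabet, the window size of 3 and the function names are assumptions.

```python
import struct

# Assumed values: the page does not state ragg2's alphabet or window size.
ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
WINDOW = 3


def debruijn(length, alphabet=ALPHABET, n=WINDOW):
    """Return the first `length` bytes of the de Bruijn sequence B(k, n)."""
    k = len(alphabet)
    if length > k ** n:
        raise ValueError("longer than k**n: windows would start repeating")
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        # Standard Lyndon-word construction, stopped once enough bytes exist.
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])


def offset_of(fragment, length=4096):
    """Offset of `fragment` in the pattern, or -1 if absent or too short."""
    if isinstance(fragment, int):
        # A 32-bit value read back from memory: assume little-endian storage.
        fragment = struct.pack("<I", fragment)
    if len(fragment) < WINDOW:
        return -1  # shorter than one window, so the position is not unique
    return debruijn(length).find(fragment)


if __name__ == "__main__":
    print(debruijn(20).decode())   # constructed sample: 20-byte pattern
    print(offset_of(0x41444141))   # bytes "AADA" as a little-endian dword
```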
EXAMPLE
$ cat hi.r
/* hello world in r_egg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);
main@global(128) {
    .var0 = "hi!\n";
    write(1,.var0, 4);
    exit(0);
}
$ ragg2 -O -F hi.r
$ ./hi
hi!
$ cat hi.c
main() {
    write(1, "Hello\n", 6);
    exit(0);
}
$ ragg2 hi.c
$ ./hi.c.bin
Hello
SEE ALSO
radare2(1), rahash2(1), rafind2(1), rabin2(1), radiff2(1), rasm2(1)
AUTHORS
Written by pancake <pancake@nopcode.org>.
Sep 30, 2014
Resources
Payloads in C · The Official Radare Blog