Provided by: radare2_3.2.1+dfsg-5build1_amd64 bug


     ragg2 — radare2 frontend for r_egg, compile programs into tiny binaries for x86-32/64 and


     ragg2 [-a arch] [-b bits] [-k kernel] [-f format] [-o file] [-i shellcode] [-I path]
           [-e encoder] [-B hexpairs] [-c k=v] [-C file] [-n num32] [-N num64] [-d off:dword]
           [-D off:qword] [-w off:hexpair] [-p padding] [-P pattern] [-q fragment] [-FOLsrxvhz]


     ragg2 is a frontend for r_egg, compile programs into tiny binaries for x86-32/64 and arm.

     This tool is experimental and it is a rewrite of the old rarc2 and rarc2-tool programs as a
     library and integrated with r_asm and r_bin.

     Programs generated by r_egg are relocatable and can be injected in a running process or on-
     disk binary file.

     Since the ragg2-cc merge, ragg2 can now generate shellcodes from C code. The final code can
     be linked with rabin2 and it is relocatable, so it can be used to inject it on any remote
     process. This feature is conceptually based on shellforge4, but only linux/osx x86-32/64
     platforms are supported.


     The rr2 (ragg2) configuration file accepts the following directives, described as key=value
     entries and comments defined as lines starting with '#'.

     -a arch     set architecture x86, arm

     -b bits     32 or 64

     -k kernel   windows, linux or osx

     -f format   output format (raw, c, pe, elf, mach0, python, javascript)

     -o file     output file to write result of compilation

     -i shellcode
                 specify shellcode name to be used (see -L)

     -e encoder  specify encoder name to be used (see -L)

     -B hexpair  specify shellcode as hexpairs

     -c k=v      set configure option for the shellcode encoder. The argument must be key=value.

     -C file     include contents of file

     -d off:dword
                 Patch final buffer with given dword at specified offset

     -D off:qword
                 Patch final buffer with given qword at specified offset

     -w off:hexpairs
                 Patch final buffer with given hexpairs at specified offset

     -n num32    Append a 32bit number in little endian

     -N num64    Append a 64bit number in little endian

     -p padding  Specify generic paddings with a format string. Use lowercase letters to prefix,
                 and uppercase to suffix, keychars are. 'n' for nop, 't' for trap, 'a' for
                 sequence and 's' for zero.

     -P size     Prepend debruijn sequence of given length.

     -q fragment
                 Output offset of debruijn sequence fragment.

     -F          autodetect native file format (osx=mach0, linux=elf, ..)

     -O          use default output file (filename without extension or a.out)

     -I path     add include path

     -s          show assembler code

     -r          show raw bytes instead of hexpairs

     -x          execute (just-in-time)

     -z          output in C string syntax


       $ cat hi.r
       /* hello world in r_egg */
       write@syscall(4); //x64 write@syscall(1);
       exit@syscall(1); //x64 exit@syscall(60);

       main@global(128) {
         .var0 = "hi!\n";
         write(1,.var0, 4);
       $ ragg2 -O -F hi.r
       $ ./hi

       # With C file :
       $ cat hi.c
       main() {
         write(1, "Hello\n", 6);
       $ ragg2 -O -F hi.c

       $ ./hi

       # Linked into a tiny binary. This is 165 bytes
       $ wc -c < hi

       # The compiled shellcode has zeroes
       $ ragg2 hi.c | tail -1

       # Use a xor encoder with key 64 to bypass
       $ ragg2 -e xor -c key=64 -B $(ragg2 hi.c | tail -1)


     radare2(1), rahash2(1), rafind2(1), rabin2(1), rafind2(1), radiff2(1), rasm2(1),


     Written by pancake <>.

                                           Sep 30, 2014