Language

The code of r_egg is compiled as in a flow. It is a one-pass compiler;

this means that you have to define the proper stackframe size at the

beginning of the function, and you have to define the functions in

order to avoid getting compilation errors.

The compiler generates assembly code for x86-{32,64} and arm. But it aims

to support more platforms. This code is the compiled with r_asm and

injected into a tiny binary with r_bin.

You may like to use r_egg to create standalone binaries, position-

independent raw eggs to be injected on running processes or to patch

on-disk binaries.

The generated code is not yet optimized, but it's safe to be executed

at any place in the code.

Preprocessor

Aliases

Sometimes you just need to replace at compile time a single entity on

multiple places. Aliases are translated into 'equ' statements in assembly

language. This is just an assembler-level keyword redefinition.

AF_INET@alias(2);

printf@alias(0x8053940);

Includes

Use cat(1) or the preprocessor to concatenate multiple files to be compiled.

INCDIR@alias("/usr/include/ragg2");

sys-osx.r@include(INCDIR);

Hashbang

eggs can use a hashbang to make them executable.

$ head -n1 hello.r

#!/usr/bin/ragg2 -X

$ ./hello.r

Hello World!

Main

The execution of the code is done as in a flow. The first function to be

defined will be the first one to be executed. If you want to run main()

just do like this:

#!/usr/bin/ragg2 -X

main();

...

main@global(128,64) {

...

Function definition

You may like to split up your code into several code blocks. Those blocks

are bound to a label followed by root brackets '{ ... }'

Function signatures

name@type(stackframesize,staticframesize) { body }

name : name of the function to define

type : see function types below

stackframesize : get space from stack to store local variables

staticframesize : get space from stack to store static variables (strings)

body : code of the function

Function types

alias Used to create aliases

data ; the body of the block is defined in .data

inline ; the function body is inlined when called

global ; make the symbol global

fastcall ; function that is called using the fast calling convention

syscall ; define syscall calling convention signature

Syscalls

r_egg offers a syntax sugar for defining syscalls. The syntax is like this:

exit@syscall(1);

@syscall() {

` : mov eax,.arg```

: int 0x80

}

main@global() {

exit (0);

}

Libraries

At the moment there is no support for linking r_egg programs to system

libraries. but if you inject the code into a program (disk/memory) you

can define the address of each function using the @alias syntax.

Core library

There's a work-in-progress libc-like library written completely in r_egg

Variables

.arg

.arg0

.arg1

.arg2

.var0

.var2

.fix

.ret ; eax for x86, r0 for arm

.bp

.pc

.sp

Attention: All the numbers after .var and .arg mean the offset with the

top of stack, not variable symbols.

Arrays

Supported as raw pointers. TODO: enhance this feature

Tracing

Sometimes r_egg programs will break or just not work as expected. Use the

'trace' architecture to get a arch-backend call trace:

$ ragg2 -a trace -s yourprogram.r

Pointers

TODO: Theorically '*' is used to get contents of a memory pointer.

Virtual registers

TODO: a0, a1, a2, a3, sp, fp, bp, pc

Math operations

Ragg2 supports local variables assignment by math operating, including

the following operators:

+ - * / & | ^

Return values

The return value is stored in the a0 register, this register is set when

calling a function or when typing a variable name without assignment.

$ cat test.r
add@global(4) {
    .var0 = .arg0 + .arg1;
    .var0;
}

main@global() {
    add (3,4);
}

$ ragg2 -F -o test test.r
$ ./test
$ echo $?
7

Traps

Each architecture have a different instruction to break the execution of

the program. REgg language captures calls to 'break()' to run the emit_trap

callback of the selected arch. The

break(); --> compiles into 'int3' on x86

break; --> compiles into 'int3' on x86

Inline assembly

Lines prefixed with ':' char are just inlined in the output assembly.

: jmp 0x8048400

: .byte 33,44

Labels

You can define labels using the : keyword like this:

:label_name:

/* loop forever */

goto(label_name)

Control flow

goto (addr) -- branch execution

while (cond)

if (cond)

if (cond) { body } else { body }

break () -- executes a trap instruction

Comments

Supported syntax for comments are:

/* multiline comment */'

// single line comment

# single line comment

最后更新于4年前

这有帮助吗？

Language

The code of r_egg is compiled as in a flow. It is a one-pass compiler;

this means that you have to define the proper stackframe size at the

beginning of the function, and you have to define the functions in

order to avoid getting compilation errors.

The compiler generates assembly code for x86-{32,64} and arm. But it aims

to support more platforms. This code is the compiled with r_asm and

injected into a tiny binary with r_bin.

You may like to use r_egg to create standalone binaries, position-

independent raw eggs to be injected on running processes or to patch

on-disk binaries.

The generated code is not yet optimized, but it's safe to be executed

at any place in the code.

Preprocessor

Aliases

Sometimes you just need to replace at compile time a single entity on

multiple places. Aliases are translated into 'equ' statements in assembly

language. This is just an assembler-level keyword redefinition.

AF_INET@alias(2);

printf@alias(0x8053940);

Includes

Use cat(1) or the preprocessor to concatenate multiple files to be compiled.

INCDIR@alias("/usr/include/ragg2");

sys-osx.r@include(INCDIR);

Hashbang

eggs can use a hashbang to make them executable.

$ head -n1 hello.r

#!/usr/bin/ragg2 -X

$ ./hello.r

Hello World!

Main

The execution of the code is done as in a flow. The first function to be

defined will be the first one to be executed. If you want to run main()

just do like this:

#!/usr/bin/ragg2 -X

main();

...

main@global(128,64) {

...

Function definition

You may like to split up your code into several code blocks. Those blocks

are bound to a label followed by root brackets '{ ... }'

Function signatures

name@type(stackframesize,staticframesize) { body }

name : name of the function to define

type : see function types below

stackframesize : get space from stack to store local variables

staticframesize : get space from stack to store static variables (strings)

body : code of the function

Function types

alias Used to create aliases

data ; the body of the block is defined in .data

inline ; the function body is inlined when called

global ; make the symbol global

fastcall ; function that is called using the fast calling convention

syscall ; define syscall calling convention signature

Syscalls

r_egg offers a syntax sugar for defining syscalls. The syntax is like this:

exit@syscall(1);

@syscall() {

` : mov eax,.arg```

: int 0x80

}

main@global() {

exit (0);

}

Libraries

At the moment there is no support for linking r_egg programs to system

libraries. but if you inject the code into a program (disk/memory) you

can define the address of each function using the @alias syntax.

Core library

There's a work-in-progress libc-like library written completely in r_egg

Variables

.arg

.arg0

.arg1

.arg2

.var0

.var2

.fix

.ret ; eax for x86, r0 for arm

.bp

.pc

.sp

Attention: All the numbers after .var and .arg mean the offset with the

top of stack, not variable symbols.

Arrays

Supported as raw pointers. TODO: enhance this feature

Tracing

Sometimes r_egg programs will break or just not work as expected. Use the

'trace' architecture to get a arch-backend call trace:

$ ragg2 -a trace -s yourprogram.r

Pointers

TODO: Theorically '*' is used to get contents of a memory pointer.

Virtual registers

TODO: a0, a1, a2, a3, sp, fp, bp, pc

Math operations

Ragg2 supports local variables assignment by math operating, including

the following operators:

+ - * / & | ^

Return values

The return value is stored in the a0 register, this register is set when

calling a function or when typing a variable name without assignment.

$ cat test.r
add@global(4) {
    .var0 = .arg0 + .arg1;
    .var0;
}

main@global() {
    add (3,4);
}

$ ragg2 -F -o test test.r
$ ./test
$ echo $?
7

Traps

Each architecture have a different instruction to break the execution of

the program. REgg language captures calls to 'break()' to run the emit_trap

callback of the selected arch. The

break(); --> compiles into 'int3' on x86

break; --> compiles into 'int3' on x86

Inline assembly

Lines prefixed with ':' char are just inlined in the output assembly.

: jmp 0x8048400

: .byte 33,44

Labels

You can define labels using the : keyword like this:

:label_name:

/* loop forever */

goto(label_name)

Control flow

goto (addr) -- branch execution

while (cond)

if (cond)

if (cond) { body } else { body }

break () -- executes a trap instruction

Comments

Supported syntax for comments are:

/* multiline comment */'

// single line comment

# single line comment

最后更新于4年前

这有帮助吗？