UPX
UPX, the Ultimate Packer for eXecutables, is a free and open source executable packer supporting a number of file formats from different operating systems.

Compression

UPX uses a compression algorithm called UCL, which is an open source implementation of portions of the proprietary NRV—Not Really Vanished—algorithm.

UCL has been designed to be simple enough that a decompressor can be implemented in just a few hundred bytes of code. UCL requires no additional memory to be allocated for decompression, a considerable advantage that means that a UPX packed executable usually requires no additional memory.

UPX (since 2.90 beta) can use LZMA on most platforms; however, this is disabled by default for 16-bit due to slow decompression speed on older computers (use --lzma to force it on).

Decompression

UPX supports two mechanisms for decompression - an in-place technique and extraction to temporary file.

The in-place technique, which decompresses the executable into memory, is not possible on all supported platforms. The rest use extraction to temporary file. This procedure involves additional overhead and other disadvantages; however, it allows any executable file format to be packed. The executable is extracted to a temporary location, and then open is used to obtain a file descriptor.

Once a file descriptor is obtained, the temporary file can be unlinked; the stub then uses execve on the file handle (via /proc) to overwrite the stub with the executable image of the temporary file.

The extraction to temporary file method has several disadvantages:
  • special permissions are ignored, such as suid.
  • argv[0] will not be meaningful.
  • applications will be unable to share common segments.
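
The open, unlink and execve-via-/proc sequence described above, as an added C example for Linux (not UPX's stub code and not from the original page). The function name, the /tmp template and the shell-script payload standing in for the decompressed image are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the decompressed image (a script keeps it portable). */
static const char SAMPLE_IMAGE[] = "#!/bin/sh\nexit 7\n";

/* Extract image to a temp file, then exec it through /proc/self/fd in a child.
 * Returns the child's exit status, or -1 on error. Function name is hypothetical. */
int run_via_tempfile(const void *image, size_t len)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char tmpl[] = "/tmp/stubXXXXXX", path[64];
        int out = mkstemp(tmpl);                  /* created with mode 0600 */
        if (out < 0 || write(out, image, len) != (ssize_t)len) _exit(126);
        if (fchmod(out, 0700) != 0) _exit(126);   /* a fresh copy: no suid bit survives */
        close(out);                               /* a writer left open gives ETXTBSY */
        int fd = open(tmpl, O_RDONLY);            /* obtain a file descriptor */
        if (fd < 0 || unlink(tmpl) != 0) _exit(126);   /* name gone, inode kept by fd */
        snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
        char *argv[] = { path, NULL };            /* argv[0] is the /proc path */
        char *envp[] = { NULL };
        execve(path, argv, envp);                 /* replaces the stub's image */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("exit status: %d\n", run_via_tempfile(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE - 1));
    return 0;
}
```

A native image started this way shows a /proc/<pid>/exe link ending in " (deleted)", which is a useful triage signal when reviewing running processes.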


Unmodified UPX packing is often detected and unpacked by anti-virus scanners. UPX also has a built-in feature for unpacking unmodified executables packed with itself. The default license for the existing stubs explicitly forbids modifications that prevent manual unpacking / repacking with newer UPX versions.
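
A name-based check of the kind that recognises unmodified UPX output, as an added C example (not from the original page or the UPX project): it walks a PE section table and counts names starting with UPX. The UPX0/UPX1 names are those produced by UPX's stock PE packing and are not stated on the page; the function names and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned rd16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Count section names beginning with "UPX" (UPX0, UPX1, ...).
 * Returns -1 if buf is not a PE image with a complete section table. */
int count_upx_sections(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || memcmp(buf, "MZ", 2) != 0) return -1;
    size_t pe = rd32(buf + 0x3c);                     /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    unsigned nsec = rd16(buf + pe + 6);               /* NumberOfSections */
    size_t tbl = pe + 24 + rd16(buf + pe + 20);       /* skip optional header */
    if (tbl > len || (len - tbl) / 40 < nsec) return -1;
    int hits = 0;
    for (unsigned i = 0; i < nsec; i++)               /* 40-byte entries, name first */
        if (memcmp(buf + tbl + 40u * i, "UPX", 3) == 0) hits++;
    return hits;
}

/* Constructed sample: a bare PE header carrying only the given section names. */
size_t make_sample_pe(uint8_t *out, size_t cap, const char *const *names, unsigned n)
{
    size_t need = 0x58 + 40u * n;
    if (n > 255 || need > cap) return 0;
    memset(out, 0, need);
    memcpy(out, "MZ", 2);
    out[0x3c] = 0x40;                                 /* PE header at 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x46] = (uint8_t)n;
    for (unsigned i = 0; i < n; i++)
        strncpy((char *)out + 0x58 + 40u * i, names[i], 8);
    return need;
}

int main(void)
{
    static const char *const names[] = { "UPX0", "UPX1", ".rsrc" };
    uint8_t img[0x58 + 3 * 40];
    size_t n = make_sample_pe(img, sizeof img, names, 3);
    printf("UPX sections: %d\n", count_upx_sections(img, n));
    return 0;
}
```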

Supported formats

  • ARM/PE
  • Atari/tos
  • *BSD/i386
  • djgpp2/COFF
  • dos/com
  • dos/exe
  • dos/sys
  • Linux/i386 a.out
  • Linux/ELF on i386, x86-64, ARM, PowerPC
  • Linux/kernel on i386, x86-64 and ARM
  • Mach-O/ppc32, Mach-O/i386
  • rtm32/PE
  • tmt/adam
  • PlayStation 1/exe
  • Watcom/le
  • Win32/PE (excluding files built using the .NET Framework)

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.