UPX

Last updated
Initial releaseMay 26, 1998;26 years ago (1998-05-26)
Stable release
4.2.2 / January 3, 2024;10 months ago (2024-01-03)
Repository
Written in C++, Assembly
Operating system Microsoft Windows, Linux, macOS, DOS, Atari TOS
Platform i386, MIPS, AMD64, ARM, PowerPC, m68k
Available in English
Type Executable compression
License GPL with exception for compressed executables, [1] proprietary for compression algorithm in binary distributions [2]
Website upx.github.io

UPX (Ultimate Packer for eXecutables) is a free and open source executable packer supporting a number of file formats from different operating systems. [3] [4]

Contents

Compression

UPX uses a data compression algorithm called UCL, [5] which is an open-source implementation of portions of the proprietary NRV (Not Really Vanished) [6] algorithm. [2]

UCL has been designed to be simple enough that a decompressor can be implemented in just a few hundred bytes of code. UCL requires no additional memory to be allocated for decompression, a considerable advantage that means that a UPX packed executable usually requires no additional memory.

UPX (since 2.90 beta) can use LZMA on most platforms; however, this is disabled by default for 16-bit due to slow decompression speed on older computers (use --lzma to force it on).

Starting with version 3.91, UPX also supports 64-Bit (x64) PE files on the Windows platform. [7] This feature is currently declared as experimental.

Decompression

UPX supports two mechanisms for decompression: an in-place technique and extraction to temporary file.

The in-place technique, which decompresses the executable into memory, is not possible on all supported platforms. It has the advantage of being more efficient in terms of memory, and that the environment set up by the OS remains correct.

The rest uses extraction to temporary file. This procedure involves additional overhead and other disadvantages; however, it allows any executable file format to be packed. The extraction to temporary file method has several disadvantages:

Unmodified UPX packing is often detected and unpacked by antivirus software scanners. UPX also has a built-in feature for unpacking unmodified executables packed with itself.

Supported formats

UPX supports the following formats: [8]

UPX does not currently support PE files containing CIL code intended to run on the .NET Framework.

Notes

  1. 1 2 3 For the DOS targets, UPX supports a special option -8086 in order to force the embedded decompressor to become compatible with 8088/8086 processors, so that the compressed files can be executed and decompressed even on the earliest PCs running DOS.
  2. The facility to compress DOS .COM-style files can be utilized also to compress other binary executable files. Some FreeDOS and EDR-DOS kernel files are known to be UPX-compressible this way.
  3. The facility to compress DOS .COM-style files can be utilized also to compress non-executable binary data files, if the driver/application using these files has been enhanced to detect UPX-compressed files and jump to the decompressor embedded in the file. FreeDOS is known to utilize this for .CPX files, UPX-compressed .CPI font files.

Related Research Articles

The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems, and in UEFI environments. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS, MUI and other file types. The Unified Extensible Firmware Interface (UEFI) specification states that PE is the standard executable format in EFI environments.

RAR is a proprietary archive file format that supports data compression, error correction and file spanning. It was developed in 1993 by Russian software engineer Eugene Roshal and the software is licensed by win.rar GmbH. The name RAR stands for Roshal Archive.

Cabinet is an archive-file format for Microsoft Windows that supports lossless data compression and embedded digital certificates used for maintaining archive integrity. Cabinet files have .cab filename extensions and are recognized by their first four bytes MSCF. Cabinet files were known originally as Diamond files.

<span class="mw-page-title-main">7-Zip</span> Open-source file archiver

7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as "archives". It is developed by Igor Pavlov and was first released in 1999. 7-Zip has its own archive format called 7z, but can read and write several others.

The Lempel–Ziv–Markov chain algorithm (LZMA) is an algorithm used to perform lossless data compression. It has been under development since either 1996 or 1998 by Igor Pavlov and was first used in the 7z format of the 7-Zip archiver. This algorithm uses a dictionary compression scheme somewhat similar to the LZ77 algorithm published by Abraham Lempel and Jacob Ziv in 1977 and features a high compression ratio and a variable compression-dictionary size, while still maintaining decompression speed similar to other commonly used compression algorithms.

7z is a compressed archive file format that supports several different data compression, encryption and pre-processing algorithms. The 7z format initially appeared as implemented by the 7-Zip archiver. The 7-Zip program is publicly available under the terms of the GNU Lesser General Public License. The LZMA SDK 4.62 was placed in the public domain in December 2008. The latest stable version of 7-Zip and LZMA SDK is version 24.05.

<span class="mw-page-title-main">StuffIt Expander</span> File decompressor software utility

StuffIt Expander is a proprietary, freeware, closed source, decompression software utility developed by Allume Systems. It runs on the classic Mac OS, macOS, and Microsoft Windows. Prior to 2011, a Linux version had also been available for download.

For Microsoft Windows, OS/2, and DOS, .exe is the filename extension that denotes a file as being executable – a computer program – containing an entry point.

<span class="mw-page-title-main">COM file</span> Type of simple executable file

A COM file is a type of simple executable file. On the Digital Equipment Corporation (DEC) VAX operating systems of the 1970s, .COM was used as a filename extension for text files containing commands to be issued to the operating system. With the introduction of Digital Research's CP/M, the type of files commonly associated with COM extension changed to that of executable files. This convention was later carried over to DOS. Even when complemented by the more general EXE file format for executables, the compact COM files remained viable and frequently used under DOS.

<span class="mw-page-title-main">WinRAR</span> File archiver

WinRAR is a trialware file archiver utility, developed by Eugene Roshal of win.rar GmbH. It can create and view archives in RAR or ZIP file formats, and unpack numerous archive file formats. To enable the user to test the integrity of archives, WinRAR embeds CRC32 or BLAKE2 checksums for each file in each archive. WinRAR supports creating encrypted, multi-part and self-extracting archives.

vmlinux Executable file containing the Linux kernel

vmlinux is a statically linked executable file that contains the Linux kernel in one of the object file formats supported by Linux, which includes Executable and Linkable Format (ELF) and Common Object File Format (COFF). The vmlinux file might be required for kernel debugging, symbol table generation or other operations, but must be made bootable before being used as an operating system kernel by adding a multiboot header, bootsector and setup routines.

The Microsoft Macro Assembler (MASM) is an x86 assembler that uses the Intel syntax for MS-DOS and Microsoft Windows. Beginning with MASM 8.0, there are two versions of the assembler: One for 16-bit & 32-bit assembly sources, and another (ML64) for 64-bit sources only.

PAQ is a series of lossless data compression archivers that have gone through collaborative development to top rankings on several benchmarks measuring compression ratio. Specialized versions of PAQ have won the Hutter Prize and the Calgary Challenge. PAQ is free software distributed under the GNU General Public License.

Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. When this compressed executable is executed, the decompression code recreates the original code from the compressed code before executing it. In most cases this happens transparently so the compressed executable can be used in exactly the same way as the original. Executable compressors are often referred to as executable packers, runtime packers, software packers, software protectors, or even "polymorphic packers" and "obfuscating tools".

<span class="mw-page-title-main">Self-extracting archive</span> Computer executable program

A self-extracting archive is a computer executable program which combines compressed data in an archive file with machine-executable code to extract the information. Running on a compatible operating system, it does not need a suitable extractor in the target computer to extract the data. The executable part of the file is known as a decompressor stub.

<span class="mw-page-title-main">PeaZip</span> File archive computer program

PeaZip is a free and open-source file manager and file archiver for Microsoft Windows, ReactOS, Linux, MacOS and BSD by Giorgio Tani. It supports its native PEA archive format and other mainstream formats, with special focus on handling open formats. Version 9.4.0 supported 234 file extensions.

XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and xz, for Unix-like operating systems and, from version 5.0 onwards, Microsoft Windows. For compression/decompression the Lempel–Ziv–Markov chain algorithm (LZMA) is used. XZ Utils started as a Unix port of Igor Pavlov's LZMA-SDK that has been adapted to fit seamlessly into Unix environments and their usual structure and behavior.

FreeArc is a free and open-source high-performance file archiver developed by Bulat Ziganshin. The project is presumably discontinued, since no information has been released by the developers since 2016 and the official website is down.

ZPAQ is an open source command line archiver for Windows and Linux. It uses a journaling or append-only format which can be rolled back to an earlier state to retrieve older versions of files and directories. It supports fast incremental update by adding only files whose last-modified date has changed since the previous update. It compresses using deduplication and several algorithms depending on the data type and the selected compression level. To preserve forward and backward compatibility between versions as the compression algorithm is improved, it stores the decompression algorithm in the archive. The ZPAQ source code includes a public domain API, libzpaq, which provides compression and decompression services to C++ applications. The format is believed to be unencumbered by patents.

lzip Data compression utility

lzip is a free, command-line tool for the compression of data; it employs the Lempel–Ziv–Markov chain algorithm (LZMA) with a user interface that is familiar to users of usual Unix compression tools, such as gzip and bzip2.

References

  1. "UPX License Agreement". Archived from the original on 2016-03-12. Retrieved 2016-09-14.
  2. 1 2 "The UPX Hacker's Guide". GitHub. 19 February 2022. Archived from the original on 14 May 2022. Retrieved 14 September 2016.
  3. Marak, Victor (2015). Windows Malware Analysis Essentials. Packt Publishing. p. 188. ISBN   978-1-78528-151-8. Archived from the original on May 14, 2022. Retrieved November 22, 2015. Packers such as Ultimate Packer for Executables (UPX) are more of executable compressors as size reduction is the primary goal, not obfuscation, which can be a byproduct ...
  4. Blunden, Bill (2013). The Rootkit Arsenal (Second ed.). Jones & Bartlett Learning. pp. 353–355. ISBN   978-1-4496-2636-5. Archived from the original on May 14, 2022. Retrieved November 22, 2015. One of the most prolific executable packers is UPX (the Ultimate Packer for executables). Not only does it handle dozens of different executable formats, but also its source code is available online.
  5. Markus Oberhumer. "UCL data compression library". oberhumer.com. Archived from the original on 2024-06-28. Retrieved 2022-01-11.
  6. Markus Oberhumer. "NRV Compression Library". Archived from the original on September 9, 2012.
  7. "UPX News". Archived from the original on 2018-01-04. Retrieved 2016-09-14.
  8. upx(1)    Linux General Commands Manual
  9. "dos extender rtm32 - fileformat of the stub? \ VOGONS". Archived from the original on 2022-01-11. Retrieved 2022-01-11.