UPX

Initial release: May 26, 1998
Stable release: 3.09.1 (aka 3.91) / September 30, 2013
Written in: C++, Assembly
Operating system: Microsoft Windows, Linux, Mac OS X, MS-DOS, Atari
Platform: i386, MIPS, AMD64, ARM, PowerPC, m68k
Available in: English
Type: Executable compression
License: GPL with exception for compressed executables[1]
Website: upx.sf.net

UPX (ultimate packer for executables) is a free and open source executable packer supporting a number of file formats from different operating systems.

Compression

UPX uses a data compression algorithm called UCL,[2] which is an open source implementation of portions of the proprietary NRV (Not Really Vanished[3]) algorithm.[4]

UCL was designed to be simple enough that a decompressor can be implemented in just a few hundred bytes of code. UCL requires no additional memory to be allocated for decompression, a considerable advantage that means a UPX-packed executable usually requires no additional memory.

UPX (since 2.90 beta) can use LZMA on most platforms; however, this is disabled by default for 16-bit due to slow decompression speed on older computers (use --lzma to force it on).

Starting with version 3.09.1, UPX also supports 64-bit (x64) executable files on the Windows platform.[5] This feature is currently declared as experimental.

Decompression

UPX supports two mechanisms for decompression: an in-place technique and extraction to a temporary file.

The in-place technique, which decompresses the executable into memory, is not possible on all supported platforms. Platforms that cannot use it fall back to extraction to a temporary file. This procedure involves additional overhead and other disadvantages; however, it allows any executable file format to be packed. The executable is extracted to a temporary location, and then open() is used to obtain a file descriptor.

Once a file descriptor is obtained, the temporary file can be unlink()ed; the stub then uses execve() on the file handle (via /proc) to overwrite the stub with the executable image of the temporary file.

The extraction to a temporary file method has several disadvantages:

  • special permissions are ignored, such as suid.
  • argv[0] will not be meaningful.
  • applications will be unable to share common segments.
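
A defender-side check for the temporary-file mechanism described above, as an added example that is not part of the original article or of UPX itself: a process started from a file that was unlink()ed before execve() keeps running, and on Linux its /proc/<pid>/exe link then ends in " (deleted)". The function names and the sample paths are constructed for illustration.

```python
import os

# Linux appends this suffix to the path of an unlinked file in /proc links.
DELETED_SUFFIX = " (deleted)"


def exe_target(proc_root, pid):
    """Return the target of <proc_root>/<pid>/exe, or None if unreadable."""
    try:
        return os.readlink(os.path.join(proc_root, pid, "exe"))
    except OSError:
        # Kernel threads have no exe link; other users' processes need privileges.
        return None


def find_deleted_exe(proc_root="/proc"):
    """List (pid, original_path) for processes whose executable was unlinked."""
    hits = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        target = exe_target(proc_root, pid)
        if target and target.endswith(DELETED_SUFFIX):
            hits.append((int(pid), target[: -len(DELETED_SUFFIX)]))
    return hits


def build_sample_proc(root):
    """Constructed sample: a fake /proc tree with one normal and one unlinked exe."""
    samples = {
        "101": "/usr/bin/sshd",
        "202": "/tmp/upxSAMPLE (deleted)",  # constructed path, not a real UPX name
    }
    for pid, target in samples.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be skipped
    return root


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        print(find_deleted_exe(build_sample_proc(tmp)))
    # On a Linux host, find_deleted_exe() with no argument scans the live /proc.
```

A hit is a lead rather than a verdict: a binary replaced by a package upgrade while its process is still running produces the same " (deleted)" marker.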

Unmodified UPX packing is often detected and unpacked by antivirus software scanners. UPX also has a built-in feature for unpacking unmodified executables packed with itself. The default license for the existing stubs explicitly forbids modifications that prevent manual unpacking.[6] Most antivirus products will raise an alarm when a UPX header is detected.

Supported formats

UPX does not currently support PE files containing CIL code intended to run on the .NET Framework.
