Suvarna Garge (Editor)

UPX

Written in: C++, Assembly
Available in: English
Initial release: May 26, 1998; 18 years ago (1998-05-26)
Stable release: 3.93 / January 29, 2017; 56 days ago (2017-01-29)
Operating system: Microsoft Windows, Linux, macOS, DOS, Atari TOS
Platform: i386, MIPS, AMD64, ARM, PowerPC, m68k

UPX (Ultimate Packer for Executables) is a free and open source executable packer supporting a number of file formats from different operating systems.

Compression

UPX uses a data compression algorithm called UCL, which is an open source implementation of portions of the proprietary NRV (Not Really Vanished) algorithm.

UCL is designed to be simple enough that a decompressor can be implemented in just a few hundred bytes of code. It requires no additional memory to be allocated for decompression, a considerable advantage which means that a UPX-packed executable usually requires no additional memory.

UPX (since 2.90 beta) can use LZMA on most platforms; however, this is disabled by default for 16-bit targets because decompression is slow on older computers (use --lzma to force it on).

Starting with version 3.91, UPX also supports 64-bit (x64) executable files on the Windows platform. This feature is currently declared experimental.

Decompression

UPX supports two mechanisms for decompression: an in-place technique and extraction to a temporary file.

The in-place technique, which decompresses the executable into memory, is not possible on all supported platforms. The rest use extraction to a temporary file. This procedure involves additional overhead and other disadvantages; however, it allows any executable file format to be packed.

The extraction to a temporary file method has several disadvantages:

  • Special permissions, such as suid, are ignored.
  • argv[0] will not be meaningful.
  • Multiple running instances of the executable are unable to share common segments.

Unmodified UPX packing is often detected and unpacked by antivirus software scanners. UPX also has a built-in feature for unpacking unmodified executables packed with itself. The default license for the existing stubs explicitly forbids modifications that prevent manual unpacking. Most antivirus products will raise an alarm when a UPX header is detected.

Supported formats

  • ARM/PE
  • Atari/TOS
  • *BSD/i386
  • DJGPP2/COFF
  • DOS/COM (including some binary images)
  • DOS/EXE
  • DOS/SYS
  • Linux/i386 a.out
  • Linux/ELF on i386, x86-64, ARM, PowerPC
  • Linux/kernel on i386, x86-64 and ARM
  • Mach-O/ppc32, Mach-O/i386 (even produced by Google Go since 3.09)
  • rtm32/PE (as generated by Borland C/Pascal compilers)
  • tmt/adam (as generated by the TMT Pascal compiler)
  • PlayStation1/EXE
  • Watcom/LE (DOS4G, PMODE/W, DOS32A and CauseWay)
  • Windows/PE EXE files containing native x86 (32-Bit) code
  • Windows/PE EXE files containing native AMD64 (64-bit) code – still experimental

UPX does not currently support PE files containing CIL code intended to run on the .NET Framework.
