gem.intro.hu

 

Demos

Executable Packing

Dropper

Dropper 2.0 documentation

CAB Dropping

CAB Dropper example

Executable Packing Methods

About Me

  

Dropper 2.0 documentation

This is the online version of the Dropper 2.0 documentation that is also included in the Dropper 2.0 zip archive.
4th August 2004

 

Dropper 2.0
Executable optimizer tool
(C) 1999-2004 by

Overview

Dropper is analyst and optimizer tool for Windows programs. It can handle the so-called 'PE executables', that is, EXE and DLL files made for Windows.

Optimization
Optimization is the removal of unnecessary data from the file and the modification of the program layout. The goal of this feature can be to reduce the size of the file, to make it compress better with executable compression tools or to make Windows load it faster.

Compression
Dropper can now also compress executables. Dropper's compression features are optimized for very small executables (typically a few kilobytes of size). Actually, compression at this file size is not a rational economizing with drive space or bandwidth, but is simply for technical curiosity. This feature is typically used for 4k intros (entries to tiny-executable competitions).

Analysis
Analysis means listing the details of header data, directories, segments, exports, imports, etc. Dropper has powerful analysis capabilities. In certain cases it can proceed where other tools, debuggers, disassemblers do not recognize the file structure. It can handle some uncommon but possible tweaks and it can often find and correct errors in the executable layout. Typical use of this feature: inspecting own programs, cracking third-party programs, virus analysis, analysis of Windows system DLLs.

New Features

This version of Dropper introduces two new concepts: CAB dropping and Headers-Sections Merging.

Cabinet Dropping is a technique that compresses the program into a MS Cabinet (.CAB) and depacks it runtime with a batch/command file. This allows a radically better compression for 4k intros than any other currently available solution.

Headers-Sections Merging: by exploiting a strange logic of the Windows XP executable loader, it is possible to completely merge headers and sections into one continuous block. This way there is no need for any space consuming padding, neither after the headers, nor between sections.

Another new addition to Dropper is the conversion to Ordinal Importing, which is a method supported by all Windows versions. This radically reduces the space occupied by functions imported from DLLs, at the cost of giving up OS independece.

Besides these new features, all previously existing options (analysis, header optimization, COM Dropping) have been improved. Steps have been taken to make the tool and the documentation more user-friendly (just a few steps, actually).

COM dropping

An example:

dropper.exe /c stuff.exe

Dropper will save your program as stuff.com. This file will function almost exactly as stuff.exe. But why is this good for you? Because an executable packer (eg. UPX or Apack) can compress this com much better than the original exe.

How does this work? This com is made up of two parts: firstly, a small DOS COM program called COM stub; secondly, it contains the whole exe file as binary data. When the com is started, the stub saves the exe to the hard drive and executes it. When the exe terminates, the stub deletes it and returns to the OS.

Notes:

  • COM dropping is supported by every Windows version, though you can usually make the file a few bytes smaller by giving up OS independence. You can choose the stub by typing the chosen number after /c.
  • The command line is not passed to your exe.
  • Your exe has to be small, at most 60-63 kilobytes.
  • A temporary file is written to the hard drive. You can choose the location of this file by typing the right number after /c. Note that if you start the intro from a cd, it can not write to the current directory, and the program might not have access to the drive c: in a network.

COM dropping is supported since the first version of Dropper; the recently added CAB dropping is better than COM dropping in most cases.

CAB dropping

An example:

dropper.exe /b stuff.exe

CAB dropping includes compression, so there is no need to use any external packer (UPX or Apack). Compression is done by the Microsoft Cabinet's LZX packer, which is a built in Windows feature, and this LZX compression is usually better than UPX or Apack. Generally, an intro gets smaller with CAB dropping than with COM dropping and post-packing with UPX or Apack.

Notes:

  • The CAB dropper works under Windows XP only.
  • The command line is not passed to your exe.
  • There is no limitation to the exe size; eg. it can contain several hundreds of kilobytes of data set to zero.
  • A temporary file is written to the hard drive. You can choose the location of this file by typing the right number after /b. Note that the program might not have access to the drive c: in a network. Output to the system temp directory needs the %tmp% environment variable defined (which is present by default on all Windows versions), and is a few bytes larger than saving to current directory.

Ordinal importing

Ordinal Importing is a method supported by all Windows versions. This radically reduces the space occupied by functions imported from DLLs, at the cost of giving up OS independece.

The regular Hint-Name importing means that every imported function is described by an ASCII string, eg. if you use MessageBox(), the string "MessageBoxA",0 is put to the exe. Ordinal imports contain only one number per function, eg. 477 for MessageBox(), because it is the 477th function in USER32.DLL. When Microsoft updates the DLL, some functions might be removed and some newer might be added, so the ordinal number can change. Eg. MessageBox() becomes the 410th and RegisterClass() becomes the 477th. In this case, your exe will mistakenly load RegisterClass() instead of MessageBox(). This incompatibility is a serious problem, use ordinal imports only in the last resort when you run out of space.

When converted to ordinal imports, your program will only work on the very same OS that you use. Even minor changes (eg. a newer DirectX version if your program uses DirectX) could make your program fail.

Tips on usage - 4k intros: competition and release versions

If you make a 4k intro, I recommend that you made two versions of your intro: a small competition version and compatible release version. If your goal is that other people would watch your intro, you should not forget the latter. I suggest that the release version be fully uncompressed, neither optimized by Dropper, nor packed with UPX, FSG, or any other tool. This might make a chance of survival for your work for several years of time. The competition version should be for Windows XP only (of course, make sure that the competition PC has XP, but this is most likely these days). Windows XP allows quite a few tricks for Dropper that other Windows versions do not. I don't think you should use ordinal importing, unless you have the chance to test your intro on the competition PC (if it does not work and you still need ordinal imports to fit in 4k, pack your intro with Dropper on the compo PC itself). As for the final format, I recommend that you don't use COM dropping anymore, CAB dropping (that is, BAT output) is better in several ways. The Assembly 2004 rules state that your intro should save temporary files to the system temp directory. It would have been too much overhead to comply to this rule with a COM dropper, but the overhead is acceptable with CAB dropping. Generally, the COM dropper post-packed with Apack or UPX makes larger files than the CAB dropper. The limitation of CAB dropping is that it is Windows XP only. This is not a problem if you include an OS independent release version.

Tips on usage - Removal of relocations is safe

Relocations are not required to execute a program anymore, not even in Windows 95. In case your linker still adds them, you can safely remove them. Now even Microsoft's own linker has fixed base address (no relocations included) by default.

Tips on usage - Add relocations for better optimization

Relocations contain information needed to completely change the layout of the program, thus making it smaller or more compressible. Adding relocations will certainly increase the original executable size of the program, but Dropper can completely remove them after using them.

How to force including relocations:

  • Visual C/C++ linker: /FIXED:NO command line option.
  • Visual Studio .NET: Projects >> [ProjectName] Properties >> Linker >> Advanced >> Fixed base address: Generate a relocation section

Again, relocations are not needed to run a program. The linker adds relocations, Dropper uses and removes them. Thus the final executable will not contain relocations, even though you force the linker to include them.

Tips on usage - About merging sections

Dropper can merge sections itself. You should better leave this task to Dropper, but below are a few guidelines if you decide to do it on your own.

If you force your compiler to merge the sections, you will see that the file size drops, since you get rid of one section alignment. However, if the imports section and the code section are merged together, Dropper is unable to rebuild the imports (even if relocations are present, they won't include information about how the code uses the imports). This might mean a loss of some bytes.

How to set options about merge sections:

  • Visual C/C++ linker: /MERGE command line option.
  • Visual Studio .NET: Projects >> [ProjectName] Properties >> Linker >> Advanced >> Merge Sections
  • merge code and imports: /MERGE:.text=.rdata (usually bad)
  • merge code and data: /MERGE:.text=.data (usually good)

To sum it up, it's better to leave this option blank if you use Dropper; but trying a different setting might decrease the final filesize in some cases.

Tips on usage - Notes on COM dropper

As described before, the point in COM dropping is to make your program compress better with an executable packer. The process will look like this:

dropper.exe /oc myintro.exe
upx.exe -9 myintro.com

Recommended packers:

About the packers:

  • Apack usually compresses better than UPX if the output file is around 4k or less. If it is larger, UPX wins.
  • Apack does not reset the registers to their standard values, that is why Apack is incompatible with Dropper in certain cases. If the com compressed with Apack fails, try UPX or another packer.
  • Don't use UPX 1.9x, it is unstable.

The com stub is the small program that saves the exe to the disk, starts it and deletes it after it has finished. You can choose from several com stubs (command line options /c?).

Option /c (eqivalent to /c1) is a rather small stub which is suitable for all Windows versions and can be executed from a CD, too. Use the others only if you must make the file a few bytes even smaller.

Win98 stubs: The main difference between Win98 stubs is that the standard stub (/c4) uses the root directory of drive c: as a temporary storage of the exe, while the other two (/c5 and /c6) use the current directory. The latter two are identical in operation but compress differently with different executable packers. (Dropper can't automatically choose the better of these two stubs, since you use an external packer). Alink tends to prefer the "small stub" (/c5), UPX slightly prefers the "alternative stub" (/c6).

Running incompatible COM dropper intros:

Saving the temporary exe to current directory might not be possible, eg. when the intro is ran from CD. However, current drive's current directory might differ from the place where the executable resides. So you can run it from your CD, too, you just have to start it from a writable drive. For example, your hard drive is "c:\", your CD drive is "d:\" and your intro is "d:\scene\intro.com". Then use this batch:

c:
d:\scene\intro.com

Saving to C: might fail in certain cases. Eg. access to that drive might be forbidden, or it might even happen that C: does not exist at all. In the latter case try

subst c: %tmp%
intro.com
subst c: /d

License

You can freely use and spread this program together with the included documentation in an unmodified form. There is no warranty whatsoever.

IMPORTANT -- PLEASE READ!

It is your task to thoroughly test your program modified by Dropper. Please test that the program works on all target operating systems of your choice (Windows 95, 98, NT, 2k, XP). Light optimizations (eg. relocations removal) are safe. However, if you choose to use a heavy compression/optimization feature (COM or BAT output, ordinal imports), please include a safe uncompressed version of your program along with the optimized version.

History

Dropper 2.0 - 08/2004

major update

  • option to completely rebuild the exe (Dropper works like a linker)
  • CAB dropping and CAB compression
  • option to merge headers and sections
  • conversion to ordinal importing
  • printing resources
  • minor fixes

Dropper 1.3 - 09/2003

updates

  • improved command line handling
  • relocation removal code bugfixed and improved
  • optimized stubs
  • improved WinXP compatibility
  • total: 40+ bytes decrease in size of compressed com

Dropper 1.2 - 08/2002

minor bugfixes

  • file alignment warning fix
  • directory warning changed
  • limited dll processing enabled (info only)
  • import address table optimization

Dropper 1.1 - 07/2002

complete rework. c++ / nasm

Dropper 1.0 - 04/1999

original version. tasm32

Contact

You can download the latest version of Dropper and related material from gem.intro.hu.

You can contact me at (Important: subject should be "Dropper"). Reports on bugs, compatibility issues, etc are welcome.

 

Release Date: 04th August 2004