Executable Packing Methods
This a guide to executable packing on Windows
and a selection of executable packing tools and related websites.
Recommended packers
The latest known version numbers in March 2006 are shown.
Large files (over 64kb)
UPX is the "industry standard" packer. The latest stable release of UPX is
1.25. UPX is a thoroughly tested tool and is also very fast
in decompression. That is why UPX might be the best choice even if some other
packers compress your file a bit more efficiently.
Tools
Notes
- Don't use UPX 1.9x. It is not a stable release, but is public for testing purposes only.
Files around 64kb
MEW and Upack use LZMA. This compression algorithm is better than
the UPX/NRV that was dominant for years.
Tools
Notes
- Upack 0.39 is slightly more efficient than MEW 1.1, except for very small files (around 4kb).
Files around 4kb
- Try Crinkler and MEW (ie. look at "EXE around 4kb") for an elegant and effective native EXE compression
- CAB Dropping might compress better than the native EXE (eg. look at "BAT around 4kb")
- If you are releasing a 4kb intro, always include an unpacked EXE version for compatibility.
(Native EXE packers are the most compatible ones, but it is still not recommended to treat their output as unpacked. E.g. Crinkler files are for WinXP/Win2000 and are not recognized by Win98, Wine or possibly by future Windows versions.)
EXE around 4kb
It is possible to make a native Windows EXE of sizes around 4kb.
This is generally more robust and compatible than COM/CAB dropping, but
dropping (writing temporary EXE files to the hard drive) might be more efficient.
Tools
- Crinkler 0.4 by Blueberry and Mentor
http://www.crinkler.net/
This linker/packer tool is designed for the 4kb range, uses context modelling
for compression and is able to outperform CAB droppers.
- MEW 1.1 SE 1.2 by Northfox
http://northfox.uw.hu
MEW 1.1 SE 1.2 by Northfox at SAC
MEW 1.1 SE 1.2 by Northfox (own mirror)
MEW is more efficient than Upack for small files (around 4kb).
- 20to4 by Muhmac
http://20to4.net
20to4 has an option to make a native EXE file with contents packed with CAB. Currently
it uses dropping (writing a temporary file to the disk) even though it is an EXE file.
(Actually the cabinet.dll architecture would make it possible to avoid dropping in this case.)
BAT around 4kb
EXE to BAT conversion actually means that the EXE is packed into a standard
Microsoft CAB archive (eg. the files on the Windows install CD are also stored
in CAB files) and a small BAT depacker is added to it. This batch file decodes
the EXE to a temporary file on the hard disk and executes it.
Tools
Notes
- 20to4 by Muhmac was meant to integrate Dropper 1.2.
Muhmac did not have time to work on it when I received requests to update Dropper,
so this is why I re-started development and Dropper 1.3 came out.
Later on, Muhmac finished 20to4, now these are two different tools.
- If you have the time and dedication, you can do CAB packing on your own. The
CAB Dropper Example is a good starting point.
- MSZIP might be more efficient than LZX to pack very small files (under 1-2kb) into a CAB
COM around 4kb
If you are making a windows 4kb intro, don't use EXE to COM conversion anymore,
use the more efficient EXE to BAT conversion instead. If you still decide to use COM,
you should use an executable optimizer to make the EXE more compressible,
convert the EXE to COM, and compress the COM with a packer.
The first two steps can be done with
Dropper,
the last one with UPX or Apack.
Tools
Notes
- Apack usually compresses better than UPX if the output file is around 4k or less. If it is larger, UPX wins.
- Apack does not reset the registers to their standard values, that is why Apack is incompatible with Dropper in certain cases.
If the COM compressed with Apack fails, try UPX or another packer.
- Don't use UPX 1.9x. It is not a stable release, but is public for testing purposes only.
Algorithms
Compression
- LZMA 7-zip.com used by Upack, MEW
- NRV oberhumer.com used by UPX
- APLib http://www.ibsensoftware.com used by FSG, Apack
- LZX is supported by Microsoft CAB.
LZX was first introduced by the LZX packer on Amiga and later integrated into the Microsoft CAB format on PC Windows.
LZX is the typical compression scheme of BAT files created by a CAB Dropper tool.
CABSDK
contains source code that uses the system DLLs for compression and decompression,
cabextract
is an open source CAB (LZX and MSZIP) depacker.
- MSZIP is supported by Microsoft CAB. MSZIP compression
is usually worse than LZX, except for very small files (1-2kb compressed).
Header optimization
Windows executables have very large headers containing
information about the used DLLs, imported functions, etc.
This is why even the best compression algorithm might be less than enough, unless
combined with a method to shrink header data besides compressing the content.
All tools like UPX, Ulink, etc. use some algorithm to shrink the headers.
To reach the best results, there is an option not to optimize the existing headers,
but to build the headers and the file/memory layout from scratch. (Dropper 2.0
works as a linker internally.) The most efficient way is to create an optimizing
linker: avoid the usage of a general linker (like the one that comes with Visual C++),
and build the EXE file from ASM or OBJ files directly.
The drawback of this is that the source or object files are needed to be present,
ie. this method is not suitable for packing third-party executables.
Dropping
Dropping means writing a temporary EXE file to the hard drive.
With COM and CAB dropping, the whole executable headers are packed as binary data.
This is more efficient than just optimizing the headers.
There are compatibility problems with this approach so these algorithms have a very
limited usability.
- COM dropping: used by Dropper, 20to4, BGDrop, UPAC
- CAB dropping: used by Dropper, 20to4, BGDrop
Further Links
|