Executable Packing Methods

This is a guide to executable packing on Windows, together with a selection of executable packing tools and related websites.

Recommended packers

The latest known version numbers in March 2006 are shown.

Large files (over 64kb)

UPX is the "industry standard" packer. The latest stable release of UPX is 1.25. UPX is a thoroughly tested tool and is also very fast in decompression. That is why UPX might be the best choice even if some other packers compress your file a bit more efficiently.

Tools

Notes

  • Don't use UPX 1.9x. It is not a stable release, but is public for testing purposes only.

Files around 64kb

MEW and Upack use LZMA. This compression algorithm is better than the UPX/NRV that was dominant for years.

Tools

Notes

  • Upack 0.39 is slightly more efficient than MEW 1.1, except for very small files (around 4kb).

Files around 4kb

  • Try Crinkler and MEW (i.e. look at "EXE around 4kb") for elegant and effective native EXE compression.
  • CAB Dropping might compress better than the native EXE (e.g. look at "BAT around 4kb").
  • If you are releasing a 4kb intro, always include an unpacked EXE version for compatibility. (Native EXE packers are the most compatible ones, but it is still not recommended to treat their output as unpacked. E.g. Crinkler files are for WinXP/Win2000 and are not recognized by Win98, Wine or possibly by future Windows versions.)

EXE around 4kb

It is possible to make a native Windows EXE of sizes around 4kb. This is generally more robust and compatible than COM/CAB dropping, but dropping (writing temporary EXE files to the hard drive) might be more efficient.

Tools

  • Crinkler 0.4 by Blueberry and Mentor
    http://www.crinkler.net/
    This linker/packer tool is designed for the 4kb range, uses context modelling for compression and is able to outperform CAB droppers.
  • MEW 1.1 SE 1.2 by Northfox
    http://northfox.uw.hu
    MEW 1.1 SE 1.2 by Northfox at SAC
    MEW 1.1 SE 1.2 by Northfox (own mirror)
    MEW is more efficient than Upack for small files (around 4kb).
  • 20to4 by Muhmac
    http://20to4.net
    20to4 has an option to make a native EXE file with contents packed with CAB. Currently it uses dropping (writing a temporary file to the disk) even though it is an EXE file. (Actually the cabinet.dll architecture would make it possible to avoid dropping in this case.)

BAT around 4kb

EXE to BAT conversion actually means that the EXE is packed into a standard Microsoft CAB archive (e.g. the files on the Windows install CD are also stored in CAB files) and a small BAT depacker is added to it. This batch file decodes the EXE to a temporary file on the hard disk and executes it.
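The layout described above (batch text followed by a CAB archive) can be recognised from the defender's side by locating the cabinet header inside the file. This is an added example, not code from Dropper, 20to4 or any tool on this page; the function names and the sample bytes are constructed for illustration, and the field layout follows the Microsoft Cabinet format (CFHEADER followed by CFFOLDER).

```python
import struct

# Low 4 bits of CFFOLDER.typeCompress select the algorithm.
CAB_COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}

def parse_cab_header(blob, off):
    """Parse CFHEADER and the first CFFOLDER at off; None if not a cabinet."""
    if len(blob) < off + 36:
        return None
    (_sig, _r1, cb_cabinet, _r2, _coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cab) = struct.unpack_from(
        "<4sIIIIIBBHHHHH", blob, off)
    if (ver_major, ver_minor) != (1, 3) or c_folders == 0:
        return None  # "MSCF" appeared by chance, e.g. inside the batch text
    cur = off + 36
    if flags & 0x0004:  # optional reserve area: 4 size bytes + header reserve
        if len(blob) < cur + 4:
            return None
        cur += 4 + struct.unpack_from("<H", blob, cur)[0]
    for bit in (0x0001, 0x0002):  # prev/next cabinet: two C strings each
        if flags & bit:
            for _ in range(2):
                end = blob.find(b"\0", cur)
                if end == -1:
                    return None
                cur = end + 1
    if len(blob) < cur + 8:
        return None
    _coff_start, _c_data, type_compress = struct.unpack_from("<IHH", blob, cur)
    return {"cab_size": cb_cabinet, "folders": c_folders, "files": c_files,
            "compression": CAB_COMPRESSION.get(type_compress & 0x0F, "unknown")}

def find_embedded_cab(blob):
    """Return (offset, info) for the first valid cabinet in blob, else None."""
    pos = blob.find(b"MSCF")
    while pos != -1:
        info = parse_cab_header(blob, pos)
        if info is not None:
            return pos, info
        pos = blob.find(b"MSCF", pos + 1)
    return None

# Constructed sample: batch text (with a decoy "MSCF") plus a bare CAB header.
STUB = b"@echo off\r\nrem MSCF constructed sample stub\r\n"
CAB_HEAD = (struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 44, 0, 44, 0,
                        3, 1, 1, 1, 0, 0x1234, 0)
            + struct.pack("<IHH", 44, 1, 0x1503))  # 0x1503: LZX, 21-bit window
SAMPLE = STUB + CAB_HEAD
```

A file with a script extension that yields a hit here carries an archive after its text, which is the structure a CAB dropper produces.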

Tools

Notes

  • 20to4 by Muhmac was meant to integrate Dropper 1.2. Muhmac did not have time to work on it when I received requests to update Dropper, so this is why I re-started development and Dropper 1.3 came out. Later on, Muhmac finished 20to4, now these are two different tools.
  • If you have the time and dedication, you can do CAB packing on your own. The CAB Dropper Example is a good starting point.
  • MSZIP might be more efficient than LZX to pack very small files (under 1-2kb) into a CAB

COM around 4kb

If you are making a Windows 4kb intro, don't use EXE to COM conversion anymore; use the more efficient EXE to BAT conversion instead. If you still decide to use COM, you should use an executable optimizer to make the EXE more compressible, convert the EXE to COM, and compress the COM with a packer. The first two steps can be done with Dropper, the last one with UPX or Apack.

Tools

Notes

  • Apack usually compresses better than UPX if the output file is around 4k or less. If it is larger, UPX wins.
  • Apack does not reset the registers to their standard values, that is why Apack is incompatible with Dropper in certain cases. If the COM compressed with Apack fails, try UPX or another packer.
  • Don't use UPX 1.9x. It is not a stable release, but is public for testing purposes only.

Algorithms

Compression

  • LZMA (7-zip.com), used by Upack, MEW
  • NRV (oberhumer.com), used by UPX
  • APLib (http://www.ibsensoftware.com), used by FSG, Apack
  • LZX is supported by Microsoft CAB. LZX was first introduced by the LZX packer on Amiga and later integrated into the Microsoft CAB format on PC Windows. LZX is the typical compression scheme of BAT files created by a CAB Dropper tool. CABSDK contains source code that uses the system DLLs for compression and decompression, cabextract is an open source CAB (LZX and MSZIP) depacker.
  • MSZIP is supported by Microsoft CAB. MSZIP compression is usually worse than LZX, except for very small files (1-2kb compressed).

Header optimization

Windows executables have very large headers containing information about the used DLLs, imported functions, etc. This is why even the best compression algorithm might not be enough unless it is combined with a method that shrinks the header data in addition to compressing the content. All tools like UPX, Ulink, etc. use some algorithm to shrink the headers.

To reach the best results, there is an option not to optimize the existing headers, but to build the headers and the file/memory layout from scratch. (Dropper 2.0 works as a linker internally.) The most efficient way is to create an optimizing linker: avoid the usage of a general linker (like the one that comes with Visual C++), and build the EXE file from ASM or OBJ files directly. The drawback is that the source or object files must be present, i.e. this method is not suitable for packing third-party executables.
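To see how much of a small executable is header data, the PE header fields can be read directly. This is an added example, not code from any packer named on this page; `header_overhead` and `build_sample` are hypothetical names, and the 4096-byte input is a constructed header skeleton rather than a real program.

```python
import struct

def header_overhead(pe: bytes) -> dict:
    """Report how much of a PE file is header data rather than content."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF file header follows the 4-byte PE signature.
    _machine, n_sections, _ts, _sym, _nsym, _opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # SizeOfHeaders sits at +60 in both PE32 and PE32+ optional headers.
    (size_of_headers,) = struct.unpack_from("<I", pe, opt + 60)
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 1 = imports.
    dirs = opt + (96 if magic == 0x10B else 112)
    _import_rva, import_size = struct.unpack_from("<II", pe, dirs + 8)
    return {
        "sections": n_sections,
        "size_of_headers": size_of_headers,
        "section_table_bytes": n_sections * 40,  # 40 bytes per section entry
        "import_dir_bytes": import_size,
        "header_share": round(size_of_headers / len(pe), 3),
    }

def build_sample() -> bytes:
    """Constructed 4096-byte PE32 skeleton (header fields only, not runnable)."""
    pe = bytearray(4096)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)            # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x84, 0x14C, 3, 0, 0, 0, 224, 0x010F)
    opt = 0x98
    struct.pack_into("<H", pe, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", pe, opt + 60, 0x400)       # SizeOfHeaders
    struct.pack_into("<II", pe, opt + 96 + 8, 0x2000, 60)  # import directory
    return bytes(pe)
```

On the constructed sample, a quarter of the 4096-byte file is taken by headers before any code or data is counted.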

Dropping

Dropping means writing a temporary EXE file to the hard drive. With COM and CAB dropping, the whole executable headers are packed as binary data. This is more efficient than just optimizing the headers. However, this approach has compatibility problems, so these methods have very limited usability.

  • COM dropping: used by Dropper, 20to4, BGDrop, UPAC
  • CAB dropping: used by Dropper, 20to4, BGDrop

Further Links