UPX (Ultimate Packer for eXecutables)

Overview

UPX (Ultimate Packer for eXecutables) is a free, open-source executable packer and compressor that reduces the size of executable files and libraries. It supports a wide range of platforms including Windows PE files, Linux ELF binaries, macOS Mach-O files, and many others. UPX achieves compression ratios of 30-70% while preserving full functionality of the original executable. Security professionals use UPX for reverse engineering analysis, malware unpacking, and understanding executable compression techniques.

Note: UPX can be used to pack or unpack executables. Always ensure you have authorization to modify or analyze binaries.

Installation

Linux Installation

# Debian/Ubuntu
sudo apt-get update
sudo apt-get install upx

# From source
git clone https://github.com/upx/upx.git
cd upx
make
sudo make install

# Verify installation
upx --version

macOS Installation

# Homebrew
brew install upx

# Verify
upx --version

Windows Installation

# Download from official repository
https://github.com/upx/upx/releases

# Extract and add to PATH
# Or use via package manager
choco install upx

# Verify
upx --version

Build from Source

# Clone repository
git clone https://github.com/upx/upx.git
cd upx

# Install dependencies
sudo apt-get install build-essential libucl-dev

# Build
make
./upx --version

# Install
sudo make install

Basic Usage

Command	Description
upx file	Compress executable file
upx -d file	Decompress packed executable
upx -l file	List packed executable info
upx -t file	Test packed executable
upx --best file	Maximum compression
upx --brute file	Try all compression methods

Compression Operations

Basic Compression

# Compress executable (default settings)
upx program.exe
upx /bin/bash

# Compression output
# UPX 4.2.2 Copyright (C) 1996-2024
# File size        Ratio      Format      Name
# ----------       -----      ------      ----
# 2048000 ->  729000   35.6%   win32.pe   program.exe

# Verify compressed file
file program.exe

Advanced Compression Levels

# Fastest compression (least size reduction)
upx -1 program.exe

# Default compression (balanced)
upx -6 program.exe

# Maximum compression (slowest)
upx --best program.exe

# Extreme compression (test compatibility)
upx --best --extreme program.exe

Compression Methods

# Use brute force to find best method
upx --brute program.exe

# Test all compression levels
for level in 1 2 3 4 5 6 7 8 9; do
  upx -$level program.exe -o program_$level.exe
  ls -lh program_$level.exe
done

Decompression Operations

Unpacking Executables

# Decompress packed executable
upx -d program.exe -o program_unpacked.exe

# Verify decompression
file program_unpacked.exe
md5sum program.exe program_unpacked.exe

# Test unpacked executable
./program_unpacked.exe --version

In-Place Unpacking

# Create backup first
cp program.exe program.exe.bak

# Decompress in-place
upx -d program.exe

# Restore if needed
cp program.exe.bak program.exe

File Format Support

Windows Executables

# Pack Windows PE executable
upx program.exe

# Pack DLL library
upx library.dll

# Pack Windows 64-bit executable
upx --64 program64.exe

# Verify format
file program.exe

Linux ELF Binaries

# Compress Linux ELF binary
upx /usr/bin/bash
upx ./my_program

# Pack shared library
upx libc.so.6

# Verify ELF format
file /usr/bin/bash

macOS Mach-O Files

# Compress macOS executable
upx /Applications/MyApp.app/Contents/MacOS/MyApp

# Pack framework
upx MyFramework.framework/MyFramework

# Format verification
file /Applications/MyApp.app/Contents/MacOS/MyApp

Analysis and Inspection

Information Listing

# List packed executable information
upx -l program.exe

# Display detailed format info
upx -l -v program.exe

# Show all supported formats
upx --help-all

Compression Testing

# Test packed executable integrity
upx -t program.exe

# Test with verbose output
upx -t -v program.exe

# Create test report
upx -t program.exe > compression_test.txt

File Size Analysis

# Compare original vs compressed
ls -lh program.exe
upx program.exe
ls -lh program.exe

# Calculate compression ratio
original_size=2048000
compressed_size=729000
ratio=$((compressed_size * 100 / original_size))
echo "Compression: ${ratio}%"

# Batch size analysis
for file in *.exe; do
  size_before=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file")
  upx --quiet "$file"
  size_after=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file")
  ratio=$((size_after * 100 / size_before))
  echo "$file: ${ratio}%"
done

Advanced Options

Compression Tuning

# Ultra-aggressive compression
upx --best --extreme program.exe

# Optimize for memory (less stack/heap)
upx -9 program.exe

# Compress with best algorithm for format
upx --nrv2e program.exe  # NRV2E compression
upx --nrv2d program.exe  # NRV2D compression
upx --lzma program.exe   # LZMA compression

# Show available compressors
upx --help | grep -i compress

Output Control

# Verbose compression output
upx -v program.exe

# Super verbose (debugging)
upx -vv program.exe

# Quiet mode (minimal output)
upx --quiet program.exe

# Force output format
upx -o program_packed.exe program.exe

Malware Analysis Workflow

Unpacking Malware Samples

# Analyze packed malware (in isolated environment)
upx -t suspicious.exe

# Attempt unpacking
upx -d suspicious.exe -o suspicious_unpacked.exe

# Verify unpacking success
file suspicious_unpacked.exe
strings suspicious_unpacked.exe | head -20

Reverse Engineering Preparation

# Decompress for analysis
upx -d malware.exe -o malware_unpacked.exe

# Use with IDA Pro
# ida malware_unpacked.exe

# Use with Ghidra
# ghidra_analyzeHeadless . malware_unpacked.exe

# Use with radare2
radare2 malware_unpacked.exe

Batch Unpacking

#!/bin/bash
# Unpack multiple samples

SAMPLE_DIR="./samples"
OUTPUT_DIR="./unpacked"

mkdir -p "$OUTPUT_DIR"

for sample in "$SAMPLE_DIR"/*.exe; do
  if upx -t "$sample" > /dev/null 2>&1; then
    basename=$(basename "$sample")
    echo "Unpacking: $basename"
    upx -d "$sample" -o "$OUTPUT_DIR/$basename" -q
  fi
done

Binary Analysis

Size Optimization

# Find best compression for executable
upx --best program.exe

# Compare different methods
upx -1 program.exe -o test1.exe
upx -6 program.exe -o test6.exe
upx -9 program.exe -o test9.exe
ls -lh test*.exe

# Remove best compressed version
# Keep original for comparison

Compatibility Testing

# Test compressed executable on target
upx --best program.exe
./program.exe --version  # Verify functionality

# Performance comparison
time ./program_original.exe
time ./program.exe  # May be slower due to unpacking overhead

# Test across architectures
upx program_x86.exe
upx program_x64.exe

Debug Information Handling

# Strip debug info before compression
strip program.exe
upx program.exe

# Note: UPX preserves some debug information
# but may lose some symbols

# Compress with debug info
upx -v program.exe

Scripting and Automation

Batch Compression

#!/bin/bash
# Compress all executables in directory

for file in *.exe; do
  if [ -f "$file" ]; then
    echo "Compressing: $file"
    upx --best "$file"
    echo "Done."
  fi
done

Compression Report

#!/bin/bash
# Generate compression report

echo "=== UPX Compression Report ===" > compression_report.txt
echo "Date: $(date)" >> compression_report.txt
echo "" >> compression_report.txt

for file in *.exe *.elf; do
  if [ -f "$file" ]; then
    echo "File: $file" >> compression_report.txt
    upx -l "$file" >> compression_report.txt
    echo "" >> compression_report.txt
  fi
done

cat compression_report.txt

Automated Unpacking

#!/bin/bash
# Unpack all compressed files

for file in $1/*; do
  if [ -f "$file" ]; then
    if upx -t "$file" > /dev/null 2>&1; then
      echo "Unpacking: $file"
      upx -d "$file" --backup
    fi
  fi
done

Format-Specific Operations

Windows PE Specific

# Compress Windows executable
upx --best program.exe

# Preserve resources
upx program.exe -o compressed.exe

# Check for packed malware signature
upx -t -v malware.exe | grep "UPX"

# Compress console application
upx console_app.exe

# Compress GUI application
upx --best winapp.exe

Linux ELF Specific

# Compress dynamic linked binary
upx /usr/bin/ls

# Compress static linked binary
upx statically_linked_binary

# Handle position-independent code
upx pie_executable

# Compression limits for ELF
upx --best /bin/bash

Performance Considerations

Execution Overhead

# Original binary execution
time ./program_original > /dev/null

# Compressed binary execution
time ./program_compressed > /dev/null

# Note: First execution slower due to decompression
# Subsequent runs use decompressed memory image

Memory Usage

# Monitor memory during execution
/usr/bin/time -v ./program_original
/usr/bin/time -v ./program_compressed

# UPX adds decompression overhead
# Consider trade-off between size and performance

Troubleshooting

Compression Failures

# Check file format support
file program.exe
upx --help | grep "format"

# Diagnose compression issues
upx -vv program.exe

# Try different compression levels
upx -1 program.exe  # May work if -6 fails
upx --best program.exe  # Might fail

Decompression Errors

# Verify compressed file integrity
upx -t program.exe

# Force decompression with backup
upx -d -b program.exe  # Creates .bak file

# Check file format compatibility
file program.exe
hexdump -C program.exe | head -5

Platform-Specific Issues

# Windows: Handle file permissions
icacls program.exe /grant Everyone:F

# Linux: Handle permissions
chmod +x program.exe

# macOS: Code signing issues
codesign -s - program.exe  # Self-sign after unpacking

Security Considerations

Legitimate Uses

• Reducing distribution size
• Protecting intellectual property
• Optimizing embedded systems
• Malware analysis and research

Security Risks

• Packing can hide malicious code
• Compressed executables may trigger antivirus alerts
• Some enterprise policies forbid packed executables
• Performance overhead in resource-constrained environments

Legal and Ethical Use

UPX is a legitimate security tool for:

• Compressing legitimate applications for distribution
• Analyzing packed executables in controlled environments
• Reverse engineering for authorized security research
• Binary optimization for embedded systems

Always ensure:

• You own or have authorization to modify binaries
• Analysis is conducted in isolated environments
• Packed executables comply with enterprise security policies
• Licensed software licensing agreements are respected

Best Practices

Pre-Compression Verification

# Verify original executable functionality
./program.exe --version
./program.exe --help

# Create backup
cp program.exe program.exe.original

# Note file size
ls -lh program.exe

Post-Compression Testing

# Test compressed version
./program.exe --version

# Verify file integrity
md5sum program.exe.original
upx -t program.exe

# Performance validation
time ./program.exe.original > /dev/null
time ./program.exe > /dev/null

Documentation

# Record compression parameters
echo "Original: $(ls -lh program.exe.original)"
echo "Compressed: $(ls -lh program.exe)"
echo "Method: upx --best"
echo "Date: $(date)" > compression.log

# Archive uncompressed version
tar -czf program.tar.gz program.exe.original