upx.doc

Cracker终结者——提供最优秀的软件保护技术

    First of all, it is recommended to use UPX *instead* of strip.
    strip has the very bad habit of replacing your stub with its own
    (outdated) version. Additionally UPX corrects a bug/feature in
    strip v2.8.x: it will fix the 4 KByte aligment of the stub.

    UPX includes the full functionality of stubify. This means it
    will automatically stubify your COFF files. Use the option --
    coff to disable this behaviour (see below).

    UPX automatically handles Allegro packfiles.

    The DLM format (a rather exotic shared library extension) is not
    supported.

    Packed programs will be byte-identical to the original after
    uncompression. All debug information and trailing garbage will
    be stripped, though.

    BTW, UPX is the successor of the DJP executable packer.

    Extra options available for this executable format:

      --coff              Produce COFF output instead of EXE. By default
                          UPX keeps your current stub.

  NOTES FOR LINUX/i386

    How it works:

      Because Linux is a real operating system, the in-place in-memory
      decompression scheme used in the other executable formats doesn't
      work here.

      Instead we must use temporary decompression to disk. Interestingly -
      because of the good memory management of the Linux kernel - this
      often does not introduce a noticable delay, and in fact there
      will be no disk access at all if you have enough free memory as
      the entire process takes places within the filesystem buffers.

      A compressed executable consists of the UPX stub and an overlay
      which contains the original program in a compressed form.

      The UPX stub is a statically linked ELF executable and does
      the following at program startup:

        1) decompress the overlay to a temporary location in /tmp
        2) open the temporary file for reading
        3) try to delete the temporary file and start (execve)
           the uncompressed program in /tmp using /proc/<pid>/fd/X as
           attained by step 2)
        4) if that fails, fork off a subprocess to clean up and
           start the program in /tmp in the meantime

      The UPX stub is about 1700 bytes long, partly written in assembler
      and only uses kernel syscalls. It is not linked against any libc.

    Benefits:

      - UPX can compress all executables, be it AOUT, ELF, libc4, libc5,
        libc6, Shell/Perl/Python/... scripts, standalone Java .class
        binaries, or whatever...
        All scripts and programs will work just as before.

      - Compressed programs are completely self-contained. No need for
        any external program.

      - UPX keeps your original program untouched. This means that
        after decompression you will have a byte-identical version,
        and you can use UPX as a file compressor just like gzip.
        [ Note that UPX maintains a checksum of the file internally,
          so it is indeed a reliable alternative. ]

      - As the stub only uses syscalls and isn't linked against libc it
        should run under any Linux configuration that can run ELF
        binaries and has working /proc support.

      - For the same reason compressed executables should run under
        FreeBSD and other systems which can run Linux binaries.
        [ Please send feedback on this topic ]

    Drawbacks:

      - You need additional free disk space for the uncompressed program
        in your /tmp directory. This program is deleted immediately after
        decompression, but you still need it for the full execution time
        of the program.

      - You must have /proc filesystem support as the stub wants to open
        /proc/<pid>/exe and needs /proc/<pid>/fd/X. This also means that you
        cannot compress programs that are used during the boot sequence
        before /proc is mounted.

      - `ldd' and `size' won't show anything useful because all they
        see is the statically linked stub (since version 0.82 the section
        headers are stripped from the UPX stub and `size' doesn't even
        recognize the file format any longer - looks like a binutils bug).

      - Utilities like `top' will display numerical values in the process
        name field. This is because Linux computes the process name from
        the first argument of the last execve syscall (which is typically
        something like /proc/<pid>/fd/3).

      - To reduce memory requirements during uncompression UPX splits the
        original file into blocks, so the compression ratio is a little bit
        worse than with the other executable formats (but still quite nice).
        [ Advise from kernel experts which can tell me more about the
          execve memory semantics is welcome. Maybe this shortcoming
          could be removed. ]

      - Because of temporary decompression to disk the decompression speed
        is not as fast as with the other executable formats. Still, I can see
        no noticable delay when starting programs like my ~3 MB emacs (which
        is less than 1 MB when compressed :-).

    Notes:

      - As UPX leaves your original program untouched it is advantageous
        to strip it before compression.

      - It is not advisable to compress programs which usually have many
        instances running (like `make') because the common segments of
        compressed programs won't be shared any longer between different
        processes.

      - If you compress a script you will lose platform independence -
        this could be a problem if you are using NFS mounted disks.

      - Compression of suid, guid and sticky-bit programs is rejected
        because of possible security implications.

      - For the same reason there is no sense in making any compressed
        program suid.

      - Obviously UPX won't work with executables that want to read data
        from themselves. E.g., this might be a problem for Perl scripts
        which access their __DATA__ lines.

      - In case of internal errors the stub will abort with exitcode 127.
        Typical reasons for this to happen are that the program has somehow
        been modified after compression, you have run out of disk space
        or your /proc filesystem is not yet mounted.
        Running `strace -o strace.log compressed_exe' will tell you more.

    Extra options available for this executable format:

      (none)

  NOTES FOR RTM32/PE

    Same as win32/pe.

  NOTES FOR TMT/ADAM

    This format is used by the TMT Pascal compiler - see
    http://www.tmt.com/ .

    Extra options available for this executable format:

      (none)

  NOTES FOR WATCOM/LE

    UPX has been successfully tested with the following extenders:
    DOS4G, DOS4GW, PMODE/W, DOS32a, CauseWay. The WDOS/X extender is
    partly supported (for details see the file bugs BUGS).

    Yes, you can use your compressed executables with DOS4GW.

    The LX format is not yet supported.

    DLLs are not supported.

    Extra options available for this executable format:

      --le                Produce an unbound LE output instead of
                          keeping the current stub.

  NOTES FOR WIN32/PE

    The PE support in UPX is quite stable now, but definitely there
    are still some incompabilities with some files.

    Because of the way UPX (and other packers for this format)
    works, you can see increased memory usage of your compressed
    files. If you start several instances of huge compressed
    programs you're wasting memory because the common segements of
    the program won't get shared across the instances. On the other
    hand if you're compressing only smaller programs, or running
    only one instance of larger programs, then this penalty is
    smaller, but it's still there.

    If you're running executables from network, then compressed
    programs will load faster, and require less bandwidth during
    execution.

    DLLs are supported.

    Extra options available for this executable format:

     --compress-exports=0 Don't compress the export section.
                          Use this if you plan to run the compressed
                          program under Wine.
     --compress-exports=1 Compress the export section. [DEFAULT]
                          Compression of the export section can improve the
                          compression ratio quite a bit but may not work
                          with all programs (like winword.exe).
                          UPX never compresses the export section of a DLL
                          regardless of this option.

      --compress-icons=0  Don't compress any icons.
      --compress-icons=1  Compress all but the first icon.
      --compress-icons=2  Compress all icons which are not in the
                          first icon directory. [DEFAULT]

      --compress-resources=0  Don't compress any resources at all.

      --force             Force compression even when there is an
                          unexpected value in a header field.
                          Use with care.

      --strip-relocs=0    Don't strip relocation records.
      --strip-relocs=1    Strip relocation records. [DEFAULT]
                          This option only works on executables with base
                          address greater or equal to 0x400000. Usually the
                          compressed files becomes smaller, but some files
                          may become larger. Note that the resulting file will
                          not work under Win32s.
                          UPX never strips relocations from a DLL
                          regardless of this option.

DIAGNOSTICS
    Exit status is normally 0; if an error occurs, exit status is 1.
    If a warning occurs, exit status is 2.

    UPX's diagnostics are intended to be self-explanatory.

BUGS
    Please report all bugs immediately to the authors.

AUTHORS
     Markus F.X.J. Oberhumer <markus.oberhumer@jk.uni-linz.ac.at>
     http://wildsau.idv.uni-linz.ac.at/mfx/upx.html

     Laszlo Molnar <ml1050@cdata.tvnet.hu>
     http://www.nexus.hu/upx

COPYRIGHT
    Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
    Copyright (C) 1996-2000 Laszlo Molnar

    This program may be used freely, and you are welcome to
    redistribute it under certain conditions.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the UPX
    License Agreement for more details.

    You should have received a copy of the UPX License Agreement
    along with this program; see the file LICENSE. If not, visit the
    UPX home page.