I have a problem compressing my MASM projects with UPX. About 80% give me "NotCompressibleException"...
What I'm using:
Windows Vista SP1 (x64)
Microsoft (R) Macro Assembler Version 6.14.8444
Microsoft (R) Incremental Linker Version 5.12.8078
UPX 3.03w
How I'm using it:
c:\masm32\bin\ml /c /coff /Cp /Ic:\masm32\include Project.asm
c:\masm32\bin\Link /SUBSYSTEM:CONSOLE /LIBPATH:c:\masm32\lib Project.obj
c:\upx\upx Project.exe
Quote
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2008
UPX 3.03w Markus Oberhumer, Laszlo Molnar & John Reiser Apr 27th 2008
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: Project1.exe: NotCompressibleException
Packed 1 file: 0 ok, 1 error.
Same with "-f" or "--force" ... any ideas?
Unless UPX has improved a lot recently, I would advise that you use PECompact instead. It is DEP safe and over a minimum threshold delivers very good results once the exe gets above about 10k.
Mmm, seems that files under 4k can't be compressed with UPX.
Compressing a 2.560 bytes file with pecompact grows to 4.608 bytes :lol
Anyways the license for freeware uses says:
"Compressed applications may be distributed freely as long as they are done so without any form of compensation"
I think this includes "donations" (via paypal, etc) :(
Is there any link option to round up the size to 4.096 bytes ?
I dumped UPX years ago because of its sh*tty licence, it is finally an exe compressor and that does not buy its author the right to dictate to its users how they will use their programs. PE compact is a much better proposition without the restrictions.
As far as a minimum size that can be compressed, the size is dictated by the decompression stub size which must be there to decompress the exe into a runnable form. When you get under a certain size the exe grows larger as it holds the decompression stub but the ratio of compression cannot make up the stub size difference.
The license is from PECompact:
http://www.bitsum.com/pecompact_purchase.php
Maybe I can use Pelle's linker, Polink:
\masm32\bin\polink /SUBSYSTEM:WINDOWS /MERGE:.data=.text Test.obj
I only want to compress to prevent non-technical people from changing the copyright with a hex editor or something like that ;)
Quote
I only want to compress to prevent non-technical people from changing the copyright with a hex editor or something like that ;)
Ha ha ha...
How do "non technical" people use a hex editor to change a binary file?
Non technical people I saw are unaware that files even exist, they think there are 4 icons you have to click: Messenger, Internet, Word, and Excel.
Besides, UPX itself does unpack UPX-packed files ;)
At least PECompact does not unpack its own packed files.
You are way better off using your own simple XOR encryption for that task. Write a program that will XOR your strings area with a constant key after your executable is built. At runtime the first action would be to again XOR that strings area with the very same constant key and you are done.
Of course this is very easy to bypass... but not by "non technical" people ;)
I think there is a line between people who can use a hex editor and people who know how to manually unpack/debug/disasm a file.
As you may know, with a very simple modification in the packed file you can make UPX unable to unpack its own packed files ;) Of course you can restore the modified bytes... but again... the non-technical people ;)
I don't try to hide anything bad; I can write my own encryptor with an easy algorithm like TEA plus 3 or 4 antidebug/disasm/emulation tricks if I want to. It will protect the "bad" program from AVs at least until they get a sample and update their engines to decrypt it. And, of course, I won't care about the licenses ...
As I said, I only want to "obfuscate" my projects a little... so I'm not looking for a protector but a compressor.
I find other freeware packers like: npack, mpress ...
Take a look at this from the MPRESS packer:
Quote
[5] Why MPRESS does not have decompression option?
...
Most people are using packers not only to compress the application, but to protect their properties against decompilation and reverse engineering.
...
[6] Can MPRESS protect my program against crackers?
A. MPRESS is not an envelope-protector, it is only a packer. But MPRESS is a good defense against non-professional hackers or reverse engineers.
non professional !! ;)
Just tried that mpress packer and I'm really not mpressed.
It's as easy to manually unpack as ... upx. Also the compression isn't good enough for my taste (I prefer upack for the absolutely ultimate compression)
My exes compress nicely with upx 3.03. I use latest polink.
And my upx batch-options are aggressive : -i --ultra-brute --compress-icons=1 --compress-exports=0 --overlay=strip
I've had difficulty with UPX also.
I suggest, write your own PE compressor. Use Jeremy Collake's compression lib or something else (the more obscure, the better.) XOR each compressed byte with digits of PI or something (so it can't be brute-decompressed.) If you're really worried about someone debugging to bypass the packer, throw an IsDebuggerPresent routine in the middle of the decompression algorithm. If being debugged, alter the algorithm in a way which subtly alters the output... :bdg
Of course, the better a mousetrap someone builds, the harder the mice of the world plot and scheme to get to the cheese... I hear they are using night-vision goggles and virtual holographic projections these days...
IsDebuggerPresent for anti-cracking ??
What is this, 1999 ? :cheekygreen: :cheekygreen: :cheekygreen:
Seriously, best solution is not to keep the strings in plain format, just xor them. Also pack with rlpack free edition with modest options and stop wasting any more of your time on this, it's a lose/lose situation :toothy
EDIT : http://rlpack.jezgra.net/download.html
Hello !
UPXG (UPX Graphical) by Dirk Paehl can scramble your application. ;)
The scrambled app can't be unpacked !
My settings are:
- Reduce exe before compression
- Force compression of suspicious files
- UPX scramble
- Compression level: ultra-brutal
and under Options:
- Compress resources
- Create backup copy
- Strip relocations
- Compress exports
- Force compression
If your exe is smaller than ~16 kB, then you cannot pack your app with UPX.
...
I'm using masm with RadAsm for writing asm-apps.
My project settings are for example:
Assemble: 3,O,$B\ML.EXE /c /coff /Cp /Gz /nologo /Sa /Sc /Sf /W2 /Zi /I"$I",2
Link: 5,O,$B\polink /SUBSYSTEM:WINDOWS /MACHINE:x86 /RELEASE /VERSION:5.1 /LIBPATH:"$L" /OUT:"$5",3,4
ASM-module: *.obj,O,$B\ML.EXE /c /coff /Cp /Gz /nologo /Sa /Sc /Sf /I"$I",*.asm
UPX packs applications very well. So well that the packed exe has the same size as an exe packed with "kkrunchy" from farbrausch (http://www.farbrausch.de/~fg/kkrunchy/).
But I don't know if "kkrunchy" scrambles the exe.
My-app without special settings linked: 289 kB
My-app with masm link and the switches above: 282 kB
My-app with polink and the switches above: 280 kB
My-app UPX-packed and scrambled: 69 kB
My-app kkrunchy-packed: 69 kB
Don't use /Merge:.text=.data ... etc. -> Your app will be recognized as a virus by AntiVir, like HEUR/Crypted !!!
Your exe may be 2 kB smaller with merging, but after packing it has the same size as the unmerged one, and your AntiVirus app will force you to wipe or quarantine the app !
cul8'er.
@ FairLight
Just tested that upxg. Yeah, upx can't decompress a scrambled upx exe, but manual unpacking again took me 15 seconds.
And don't be impressed with the compression, winupack compresses a lot better than upx.
@BlackVortex: You are right !
Just tested WinUpack 0.39final and my exe is only 66 kB. ;)
But how can you unpack an upx-packed&scrambled file ?
Quote from: FairLight on September 03, 2008, 10:54:06 PM
@BlackVortex: You are right !
Just tested WinUpack 0.39final and my exe is only 66 kB. ;)
But how can you unpack an upx-packed&scrambled file ?
Err, manually, with a debugger etc. It's beside the point of this thread.
Winupack's compression is unmatched ! But some antiviruses fumble with it and throw "generic threats"
A simple xor encryption is a very good answer to your problem. You can also encode\decode the bytes so that the ASCII is not visible in a Hex Editor. A simple method is as follows:
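; Author: Jake Commander
; Copyright The GeneSys Development System
HexEncode proc uses edi esi ebx pBuff:dword,dwLen:dword,pOutBuff:dword
;---------------------------------------
; Writes two uppercase hex characters per input byte to pOutBuff, appends
; a terminating zero, and returns the number of characters written in eax.
    mov     ebx, dwLen                  ; ebx = bytes left to encode
    mov     edi, pOutBuff
    test    ebx, ebx
    mov     esi, pBuff
    jz      @F                          ; empty input: only write the terminator
    .repeat
        movzx   eax, byte ptr [esi]
        mov     ecx, eax
        add     edi, 2
        shr     ecx, 4
        and     eax, 1111b              ; eax = low nibble
        and     ecx, 1111b              ; ecx = high nibble
        cmp     eax, 10                 ; CF = 1 when the nibble is 0..9
        sbb     edx, edx                ; edx = -1 for 0..9, 0 for 10..15
        adc     eax, 0
        lea     eax, [eax+edx*8+'7']    ; 0..9 -> '0'..'9', 10..15 -> 'A'..'F'
        cmp     ecx, 10                 ; same conversion for the high nibble
        sbb     edx, edx
        adc     ecx, 0
        shl     eax, 8                  ; low-nibble character goes in the second byte
        lea     ecx, [ecx+edx*8+'7']
        or      eax, ecx                ; high-nibble character goes in the first byte
        inc     esi
        mov     [edi-2], ax             ; store both characters at once
        dec     ebx
    .until ZERO?
@@: mov     eax, edi
    mov     byte ptr [edi], 0           ; zero-terminate the hex string
    sub     eax, pOutBuff               ; eax = length of the hex string
    ret
;---------------------------------------
HexEncode endp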
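; Author: Jake Commander
; Copyright The GeneSys Development System
HexDecode proc uses esi edi ebx pHexStr:dword,pOutBuffer:dword
;---------------------------------------
; Decodes the hex string at pHexStr into pOutBuffer. Expects '0'..'9' and
; uppercase 'A'..'F'; stops at the first character below '0', such as the
; terminating zero.
    mov     esi, pHexStr
    mov     edi, pOutBuffer
    jmp     @1
@@: and     ebx, 0Fh                    ; ebx = low nibble
    add     eax, ebx                    ; combine with the high nibble in eax
    mov     [edi], al                   ; store the finished byte
    inc     edi
@1: movzx   edx, byte ptr[esi]          ; first character of the pair
    cmp     edx, 40h                    ; CF = 1 for characters below 40h (digits)
    sbb     ebx, ebx
    sub     edx, 37h
    and     ebx, 7                      ; digits get +7 so that '0' maps to 0
    inc     esi
    add     ebx, edx                    ; ebx = nibble value, negative below '0'
    js      @F                          ; end of string: done
    mov     eax, ebx
    shl     eax, 4                      ; eax = high nibble in bits 4..7
    mov     [edi], al
    movzx   edx, byte ptr [esi]         ; second character of the pair
    cmp     edx, 40h
    sbb     ebx, ebx
    sub     edx, 37h
    and     ebx, 7
    inc     esi
    add     ebx, edx
    jns     @B                          ; valid nibble: merge it and continue
@@: ret
;---------------------------------------
HexDecode endp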
You develop the encoded data block in a separate program, migrate it into yours and run HexDecode on it at the beginning of your program. Everything is done in situ because when you encode it, it is half the size so we just encode it and terminate it with a zero. So when a person looks at it with a hex editor, they see garbage, when you run your program, you get text. There is nothing secure about this but it prevents someone from very easily changing your name for instance. Doing anything more complicated will just make your program a fun target for the crackers so just do that to keep out the jerks.
If you need an example, I can provide one.
-- Paul
I just had a play with WinUpack and the results are impressive but I don't know if it will run on a hardware DEP enabled machine. (I had problems with older packers some time ago that the DEP enabled OS versions would just shut the app down as many of the older packers did not maintain the distinction between data and code.)
Has anyone tested it on a late OS version on hardware that supports DEP ?
I just tested it on my machine. I enabled DEP in boot.ini and rebooted, all seems to work fine. (on fully updated XP)
Note that some shitty antiviruses don't like it, upload something here to check some nice false alarms :
http://virusscan.jotti.org/
I know why it has problems with some of the crappy AV stuff, it starts with MZ but has no MZ header then starts the PE header at 10h. This will give the low end of heuristic scanning nightmares. :bg
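The header layout described in the last post (an MZ signature with the PE header starting at 10h, inside the space of the DOS header) can be recognised statically from the e_lfanew field. The following is an added example, not code from the thread or from any packer; the function names, the result labels and the constructed sample images are assumptions made for illustration.

```python
import struct

DOS_HEADER_SIZE = 0x40   # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C   # where the DOS header stores the PE header offset


def classify_pe_layout(data: bytes) -> str:
    """Classify where the PE header sits relative to the DOS header."""
    if len(data) < DOS_HEADER_SIZE:
        return "truncated"
    if data[:2] != b"MZ":
        return "not-mz"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 > len(data):
        return "bad-e_lfanew"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "no-pe-signature"
    # Common linkers leave the 64-byte DOS header intact, so the PE header
    # starts at 0x40 or later. A lower offset means the two headers share
    # bytes, which is the layout the post describes at 10h.
    if e_lfanew < DOS_HEADER_SIZE:
        return "overlapping-headers"
    return "conventional"


def make_sample(e_lfanew: int) -> bytes:
    """Constructed test image: MZ magic, e_lfanew and a PE signature only."""
    buf = bytearray(max(DOS_HEADER_SIZE, e_lfanew + 4))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    # Constructed inputs: a linker-style offset and the 10h offset from the post.
    for name, off in (("linker-style", 0x80), ("packed-style", 0x10)):
        result = classify_pe_layout(make_sample(off))
        print(f"{name}: e_lfanew={off:#x} -> {result}")
```

An overlapping layout is a structural anomaly rather than proof of anything malicious, which is why scanners that treat it as a verdict produce the false alarms mentioned above.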