Is there a way to identify UPX'd exe files?

grannyGeek
Posts: 218
Joined: Mon Mar 26, 2007 10:54 pm

#1 Post by grannyGeek » Tue Sep 18, 2007 11:22 pm

Kind of an odd question I know, but ---

I know some developers pack their files to optimize file size.

I just stubbed my toes on something while using JauntePE, and am hoping someone can tell me a way to identify files that have been packed with UPX or other exe "packers".

thanks in advance for any input.

grannyGeek
Antique Newb

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

#2 Post by m^(2) » Wed Sep 19, 2007 1:36 am

Google PEiD.

M@tty
Posts: 192
Joined: Wed May 02, 2007 9:32 am

#3 Post by M@tty » Wed Sep 19, 2007 1:36 am

Try to use Universal Extractor, it will tell you it can not be extracted but ask if you would like to unpack it.

Alternatively, try to unpack it using UPX (or one of the GUIs for it) directly, and see if it throws an error or not.

EDIT: Or as m^(2) said (1 second post time difference :P), PEiD. This is actually the tool that Universal Extractor uses to determine the type of executable, but Universal Extractor does the work for you. Your choice really.

grannyGeek
Posts: 218
Joined: Mon Mar 26, 2007 10:54 pm

#4 Post by grannyGeek » Wed Sep 19, 2007 2:46 am

thanks, guys.
that will get me back on the right track.

zikarus
Posts: 37
Joined: Thu Jul 19, 2007 4:17 am

#5 Post by zikarus » Wed Sep 19, 2007 6:47 am

In addition to what has already been said:

Or you may simply try to UPX a file - if it does not change in size it most likely has been UPXed before (or cannot be UPXed):-)

M@tty
Posts: 192
Joined: Wed May 02, 2007 9:32 am

#6 Post by M@tty » Wed Sep 19, 2007 7:42 am

zikarus wrote: Or you may simply try to UPX a file - if it does not change in size it most likely has been UPXed before (or cannot be UPXed):-)
Trying to unpack it using UPX is a more surefire hit than this, as it removes the "Cannot be UPXed" possibility - such as Thinstall'ed executables.

redllar
Posts: 411
Joined: Thu Aug 03, 2006 7:52 pm

#7 Post by redllar » Wed Sep 19, 2007 8:48 am

Two truly-geeky ways:

1) Open the executable with a hex editor, e.g. PSPad, scroll down a few lines, and you'll see UPX0 and UPX1 if it's upx'd, otherwise not.

2) Use a text extracting filter on the command line and then grep for 'UPX'.
