Is there a way to identify UPX'd exe files?

Message

grannyGeek · #1 Post by **grannyGeek** » Tue Sep 18, 2007 11:22 pm

Kind of an odd question I know, but ---

I know some developers pack their files to optimize file size.

I just stubbed my toes on something while using JauntePE, and am hoping someone can tell me a way to identify files that have been packed with UPX or other exe "packers".

thanks in advance for any input.

grannyGeek
Antique Newb

m^(2) · #2 Post by **m^(2)** » Wed Sep 19, 2007 1:36 am

Google peid.

M@tty · #3 Post by **M@tty** » Wed Sep 19, 2007 1:36 am

Try to use Universal Extractor, it will tell you it can not be extracted but ask if you would like to unpack it.

Alternatively, try to unpack it using UPX (or one of the GUIs for it) directly, and see if it throws an error or not.

EDIT: Or as m^(2) said (1 second post time difference

), PEID. This is actually the tool that universal extractor uses to determine the type of executable, but Universal Extractor does the work for you. Your choice really.

grannyGeek · #4 Post by **grannyGeek** » Wed Sep 19, 2007 2:46 am

thanks, guys.
that will get me back on the right track.

zikarus · #5 Post by **zikarus** » Wed Sep 19, 2007 6:47 am

In addition to what has already been said:

Or you may simply try to UPX a file - if it does not change in size it most likely has been UPXed before (or cannot be UPXed):-)

M@tty · #6 Post by **M@tty** » Wed Sep 19, 2007 7:42 am

zikarus wrote:Or you may simply try to UPX a file - if it does not change in size it most likely has been UPXed before (or cannot be UPXed):-)

Trying to unpack it using UPX is a more surefire hit than this, as it removes the "Cannot be UPXed" possibilty - such as Thinstall'ed executables.

redllar · #7 Post by **redllar** » Wed Sep 19, 2007 8:48 am

Two truly-geeky ways:

1) Open the executable with a hex editor, e.g. PSPad, scroll down a few lines, and you'll see UPX0 and UPX1 if it's upx'd, otherwise not.

2) Use a text extracting filter on the command line and then grep for 'UPX'.