Compression of executable program files

from Wikipedia, the free encyclopedia

Executable compression refers to compressing the program data of an executable file and combining the compressed data with a decompression routine into a single executable file. At runtime, the decompression routine automatically expands the compressed data back to its original size in main memory, and the original program data is then executed. Compressed executable program files are also known as packed program files.

Goals

The goals of compressing executable files are to reduce file sizes, for instance to fit within the distribution medium (e.g. a floppy disk), and usually to achieve shorter start times if the decompression takes place in memory. For some program authors, compressing executable files is about making reverse engineering more difficult by preventing direct disassembly, hiding strings, and changing signatures. In the case of malware, the goal is often to evade detection by antivirus programs. The compression of executable program files is usually combined with other methods of obfuscation, such as encryption. However, packed programs without further obfuscation mechanisms are often recognized as such by antivirus programs, unpacked and checked. Some older antivirus programs classify packed program files as malware across the board.

For a lay user, a packed program file is hardly distinguishable from its unpacked original at runtime. As a rule, packed files are loaded straight into main memory when started and do not require any free space in the file system. Depending on the properties of the operating system (especially support for the NX bit), it is sometimes necessary for the unpacking routine to create temporary program files on the storage medium, which are then started. During execution, the original program file is automatically extracted and control is then transferred to it. With some packers, such as UPX with the UCL algorithm, the packed program files do not require more main memory than the unpacked program, even at runtime.
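The behaviour described above, as an added example that is not part of the original article: a minimal packer stand-in (zlib replaces a real packer's algorithm such as UCL), the in-memory decompression step, and the two checks a scanner applies to a suspected packed file, namely an entropy heuristic and scanning for a known string only after unpacking. The stub marker, the signature string and the "program" bytes are constructed for the example.

```python
"""Added example: a packer stand-in plus the two checks a scanner applies.
zlib stands in for a real packer's algorithm (e.g. UCL in UPX)."""
import math
import zlib
from collections import Counter

MAGIC = b"PACKED\x00"                  # constructed stub marker, not a real header
SIG = b"CONSTRUCTED_SIGNATURE_STRING"  # constructed string a scanner would look for

def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Common scanner heuristic: compressed or encrypted payloads sit near
    8 bits/byte, while ordinary code, tables and text stay well below."""
    return shannon_entropy(data) >= threshold

def pack(program: bytes) -> bytes:
    """Stand-in for the packer: stub marker followed by the compressed program."""
    return MAGIC + zlib.compress(program, 9)

def unpack(packed: bytes) -> bytes:
    """Stand-in for the decompression routine run at load time; a scanner
    does the same before checking the recovered image."""
    if not packed.startswith(MAGIC):
        raise ValueError("not a packed image")
    return zlib.decompress(packed[len(MAGIC):])

def sample_program(n: int = 20000, seed: int = 1) -> bytes:
    """Constructed 'unpacked program': LCG-driven bytes over a 64-symbol
    alphabet (about 6 bits/byte), with SIG embedded in clear text."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append(0x20 + ((x >> 16) & 0x3F))
    return bytes(out) + SIG

if __name__ == "__main__":
    orig = sample_program()
    packed = pack(orig)
    print(f"original: {len(orig)} bytes, {shannon_entropy(orig):.2f} bits/byte")
    print(f"packed:   {len(packed)} bytes, {shannon_entropy(packed):.2f} bits/byte")
    print("signature in packed file:    ", SIG in packed)          # False
    print("signature after unpacking:   ", SIG in unpack(packed))  # True
```

The packed image is smaller and scores near 8 bits/byte, while the plain-text signature only becomes visible again after the decompression step, which is why scanners unpack before checking.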

A packed program file requires less storage space on the storage medium and less time to be loaded over the network and transferred to main memory, but additional time to unpack the program data before it is executed. Given the speed of today's processors and the correspondingly fast decompression, the advantages of the smaller file size usually outweigh the disadvantages. The use of packed program files is nevertheless declining, as the file-size advantage matters less with today's increasing storage capacities and faster networks.

Self-extracting archives are a special case of packed executable files. Here too, the packed files are not extracted onto the storage medium by an external decompression program, but internally by the extraction routine placed in front of them. The goal of compression is usually to bundle an installation package, consisting of several files that are not necessarily executable, into a compact form. The unpacking process and the transfer of control to a setup program from the installation package are often visible to the user.

Binders (wrapper programs) are another special case. These are application programs that compress several executable program files and combine them into one executable file. When this file is started, the program files it contains are unpacked at runtime and can be executed simultaneously. Binders are often used to combine user programs with malware so that when the user program is started, the malicious program is launched unnoticed as well.

Extreme examples of self-extracting program files can be found in the demo scene. Some compressors, such as MuCruncher, kkrunchy and 624, are designed for demos with a size limit (on the order of a few kilobytes). These compressors are so specialized that they are unusable for much larger files because of their compression time and memory consumption.

See also