UCL has been designed to be simple enough that a decompressor can be implemented in just a few hundred bytes of code. UCL requires no additional memory to be allocated for decompression, a considerable advantage that means that a UPX packed executable requires no additional memory.
UPX (3.0) can use LZMA on 32/64-bit platforms.
The in-place technique, which decompresses the executable into memory, is not possible on all supported platforms. The rest use extraction to temporary file. This procedure involves additional overhead and other disadvantages; however, it allows any executable file format to be packed. The executable is extracted to a temporary location, and then
open() is used to obtain a file descriptor.
Once a file descriptor is obtained, the temporary file can be
unlink()ed, the stub then uses
execve() on the file handle (via
/proc) to overwrite the stub with the executable image of the temporary file.
The extraction to temporary file method has several disadvantages:
Unmodified UPX packing is often detected and unpacked by anti-virus scanners. UPX also has a built-in feature for unpacking unmodified executables packed with itself.