A Python script to detect and/or remove UPX strings from packed binary executables with comprehensive logging and error handling.
- Detection: 28+ UPX strings/artifacts (magic bytes, section names, URLs, metadata, version strings)
- Smart Binary Detection: Automatically identifies binary files and skips text files to prevent corruption
- Obfuscation: Mixed padding strategies (valid x86-looking bytes, structured noise, true randomness)
- Backups: Auto backup folder, hashed filenames, comprehensive
operation.log, rollback-friendly - Logging: Optional file logging with debug information for better troubleshooting
- CLI: File/dir support,
--dry-run,--verbose,--log, built-in help
chmod +x noMoreUPX.py
sudo cp noMoreUPX.py /usr/local/bin/nomoreupx # optionalRequirements: Python 3.6+ (stdlib only)
# Single file
python3 noMoreUPX.py suspicious.exe
# Directory (recursive)
python3 noMoreUPX.py ./samples/
# Scan only (dry run)
python3 noMoreUPX.py target.bin --dry-run
# Verbose output
python3 noMoreUPX.py ./samples/ --verbose
# With debug logging
python3 noMoreUPX.py target.bin --log debug.log
# Combined options
python3 noMoreUPX.py ./samples/ --dry-run --verbose --log scan.logpositional arguments:
target File or directory to process
optional arguments:
-h, --help Show help message and exit
-d, --dry-run Scan for UPX patterns without modifying files
-v, --verbose Show detailed information during processing
-l, --log FILE Write debug log to specified file
- Detects common UPX markers (strings/sections/URLs/etc.)
- Creates backups in a timestamped folder (with hashed names + comprehensive log)
- Replaces detected markers with realistic, high-entropy padding (unique per hit)
- Logs all operations with detailed information for debugging
The tool automatically detects binary files by:
- Sampling the first 8KB of each file
- Checking for null bytes and binary indicators
- Analyzing ASCII printability ratios
- Preventing accidental modification of text files
Enable debug logging with the --log option:
python3 noMoreUPX.py ./samples/ --log operation_debug.logThis creates a detailed log file with:
- Timestamp information
- All operations performed
- Errors and warnings
- Debug messages for troubleshooting
The tool includes robust error handling for:
- Permission denied scenarios
- Out of memory conditions
- Corrupted files
- Interrupted operations
==============================================================
PROCESSING SUMMARY
==============================================================
Files processed: 15
Files modified: 3
UPX patterns found: 5
Total replacements: 8
Backup location: /path/to/backup_samples_20260122_143022
Operation log: /path/to/backup_samples_20260122_143022/operation.log
==============================================================
The operation.log file in the backup directory contains:
- Date and time of operation
- Target path processed
- Summary statistics
- Per-file details including patterns found and replacements made
- Error information for failed files
- Always run
--dry-runfirst and test on copies - Check
operation.loginside the backup directory for detailed results - Use
--logoption for debugging in case of issues - Large files (>100MB) are automatically skipped
- Backups are automatically created before modification
- v2.0 (Current) - Added logging, type hints, binary detection, enhanced error handling
- v1.0 - Initial release with core functionality
Educational use only. Use responsibly and only with proper authorization.
Author: Syn • Version: 2.0 (Improved) • Build: 2026-01-09