Yaakov Selkowitz writes:
>> Looking at the executable it seems that it is a very small (~66 kiB)
>> stub that then proceeds to load the rest of the file after having
>> started the runtime. The memory image seems simply bolted on (as an
>> overlay?), and gets removed when the executable is stripped.
UPX says it found an overlay and doesn't compress it.

> That sounds very similar to OCaml; if so, I would expect there to be
> some sort of magic number in the binary that can be used to identify
> this type of executable (just because file(1) doesn't know about it
> doesn't mean it doesn't exist). If we can pinpoint that, cygport can be
> patched to not strip them.

That string is likely a good initial bet:

000107b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 |...............c|
000107c0 6c 69 73 70 00 69 31 38 6e 00 73 79 73 63 61 6c |lisp.i18n.syscal|
000107d0 6c 73 00 00 00 00 00 b4 fc d7 e7 03 00 00 00 50 |ls.............P|

Or really, just check if the executable has an overlay and leave it
alone if so, like UPX does. No magic required.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
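
The overlay check suggested at the end of the message, as an added example (not code from this thread, from cygport or from UPX): a PE file carries an overlay when it extends past the last section's raw data and, for unstripped binaries, past the COFF symbol and string tables. The function names and the sample image are constructed for illustration.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Bytes in the file beyond everything the PE headers account for."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF file header follows the 4-byte signature.
    _, nsect, _, symptr, nsyms, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    sect_table = pe_off + 24 + opt_size
    end = sect_table + 40 * nsect                             # end of headers
    for i in range(nsect):
        # SizeOfRawData, PointerToRawData sit at offset 16 of each 40-byte entry.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if symptr:
        # Unstripped GNU binaries keep a COFF symbol table (18 bytes per entry)
        # plus a length-prefixed string table after the sections; not an overlay.
        strtab = symptr + 18 * nsyms
        (strlen,) = struct.unpack_from("<I", data, strtab) if strtab + 4 <= len(data) else (0,)
        end = max(end, strtab + strlen)
    return max(0, len(data) - end)

def safe_to_strip(data: bytes) -> bool:
    """Hypothetical policy hook: strip only when nothing is appended."""
    return pe_overlay_size(data) == 0

def build_sample_pe(overlay: bytes = b"", nsyms: int = 0) -> bytes:
    """Constructed test image (not loadable): headers, one section, optional symbols."""
    symtab = b"\0" * (18 * nsyms) + struct.pack("<I", 4) if nsyms else b""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0x400 if nsyms else 0, nsyms, 0xF0, 0x22)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + b"\0" * 0xF0 + sect).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + symtab + overlay

if __name__ == "__main__":
    for name, img in [("plain", build_sample_pe()),
                      ("unstripped", build_sample_pe(nsyms=3)),
                      ("with overlay", build_sample_pe(b"\0" * 4096, nsyms=3))]:
        print(f"{name}: overlay={pe_overlay_size(img)} strip={safe_to_strip(img)}")
```

An Authenticode signature is also stored past the last section, so this check would count a signed binary as having an overlay.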