{"id":13845810,"url":"https://github.com/unipacker/unipacker","last_synced_at":"2026-04-18T18:40:52.120Z","repository":{"id":44905834,"uuid":"169604732","full_name":"unipacker/unipacker","owner":"unipacker","description":"Automatic and platform-independent unpacker for Windows binaries based on emulation","archived":false,"fork":false,"pushed_at":"2025-08-18T16:24:51.000Z","size":9001,"stargazers_count":748,"open_issues_count":28,"forks_count":93,"subscribers_count":32,"default_branch":"master","last_synced_at":"2026-04-09T04:53:24.837Z","etag":null,"topics":["debugger","dumper","emulation","packers","pefile","python","reverse-engineering","security","unicorn-engine","unpacker","windows"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unipacker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-02-07T16:39:41.000Z","updated_at":"2026-04-07T03:57:22.000Z","dependencies_parsed_at":"2024-05-19T17:31:32.453Z","dependency_job_id":"00f9abb0-51e3-49b5-9f79-728e1219a273","html_url":"https://github.com/unipacker/unipacker","commit_stats":{"total_commits":202,"total_committers":9,"mean_commits":"22.444444444444443","dds":0.4752475247524752,"last_synced_commit":"93eb262962eb23603bc64872e168e86522ee20f0"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/unipacker/unipacker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unipacker%2Funipacker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unipacker%2Funipacker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unipacker%2Funipacker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unipacker%2Funipacker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unipacker","download_url":"https://codeload.github.com/unipacker/unipacker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unipacker%2Funipacker/sbom","scorecard":{"id":910095,"data":{"date":"2025-08-11","repo":{"name":"github.com/unipacker/unipacker","commit":"df8c7d241c18d7ec1d0619b1a98e876209a87dee"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.6,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":2,"reason":"Found 6/24 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":0,"reason":"binaries present in source code","details":["Warn: binary detected: Sample/ASPack/lbop20_aspack.exe:1","Warn: binary detected: Sample/FSG/Lab18-02.exe:1","Warn: binary detected: Sample/FSG/unpackme- FSG 1.31 - dulek.exe:1","Warn: binary detected: Sample/FSG/unpackme- FSG 1.33 - dulek.exe:1","Warn: binary detected: Sample/MEW/lbop20_MEW.exe:1","Warn: binary detected: Sample/MPRESS/UnPackMe32_MPRESS.exe:1","Warn: binary detected: Sample/MPRESS/lbop20_MPRESS.exe:1","Warn: binary detected: Sample/PECompact/lbop20_PECompact.exe:1","Warn: binary detected: Sample/PEtite/lbop20_PEtite.exe:1","Warn: binary detected: Sample/UPX/Lab18-01.exe:1","Warn: binary detected: Sample/UPX/lbop20_UPX.exe:1","Warn: binary detected: Sample/VMProtect/UnPackMe_VMProtect_1.53.exe:1","Warn: binary detected: Sample/YZPack/UnPackMe_YZPack_1.1.exe:1","Warn: binary detected: Sample/YZPack/YZpack2.0Unpackme.exe:1","Warn: binary detected: Tests/UnpackedSample/ASPack/unpacked_lbop20_aspack.exe:1","Warn: binary detected: Tests/UnpackedSample/FSG/unpacked_unpackme- FSG 1.31 - dulek.exe:1","Warn: binary detected: Tests/UnpackedSample/FSG/unpacked_unpackme- FSG 1.33 - dulek.exe:1","Warn: binary detected: Tests/UnpackedSample/MEW/unpacked_lbop20_MEW.exe:1","Warn: binary detected: Tests/UnpackedSample/MPRESS/unpacked_UnPackMe32_MPRESS.exe:1","Warn: binary detected: Tests/UnpackedSample/MPRESS/unpacked_lbop20_MPRESS.exe:1","Warn: binary detected: Tests/UnpackedSample/PEtite/unpacked_lbop20_PEtite.exe:1","Warn: binary detected: Tests/UnpackedSample/UPX/unpacked_lbop20_UPX.exe:1","Warn: binary detected: Tests/UnpackedSample/YZPack/unpacked_UnPackMe_YZPack_1.1.exe:1","Warn: binary detected: unipacker/DLLs/KernelBase.dll:1","Warn: binary detected: unipacker/DLLs/KernelBase.ldll:1","Warn: binary detected: unipacker/DLLs/kernel32.dll:1","Warn: binary detected: unipacker/DLLs/kernel32.ldll:1","Warn: binary detected: unipacker/DLLs/ntdll.dll:1","Warn: binary detected: unipacker/DLLs/ntdll.ldll:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 1.0.8 not signed: https://api.github.com/repos/unipacker/unipacker/releases/156718710","Warn: release artifact 1.0.7 not signed: https://api.github.com/repos/unipacker/unipacker/releases/139137986","Warn: release artifact 1.0.6 not signed: https://api.github.com/repos/unipacker/unipacker/releases/39762262","Warn: release artifact 1.0.5 not signed: https://api.github.com/repos/unipacker/unipacker/releases/39466951","Warn: release artifact 1.0.4 not signed: https://api.github.com/repos/unipacker/unipacker/releases/39367359","Warn: release artifact 1.0.8 does not have provenance: https://api.github.com/repos/unipacker/unipacker/releases/156718710","Warn: release artifact 1.0.7 does not have provenance: https://api.github.com/repos/unipacker/unipacker/releases/139137986","Warn: release artifact 1.0.6 does not have provenance: https://api.github.com/repos/unipacker/unipacker/releases/39762262","Warn: release artifact 1.0.5 does not have provenance: https://api.github.com/repos/unipacker/unipacker/releases/39466951","Warn: release artifact 1.0.4 does not have provenance: https://api.github.com/repos/unipacker/unipacker/releases/39367359"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:3.13.2 to alpine:3.13.2@sha256:a75afd8b57e7f34e4dad8d65e2c7ba2e1975c795ce1ee22fa34f8cf46f96a3be","Warn: pipCommand not pinned by hash: Dockerfile:7","Warn: pipCommand not pinned by hash: Dockerfile:8","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 13 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-24T18:48:08.240Z","repository_id":44905834,"created_at":"2025-08-24T18:48:08.241Z","updated_at":"2025-08-24T18:48:08.241Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31980775,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T17:30:12.329Z","status":"ssl_error","status_checked_at":"2026-04-18T17:29:59.069Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debugger","dumper","emulation","packers","pefile","python","reverse-engineering","security","unicorn-engine","unpacker","windows"],"created_at":"2024-08-04T17:03:36.847Z","updated_at":"2026-04-18T18:40:52.110Z","avatar_url":"https://github.com/unipacker.png","language":"Python","readme":"     _   _         __  _  __                    _\n    | | | |       / / (_) \\ \\                  | |\n    | | | |_ __  | |   _   | | _ __   __ _  ___| | _____ _ __\n    | | | | '_ \\/ /   | |   \\ \\ '_ \\ / _` |/ __| |/ / _ \\ '__|\n    | |_| | | | \\ \\   | |   / / |_) | (_| | (__|   \u003c  __/ |\n     \\___/|_| |_|| |  |_|  | || .__/ \\__,_|\\___|_|\\_\\___|_|\n                  \\_\\     /_/ | |\n                              |_|\n\n# Un{i}packer   [![PyPI: unipacker](https://badge.fury.io/py/unipacker.svg)](https://pypi.org/project/unipacker/) [![Docker Cloud Build Status](https://img.shields.io/docker/cloud/build/vfsrfs/unipacker.svg)](https://hub.docker.com/r/vfsrfs/unipacker) [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.4603157.svg)](https://doi.org/10.5281/zenodo.4603157)\n\n| | |\n|---|---|\n| Master  | [![Build Status](https://travis-ci.com/unipacker/unipacker.svg?branch=master)](https://travis-ci.com/github/unipacker/unipacker) |\n| Dev  | [![Build Status](https://travis-ci.com/unipacker/unipacker.svg?branch=dev)](https://travis-ci.com/github/unipacker/unipacker) |\n\n## Unpacking PE files using Unicorn Engine\n\nThe usage of runtime packers by malware authors is very common, as it is a technique that helps to hinder analysis.\nFurthermore, packers are a challenge for antivirus products, as they make it impossible to identify malware by signatures\nor hashes alone.\n\nIn order to be able to analyze a packed malware sample, it is often required to unpack the binary. Usually this means,\nthat the analyst will have to manually unpack the binary by using dynamic analysis techniques (Tools: OllyDbg, x64Dbg).\nThere are also some approaches for automatic unpacking, but they are all only available for Windows. Therefore when\ntargeting a packed Windows malware the analyst will require a Windows machine. The goal of our project is to enable\nplatform independent automatic unpacking by using emulation that yields runnable Windows binaries.\n\n## Fully supported packers\n\n- **[ASPack](http://www.aspack.com/)**: Advanced commercial packer with a high compression ratio\n- **[FSG](https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/FSG)**: Freeware, fast to unpack\n- **[MEW](https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml)**: Specifically designed for small binaries\n- **[MPRESS](http://www.matcode.com/mpress.htm)**: Free, more complex packer\n- **[PEtite](https://www.un4seen.com/petite/)**: Freeware packer, similar to ASPack\n- **[UPX](https://github.com/upx/upx)**: Cross-platform, open source packer\n- **YZPack**\n\n## Other packers\nAny other packers should work as well, as long as the needed API functions are implemented in Un{i}packer. For packers that\naren't specifically known you will be asked whether you would like to manually specify the start and end addresses for emulation.\nIf you would like to start at the entry point declared in the PE header and just emulate until section hopping is detected,\npress ```Enter```\n\n## Showcase\nWe are humbled to see some active usage of Un{i}packer for research projects, university courses and other resources that teach students about malware obfuscation:\n\n- [Tutorial video](https://youtu.be/ee5_JUIEf8Q) belonging to the Master's course \"Malware Analysis and Cyber Threat Intelligence\" at the Westphalian University,\n  demonstrating how to analyze obfuscated malware with Un{i}packer\n- [DeepReflect](https://www.usenix.org/conference/usenixsecurity21/presentation/downing): Paper presenting a tool for localizing and identifying malware\n  components within a malicious binary. Its dataset relies on a Un{i}packer preprocessing step\n- [BDHunter](https://dl.acm.org/doi/abs/10.1145/3433210.3457894): Paper describing a system that automatically identifies behavior dispatchers to assist triggering malicious behaviors.\n  The tool requires unpacked malware samples as input, where the authors propose using Un{i}packer\n- [JARV1S Disassembler](https://github.com/L1NNA/JARV1S-Disassembler): Disassembler that uses Un{i}packer as a preprocessing step\n- [Anti-Anti-Virus 2](https://www.cs.virginia.edu/~cr4bd/4630/S2021/slides/20210301-slides.pdf) lecture of University of Virginia's \"CS 4630: Defense Against the Dark Arts\",\n  using Un{i}packer as an example for unpacking techniques\n- [Mastering Malware Analysis](https://www.amazon.com/Mastering-Malware-Analysis-practical-cybercrime/dp/1803240245): The second edition of this comprehensive guide to malware analysis by\n  Alexey Kleymenov and Amr Thabet also explains how unpacking and deobfuscation works, mentioning Un{i}packer as a suitable tool for several popular packers\n- [Malflow](https://link.springer.com/chapter/10.1007/978-981-96-3531-3_9): Paper presenting a static analysis method to classify malware families. Its dataset relies, among others, on a Un{i}packer preprocessing step. The authors publish the experiment's full dataset on [Kaggle](https://www.kaggle.com/datasets/amester/malflow), containing analysis of unpacked samples from BODMAS: Radare2 disassembled objects, instructions statistics, malware transformed into RGB images, and more.\n- [PhD research](https://attilamester.github.io/call-graph/): thesis and related static analysis research projects, some of them using Un{i}packer for malware preprocessing. \n\nIf you are using Un{i}packer for additional projects and would like them featured in this list, we would love to hear from you!\n\n## Usage\n### Normal installation\nInstall the [YARA](https://github.com/VirusTotal/yara) package for your OS, get Un{i}packer from PyPi and start it using the automatically created command line wrapper:\n```\npip3 install unipacker\nunipacker\n```\nFor detailed instructions on how to use Un{i}packer please refer to the [Wiki](https://github.com/unipacker/unipacker/wiki).\nAdditionally, all of the shell commands are documented. To access this information, use the ```help``` command\n\nYou can take a quick look at Un{i}packer in action in a (german) [video](https://youtu.be/ee5_JUIEf8Q) by Prof. Chris Dietrich\n\n### Development mode installation\nClone the repository, and inside the project root folder activate development mode using ```pip3 install -e .```\n\n### Using Docker\nYou can also use the provided Dockerfile to run a containerized version of Un{i}packer:\n```\ndocker run -it -v ~/local_samples:/root/unipacker/local_samples vfsrfs/unipacker\n```\nAssuming you have a folder called ```local_samples``` in your home directory, this will be mounted inside the container.\nUn{i}packer will thus be able to access those binaries via ```/root/unipacker/local_samples```\n\n### RESTful API\nA 3rd party wrapper created by @rpgeeganage allows to unpack samples by sending a request to a RESTful server: [https://github.com/rpgeeganage/restful4up](https://github.com/rpgeeganage/restful4up)\n","funding_links":[],"categories":["Deobfuscation",":wrench: Tools","Python","🔧 Packages"],"sub_categories":["Other Resources","Before 2000","⚡ Unpacking"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funipacker%2Funipacker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funipacker%2Funipacker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funipacker%2Funipacker/lists"}