TinyLoad
PE packer/crypter for Windows. compresses and encrypts executables with a custom virtual machine into a self extracting stub.
Single file C++ Windows PE packer that compresses and encrypts an executable, then unpacks it in memory through a small randomly shuffled virtual machine.
TinyLoad is a Windows tool that takes a normal executable file and wraps it in a smaller, scrambled version of itself. The README calls this a PE packer. The original program is compressed, encrypted, and stored inside a stub. When you run the new file, the stub reverses those steps in memory and then runs the program directly, without writing the unpacked version to disk. The whole project is written in one C++ file with no external dependencies.
The interesting part is how the unpacking happens. TinyLoad ships a small custom virtual machine with 32 opcodes. The opcode table is reshuffled randomly every time you pack a file, so each packed exe effectively speaks its own instruction set. A standard disassembler cannot follow the decryption logic without first reverse-engineering the interpreter for that specific build. The actual cipher is a 128-bit stream cipher with rotation-based key mixing, and it runs entirely inside the virtual machine, so there is no native decryption loop a tool can match against.
You run it from the command line as TinyLoad.exe --i input.exe with at least one of two flags: --c turns on LZ77 compression with a 64KB sliding window and hash-chain matching, and --vm turns on the virtual-machine encryption. Compression runs first on the raw input, then encryption is applied on top, so repeated patterns in the compressed stream are also hidden. To build from source you need MinGW and a single g++ command, or you can grab a precompiled binary from the GitHub releases page.
Version 5.0 adds anti-dump features. After the payload loads, it redirects critical Windows API calls (GetModuleHandleA, GetProcAddress, ExitProcess, VirtualAlloc) through wrappers in the stub, then zeroes out the import directory, DLL names, and import data structures. The README says this makes a dumped payload very hard to reconstruct because the import table is gone. Internal strings in the stub are also XOR-encrypted.
The project is MIT licensed. The README includes a request not to use the tool to pack malicious software and asks users to open an issue if a packed file does not run.
Where it fits
- Study how a PE packer compresses and encrypts a Windows binary
- Learn how a tiny custom virtual machine can hide a decryption loop
- Experiment with LZ77 compression plus stream cipher layering
- Read a single file C++ reference implementation of anti dump tricks