TinyLoad
simple PE packer with LZ77 compression and custom VM encryption for Windows executables.
v5 doubles down on anti-analysis. The payload is now worthless without the stub at runtime — dumping from memory gets you a broken executable with no import table.
Previous versions protected the payload at rest. v5 protects it at runtime too — even if an analyst dumps the decrypted payload from memory, they get an exe with no import table, IAT entries pointing to dead addresses, and no way to automatically remap them. They'd have to manually reverse every IAT slot by its stub address.
v4 is finally here. We focused heavily on anti-analysis and hardening to make TinyLoad practically invisible to standard debuggers and automated unpackers.
A virtual machine is great for hiding the decryption routine, but it doesn't help if an analyst can just step through it or dump the unpacked payload from memory right before execution. The new anti-debugging mechanisms prevent them from even starting the debugging process.
The section scrambling completely breaks automated tools that rely on specific packer signatures, forcing analysts to manually reverse the VM just to figure out where the payload actually lives.
TinyLoad is a simple tool for packing Windows executables. it compresses the input file and encrypts the payload using a custom virtual machine. when the packed executable runs, it spins up a VM interpreter, decrypts the payload, and loads it directly into RAM.
the whole thing is one .cpp file with no external dependencies.
```
TinyLoad.exe --i app.exe --c
TinyLoad.exe --i app.exe --o packed.exe --vm --c
TinyLoad.exe --i game.exe --vm
```
| Flag | What it does |
|---|---|
| `--i <file>` | input executable to pack |
| `--o <file>` | output path, defaults to inputname_packed.exe |
| `--vm` | encrypt payload with custom VM, randomized ISA every build |
| `--c` | compress with LZ77 |
custom hash-chain LZ77 with a 64KB sliding window and deep chain search. uses lazy match evaluation to pick better matches. compression runs on the raw PE first, then VM encryption is applied on top so patterns in the compressed stream are also hidden.
a custom 32-opcode VM interpreter is embedded in the stub. at pack time the opcode table is randomly shuffled — so every packed file has a different instruction set. the decryption program is stored as bytecode with 128-bit keys embedded as immediate values. v5 adds multiple opaque predicates, junk instruction scattering, and encrypted decode tables to make VM tracing infeasible without fully reversing the interpreter.
v5 redirects critical payload imports through stub-resident wrappers and wipes the import directory after loading. a dumped payload has no import table and IAT entries pointing into dead addresses. automated reconstruction is impossible — every slot must be manually reversed.
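A defender-side static triage sketch for the two properties described above (a compressed and encrypted payload, and a dump whose import directory has been wiped), added here as an example and not part of TinyLoad's code. The 7.2 bits-per-byte threshold, the `triage` and `build_sample` names, and the constructed sample images are assumptions; sections are read by raw file offset, so a memory dump must be file-aligned first.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(pe: bytes, threshold: float = 7.2) -> dict:
    """Report whether an import directory exists and which sections look packed."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 1 is imports.
    dd = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    n_dirs = struct.unpack_from("<I", pe, dd - 4)[0]
    imp_rva, imp_size = struct.unpack_from("<II", pe, dd + 8) if n_dirs > 1 else (0, 0)
    sections = []
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((label, round(entropy(pe[rptr:rptr + rsize]), 2)))
    return {
        "has_imports": bool(imp_rva and imp_size),
        "sections": sections,
        "high_entropy": [n for n, h in sections if h >= threshold],
    }

def build_sample(body: bytes, import_dir=(0, 0)) -> bytes:
    """Constructed one-section PE32 image used only as sample input."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xH", hdr, 0x44, 0x14C, 1, 0xE0)   # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, 0xB4, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0xC0, *import_dir)          # import directory
    struct.pack_into("<8sIIII", hdr, 0x138, b".data",
                     len(body), 0x1000, len(body), 0x200)    # section header
    return bytes(hdr) + body

if __name__ == "__main__":
    stripped = build_sample(bytes(range(256)) * 16)          # uniform bytes, no imports
    normal = build_sample(b"plain code and strings " * 200, (0x1000, 40))
    print(triage(stripped))
    print(triage(normal))
```

A missing import directory combined with a near-8.0 section is a reason to route the file to manual analysis, not a verdict on its own.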
grab the source on GitHub or download the latest build: releases.