explaingit

iamsopotatoe-coder/tinyload

103 | C++ | Audience · researcher | Complexity · 4/5 | Active | License | Setup · moderate

TLDR

Single file C++ Windows PE packer that compresses and encrypts an executable, then unpacks it in memory through a small randomly shuffled virtual machine.

Mindmap

mindmap
  root((TinyLoad))
    Inputs
      Input executable
      Compression flag
      VM flag
    Outputs
      Packed executable
      In memory loader
      Shuffled opcode table
    Use Cases
      Study PE packing
      Shrink legitimate binaries
      Research anti dump tricks
    Tech Stack
      C++
      MinGW
      Windows PE
      LZ77

Things people build with this

USE CASE 1

Study how a PE packer compresses and encrypts a Windows binary

USE CASE 2

Learn how a tiny custom virtual machine can hide a decryption loop

USE CASE 3

Experiment with LZ77 compression plus stream cipher layering

USE CASE 4

Read a single file C++ reference implementation of anti dump tricks

Tech stack

C++ · MinGW · Windows · LZ77

Getting it running

Difficulty · moderate Time to first run · 30min

Needs MinGW and a Windows target; the project is Windows only. The README asks users not to pack malicious software.

MIT license, free to use, modify, and redistribute including for commercial work, with attribution.

In plain English

TinyLoad is a Windows tool that takes a normal executable file and wraps it in a smaller, scrambled version of itself. The README calls this a PE packer. The original program is compressed, encrypted, and stored inside a stub. When you run the new file, the stub reverses those steps in memory and then runs the program directly, without writing the unpacked version to disk. The whole project is written in one C++ file with no external dependencies.

The interesting part is how the unpacking happens. TinyLoad ships a small custom virtual machine with 32 opcodes. The opcode table is reshuffled randomly every time you pack a file, so each packed exe effectively speaks its own instruction set. A standard disassembler cannot follow the decryption logic without first reverse-engineering the interpreter for that specific build. The actual cipher is a 128-bit stream cipher with rotation-based key mixing, and it runs entirely inside the virtual machine, so there is no native decryption loop a tool can match against.

You run it from the command line as TinyLoad.exe --i input.exe with at least one of two flags: --c turns on LZ77 compression with a 64KB sliding window and hash-chain matching, and --vm turns on the virtual-machine encryption. Compression runs first on the raw input, then encryption is applied on top, so repeated patterns in the compressed stream are also hidden. To build from source you need MinGW and a single g++ command, or you can grab a precompiled binary from the GitHub releases page.

Version 5.0 adds anti-dump features. After the payload loads, it redirects critical Windows API calls (GetModuleHandleA, GetProcAddress, ExitProcess, VirtualAlloc) through wrappers in the stub, then zeroes out the import directory, DLL names, and import data structures. The README says this makes a dumped payload very hard to reconstruct because the import table is gone. Internal strings in the stub are also XOR-encrypted. The project is MIT licensed.
The README includes a request not to use the tool to pack malicious software and asks users to open an issue if a packed file does not run.
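
A dump-triage check for the import wiping described above, as an added example (not TinyLoad's code or anything from its README). It assumes the dump is in memory layout, so offsets equal RVAs; the function names, state labels and sample image are constructed for illustration.

```python
import struct

IMPORT_DIR = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT slot in the data directory array

def import_state(image: bytes) -> str:
    """Classify the import data of a PE image in memory layout (offset == RVA)."""
    try:
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return "not-pe"
        opt = e_lfanew + 24                        # PE signature (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):
            return "not-pe"
        dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+ layout
        (count,) = struct.unpack_from("<I", image, dirs - 4)   # NumberOfRvaAndSizes
        if count <= IMPORT_DIR:
            return "header-entry-cleared"
        rva, size = struct.unpack_from("<II", image, dirs + 8 * IMPORT_DIR)
        if rva == 0 or size == 0:
            return "header-entry-cleared"
        table = image[rva:rva + size]
        if not any(table):                         # every descriptor byte is zero
            return "descriptors-wiped"
        (name_rva,) = struct.unpack_from("<I", table, 12)  # Name field, descriptor 0
        if not image[name_rva:name_rva + 1].strip(b"\0"):
            return "dll-names-wiped"
        return "intact"
    except struct.error:
        return "truncated"

def build_sample() -> bytearray:
    """Constructed 0x400-byte PE32+ image: one import descriptor at RVA 0x200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)        # PE32+ magic
    dirs = opt + 112                               # data directories start at 0x108
    struct.pack_into("<I", img, dirs - 4, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, dirs + 8, 0x200, 40)  # descriptor + null terminator
    struct.pack_into("<5I", img, 0x200, 0x280, 0, 0, 0x300, 0x2C0)
    img[0x300:0x30D] = b"KERNEL32.dll\0"
    return img

if __name__ == "__main__":
    print(import_state(build_sample()))
```

Any state other than "intact" on a dumped module means import reconstruction has to start from the resolved call targets rather than from the headers.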

Copy-paste prompts

Prompt 1
Walk me through building TinyLoad from source with MinGW and packing a hello world exe using --c and --vm
Prompt 2
Explain how TinyLoad's 32 opcode virtual machine is shuffled per build and why that breaks static disassembly
Prompt 3
Show me the LZ77 implementation in TinyLoad and where the 64KB sliding window is defined
Prompt 4
Help me read the version 5 anti dump code that zeroes the import directory and trace which Windows APIs are wrapped
Prompt 5
Sketch a small CTF challenge that uses TinyLoad as the packing step and document the expected unpacking workflow

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.