Themida 3.x Unpacker

However, for the skilled reverse engineer, a custom unpacker can be built. It requires:

While the unpacker supports Themida up to version 3.1.9, newer releases of Themida often introduce changes that break existing automated scripts, so the unpacker needs manual updates to keep pace [8, 9].

Summary Table

Capability          | Details
--------------------|-----------------------------------------------------------------------------
Supported Versions  | Themida/WinLicense 2.x and 3.x (tested up to 3.1.9) [9, 10]; 32-bit and 64-bit [10]
Dumping Style       | Dynamic (requires execution) [1]; automatic IAT and OEP recovery [10]
Main Use Case       | Themida 3.x Unpacker

The original code is converted into "P-Code" that only this custom VM understands, so a static disassembler sees the VM interpreter rather than the program's own instructions.

Click . Scylla will then attempt to find the boundaries of the original import address table (IAT) so that the dumped imports can be rebuilt.

Themida checks for user-mode and kernel-mode debuggers using API calls ( IsDebuggerPresent , CheckRemoteDebuggerPresent ), direct PEB (Process Environment Block) inspection, and timing checks ( RDTSC ).
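The following is an added illustrative re-implementation of the three check classes just listed (API call, direct PEB read, RDTSC timing); it is not Themida's code, and the tick threshold of 500000 is an arbitrary assumption chosen for this example. Seeing each check in isolation makes clear what a bypass has to cover: hooking IsDebuggerPresent alone does nothing against the direct PEB read, and a single-step trace inflates the RDTSC delta. The Windows-only checks are guarded with _WIN32; the timing check builds on any host, falling back to a nanosecond clock on non-x86 machines.

```c
/*
 * Added example: toy versions of the anti-debug checks described above.
 * Not Themida's implementation; thresholds and loop sizes are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* PEB/TEB definitions and NtCurrentTeb() */
#endif

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#  ifdef _MSC_VER
#    include <intrin.h>
#  else
#    include <x86intrin.h>
#  endif
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
#include <time.h>
/* Fallback so the example builds on non-x86 hosts: monotonic nanoseconds. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Check 1: documented API calls. IsDebuggerPresent() reads PEB.BeingDebugged;
 * CheckRemoteDebuggerPresent() asks the kernel (NtQueryInformationProcess). */
int check_api_debugger(void) {
#ifdef _WIN32
    BOOL remote = FALSE;
    CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote);
    return (IsDebuggerPresent() || remote) ? 1 : 0;
#else
    return 0;   /* no PEB on this platform */
#endif
}

/* Check 2: read PEB.BeingDebugged directly through the TEB, so a hook on the
 * IsDebuggerPresent import does not hide the debugger. */
int check_peb_debugger(void) {
#ifdef _WIN32
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return peb->BeingDebugged ? 1 : 0;
#else
    return 0;
#endif
}

/* Check 3: timing. The work loop stands in for a protected code stub; if it
 * takes more than `threshold` ticks, someone is single-stepping or sitting
 * on a breakpoint inside it. */
int check_rdtsc_timing(uint64_t threshold) {
    volatile uint32_t sink = 0;
    uint64_t start = read_tsc();
    for (uint32_t i = 0; i < 10000; i++) sink += i * 2654435761u;
    uint64_t delta = read_tsc() - start;
    return delta > threshold ? 1 : 0;
}

int main(void) {
    /* 500000 ticks is an assumed threshold for illustration only. */
    printf("api=%d peb=%d timing=%d\n",
           check_api_debugger(), check_peb_debugger(), check_rdtsc_timing(500000));
    return 0;
}
```

When building an unpacker, the practical consequence is that all three classes must be defeated together: clearing PEB.BeingDebugged (or using a plugin such as ScyllaHide) covers the first two, while the timing check needs either a hooked RDTSC (for example by trapping it with CR4.TSD) or a run without breakpoints inside the protected stub.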

    // Find the OEP of the unpacked image (find_oep is the unpacker's own routine)
    DWORD oep = find_oep(GetCurrentProcess(), lpBaseAddress);
    if (oep == 0) {
        printf("Failed to find OEP\n");
        // Release the mapped view and file handles before bailing out
        UnmapViewOfFile(lpBaseAddress);
        CloseHandle(hMapFile);
        CloseHandle(hFile);
        return 1;
    }

This process is not fully automated. For most malware analysts it is easier to trace the VM's execution until it reaches a security-relevant API call than to de-virtualize the entire binary.