Unpacking Themida 3.x is a complex reverse engineering task because it employs advanced protection layers like code virtualization, mutation engines, and multi-stage anti-debugging techniques. While early versions of Themida could often be bypassed by dumping memory after the unpacking stub finished, version 3.x is designed to resist these simple "dump and fix" methods by keeping portions of the code virtualized or encrypted even during runtime. Popular Unpacking Tools for Themida 3.x
Several tools have been developed to automate the unpacking and deobfuscation of Themida 3.x protected binaries:
Unlicense Project: A notable dynamic unpacker that supports Themida 2.x and 3.x for both 32-bit and 64-bit PEs. It automatically recovers the Original Entry Point (OEP) and reconstructions the obfuscated Import Address Table (IAT).
Themida-unmutate: A static deobfuscation tool specifically designed to handle the mutation-based obfuscation found in Themida and Code Virtualizer 3.x. It has been tested up to version 3.1.9.
Themida Unpacker for .NET: Specifically targeted at .NET applications, this tool detects the clrjit.dll load to suspend and dump the process before the final protection layers are fully active.
Bobalkkagi: A static unpacker and unwrapper that targets Themida 3.1.x. Key Challenges in Unpacking 3.x
ergrelet/unlicense: Dynamic unpacker and import ... - GitHub
Known Limitations * Doesn't handle .NET assembly DLLs. * Doesn't produce runnable dumps in most cases. * Resolving imports for 32- Themida 3.x Unpacker
Unpacking Themida 3.x is a complex task because it is one of the most advanced software protectors available, utilizing virtualization, mutation, and kernel-mode protection. Unlike older versions, there is no single "one-click" tool that works for every file; instead, the process requires a combination of specialized scripts and manual debugging. Recommended Tools and Scripts
To unpack or de-virtualize Themida 3.x, the community generally relies on the following ecosystem:
x64dbg / x32dbg: The industry-standard debugger used for the manual portion of the unpacking process.
Scylla: An Integrated Import Reconstructor used to fix the Import Address Table (IAT) after you have reached the Original Entry Point (OEP).
Themida/WinLicense V3.x - OEP Finder: A popular script for x64dbg that automates the search for the OEP by bypassing anti-debugging checks.
LID (Library Identification Tool): Often used to identify linked libraries that Themida might be hiding. General Unpacking Workflow
While every protected file is different, the standard procedure follows these steps: Unpacking Themida 3
Anti-Debugging Bypass: Use plugins like ScyllaHide to prevent Themida from detecting that it is being run inside a debugger.
Locating the OEP: Run an OEP-finding script in x64dbg. The script handles the complex transitions between protected code sections to land at the start of the original application code.
Dumping the Process: Once at the OEP, use Scylla to "dump" the memory of the application into a new executable file.
Fixing the IAT: Use Scylla’s "IAT Autosearch" and "Get Imports" functions to reconstruct the table of functions the program needs to run.
De-virtualization: If the code was protected with "Virtual Machine" macros, you may need additional tools like VTIL (Virtual Tooling Intermediate Language) to translate the obfuscated bytecode back into readable assembly. Where to Find Resources
Because these tools are frequently updated to keep up with new Themida builds, it is best to source them from active reverse-engineering communities:
Tuts4You: The premier forum for unpacking tutorials and script databases. Malware Analysis: Legitimate
GitHub: Search for repositories under "Themida Unpacker" or "x64dbg scripts" to find the latest automated loaders.
Exetools: A long-standing community focused on software protection analysis.
Warning: Unpacking software may violate End User License Agreements (EULA) and should only be performed for educational purposes or interoperability research in accordance with local laws.
The search for a "Themida 3.x Unpacker" exists in a gray area.
If you are a developer and your software is being unpacked by others, Themida 3.x is still a strong deterrent, but not absolute. Consider combining it with server-side checks or hardware locking.
Here's an example unpacker code in C:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
// Define the OEP and memory dump functions
DWORD find_oep(HANDLE hProcess, LPCVOID lpBaseAddress);
VOID dump_memory(HANDLE hProcess, LPCVOID lpBaseAddress, DWORD dwSize, LPCSTR lpDumpFile);
int main()
// Specify the protected executable and output file
LPCSTR lpProtectedExecutable = "protected.exe";
LPCSTR lpOutputFile = "unpacked.exe";
// Open the protected executable
HANDLE hFile = CreateFileA(lpProtectedExecutable, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
printf("Failed to open protected executable\n");
return 1;
// Map the file into memory
HANDLE hMapFile = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hMapFile == NULL)
printf("Failed to create file mapping\n");
CloseHandle(hFile);
return 1;
// Get the base address of the mapped file
LPCVOID lpBaseAddress = MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 0);
if (lpBaseAddress == NULL)
printf("Failed to map view of file\n");
CloseHandle(hMapFile);
CloseHandle(hFile);
return 1;
// Find the OEP
DWORD oep = find_oep(GetCurrentProcess(), lpBaseAddress);
if (oep == 0)
printf("Failed to find OEP\n");
UnmapViewOfFile(lpBaseAddress);
CloseHandle(hMapFile);
CloseHandle(hFile);
return 1;
// Dump the memory
dump_memory(GetCurrentProcess(), lpBaseAddress, 0x100000, "memory.dump");
// Reconstruct the import table
// ...
// Write the unpacked executable
HANDLE hOutputFile = CreateFileA(lpOutputFile, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutputFile == INVALID_HANDLE_VALUE)
printf("Failed to create output file\n");
UnmapViewOfFile(lpBaseAddress);
CloseHandle(hMapFile);
CloseHandle(hFile);
return 1;
// Write the unpacked code
DWORD dwSize = 0x100000;
WriteFile(hOutputFile, lpBaseAddress, dwSize, &dwSize, NULL);
// Close handles
CloseHandle(hOutputFile);
UnmapViewOfFile(lpBaseAddress);
CloseHandle(hMapFile);
CloseHandle(hFile);
return 0;
// Define the OEP and memory dump functions
DWORD find_oep(HANDLE hProcess, LPCVOID lpBaseAddress)
// TO DO: implement OEP finding logic
return 0x100000;
VOID dump_memory(HANDLE hProcess, LPCVOID lpBaseAddress, DWORD dwSize, LPCSTR lpDumpFile)
// TO DO: implement memory dumping logic
Note: This is a basic example and may require modifications to work with your specific use case.
The Themida 3.x Unpacker, like other software protection and bypass tools, exists within a complex landscape of cybersecurity, ethical research, and software piracy. As software protection mechanisms evolve, so too do the methods to bypass them, reflecting an ongoing battle between protectors and those seeking to test, exploit, or understand protected systems.
This is the primary reason generic unpackers fail for Themida 3.x. You cannot rely on automatic tools to fix the imports perfectly.