Quote:
Originally Posted by kernel
You can try Unlicense, but it is not a perfect unpacker. It needs some fixes because it recovers the IAT at the wrong place and overwrites some initialization data there. And it does not devirtualize the code either. If the VM integrity checks option is used, then even after the unpack the VM will check the unpacked binary...
Two main problems:
1. Stolen OEP — DllEntryPoint is a Themida trampoline (lea rcx, [rcx+0x38]; jmp 0x10cb0) instead of real DllMain. The DLL can't initialize properly.
2. IAT placed at wrong RVA — unlicense overwrote initialization data with the rebuilt IAT (at 0x814000). The app's config/state data that was there got corrupted.
3. VM code untouched — .themida section (8.6 MB) still present with all virtualized code still running through the VM interpreter. VM integrity checks detect the modified binary and kill it.
The exports were correctly patched though — InternalCheck/CheckConnect all had the right mov eax,1;ret patches baked in.
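The two structural defects described above (an entry point that lands in the packer's section rather than the real code section, and an import directory written over file-backed initialized data) can both be spotted from the PE headers alone, before anything is executed. The following is an added example, not code from the thread or from the Unlicense project: a minimal PE32+ header parser plus an audit that reports which section the entry point and the import directory fall in. The sample binaries are constructed in memory (`build_sample_pe` is a hypothetical helper that emits a three-section image); section names, RVAs and sizes are assumptions chosen to mirror the post, not values from the real DLL.

```python
import struct

# Section characteristic bits from the PE specification.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Section names that indicate a protector's stub; ".themida" is the one
# named in the post. Extend for other packers as needed.
PACKER_SECTION_NAMES = {".themida"}


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to locate the entry point, the
    import directory and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24                       # start of the optional header
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    # Data directory 1 (imports) sits at +120 in PE32+ and +104 in PE32.
    import_dir_off = opt + (120 if magic == 0x20B else 104)
    import_rva, import_size = struct.unpack_from("<II", data, import_dir_off)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsec):
        base = sec_off + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, base)
        chars, = struct.unpack_from("<I", data, base + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"entry": entry, "import_rva": import_rva,
            "import_size": import_size, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def audit_pe(data: bytes) -> dict:
    """Flag an entry point outside the code section / inside a packer
    section, and an import directory placed over initialized data."""
    pe = parse_pe(data)
    secs = pe["sections"]
    entry_sec = section_for_rva(secs, pe["entry"])
    imp_sec = section_for_rva(secs, pe["import_rva"])
    findings = {
        "entry_section": entry_sec["name"] if entry_sec else None,
        "entry_in_executable_section": bool(entry_sec and entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE),
        "entry_in_packer_section": bool(entry_sec and entry_sec["name"] in PACKER_SECTION_NAMES),
        "import_dir_section": imp_sec["name"] if imp_sec else None,
        "import_dir_overwrites_data": False,
        "packer_sections": [s["name"] for s in secs if s["name"] in PACKER_SECTION_NAMES],
    }
    # An import table rebuilt inside the file-backed part of an initialized
    # data section has replaced whatever the original binary stored there.
    if imp_sec and imp_sec["chars"] & IMAGE_SCN_CNT_INITIALIZED_DATA:
        if pe["import_rva"] < imp_sec["va"] + imp_sec["rawsize"]:
            findings["import_dir_overwrites_data"] = True
    return findings


def build_sample_pe(entry_rva: int, import_rva: int) -> bytes:
    """Constructed PE32+ image with .text, .data and .themida sections
    (hypothetical layout, not taken from any real binary)."""
    secs = [(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),
            (b".data", 0x2000, 0x1000, 0x200, 0x600, 0xC0000040),
            (b".themida", 0x3000, 0x1000, 0x200, 0x800, 0xE0000020)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # alignments
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, import_rva, 0x40)        # import directory
    hdrs = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
    for name, va, vsize, rawsize, rawptr, chars in secs:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    image = bytearray(0xA00)
    image[:len(hdrs)] = hdrs
    return bytes(image)


if __name__ == "__main__":
    # Layout mirroring the post: entry in .themida, imports written over .data.
    print(audit_pe(build_sample_pe(0x3010, 0x2000)))
    # Sane layout: entry in .text, imports in an unused tail of .data.
    print(audit_pe(build_sample_pe(0x1000, 0x2800)))
```

Run against a real unpack result, `import_dir_overwrites_data` is the check that would have caught the IAT landing on live configuration data, and `entry_section` not being the original code section is the quick tell for a stolen OEP; neither says anything about the virtualized code, which only disassembly of the `.themida` section can reveal.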