Themida-Unmutate : Mastering Deobfuscation Of Protected Software

A Python 3 tool to statically deobfuscate functions protected by Themida, WinLicense and Code Virtualizer 3.x’s mutation-based obfuscation.
The tool has been tested on Themida up to version 3.1.9. It’s expected to work on WinLicense and Code Virtualizer as well.

A Binary Ninja plugin is also available here.

Features

Automatically resolve trampolines’ destination addresses
Statically deobfuscate mutated functions
Rebuild fully working binaries

Known Limitations

Doesn’t support ARM64 binaries

How To Download

You can install the project with pip:

pip install themida-unmutate

A standalone PyInstaller build is available for Windows in “Releases”.

How To Use

Here’s what the CLI looks like:

$ themida-unmutate --help
usage: themida-unmutate [-h] -a ADDRESSES [ADDRESSES ...] -o OUTPUT [--no-trampoline] [--reassemble-in-place] [-v] protected_binary

Automatic deobfuscation tool for Themida's mutation-based protection

positional arguments:
  protected_binary      Protected binary path

options:
  -h, --help            show this help message and exit
  -a ADDRESSES [ADDRESSES ...], --addresses ADDRESSES [ADDRESSES ...]
                        Addresses of the functions to deobfuscate
  -o OUTPUT, --output OUTPUT
                        Output binary path
  --no-trampoline       Disable function unwrapping
  --reassemble-in-place
                        Rewrite simplified code over the mutated code rather than in a new code section
  -v, --verbose         Enable verbose logging

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.