A Python 3 tool to statically deobfuscate functions protected by Themida, WinLicense and Code Virtualizer 3.x’s mutation-based obfuscation.
The tool has been tested on Themida up to version 3.1.9. It’s expected to work on WinLicense and Code Virtualizer as well.
A Binary Ninja plugin is also available here.
You can install the project with pip:
pip install themida-unmutateA standalone PyInstaller build is available for Windows in “Releases”.
Here’s what the CLI looks like:
$ themida-unmutate --help
usage: themida-unmutate [-h] -a ADDRESSES [ADDRESSES ...] -o OUTPUT [--no-trampoline] [--reassemble-in-place] [-v] protected_binary
Automatic deobfuscation tool for Themida's mutation-based protection
positional arguments:
protected_binary Protected binary path
options:
-h, --help show this help message and exit
-a ADDRESSES [ADDRESSES ...], --addresses ADDRESSES [ADDRESSES ...]
Addresses of the functions to deobfuscate
-o OUTPUT, --output OUTPUT
Output binary path
--no-trampoline Disable function unwrapping
--reassemble-in-place
Rewrite simplified code over the mutated code rather than in a new code section
-v, --verbose Enable verbose loggingThe cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…