May 10, 2025

Themida v3.1.4 (x32 & x64) - Impossible

Two files are protected with an old version of Themida (3.1.4).
Entry Point is virtualized.
Just find and restore OEP, recover the IAT and unpack if it is possible.
Virustotal detects it as a virus, but my AV software does not.

File Information
Submitter: fReestYler
Submitted: 05/10/2025
Category: UnPackMe

Yesterday at 06:44 PM

This one is an interesting sample. Code is really small, so it was stolen completely, thus it's hard to tell app code from protector code.

Functional code is quite simple, just MessageBoxA. And that's it, it does nothing more. After showing the message box it starts freeing memory that definitely isn't app code. But for the sake of completeness let's get to the bottom of this. We have 8 more code bytes. And we have 1 reloc pointing there, meaning ExitProcess should perfectly fit in.

Unpacked file attached with code, import and relocs restored and sections cut.

unpacked.exe
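
The inference in the post above (8 unrecovered code bytes with exactly one relocation pointing into them), as an added example that is not unpacker1's code or tooling: it walks a PE base relocation table and checks whether a gap can hold `push 0; call dword ptr [ExitProcess]`. It assumes the 32-bit build and that particular encoding of the stub; the relocation block, RVAs and IAT slot address are constructed, not taken from the real file.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, carries no fixup
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address fixup (x32 images)

# Constructed sample: a single relocation block for page RVA 0x1000.
SAMPLE_RELOC = struct.pack(
    "<II4H", 0x1000, 16,
    (3 << 12) | 0x003, (3 << 12) | 0x00A, (3 << 12) | 0x014, 0)


def parse_relocs(reloc: bytes):
    """Walk raw .reloc data and return [(rva, type), ...] for real entries."""
    out, pos = [], 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or pos + block_size > len(reloc):
            break  # zero terminator or truncated block
        for i in range(pos + 8, pos + block_size - 1, 2):
            (entry,) = struct.unpack_from("<H", reloc, i)
            rtype, offset = entry >> 12, entry & 0x0FFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                out.append((page_rva + offset, rtype))
        pos += block_size
    return out


def relocs_in_gap(relocs, gap_rva, gap_size):
    """Relocations whose fixup address falls inside the missing-code gap."""
    return [(r, t) for r, t in relocs if gap_rva <= r < gap_rva + gap_size]


def fits_push_call(relocs, gap_rva, gap_size):
    """True if the gap matches 6A 00 FF 15 <abs32>: 8 bytes, one HIGHLOW
    relocation, located on the 4-byte operand at gap_rva + 4."""
    hits = relocs_in_gap(relocs, gap_rva, gap_size)
    return gap_size == 8 and hits == [(gap_rva + 4, IMAGE_REL_BASED_HIGHLOW)]


def rebuild_stub(iat_slot_va):
    """Bytes for 'push 0; call dword ptr [iat_slot_va]' (hypothetical VA)."""
    return bytes([0x6A, 0x00, 0xFF, 0x15]) + struct.pack("<I", iat_slot_va)


if __name__ == "__main__":
    relocs = parse_relocs(SAMPLE_RELOC)
    print(fits_push_call(relocs, 0x1010, 8), rebuild_stub(0x402000).hex())
```

On x64 the same call is RIP-relative and carries no relocation, so this check only applies to the 32-bit file.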
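
20 hours ago

6 hours ago, unpacker1 said:
> This example is interesting. The code is very small, so it was stolen completely, so it is hard to distinguish app code from protector code. The functional code is very simple, just MessageBoxA. That's all, it does nothing more. After showing the message box, it starts freeing memory that is definitely not app code. But for the sake of completeness, let's get to the bottom of it. We have 8 more code bytes. And we have one reloc pointing there, which means ExitProcess should fit in perfectly. Unpacked file attached, with code, imports and relocations restored and sections cut. unpacked.exe

Very exciting! Themida 3.x seems to be a difficult point. If we can't restore the virtualized code, unpacking will become meaningless. Virtualization may be a good protection method, but there is too little discussion on this aspect. Once again, kudos!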