Even after unpacking, the code is still unreadable. You see calls to the VM handler rather than the original logic (e.g., a simple password check).
The solution was innovative and elegant. Instead of looking for code patterns, the developer observed that x64dbg in its comments — but there was no script command to detect them. After requesting the feature, mod.isexport() was added to x64dbg. This function checks whether a register or memory address points to an exported API, returning 1 for true and 0 for false.
Themida, developed by Oreans Technologies, has been a frontrunner in software protection solutions. Its primary purpose is to protect software applications against reverse engineering, cracking, and analysis. With each iteration, Themida has incorporated more advanced features and techniques to stay ahead of crackers and malware analysts. Themida 3x, a version particularly noted for its robust protection mechanisms, marked a significant milestone in this evolutionary journey.
He leaned back. The water treatment plant would live. But as he reached for his cold coffee, his screen flickered. A new window opened on his desktop—one he hadn't launched.
It was 3:00 AM, and Leo’s screen was the only light source in the room. On it, a single debugger window blinked. He wasn't hunting a flag for a CTF or cracking a keygen for bragging rights. He was trying to resurrect a ghost.
The chaos collapsed into order. Clean, readable assembly. The original Entry Point (OEP) stared back at him: PUSH EBP / MOV EBP, ESP .
Unlike simple packers that just compress an executable, Themida 3.x uses a "SecureEngine®" architecture. It employs several layers of defense:
: For files using mutation-based obfuscation, tools like themida-unmutate are used to statically deobfuscate protected functions. This is often paired with a Binary Ninja plugin for deeper analysis.
Modern unpackers like the TopSoftdeveloper/UnpackThemida Python tool aim to automate the process for 2.x and 3.x, supporting 32-bit and 64-bit EXEs and DLLs.
Software protection today is more sophisticated than ever, yet the landscape is shifting in unexpected ways. On one hand, packers like Themida have evolved into formidable guardians of intellectual property, employing advanced virtual machines, code virtualization, and aggressive anti-debugging. On the other hand, the release of Themida/WinLicense 3.0 introduced curious changes that arguably made the protector to defeat in certain respects. This deep dive explores the current state of Themida 3.x unpacking — the tools, the techniques, and the cat-and-mouse game that defines modern software protection.
A driver-based tool to hide debuggers at the kernel level.
: Hides the Original Entry Point (OEP) within packed sections, typically in a .boot section at non-standard addresses.
For a reverser looking to unpack Themida 3.x, there is no substitute for a deep understanding of the Windows PE format, assembly language, and the specific architecture of the Themida Virtual Machine. Automated tools exist but are often unreliable or specific to certain builds. As such, Themida 3.x remains a highly effective deterrent against generic cracking and unauthorized analysis, maintaining its reputation as a top-tier commercial protector.
Handles 32-bit and 64-bit PEs (EXEs and DLLs) and .NET assemblies. It attempts to recover the OEP (Original Entry Point) and obfuscated IAT automatically.
Set hardware breakpoints on memory allocation ( VirtualAlloc , VirtualProtect ) to locate the point where the original code is unpacked.
The standard environment for manual unpacking.
The Themida 3x Unpacker is a powerful tool that can be used for legitimate purposes, such as malware analysis, software development, and digital forensics. However, its use also poses significant risks, including copyright infringement, malware analysis, and security risks. As with any powerful tool, it is essential to use the Themida 3x Unpacker responsibly and in compliance with applicable laws and regulations.
The combination of Ubuntu, IntelliJ, Maven, Jetty and JRebel enables really quick web app development in Java.
Ubuntu. Feel handicapped when forced to use dumbed-down Windows at work.
Maven. A build system with flaws but still better than most, and especially important as it is used by most projects.
IntelliJ IDEA. An IDE with many ingenious little tricks to make development speedier, and it feels very comfortable to use. At work my IDE is often either Eclipse on some projects as it often is the company standard, or NetBeans when work refuses to buy IntelliJ licenses. But with some clients and at home with my FOSS license I am much more productive with IntelliJ.
Jetty. A standalone Java web application server. It is quick and very light. The Maven plugin for it makes it easy to bundle and launch locally. It also then allows for very swift development cycles.
JRebel. JRebel (née JavaRebel) reloads Java classes dynamically and allows even swifter development cycles, by negating the need to ever redeploy. This saves a lot of time, thus money, and improves quality with quicker feedback loops.
And I need these tools to work together seamlessly.
I will assume you have a normal version of Ubuntu Desktop installed. This guide was based upon Ubuntu 10.04 lucid lynx.
A normal Java-based webapp project built with Maven that uses the Jetty plugin is assumed to be checked out on your machine. If you do not have one set up, you can read up on Java, Maven & Jetty and clone an example app of mine.
sudo aptitude install sun-java6-jdk
In case other Java JDKs are installed, choose Sun's flavour:
sudo update-alternatives --config java
sudo update-alternatives --config javac
Environment variables
sudo vi /etc/profile.d/java.sh
export JAVA_HOME=/usr/lib/jvm/java-6-sun
export JDK_HOME=/usr/lib/jvm/java-6-sun
sudo chmod +x /etc/profile.d/java.sh
Your choice: either install via the Ubuntu package repository or download the full Maven directly. The repository version depends on a load of unnecessary packages such as gcj, Ant etc. So most people recommend using the apache.org download instead.
For this howto I will utilise the repository version, but the only difference afterwards is the path. (You may try and restrict the installation of optional packages...)
sudo aptitude install maven2
If you prefer the downloaded archive then do this instead:
tar xzf apache-maven-2.2.1.tar.gz;
sudo mkdir /opt/apache;
sudo mv apache-maven-2.2.1 /opt/apache/maven-2.2.1;
cd /opt/apache;
sudo ln -s maven-2.2.1 maven;
And refer to /opt/apache/maven instead of /usr/share/maven2 in the paths below.
Some programs depend on different environment variables for Maven.
Also the default memory assignment is very low so you may optionally add it.
sudo vi /etc/profile.d/maven.sh
export MAVEN_HOME=/usr/share/maven2
export M2_HOME=/usr/share/maven2
#export MAVEN_OPTS="-Xms128M -Xmx512M -XX:MaxPermSize=256m"
#export MAVEN_OPTS="-noverify -javaagent:$JREBEL_HOME/jrebel.jar"
sudo chmod +x /etc/profile.d/maven.sh
Depending on your project you may need to configure the default maven settings,
such as any mirrors you use, passwords, other repositories, profiles etc.
But that is out of scope of this document.
mkdir ~/.m2;
vi ~/.m2/settings.xml
Because of how Maven resolves dependencies, it is wise to do an initial simple clean & build of your application to download all the dependencies, and to run the special go-offline goal. Remember to include any profiles that have dependencies (-P profile1,profile2....).
This may take a while.... But you only have to do it once (ish..)
cd /path/to/your/project;
mvn clean;
# Wait a little while....
mvn dependency:go-offline;
# Wait a long while....
mvn install;
# Wait a longer while....
mvn jetty:run;
# Wait a longish while....
When ready kill Jetty with ^C (As in ctrl+c)
Remember that from now on you should mostly append the -o parameter (offline) to speed up builds.
You need to obtain a license to run JRebel.
You can use the trial version for 30 days. (It's worth it)
Note: ZeroTurnaround do offer free licenses for open source developers.
Download the generic JAR installer
cd /tmp;
unzip ~/Downloads/jrebel-*-setup.zip;
sudo java -jar jrebel/jrebel-setup.zip
I tend to choose /opt/ZeroTurnaround/JRebel as my install path, but the default is /usr/local/ZeroTurnaround/Jrebel.
If the installer doesn't trigger the configuration, or you want to reconfigure:
sudo /opt/ZeroTurnaround/JRebel/bin/jrebel-config.sh
sudo vi /etc/profile.d/maven.sh
And then uncomment or add the MAVEN_OPTS line:
export MAVEN_OPTS="-noverify -javaagent:/opt/ZeroTurnaround/JRebel/jrebel.jar $MAVEN_OPTS"
sudo mkdir /var/log/jrebel;
sudo chown jrebel:jrebel /var/log/jrebel
sudo vi /etc/profile.d/jrebel.sh
export JREBEL_HOME=/opt/ZeroTurnaround/JRebel
sudo chmod +x /etc/profile.d/jrebel.sh
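The `-javaagent` jar named in MAVEN_OPTS is loaded into every Maven JVM started from a login shell, so the jar and the directories above it should not be writable by group or others. An added check for that (not part of the original guide; the function names are hypothetical, and paths are assumed to contain no spaces):

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit the JVM agent that
# MAVEN_OPTS loads into every Maven run. Function names are hypothetical.

# Print the jar path of the first -javaagent: option; strip "=agent-args".
agent_jar_from_opts() {
    local opt
    for opt in $1; do    # deliberate word splitting; assumes no spaces in paths
        case "$opt" in
            -javaagent:*)
                opt=${opt#-javaagent:}
                printf '%s\n' "${opt%%=*}"
                return 0 ;;
        esac
    done
    return 1
}

# True when the path (symlinks followed) is writable by group or by everyone.
loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Check the agent jar and every directory above it, up to $2 (default /).
# Prints one finding per line; returns 0 only when nothing was found.
audit_javaagent() {
    local jar path stop rc
    stop="${2:-/}"; rc=0
    jar=$(agent_jar_from_opts "$1") || { echo "no -javaagent option"; return 2; }
    case "$jar" in
        /*) ;;
        *) echo "relative agent path: $jar"; return 1 ;;
    esac
    [ -f "$jar" ] || { echo "agent jar missing: $jar"; return 1; }
    path=$jar
    while :; do
        if loosely_writable "$path"; then
            echo "writable by group/other: $path"
            rc=1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    return "$rc"
}

# Audit the current shell's setting, if there is one.
if [ -n "${MAVEN_OPTS:-}" ]; then audit_javaagent "$MAVEN_OPTS" || true; fi
```

Run it in a fresh login shell so that MAVEN_OPTS is the value set by /etc/profile.d/maven.sh.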
Decide which version you want. I will assume a trial of the ultimate edition.
Note: JetBrains do offer free licenses for IntelliJ Ultimate for open source developers.
Go to JetBrains IntelliJ download page, and download the most recent version.
Like JRebel I prefer /opt/jetbrains as my install location. You may prefer directly in /opt or in /usr/local, etc.
cd /tmp;
tar xzf ~/Downloads/ideaIU-10.0.1.tar.gz;
sudo chown -R root:root idea-IU-99.32;
sudo mkdir /opt/jetbrains;
sudo mv idea-IU-99.32 /opt/jetbrains/;
cd /opt/jetbrains;
sudo ln -s idea-IU-99.32 idea;
On first launch IntelliJ will ask you a series of questions regarding plugins etc.
Choose maven plugin amongst others.
Open settings via File/Settings/maven and enter Maven home directory as /usr/share/maven2
IntelliJ does not support Compile-on-save / Auto-build.
This feature is essential to get the best time saving from using JRebel.
So you will have to manually press ctrl+shift+F9 to compile your file, or just ctrl+F9 to build your whole project.
A decent workaround is to map ctrl+s as the build command.
Another is to install a plugin called Eclipse Mode, which auto-builds like Eclipse.
(I have not been able to get this to work as expected)