A Python 3 tool to statically deobfuscate functions protected by Themida,
WinLicense and Code Virtualizer 3.x's mutation-based obfuscation.
The tool has been tested on Themida up to version 3.1.9. It's expected to
work on WinLicense and Code Virtualizer as well.
A Binary Ninja plugin is also available here.
- Automatically resolve trampolines' destination addresses
- Statically deobfuscate mutated functions
- Rebuild fully working binaries
- Only supports x86_64 binaries
You can install the project with pip
:
pip install themida-unmutate
A standalone PyInstaller build is available for Windows in "Releases".
Here's what the CLI looks like:
themida-unmutate --help
usage: themida-unmutate.cmd [-h] -a ADDRESSES [ADDRESSES ...] -o OUTPUT [-v] protected_binary
Automatic deobfuscation tool for Themida's mutation-based protection
positional arguments:
protected_binary Protected binary path
options:
-h, --help show this help message and exit
-a ADDRESSES [ADDRESSES ...], --addresses ADDRESSES [ADDRESSES ...]
Addresses of the functions to deobfuscate
-o OUTPUT, --output OUTPUT
Output binary path
-v, --verbose Enable verbose logging