A Python 3 tool to dynamically unpack executables protected with Themida/WinLicense 2.x and 3.x.
Warning: This tool will execute the target executable. Make sure to use this tool in a VM if you're unsure about what the target executable does.
Note: You need to use a 32-bit Python interpreter to dump 32-bit executables.
Warning: This tool will execute the target executable. Make sure to use this tool in a VM if you're unsure about what the target executable does.
Note: You need to use a 32-bit Python interpreter to dump 32-bit executables.
Features
- Handles Themida/Winlicense 2.x and 3.x
- Handles 32-bit and 64-bit PEs (EXEs and DLLs)
- Handles 32-bit and 64-bit .NET assemblies (EXEs only)
- Recovers the original entry point (OEP) automatically
- Recovers the (obfuscated) import table automatically
Known Limitations
- Doesn't handle .NET assembly DLLs
- Doesn't produce runnable dumps in most cases
- Resolving imports for 32-bit executables packed with Themida 2.x is pretty slow
- Fix a couple of bugs with the IAT search and resolution for Themida/Winlicense 3.x
- Fix potentially invalid IAT truncations for Themida/WinLicense 3.x
- OEP detection now works in a runtime-agnostic manner (and handles virtualized entry points and Delphi executables)
- TLS callbacks are now properly detected and skipped
