A Python 3 tool to statically deobfuscate functions protected by Themida 3.x's mutation-based obfuscation.
- Automatically resolve trampolines' destination addresses
- Statically deobfuscate mutated functions
- Rebuild fully working binaries
- Binary Ninja integration
- Doesn't support ARM64 binaries
You can fetch the project with `git` and install it with `pip`:

```
pip install git+https://github.com/ergrelet/themida-unmutate.git
```

Here's what the CLI looks like:

```
themida-unmutate --help
usage: themida-unmutate.cmd [-h] -a ADDRESSES [ADDRESSES ...] -o OUTPUT [-v] protected_binary

Automatic deobfuscation tool for Themida's mutation-based protection

positional arguments:
  protected_binary      Protected binary path

options:
  -h, --help            show this help message and exit
  -a ADDRESSES [ADDRESSES ...], --addresses ADDRESSES [ADDRESSES ...]
                        Addresses of the functions to deobfuscate
  -o OUTPUT, --output OUTPUT
                        Output binary path
  -v, --verbose         Enable verbose logging
```

You can also find a Binary Ninja plugin in the `binja_plugin` directory.