A Themida 3.x unpacker for Linux, written in Rust, using Unicorn CPU emulation.
Midas turns Themida-protected binaries into analyzable code through CPU emulation.
- Pure Linux operation: No Windows required
- Unicorn-based emulation: Emulates x86-64 instruction execution
- Windows API emulation: Implements critical Windows APIs
- OEP detection: Automatically finds the original entry point
- IAT reconstruction: Recovers import table (basic implementation)
- Anti-debug bypasses: Handles common anti-debugging techniques
Architecture:

```
PE File → Parser → Unicorn Loader → Emulation → OEP Detection → Dump
                                        ↓
                                Windows API Hooks
                                (PEB, TEB, APIs)
```
✅ Phase 2 Complete - Core unpacking functionality implemented!
What's Working:
- ✅ PE64 parsing and section detection
- ✅ Themida version detection
- ✅ Unicorn emulation setup with full execution loop
- ✅ Windows structure emulation (PEB, TEB, LDR)
- ✅ API hooks framework with ~6 critical APIs
- ✅ Memory write tracking for code sections
- ✅ OEP detection heuristics
- ✅ Memory dumping and basic PE output
- ✅ JSON output mode for automation
- ✅ Detect-only mode for version identification
In Development:
- 🚧 IAT reconstruction (advanced)
- 🚧 PE reconstruction with proper imports
- 🚧 Additional API implementations
- 🚧 Testing with real Themida samples
Building:

```bash
docker run --rm -v "$(pwd):/midas" -w /midas rust:latest bash -c '
  apt-get update && apt-get install -y libclang-dev clang cmake
  export LIBCLANG_PATH=/usr/lib/llvm-19/lib
  cargo build --release
'
# Binary will be at: target/release/midas
```

Alternatively, run the bundled `test-build.sh` script:

```bash
chmod +x test-build.sh
./test-build.sh
```

Due to Unicorn build requirements, this must be built on Linux. Use Docker as shown above.
Usage:

```bash
# Basic usage
midas -i protected.exe -o unpacked.exe

# Verbose output
midas -i protected.exe -o unpacked.exe -v

# Quiet mode (only errors)
midas -i protected.exe -o unpacked.exe -q

# JSON output (for automation)
midas -i protected.exe -o unpacked.exe --json

# Detect Themida version only (no unpacking)
midas -i protected.exe --detect-only

# Custom instruction limit
midas -i protected.exe -o unpacked.exe --max-instructions 50000000
```

Exit codes:
- 0: Success
- 1: Failure

Output streams:
- Success messages → stdout
- Logs and errors → stderr
- JSON output → stdout
Limitations:
- 64-bit only: Currently supports only PE64 files
- Themida 3.x focus: Optimized for Themida 3.x
- No virtualization: Cannot unvirtualize VM-protected code
- Non-runnable dumps: Dumps are for analysis, not execution
- API coverage: Limited to ~20 critical APIs initially
How it works:
- Parse PE: Load and analyze the protected PE file
- Setup Emulation:
  - Map PE sections into Unicorn memory
  - Create fake PEB/TEB structures
  - Setup IAT with hook addresses
- Emulate:
  - Execute from entry point
  - Hook Windows APIs as they're called
  - Monitor code section for writes
- Detect OEP:
  - Watch for execution leaving Themida section
  - Identify transition to original code
- Dump:
  - Extract decrypted memory
  - Reconstruct imports
  - Generate output PE
APIs are hooked by:
- Mapping fake API addresses (e.g., 0xFEED_0000 range)
- Detecting when execution reaches these addresses
- Executing emulated implementation
- Returning control to caller
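The four steps above, as an added example that is not Midas's own code: a small Rust model of the hook mechanism. A tiny `Cpu` struct stands in for Unicorn's register and memory access; `ApiTable::register` hands out addresses in the `0xFEED_0000` range (the `0x10` stride between slots is an assumption), and `ApiTable::dispatch` is what a code hook would run when RIP lands on one of them: it executes the emulated API, places the result in RAX and performs the `ret` on the guest's behalf. The `GetCurrentProcess` and `VirtualAlloc` handlers, the bump allocator over the workspace range, and the return address `0x401010` are constructed for the example.

```rust
use std::collections::HashMap;

/// Fake API base and workspace base follow the README memory layout; the slot stride is an assumption.
pub const FAKE_API_BASE: u64 = 0xFEED_0000;
pub const FAKE_API_STRIDE: u64 = 0x10;
pub const WORKSPACE_BASE: u64 = 0x2000_0000;

/// Minimal x86-64 state: the registers the Win64 convention needs here plus sparse byte memory.
#[derive(Debug, Clone)]
pub struct Cpu {
    pub rip: u64,
    pub rsp: u64,
    pub rax: u64,
    pub rcx: u64,
    pub rdx: u64,
    pub workspace_next: u64,
    pub mem: HashMap<u64, u8>,
}

impl Cpu {
    pub fn new(rsp: u64) -> Self {
        Cpu { rip: 0, rsp, rax: 0, rcx: 0, rdx: 0, workspace_next: WORKSPACE_BASE, mem: HashMap::new() }
    }

    pub fn write_u64(&mut self, addr: u64, v: u64) {
        for (i, b) in v.to_le_bytes().iter().enumerate() {
            self.mem.insert(addr + i as u64, *b);
        }
    }

    pub fn read_u64(&self, addr: u64) -> u64 {
        let mut buf = [0u8; 8];
        for (i, b) in buf.iter_mut().enumerate() {
            *b = *self.mem.get(&(addr + i as u64)).unwrap_or(&0);
        }
        u64::from_le_bytes(buf)
    }

    /// What the guest's `call [iat_slot]` does: push the return address, jump to the slot's target.
    pub fn call(&mut self, target: u64, return_addr: u64) {
        self.rsp -= 8;
        let rsp = self.rsp;
        self.write_u64(rsp, return_addr);
        self.rip = target;
    }
}

/// An emulated API receives the register file and returns the value for RAX.
pub type ApiHandler = fn(&mut Cpu) -> u64;

/// Fake address -> handler. The address returned by `register` is what the loader
/// would write into the guest's IAT, so every import call lands on a hookable address.
#[derive(Default)]
pub struct ApiTable {
    handlers: HashMap<u64, (&'static str, ApiHandler)>,
    next_slot: u64,
}

impl ApiTable {
    pub fn register(&mut self, name: &'static str, handler: ApiHandler) -> u64 {
        let addr = FAKE_API_BASE + self.next_slot * FAKE_API_STRIDE;
        self.next_slot += 1;
        self.handlers.insert(addr, (name, handler));
        addr
    }

    pub fn is_fake(&self, addr: u64) -> bool {
        self.handlers.contains_key(&addr)
    }

    /// Run from the code hook whenever RIP is a fake address: execute the emulated API,
    /// then do the `ret` the real function would have done (RAX set, return address popped).
    pub fn dispatch(&self, cpu: &mut Cpu) -> Option<&'static str> {
        let (name, handler) = *self.handlers.get(&cpu.rip)?;
        let return_addr = cpu.read_u64(cpu.rsp);
        cpu.rax = handler(cpu);
        cpu.rsp += 8;
        cpu.rip = return_addr;
        Some(name)
    }
}

/// Constructed handlers: GetCurrentProcess returns the -1 pseudo-handle; VirtualAlloc
/// bump-allocates page-aligned chunks from the workspace range (an assumption for this example).
pub fn get_current_process(_cpu: &mut Cpu) -> u64 {
    u64::MAX
}

pub fn virtual_alloc(cpu: &mut Cpu) -> u64 {
    // Win64: rcx = lpAddress (ignored here), rdx = dwSize.
    let size = (cpu.rdx + 0xFFF) & !0xFFF;
    let base = cpu.workspace_next;
    cpu.workspace_next += size;
    base
}

/// Drive one emulated `call VirtualAlloc`; returns (api name, rax, rip, rsp) as the guest sees them afterwards.
pub fn run_demo() -> (&'static str, u64, u64, u64) {
    let mut table = ApiTable::default();
    table.register("GetCurrentProcess", get_current_process);
    let va = table.register("VirtualAlloc", virtual_alloc);
    let mut cpu = Cpu::new(0x001F_0000); // near the top of the 1 MB stack at 0x00100000
    cpu.rcx = 0;
    cpu.rdx = 0x1234;
    cpu.call(va, 0x0040_1010); // constructed return address inside the image
    let name = table.dispatch(&mut cpu).expect("rip must be a registered fake address");
    (name, cpu.rax, cpu.rip, cpu.rsp)
}

fn main() {
    let (name, rax, rip, rsp) = run_demo();
    println!("{name}: rax={rax:#x} rip={rip:#x} rsp={rsp:#x}");
}
```

In a real Unicorn setup the same `dispatch` logic sits in a `UC_HOOK_CODE` callback filtered to the fake range; the point of handing out distinct addresses per API is that the hook can identify the import from RIP alone, without ever mapping the real DLL.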
OEP is detected by monitoring:
- Execution entering code section from outside
- Pattern of memory writes to code
- API call sequences typical of unpacked code
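The first two signals above combined, as an added example that is not Midas's own code: an event-driven detector in Rust that consumes the execution and memory-write events an emulator's hooks would deliver. It flags the first instruction executed in the code section after control was in the Themida section, but only once the stub has rewritten at least `min_written` bytes of that section. The section addresses, the trace and the `0x400` threshold are constructed; the trace includes an early bounce into `.text` before any decryption to show why the write count matters.

```rust
/// A mapped section of the guest image (addresses are constructed for this example).
#[derive(Clone, Copy, Debug)]
pub struct Section {
    pub name: &'static str,
    pub start: u64,
    pub size: u64,
}

impl Section {
    pub fn contains(&self, addr: u64) -> bool {
        addr >= self.start && addr < self.start + self.size
    }
}

/// Events a code hook and a memory-write hook would deliver.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Event {
    Exec(u64),
    Write { addr: u64, len: u64 },
}

#[derive(Clone, Copy, Debug, PartialEq)]
enum Region { Code, Themida, Elsewhere }

pub struct OepDetector {
    code: Section,
    themida: Section,
    /// Bytes written into the code section so far.
    pub code_bytes_written: u64,
    /// How much of the code section must be rewritten before a transition counts as the OEP.
    min_written: u64,
    last: Region,
}

impl OepDetector {
    pub fn new(code: Section, themida: Section, min_written: u64) -> Self {
        OepDetector { code, themida, code_bytes_written: 0, min_written, last: Region::Elsewhere }
    }

    fn locate(&self, rip: u64) -> Region {
        if self.code.contains(rip) {
            Region::Code
        } else if self.themida.contains(rip) {
            Region::Themida
        } else {
            Region::Elsewhere
        }
    }

    /// Feed one hook event; returns Some(rip) the first time it looks like the OEP.
    pub fn feed(&mut self, ev: Event) -> Option<u64> {
        match ev {
            Event::Write { addr, len } => {
                if self.code.contains(addr) {
                    self.code_bytes_written += len;
                }
                None
            }
            Event::Exec(rip) => {
                let now = self.locate(rip);
                let prev = std::mem::replace(&mut self.last, now);
                let unpacked_enough = self.code_bytes_written >= self.min_written;
                if now == Region::Code && prev == Region::Themida && unpacked_enough {
                    Some(rip)
                } else {
                    None
                }
            }
        }
    }
}

pub fn find_oep(trace: &[Event], det: &mut OepDetector) -> Option<u64> {
    trace.iter().find_map(|&ev| det.feed(ev))
}

/// Constructed trace: stub runs in .themida, probes .text once before decrypting it,
/// then writes 0xE00 bytes into .text and finally jumps to the unpacked entry point.
pub fn sample_trace() -> Vec<Event> {
    vec![
        Event::Exec(0x0050_0010),
        Event::Exec(0x0050_0014),
        Event::Exec(0x0040_1000), // early bounce into .text: not the OEP
        Event::Exec(0x0050_0020),
        Event::Write { addr: 0x0040_1000, len: 0x800 },
        Event::Write { addr: 0x0040_1800, len: 0x600 },
        Event::Exec(0x0050_0030),
        Event::Exec(0x0050_0034),
        Event::Exec(0x0040_1200), // first execution of decrypted code: the OEP
        Event::Exec(0x0040_1205),
    ]
}

pub fn demo_oep(min_written: u64) -> Option<u64> {
    let code = Section { name: ".text", start: 0x0040_1000, size: 0x1000 };
    let themida = Section { name: ".themida", start: 0x0050_0000, size: 0x1_0000 };
    let mut det = OepDetector::new(code, themida, min_written);
    find_oep(&sample_trace(), &mut det)
}

fn main() {
    println!("transition only      -> {:?}", demo_oep(0).map(|a| format!("{a:#x}")));
    println!("with write threshold -> {:?}", demo_oep(0x400).map(|a| format!("{a:#x}")));
}
```

With the threshold at zero the detector stops at the early probe (`0x401000`); with it at `0x400` it waits until the stub has actually decrypted the section and reports `0x401200`. The third signal in the list, API call sequences, would be layered on top in the same way: the `ApiTable` dispatch can record which imports fire between the write phase and the transition.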
Memory layout:

```
0x7FFF_F000: PEB (Process Environment Block)
0x7FFF_E000: TEB (Thread Environment Block)
0x7FFF_D000: LDR_DATA
0x00100000:  Stack (1MB)
0x00400000:  PE Image (typical)
0x20000000:  Workspace (allocations)
0xFEED_0000: Fake API addresses
```
Dependencies:
- unicorn-engine: CPU emulation
- iced-x86: x86/x64 disassembler
- goblin: PE parsing
- clap: CLI argument parsing
Based on research of existing tools:
- Magicmida: Windows-native Themida unpacker (Delphi)
- unlicense: Python Themida unpacker using Frida
- mwemu: Rust malware emulator framework
- unicorn_pe: PE emulation with Unicorn
License: GPL-3.0 - see the LICENSE file.
Contributions welcome! This is an active development project.