
Themida query

Some time ago, a colleague mentioned that he had "heard from someone" that Themida used some sort of incremental decryption. The impression I got was that the executing code would decrypt and execute a few instructions from the payload, then decrypt a few more -- possibly erasing or overwriting the previously decrypted ones -- and so on, so that at any point in the execution only a few instructions from its payload would actually be exposed.

Can anyone confirm whether Themida unpackers can have this sort of behavior? I realize that the packing tool itself has a lot of different user-tweakable options, and that the unpacker behavior can therefore vary depending on what options were selected for packing -- I'm just trying to understand what the phrase "incremental decryption" might mean, and whether this kind of little-at-a-time decryption is encountered in Themida-packed executables.



I was checking out the Themida developers' website and found the below:

"The CodeEncrypt technology provides the ability to select blocks of code that will be encrypted all the time while it is not executed. Once executed, the code gets encrypted again to avoid a possible reconstruction of that code if an attacker manages to dump a protected application from memory to disk. SecureEngine® uses strong encryption algorithms to ensure that an attacker can not reconstruct an encoded block of code."

Does that help in answering your question?

thank you :)

That helps! Thanks.
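The "decrypted only while executing, re-encrypted afterwards" behaviour described in the quoted CodeEncrypt text is easy to see in a toy model. The following is an added example written for this thread, not Themida's or SecureEngine's code; the instruction set, the payload blocks, the master key and the SHA-256-based XOR keystream are all constructed stand-ins for whatever the real product uses. It executes a payload block by block, takes a "memory dump" after every step, and counts how many blocks are readable in each dump: at most one, compared with all of them for an unprotected image.

```python
"""Toy model of block-wise decrypt-on-execute, re-encrypt-after-execute protection.

Constructed illustration only (not Themida/SecureEngine code). Each payload block
sits encrypted in memory, is decrypted just before it runs and re-encrypted
immediately afterwards, so a memory dump taken at any moment exposes at most
one block in the clear.
"""
import hashlib
from typing import List, Tuple

# Toy instruction set acting on an accumulator: ("add", n), ("mul", n), ("sub", n).
OPS = {"add", "mul", "sub"}

# Constructed payload: four blocks of a few instructions each.
PAYLOAD_BLOCKS: List[List[Tuple[str, int]]] = [
    [("add", 5), ("mul", 3)],
    [("sub", 2)],
    [("mul", 4), ("add", 1)],
    [("sub", 10)],
]
MASTER_KEY = b"constructed-demo-key"  # placeholder, not a real key


def serialize(block: List[Tuple[str, int]]) -> bytes:
    """Encode a block as 'op:n;op:n' bytes (the toy 'machine code')."""
    return ";".join(f"{op}:{n}" for op, n in block).encode()


def deserialize(data: bytes) -> List[Tuple[str, int]]:
    """Parse toy machine code; raises ValueError on anything that is not valid code."""
    items = []
    for item in data.decode("utf-8").split(";"):   # UnicodeDecodeError is a ValueError
        op, n = item.split(":")
        if op not in OPS:
            raise ValueError(f"unknown op {op!r}")
        items.append((op, int(n)))
    return items


def block_keystream(index: int, length: int) -> bytes:
    """Per-block keystream from the master key (demo construction, stands in for
    the undisclosed 'strong encryption' the vendor text mentions)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(MASTER_KEY + index.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_block(index: int, data: bytes) -> bytes:
    """XOR with the block keystream; applying it twice restores the original."""
    return bytes(a ^ b for a, b in zip(data, block_keystream(index, len(data))))


def count_readable_blocks(dump: List[bytes]) -> int:
    """What a dump-and-disassemble attempt recovers: blocks that parse as valid code."""
    readable = 0
    for data in dump:
        try:
            deserialize(data)
            readable += 1
        except ValueError:
            pass
    return readable


class ProtectedImage:
    def __init__(self, blocks: List[List[Tuple[str, int]]]):
        # Everything is stored encrypted at rest.
        self.memory = [xor_block(i, serialize(b)) for i, b in enumerate(blocks)]
        self.dumps: List[List[bytes]] = []   # memory snapshot after every step
        self.acc = 0

    def _dump(self) -> None:
        self.dumps.append(list(self.memory))

    def run(self) -> int:
        for i in range(len(self.memory)):
            self.memory[i] = xor_block(i, self.memory[i])   # decrypt block i in place
            self._dump()                                     # a dump here sees only block i
            for op, n in deserialize(self.memory[i]):
                if op == "add":
                    self.acc += n
                elif op == "mul":
                    self.acc *= n
                else:
                    self.acc -= n
            self.memory[i] = xor_block(i, self.memory[i])   # re-encrypt before moving on
            self._dump()
        return self.acc


def max_exposed_blocks(image: ProtectedImage) -> int:
    """Largest number of blocks readable in any single dump taken during the run."""
    return max(count_readable_blocks(d) for d in image.dumps)


if __name__ == "__main__":
    img = ProtectedImage(PAYLOAD_BLOCKS)
    print("result:", img.run())
    print("unprotected image, readable blocks:", count_readable_blocks([serialize(b) for b in PAYLOAD_BLOCKS]))
    print("protected image, max readable blocks in any dump:", max_exposed_blocks(img))
```

The point for analysis work is the last line: because each block is in the clear only for the duration of its own execution, a single dump recovers at most the block that was running when the dump was taken, so full reconstruction needs either the key material or dumps taken at every block transition, not one snapshot.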