This review is dedicated to Themida (in the past X-Protector), one of the most powerful and reliable protectors of Win32 applications. Since I recently needed Themida for one of my applications, I decided to write a short review on it. At the same time asked the author to answer some questions that interest me. I think the answers will be interesting to you too. Find the results of this short interview at the end of the article.

I want to note that the article is based on Themida version 2.1.3.30, the last one as of the date of this review. It has several new features in terms of macros. Demo two years ago with on the official site, they are deprived.


')

Basic information

In fact, there are four products based on Themida technology.

• Themida (Basic € 149 / Professional € 199)
• WinLicense (Basic € 349 / Professional € 399)
• X-Bundler (Basic 79 € / Professional 119 €)
• WinLicense DLL Control (99 €)
• Code Virtualizer (59 €)

Basic version from Professional differs only in the lack of ability to work with .NET applications. Everything that we will talk about further, works both in Themida and in WinLicense.

• Themida is the protector itself, which is the main subject of this article.
• WinLicense is Themida with the addition of the ability to protect applications based on all sorts of serial numbers. The WinLicense SDK is able to generate these serial numbers, check them, safely store, link to hardware, create trial serials with expiration by a specified date or after a specified number of launches, create password-protected applications and so on.
• X-Bundler is a plugin for Themida and WinLicense that allows you to embed external files into a secure application. For example, you can embed a help file or a * .mp3 file. Moreover, it is possible to access this file from the application as an external one lying on the disk. The application and will not know that the file is protected by Themida and is inside your * .exe. You can also embed the assembly used by the .NET application inside the main * .exe file.
• WinLicense DLL Control is a plugin for WinLicense, with which you can implement your security options based on serial numbers.
• CodeVirtualizer is a small independent piece of Themida that allows you to exclusively convert the specified functions inside your application into code for a Themida virtual machine. It does not provide any other protection (protection against debugging, encryption, integrity checks, etc. it does not exist). Allows you to protect both x32 and x64 applications, including drivers.

Themida automatic protection features

First, about the "boring platitudes".

• Anti-debugger. It supports both the detection of standard debuggers and kernel-level debuggers. There is also an aggressive search mode, but in this case, the application may refuse to run on computers with active anti-viruses, rootkits, or under Wine.
• Antidumper. Themida protects applications continuously. Dumping the memory of an application to a disk and then launching it will not remove protection (who would doubt. ... Such primitive methods have not worked for a long time)
• Entry Obfuscation (OEP). Themida hides the entry point to the library or application.
• Encryption resources. If your application includes any resources (icons, files, and so on), they will be encrypted and decrypted only when they are accessed.
• VMWare / VirtualPC compatibility. You can activate this mode so that the protected application can run under hypervisors.
• Wrapping Windows API calls. Themida hides information about the Windows API functions that your application calls. Information about the required libraries to run is also not available to the hacker.
• Protection of the application from modification. Themida can check the integrity of the application when it starts, without allowing the modified copy of the application to start. You can activate the mode in which the application after protection can be freely signed.
• Protecting the application's memory from modification during execution (useful if you are developing, for example, a game).
• Technology code mutation. All Themida core code that binds to your application is mutated and smeared. Each time this code is generated anew using virtualization techniques (see below).
• Protection from monitoring files and registry. Themida does not allow external programs to track a protected application to files or registry.
• Compression. Overlay protection leads to a rather strong increase in the size of the executable file on disk. To reduce this size, Themida supports the compression of both the application itself (with a built-in security code) and its resources.
• Themida is able to protect Delphi / C ++ Builder forms from a special way. The contents of the forms (in fact, a * .dfm file) cannot be extracted from both * .exe and during the execution of the application.

Almost all the features described can be turned on / off as you wish.

CodeReplace technology

The CodeReplace technology extracts parts of the application, inserts a garbage code instead, mixes the original code with the security code and stores it elsewhere in the application. When running a portion of the code protected by CodeReplace, after numerous checks, it is extracted and decrypted. After execution, it is replaced again with garbage. Themida can analyze your application itself and select functions that seem appropriate to it for such protection. But it will be better if you do it yourself using macros (they will be discussed later).

Virtual machine

Themida virtual machine is one of the most powerful ways to protect an application. Its essence lies in the fact that parts of your code are replaced by the generated assembler code, but not native to Intel processors, but by the code for an abstract virtual processor with its command system and internal structure. Themida each time randomly generates a plan for its architecture. Thus, the protection code becomes difficult to understand.
Themida supports several types of virtual processors:

• CISC. Basic security, protected code runs relatively quickly.
• CISC-2. Extended protection, code takes up more space than in the case of CISC. Slightly slower.
• RISC-64. Each virtual instruction takes 64 bits, protection is stronger than that of CISC, but the protected code is executed slowly.
• RISC-128. Advanced super-slow and super-secure version of RISC-64

For CISC processors, simultaneous embedding of several virtual processors of the same type, but with a different system of commands, into a protected application is supported. This increases security, but increases the size of the executable application code.

Generating noise allows you to mix useful instructions that do not mean anything that would make the hacker more difficult to work.

As in the case of CodeReplace, Themida can choose which functions within your program to protect by converting to code for a virtual machine. But it is better to do it yourself (see below).

Other

• Themida allows you to hide the application from PE scanners, which determine how the application is protected.
• Localization options are available for the application interface (windows with errors and system messages) and inserting splash screens (the startup time of the protected application increases by 500-5000 milliseconds depending on the protection settings, you need to take something at this time).
• Themida supports management from the command line, which allows it to be integrated into the Build system.

Now for a bit of sadness. Even if you use everything listed above, your application can still be broken. To make it harder for a hacker to work, you should use Themida macros. About them now and talk.

Macros Themida.

Themida macros are byte sequences that are embedded in an application that do not affect its operation until you protect the Themida application. They have a special meaning for the tread. In fact, they inform Themida about the intricacies of the internal structure of your code, allowing you to more effectively protect it.
Macros have start and end markers, defining the amount of source code to which they apply. Ready macros in the SDK are for assembler, C, D, Delphi and VisualBasic / Pure Basic. But in principle, they can be altered in two minutes to any language that supports assembly or simply byte inserts into the code. Here I will use the Delphi syntax that is closest to me.

Attention! Macros cannot be used in .NET and Visual Basic applications compiled into P-code.

VM

The VM macro restricts the area of ​​code that Themida should virtualize (turn into instructions for a virtual machine, the settings of which you specify in the interface). Used as follows:

{$I VM_Start.inc}
//
{$I VM_End.inc}


In this macro, it is recommended to wrap sections of code whose algorithm is of particular secrecy. For example, checking the activation key, decrypting data files, checking for the presence of a protection key, and so on.

Limitations:

• There should be no work with exceptions directly inside the block (try, raise)
• No other macros are allowed inside the block.

VM_WithLevel

The macro is similar to the VM macro in all, but provides additional protection by increasing the level of virtualization by the amount you specify. It is also used. To indicate the required level of virtualization, you will have to edit the corresponding * .inc file in Delphi (see the commentary in it). A large value of the virtualization level will lead to a strong bloat on the code. At level 0, the macro behaves the same way as the VM macro.

The limitations are the same as the VM macro.

CodeReplace

The macro marks the code for processing by CodeReplace technology, which we talked about above. Used in the same way as the VM macro.
The limitations are the same as the VM macro.
Encode
The macro marks a block of code that you want to encrypt and decrypt only before execution, encrypting it back when you exit the block. Used as well as the VM macro. This macro provides weaker protection than the VM and CodeReplace macros, but the code under it runs much faster.

Limitations:

• Cannot be used in DLL
• You cannot declare variables or exit a procedure inside a block (return / exit)

Clear

The macro marks the block of code that will be removed from the process after the first call. This macro is recommended for operations that your program performs only once per launch. For example, the calculation of session keys for data exchange or checking the presence of a license key. Used in the same way as the VM macro.

Limitations:

• Cannot be used in DLL

Unprotected

Marks the block to be removed from the application after protection. For example, it can be used to make an application report if it is not protected. It is used as well as all the described macros. There are no restrictions.

CheckProtection

In the demo version of Themida this macro is not available. It is used to verify the security of the application. Its use is best shown by an example taken from Themida SDK.

 procedure TForm1.Button4Click (Sender: TObject);
 var
   StatusProtection: Integer;
 begin
     {$ I CheckProtection_Prolog.inc}
     asm
       push $ 33333333
       pop StatusProtection
     end;
     {$ I CheckProtection_Epilog.inc}
     if StatusProtection = $ 33333333 then
       MessageBox (0, 'Protection OK.', 'Protection Check Macro', MB_OK + MB_ICONINFORMATION)
     else
       MessageBox (0, 'Application protection violated!', 'Attention!', MB_OK + MB_ICONERROR);
 end;

You define a number (of type Integer / Cardinal) that the macro should return in case the security is OK. In this example, 0x33333333. When protection is applied, assembler instructions push and pop will be removed from the program. Instead, a complex verification procedure will be inserted, which will return the specified number in the specified variable (in our example, the StatusProtection), if it does not detect any security violations. In case of detection of a security breach, the number will be random.

Of course, in real life as shown, this macro cannot be used. The simplest thing is to take any important constant used in the project, the value of which is not too obvious in the context and replace it with a variable. Then use this macro on this new variable somewhere early in the code. If the protection is removed, the value of this constant / variable will be incorrect, which most likely will lead to the collapse of the application in the most unexpected places.

Inside the macro block there should not be anything other than the specified assembler instructions.

CheckCodeIntegrity

In the demo version of Themida this macro is not available. The macro is very similar to CheckProtection, it just works with another part of the protection system. Its use is absolutely similar.

CheckVirtualPC

In the demo version of Themida this macro is not available. The macro is similar to the previous two, but it does not check for the presence of a protection system, but to launch a protected application under a hypervisor like VirtualPC or VMWare. Its use is absolutely similar. Unless it is worth combining with the corresponding checkbox in the program interface. Then, in a protected application, upon detection of a launch under the hypervisor, Themida will issue a warning, and if under VirtualPC they try to launch an application version with the Themida protection part removed, a macro will help you out.

Protection features of .NET applications.

Despite the fact that Themida can protect .NET applications, you need to keep in mind the following:

• After protection. NET application (*. Exe) ceases to be. NET assembly and becomes a normal Win32 application (with preservation, however, of all its functions, was checked on *. Exe file Paint.NET). Download the application as a assembly. NET will no longer work. Of course, this hinders the work of utilities like ILDASM.
• Macros inside .NET applications are not supported.
• The IL code inside the application remains intact, although it is encrypted, like the entire contents of the * .exe file. It can be subjected to obfuscator treatment before Themida protection.
• Protection of individual assemblies in the form of *. Dll is not supported yet. However, using the X-Bundler assembly, you can simply integrate into the main * .exe file.

Interview with Raphael

• What was the reason for stopping the development of X-Protector and the release of Themida?
• A few reasons. X-Protector was notorious for compatibility issues. We wanted to release a new product, devoid of these shortcomings. In addition, the development team has changed somewhat.
• What are your plans for Themida64 (support for protecting 64-bit applications)?
• Themida for x64 will be released in the coming months, and in the very near future our beta testers will receive it.
• What are the benefits of Themida custom builds?
• Unfortunately, we currently do not provide such a service, although we do have some opportunities for buyers with specific compatibility requirements.
• I saw that the help file mentions Wine and ReactOS. Do Themida-protected applications really work in these environments?
• Yes, applications protected by our protector should work successfully in these environments. These are the requirements of a large number of our customers.
• Does Themida use ring-0 based protection?
• Some time ago, the first versions of Themida did offer such protection. But after some time we removed the use of ring-0 to increase compatibility with new versions of Windows, implementing protection based on code virtualization instead.
• Themida is an extremely powerful protector. But what do you think about the approach that was implemented in ExeCryptor (the code there did not turn into codes for the virtual machine, but simply mutated and complicated, while remaining native for the processor).
• I think that ExeCryptor still had its own virtual machine. Opcodes that could be emulated - emulated. Those that can not - mutated in the x86 version. In any case, this is what I heard, as if I do not know.
• What are your plans for the future of Themida?
• In general, we are thinking about a serious redesign to further enhance protection. But above all, x64 support will be released, and all subsequent tread versions will support both x32 and x64 applications.