
Win32 and .NET application protection: Themida (X-Protector) review

This review is dedicated to Themida (formerly X-Protector), one of the most powerful and reliable protectors for Win32 applications. I recently needed Themida for one of my own applications, so I decided to write a short review of it. At the same time I asked the author to answer some questions that interest me. I think the answers will interest you too. The results of this short interview are at the end of the article.

Note that the article is based on the latest Themida version as of the date of this review. It has several new features in terms of macros. The two-year-old demo on the official site lacks them.


Basic information

In fact, there are four products based on Themida technology.

The basic version differs from Professional only in that it cannot work with .NET applications. Everything discussed below works in both Themida and WinLicense.

Themida automatic protection features

First, about the "boring platitudes".

Almost all the features described can be turned on / off as you wish.

CodeReplace technology

The CodeReplace technology extracts parts of the application, inserts garbage code in their place, mixes the original code with the protection code and stores it elsewhere in the application. When a portion of code protected by CodeReplace is about to run, it is extracted and decrypted after numerous checks. After execution, it is replaced with garbage again. Themida can analyze your application itself and select the functions it considers suitable for this kind of protection. But it is better to do this yourself using macros (discussed later).

Virtual machine

The Themida virtual machine is one of the most powerful ways to protect an application. The idea is that parts of your code are replaced with generated assembler code that is not native to Intel processors but is written for an abstract virtual processor with its own instruction set and internal structure. Themida randomly generates the design of this architecture each time. As a result, the protected code becomes difficult to understand.
Themida supports several types of virtual processors:

For CISC processors, several virtual processors of the same type but with different instruction sets can be embedded into a protected application at the same time. This increases security, but also increases the size of the application's executable code.

Noise generation mixes the useful instructions with instructions that do nothing, which makes the hacker's work more difficult.

As in the case of CodeReplace, Themida can choose which functions within your program to protect by converting to code for a virtual machine. But it is better to do it yourself (see below).


Now for a bit of sadness. Even if you use everything listed above, your application can still be broken. To make the hacker's work harder, you should use Themida macros. Let's talk about them now.

Themida macros

Themida macros are byte sequences embedded in an application that do not affect its operation until you protect the application with Themida. They have a special meaning for the protector. In effect, they tell Themida about the details of the internal structure of your code, allowing it to protect the code more effectively.
Macros have start and end markers that define the region of source code to which they apply. The SDK ships ready-made macros for assembler, C, D, Delphi and Visual Basic / PureBasic. But in principle they can be adapted in two minutes to any language that supports inline assembly or simply byte inserts into the code. Here I will use the Delphi syntax, which is the most familiar to me.

Attention! Macros cannot be used in .NET and Visual Basic applications compiled into P-code.


The VM macro delimits the region of code that Themida should virtualize (turn into instructions for a virtual machine whose settings you specify in the interface). It is used as follows:

{$I VM_Start.inc}
{$I VM_End.inc}

It is recommended to wrap in this macro the sections of code whose algorithm is particularly secret. For example, checking the activation key, decrypting data files, checking for the presence of a protection key, and so on.



The macro is similar to the VM macro in every respect, but provides additional protection by increasing the level of virtualization by the amount you specify. It is used in the same way. To set the required level of virtualization, you have to edit the corresponding *.inc file in Delphi (see the comment in it). A large virtualization level leads to severe code bloat. At level 0, the macro behaves the same way as the VM macro.

The limitations are the same as the VM macro.


The macro marks the code for processing by the CodeReplace technology, which we talked about above. It is used in the same way as the VM macro.
The limitations are the same as for the VM macro.

The macro marks a block of code that you want to be decrypted only just before execution and encrypted again when the block is exited. It is used in the same way as the VM macro. This macro provides weaker protection than the VM and CodeReplace macros, but the code under it runs much faster.



The macro marks the block of code that will be removed from the process after the first call. This macro is recommended for operations that your program performs only once per launch. For example, the calculation of session keys for data exchange or checking the presence of a license key. Used in the same way as the VM macro.



Marks the block to be removed from the application after protection. For example, it can be used to make an application report if it is not protected. It is used as well as all the described macros. There are no restrictions.


In the demo version of Themida this macro is not available. It is used to verify the security of the application. Its use is best shown by an example taken from Themida SDK.
 procedure TForm1.Button4Click(Sender: TObject);
 var
   StatusProtection: Integer;
 begin
   // $33333333 is the value the macro must return when the protection is intact
   {$I CheckProtection_Prolog.inc}
   asm
     push $33333333
     pop StatusProtection
   end;
   {$I CheckProtection_Epilog.inc}
   if StatusProtection = $33333333 then
     MessageBox(0, 'Protection OK.', 'Protection Check Macro', MB_OK + MB_ICONINFORMATION)
   else
     MessageBox(0, 'Application protection violated!', 'Attention!', MB_OK + MB_ICONERROR);
 end;

You define a number (of type Integer / Cardinal) that the macro should return if the protection is OK. In this example it is 0x33333333. When protection is applied, the assembler instructions push and pop are removed from the program. In their place a complex verification procedure is inserted, which returns the specified number in the specified variable (StatusProtection in our example) if it does not detect any violation of the protection. If a violation is detected, the number will be random.

Of course, in real life this macro cannot be used exactly as shown. The simplest approach is to take any important constant used in the project whose value is not too obvious from the context and replace it with a variable. Then use this macro on the new variable somewhere early in the code. If the protection is removed, the value of this constant / variable will be incorrect, which will most likely make the application crash in the most unexpected places.

Inside the macro block there should not be anything other than the specified assembler instructions.
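The constant-replacement technique described above, written out as an added example (not code from the Themida SDK or from the article's author). `HashMul`, its value `$2F0B4A57`, `InitHashMul` and `RecordChecksum` are hypothetical names and constructed values, and the SDK's CheckProtection include files are assumed to be on the include path of a 32-bit Delphi project.

```delphi
program ProtectedConstantDemo;   // Win32 target: the macro body is inline asm
{$APPTYPE CONSOLE}
{$Q-}{$R-}                       // the checksum relies on 32-bit wrap-around

uses
  SysUtils;

var
  // Was "const HashMul = $2F0B4A57" (constructed value). Now a variable that
  // holds the right number only while the protection is intact.
  HashMul: Cardinal;

// Call once, early at start-up, well away from the code that uses HashMul.
procedure InitHashMul;
var
  Value: Cardinal;
begin
  {$I CheckProtection_Prolog.inc}
  asm
    push $2F0B4A57
    pop Value
  end;
  {$I CheckProtection_Epilog.inc}
  // Unprotected build: push/pop run as written, so Value = $2F0B4A57.
  // Protected build: the inserted check returns $2F0B4A57 when it finds no
  // violation and a random number otherwise.
  HashMul := Value;
end;

// Hypothetical consumer: checksum of a data record. With a wrong HashMul the
// result is silently wrong and fails wherever it is compared later.
function RecordChecksum(const Data: AnsiString): Cardinal;
var
  I: Integer;
begin
  Result := 0;
  for I := 1 to Length(Data) do
    Result := (Result xor Byte(Data[I])) * HashMul;
end;

begin
  InitHashMul;
  Writeln(IntToHex(RecordChecksum('constructed sample record'), 8));
end.
```

Because nothing compares `HashMul` with the expected number, the program contains no single "protection OK?" branch to patch; the failure only shows up later, in whatever consumes the checksum.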


In the demo version of Themida this macro is not available. The macro is very similar to CheckProtection; it just works with another part of the protection system. It is used in exactly the same way.


In the demo version of Themida this macro is not available. The macro is similar to the previous two, but it checks not for the presence of the protection system but for the protected application being launched under a hypervisor such as VirtualPC or VMware. It is used in exactly the same way. It is worth combining it with the corresponding checkbox in the program interface. Then, in a protected application, Themida will issue a warning when it detects a launch under a hypervisor, and if someone tries to run a version of the application with the Themida protection part removed under VirtualPC, the macro will help you out.

Protection features of .NET applications.

Despite the fact that Themida can protect .NET applications, you need to keep in mind the following:

Interview with Raphael

Source: https://habr.com/ru/post/106920/
