What's new
RevTeam.Re - Reverse Engineering Team

Welcome Guest! Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox! Register and wait for our approve!

Magicmida 2026.05.14 (Themida unpacker)

wsorg

Member
Joined
Dec 26, 2022
Messages
18
Reaction score
375
Magicmida is a fully automated Themida unpacker.

Magicmida.jpg


Features:

• Unpacking: Unpacks the binary file of your choice. The unpacked binary file will be saved with a U suffix.
• File section handling: Restores .rdata/.data sections. Works only for very specific purposes.
• Process memory dump: Allows inputting the PID of a running process, whose .text section will be overwritten by the already unpacked file. This is useful after using Oreans Unvirtualizer in OllyDbg.
• File resource rebuilding: Removes all unused sections (if virtualization has been removed or if your binary file does not utilize virtualization).
• Anti-anti-debugging: Newer versions of Themida detect hardware breakpoints. To counter this, ScyllaHide injection is supported. The corresponding profile comes bundled with Magicmida. You just need to download SycllaHide and place HookLibraryx86.dll and InjectorCLIx86.exe next to Magicmida.exe.

Magicmida v2026.05.14
Homepage:
Please, Log in to view URLs content!


 
Last edited:

wsorg

Member
Joined
Dec 26, 2022
Messages
18
Reaction score
375
New version Magicmida: 2024-05-05

- added support for newer Themida v3 IAT anti-dump measures.
- added hack for stolen/virtualized Themida v3 MSVC OEP.
- added support for Themida v2 binaries that aren't compressed/encrypted.

The header has been updated!
 

wsorg

Member
Joined
Dec 26, 2022
Messages
18
Reaction score
375
New version Magicmida: 2024-05-11

- removed unnecessary checks from Themida v3 import tracing for better Delphi compatibility;
- fixed an issue where an exception in some random unrelated thread would interfere with import tracing;
- added support for targets that utilize Thread Local Storage via the PE TLS directory;
- changed IAT start determination to hopefully avoid unfortunate edge cases;
- added support for more IAT forwards (crypt32 and dbghelp);
- added headless/command line mode for easier automation.

The header has been updated!
 

wsorg

Member
Joined
Dec 26, 2022
Messages
18
Reaction score
375
New version Magicmida: 2024-05-16

- Made call site tracing slightly more performant in some scenarios.
- Fixed regression with binaries that have a TLS directory but callbacks are not called.
- Fixed edge case in Themida v2 Special IAT Patch.
- Fixed rare issue where IAT ended up too big.
- Added workaround for issue where certain older binaries were incorrectly assumed to be Themida v3.

The header has been updated!
 

FR36

Well-known member
Joined
Feb 14, 2023
Messages
195
Reaction score
162
so anyone have unpacke method
themida winlicense 3.xx
 

reguser

New member
Joined
Jul 5, 2024
Messages
3
Reaction score
1
Please, Log in to view quote content!

Tried to run the latest version. It started and then executed the program. After clicking on the program's popup OK button, it said process finished, but when I clicked on "Dump Process" it asked for a PID. How do I reply to this prompt?
 

wsorg

Member
Joined
Dec 26, 2022
Messages
18
Reaction score
375
New version of Magicmida (2025-09-14):

- ScyllaHide: Disable KiUserExceptionDispatcherHook and NtContinueHook - they don't seem to be required and cause issues with hardware breakpoints for some targets.
- Debugger: Patch pShimData in target so apphelp doesn't install random hooks.
- Patcher: Add data section pattern for TWMS locale.
- Improve detection of TLS entrypoints.
- Remove ExceptionInformation check, doesn't work properly for some targets (for TLS entrypoints).
- IAT: When scanning from text start, don't impose a limit.

P.S. Download link in the thread header.
 

wsorg

Member
Joined
Dec 26, 2022
Messages
18
Reaction score
375
New release of Magicmida (2026-05-14)!

Changes in this version:

- add support for OneCore in IAT reconstruction. If detected, apiset DLLs will be used for imports where applicable.
- add experimental support for unpacking Go binaries (not widely tested).
- dumper: Rework the way IAT thunks and forwards are handled. This should hopefully solve the issue of invalid IATs being generated.
- add missing bounds checks that broke unpacking some DLLs.
- support unpacking DLLs that have an SxS manifest (e.g., depending on very specific MSVC versions).
- reconstruct stolen/partially virtualized MSVC9 DLL OEP.
- fix dumping binaries that have a NOACCESS retpoline section.
- dumper: Add forward handling for advapi32 and setupapi.
- fix a bug where IAT search failed for Delphi applications with a virtualized OEP (disasm result error).
- fix AntiDumpFix not respecting image base.
- gUI: Add option to copy entire log when right-clicking log.
- x64: Improve TLS handling for weird targets.
- add sanity check for functional x64 ScyllaHide version.
- add sanity check for if the binary is packed in the first place.
- add support for unpacking DLL files.
- x64: Improve unpacking logic for broader compatibility.
- fix a critical bug that could rarely cause the unpacked file to be saved and then deleted immediately.
- add more descriptive error when using the wrong build of Magicmida for a file.
- change: If you run Magicmida with a changed working directory, it will assume you want that path as the working directory for the target process.
- x64: Fix a critical bug in PEB patching that caused access violations early on.
- add support for dumping .NET binaries.
- x64: Fix cases of corrupt IAT caused by hooked ExitProcess API.
- x64: Add support for restoring virtualized OEPs for MSVC 9 and higher.
- new: Add 64-bit build that can unpack Themida x64 applications. This is experimental.
- add support for ordinal imports.
- fix regressions with very old targets introduced a while ago.
- internal refactoring / code structure improvements.

Header has been updated!
 
Last edited:

wsorg

Member
Joined
Dec 26, 2022
Messages
18
Reaction score
375
I conducted an experiment using the latest available version of Themida (v3.2.4.52) to pack a test file. It turns out that the latest Magicmida release fails to unpack it in only one specific case: when the “Entry Point Virtualization” option is enabled in Themida (see screenshot). Moreover, during the unpacking attempt, Magicmida logs the following error: “Don't know what to do about OEP for this compiler. Your target likely won't run” (see screenshot). Hopefully, this issue will be fixed in future releases.

Безымянный 1.pngБезымянный 2.png
 
Last edited:
Top