We don't recommend ENCODE or CLEAR macros in DLLs but instead, use VM or CodeReplace macros.
Insertion of ENCODE and CLEAR macros in DLLs are a bit tricky. Themida inspects your application searching for macros. Once a macro is found, it gets encrypted at protection time. The problem appears with DLLs as they can be relocated in memory, so some references need to be fixed in the DLL at runtime thus allowing the DLL be relocated in memory. Note: All of the references to be fixed are included in the relocation section of a DLL. If one of those references to fix in the DLL were included in an ENCODE or CLEAR macro, the reference will be fixed incorrectly, because all the code in the ENCODE/CLEAR macro is encrypted until it needs to be executed.
To show an example of this situation, take a look at the following code:
The problem with the above code is the instruction: "s = "Hello World";".
int a = 0;
s = "Hello World";
for (int i = 0; i < 10; i++)
a = a * i;
Have a look at its disassembly:
mov [ebp - 0xC], 0x403140
Where [ebp - 0xC] is the value of "s" in the stack and 403140 points to the data section (string "Hello World"). If the DLL is relocated, so it will be its data section. In our above example, the offset 0x403140 in the instruction "mov [ebp - 0xC], 0x403140" will not be relocated properly, because it is encrypted inside the macro.
All the above problems will not happen with VM or CodeReplace macros in DLLs, because those macros can relocate the code for DLLs in runtime.