View Full Version : CHimpREC & CHimpREC-64


TiGa
June 23rd, 2008, 17:08
CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam
IITAC (http://www.iitac.org)

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

This is the same version that was used at the conference.
The first official release will come soon.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

*WARNING* The 32-bit version might have been overpacked, I'll resend a less protected version if too many people are having problems.

The Visual Studio 2005 SP1 redistributable package might be necessary too:
x86:
http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
x64:
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en

TiGa
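An added illustration of the "IAT AutoSearch from ImageBase or OEP" feature listed above, written for this thread and not CHimpREC's own code: it walks a constructed 64-bit image for the longest run of 8-byte thunks that point into known module ranges, then splits the run at its null terminators into per-DLL groups, which is the raw material an imports rebuilder turns back into an import table. The module map, the addresses and the sample image are constructed assumptions.

```python
import struct
PTR = 8  # thunk width on x64
# Constructed module map (assumption for the demo): name -> (base, size)
MODULES = {"kernel32.dll": (0x7FF800000000, 0x100000),
           "user32.dll": (0x7FF900000000, 0x80000)}

def module_for(address):
    """Module whose address range contains address, else None."""
    for name, (base, size) in MODULES.items():
        if base <= address < base + size:
            return name
    return None

def iat_autosearch(image, start_rva, min_entries=3):
    """Scan from start_rva (ImageBase or OEP) for the longest run of thunks
    into known modules. One null slot is a DLL-group terminator; a second
    null or a non-pointer ends the run. Returns (rva, size, entries) or None."""
    best, run = None, None  # run = [rva, end, entries, pending_nulls]
    def close(run, best):
        if run and run[2] >= min_entries and (best is None or run[2] > best[2]):
            return (run[0], run[1] - run[0], run[2])
        return best
    for off in range(start_rva - start_rva % PTR, len(image) - PTR + 1, PTR):
        value = struct.unpack_from("<Q", image, off)[0]
        if module_for(value):
            run = run or [off, off, 0, 0]
            run[1:] = off + PTR, run[2] + 1, 0  # extend end, count, reset nulls
        elif run and value == 0 and run[3] == 0:
            run[3] = 1
        elif run:
            best, run = close(run, best), None
    return close(run, best)

def group_imports(image, rva, size):
    """Split a thunk run at null terminators into (dll, [thunks]) groups."""
    groups, current = [], []
    for value in struct.unpack_from("<%dQ" % (size // PTR), image, rva) + (0,):
        if value:
            current.append(value)
        elif current:
            groups.append((module_for(current[0]), current)); current = []
    return groups

def build_sample_image():
    """Constructed 4 KiB image: IAT at RVA 0x200 (two kernel32 thunks, a null
    terminator, one user32 thunk) and a stray non-pointer value at 0x300."""
    image = bytearray(0x1000)
    struct.pack_into("<4Q", image, 0x200, 0x7FF800001000, 0x7FF800002000, 0, 0x7FF900001000)
    struct.pack_into("<Q", image, 0x300, 0x1234)
    return bytes(image)
```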

dELTA
June 24th, 2008, 03:19
Nice!

And thanks for uploading it to the CRCETL too!

http://www.woodmann.com/collaborative/tools/CHimpREC

Oh, and please upload any updates directly to this CRCETL entry instead of attaching them in the forums (announcements in the forums are of course still very welcome though).

NeOXOeN
June 24th, 2008, 14:26
lol, TiGa's video is so funny when he was talking, but he did a great job... nevertheless he sounds like a FRENCH dude :P

Silkut
June 24th, 2008, 15:01
Yes, French accent but definitely Canadian intonations.
Cool tool btw.

TiGa
June 25th, 2008, 12:16
In a general way, everybody's got an accent for somebody else.

TiGa

dELTA
June 27th, 2008, 15:12
Hey TiGa, there's a comment on the CRCETL page about the program not being runnable inside VMware, due to an overly protective protection/packer.

I agree that this is very unfortunate, since many people (including me) do most/all of their reversing/malware analysis inside virtual machines.

Would it be possible to remove this protection "feature"?

Also, just in general, it's a little bit ironic that you're trying to protect a reversing/unpacking tool so hard with one or several packers, wouldn't you say?

TiGa
June 27th, 2008, 15:40
The actual version in the CRCETL doesn't check for that anymore.
If that message still pops up, you're using the wrong version.

lARP was a bit over-paranoid, not to say schizoid.
All the testing looked ok to me, even when running in a VM.
It was never intended not to allow it in a VM.
Everything is fixed now, no more lARP, lARP is gone.

Also, I'd say that about 75% of the "not working" comments everywhere were caused by people not installing the redistributable packages as suggested, not because of the packer.

The protector was mostly to ward off script kiddies.
I knew that anybody who would really want to unpack it would manage to anyway.

I'm working on the next version already, which will include the changes that were done in the "knock-off" Chinese version.

TiGa

dELTA
June 27th, 2008, 18:24
Great! And looking forward to the new version.

NeOXOeN
June 27th, 2008, 19:13
I don't know if you have this, but it would be nice if you had, like, an exit button like F12 or something for when your app freezes..

TiGa
June 29th, 2008, 16:29
Me no understandy problèm, me FRENCH dude.

Maybe you could tell me in what conditions the program freezes or what you call a freeze exactly.

It takes more time than ImpRec to Get Imports when there is a shitload of modules or imports.
Firefox is one of the longest that I have seen (and remember) but it takes less than 10 seconds.

If you don't describe problems beyond: "it freezes" or "doesn't work", I cannot really fix them.

TiGa

JMI
June 29th, 2008, 18:52
And please try your best not to use "like" as an acceptable "modifier" for anything in the written English language.

It's "like" one of the worst "like" slang expressions of the "like" modern era.

As in "like dude, that's so like lame."

But heck, my kids, who are themselves young adults, also occasionally sneak one or two in a sentence on occasion. "Like wow!"

Regards,

disavowed
July 3rd, 2008, 15:52
TiGa, any chance of adding the feature I suggested at REcon? (Auto-updating the OEP field with the current EIP of the (only) thread in the target process.)

TiGa
July 4th, 2008, 06:46
Thank you for reminding me again, I had honestly forgotten completely.
I thought of including a yes/no nag if the OEP was not modified but this is much better.

That feature would have saved my demo at ReCon, I'm pretty sure that I forgot to change the OEP.

Following some other suggestions that I received, the next version will probably also include:
ImpREC plugin support (32-bit)
Resizable/Maximizable window
Disassembler (32-bit)

That would make CHimpREC roughly equivalent to ImpREC but with some additional bugfixes.

TiGa

evaluator
July 27th, 2008, 15:52
TiGa, today I finished playing with viri, had time & tested your CHimpREC.
Please compare with the original ITable: are the IMP_function names at their
exact placements?

TiGa
July 28th, 2008, 08:19
Could you please delete that attachment?
As a common courtesy, like I asked you privately by PM...

My tool is not an UnpackMe.

If you want to unpack it, please keep the result to yourself.

TiGa

evaluator
July 28th, 2008, 10:43
But I never said I'm unpacking only "unpackme"s.
I'm an unpack-hobbyist. I UNp anything everywhere..

Have you other ARGs!?

BTW: you can ask Don Wooma about it!

TiGa
July 28th, 2008, 14:40
So basically, you're saying: "I can unpack it so I will. Screw you!".
Nice attitude!

How many arguments would it take to convince you otherwise?
2? 4? 6? 23?
I really thought it was common sense, you don't post a modified version of somebody else's work, especially when he asks you not to.
I guess that it was terribly wrong of me.

I would have preferred a "Thanks! Nice tool!" or "Hey! I unpacked your tool" instead of "I unpacked your tool, here is the attachment"

Did you at least try it?

TiGa

evaluator
July 28th, 2008, 15:16
BTW: I have not yet unpacked your tool! Only 90%;
code needs to be recovered from LEA EAX,EAX

BTW: I found a failure in the protector & wrote it up:
http://community.reverse-engineering.net/viewtopic.php?f=14&t=2123

xenakis
July 28th, 2008, 15:16
From the FAQ:

"DO NOT UPLOAD (ATTACH) ANY KIND OF COPYRIGHTED MATERIAL, INCLUDING EXECUTABLES OR OTHER PARTS OF SOFTWARE THAT YOU DO NOT HAVE EXPLICIT RIGHTS TO DISTRIBUTE (AND DON'T EVEN THINK ABOUT UPLOADING PATCHED, OR OTHERWISE MODIFIED VERSIONS OF THE SAME)!"

I believe CHimpREC does include that little © symbol (which is actually not necessary to copyright something).

dELTA
July 28th, 2008, 15:45
Evaluator, please respect the rules, and especially respect our members.

As mentioned above, the rules do indeed forbid you to post unpacked or otherwise modified programs (or even unmodified, if just commercial/copyrighted and against the license/will of the author) or other material on this board.

It is completely ok to describe HOW to unpack a certain generic packer/protector though (or even an entire custom protection, if just not the target name is revealed), but not to upload an unpacked/cracked product.

TiGa
July 28th, 2008, 16:21
I really don't want to make a big deal out of this and start an argument.
I just don't want any "unofficial" versions popping up left and right.

I simply see no need to unpack it now.
The version available from the CRCETL works in VMs.

TiGa

BTW evaluator, you can unblock me from your PM list if you want.

evaluator
July 28th, 2008, 17:16
Wow, bad news!
Should I also remove all my unpacks? All fall under these terms!!
Are you sure? Or have times changed!?

Woodmann
July 28th, 2008, 17:26
Please respect the FAQ.

By disregarding it, you put me in a situation where I risk having the server shutdown.

Then we have to move.
Then we have to set up a new server.
Then we have to fix all the bugs.

This takes time and costs me money.

Be kind please.

Woodmann

evaluator
July 29th, 2008, 02:06
I will respect! Maybe.

You think TiGa is such a person, who likes your server shutdown!?

TiGa, I blocked all privmsg, except from admin.. "don't take"
I had not MFC80.dll, so I have not tested your app. Just unpacked, had time;
after the sea I will test, recover SRS & share with.. (meself!?