A forum for reverse engineering, OS internals and malware analysis 

 #27788  by EP_X0FF
 Sun Jan 31, 2016 6:42 am
Long story short - meet an idiot and ripper, presumably from China -> https://github.com/xsysvermin and "his" BypassUAC project, which is a blatant copy-paste of my UACMe with the following "additions"
Comparing files C:\MALWARE\ORIGINAL\apphelp.h and C:\MALWARE\AUTIST_RIP\apphelp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\carberp.c and C:\MALWARE\AUTIST_RIP\carberp.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\carberp.h and C:\MALWARE\AUTIST_RIP\carberp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\cmdline.c and C:\MALWARE\AUTIST_RIP\cmdline.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\cmdline.h and C:\MALWARE\AUTIST_RIP\cmdline.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\compress.c and C:\MALWARE\AUTIST_RIP\compress.c
***** C:\MALWARE\ORIGINAL\compress.c

        if (FinalCompressedSize == NULL)
                return NULL;

        do {
***** C:\MALWARE\AUTIST_RIP\compress.c

        do {
*****

Comparing files C:\MALWARE\ORIGINAL\compress.h and C:\MALWARE\AUTIST_RIP\compress.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\consts.h and C:\MALWARE\AUTIST_RIP\consts.h
***** C:\MALWARE\ORIGINAL\consts.h

#define PROGRAMTITLE TEXT("#UACMe#")
#define WOW64STRING TEXT("Apparently it seems you are running under WOW64.\n\r\
This is not supported, run x64 version of this tool.")
#define WOW64WIN32ONLY TEXT("This method only works with x86-32 Windows or from Wow64")
***** C:\MALWARE\AUTIST_RIP\consts.h

#define PROGRAMTITLE TEXT("#BypassUAC#")
#define WOW64STRING TEXT("Apparently it seems you are running under WOW64.\n\rThis is not supported, run x64 version of this tool.")
#define WOW64WIN32ONLY TEXT("This method only works with x86-32 Windows or from Wow64")
*****

***** C:\MALWARE\ORIGINAL\consts.h
#define UACFIX TEXT("This method fixed/unavailable in the current version of Windows, do you still want to continue?")
#define RESULTOK TEXT("Bye-bye!")
#define RESULTFAIL TEXT("Something went wrong")
#define T_AKAGI_KEY    L"Software\\Akagi"
#define T_AKAGI_PARAM  L"LoveLetter"

***** C:\MALWARE\AUTIST_RIP\consts.h
#define UACFIX TEXT("This method fixed/unavailable in the current version of Windows, do you still want to continue?")
#define RESULTOK TEXT("Injeact success!")
#define RESULTFAIL TEXT("Something went wrong")
#define T_AKAGI_KEY    L"Software\\bypassuac"
#define T_AKAGI_PARAM  L"uac_is_disabled"

*****

Comparing files C:\MALWARE\ORIGINAL\fubuki32.h and C:\MALWARE\AUTIST_RIP\fubuki32.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\fubuki32comp.h and C:\MALWARE\AUTIST_RIP\fubuki32comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\fubuki64.h and C:\MALWARE\AUTIST_RIP\fubuki64.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\fubuki64comp.h and C:\MALWARE\AUTIST_RIP\fubuki64comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\global.h and C:\MALWARE\AUTIST_RIP\global.h
***** C:\MALWARE\ORIGINAL\global.h
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2016
*
*  TITLE:       GLOBAL.H
***** C:\MALWARE\AUTIST_RIP\global.h
*
*  TITLE:       GLOBAL.H
*****

Comparing files C:\MALWARE\ORIGINAL\gootkit.c and C:\MALWARE\AUTIST_RIP\gootkit.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\gootkit.h and C:\MALWARE\AUTIST_RIP\gootkit.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hibiki32.h and C:\MALWARE\AUTIST_RIP\hibiki32.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hibiki32comp.h and C:\MALWARE\AUTIST_RIP\hibiki32comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hibiki64.h and C:\MALWARE\AUTIST_RIP\hibiki64.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hibiki64comp.h and C:\MALWARE\AUTIST_RIP\hibiki64comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hybrids.c and C:\MALWARE\AUTIST_RIP\hybrids.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hybrids.h and C:\MALWARE\AUTIST_RIP\hybrids.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\inazuma32.h and C:\MALWARE\AUTIST_RIP\inazuma32.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\inject.c and C:\MALWARE\AUTIST_RIP\inject.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\inject.h and C:\MALWARE\AUTIST_RIP\inject.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\kongou32.h and C:\MALWARE\AUTIST_RIP\kongou32.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\kongou32comp.h and C:\MALWARE\AUTIST_RIP\kongou32comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\kongou64.h and C:\MALWARE\AUTIST_RIP\kongou64.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\kongou64comp.h and C:\MALWARE\AUTIST_RIP\kongou64comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\main.c and C:\MALWARE\AUTIST_RIP\main.c
***** C:\MALWARE\ORIGINAL\main.c
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2016
*
*  TITLE:       MAIN.C
***** C:\MALWARE\AUTIST_RIP\main.c
*
*  TITLE:       MAIN.C
*****

***** C:\MALWARE\ORIGINAL\main.c
        case ERROR_BAD_ARGUMENTS:
                ucmShowMessage(TEXT("Usage: Akagi.exe [Method] [OptionalParamToExecute]"));
                break;
***** C:\MALWARE\AUTIST_RIP\main.c
        case ERROR_BAD_ARGUMENTS:
                ucmShowMessage(TEXT("Usage: BapassUAC.exe [1-16] [OptionalParamToExecute]\n\nExample:\BapassUAC.exe 1 cmd.exe"));
                break;
*****

***** C:\MALWARE\ORIGINAL\main.c

VOID main()
{
***** C:\MALWARE\AUTIST_RIP\main.c

int main()
{
*****

***** C:\MALWARE\ORIGINAL\main.c
        uResult = ucmMain();
        if (uResult == ERROR_SUCCESS) {
                OutputDebugString(RESULTOK);
***** C:\MALWARE\AUTIST_RIP\main.c
        uResult = ucmMain();
        if (uResult == ERROR_SUCCESS) 
        {
                OutputDebugString(RESULTOK);
*****

***** C:\MALWARE\ORIGINAL\main.c
        ExitProcess(uResult);
}
***** C:\MALWARE\AUTIST_RIP\main.c
        ExitProcess(uResult);

        return 0;
}
*****

Comparing files C:\MALWARE\ORIGINAL\makecab.c and C:\MALWARE\AUTIST_RIP\makecab.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\makecab.h and C:\MALWARE\AUTIST_RIP\makecab.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\minirtl.h and C:\MALWARE\AUTIST_RIP\minirtl.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\ntos.h and C:\MALWARE\AUTIST_RIP\ntos.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\pitou.c and C:\MALWARE\AUTIST_RIP\pitou.c
***** C:\MALWARE\ORIGINAL\pitou.c


                r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
***** C:\MALWARE\AUTIST_RIP\pitou.c

                r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
*****

***** C:\MALWARE\ORIGINAL\pitou.c


                r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
***** C:\MALWARE\AUTIST_RIP\pitou.c

                r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
*****

Comparing files C:\MALWARE\ORIGINAL\pitou.h and C:\MALWARE\AUTIST_RIP\pitou.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\resource.h and C:\MALWARE\AUTIST_RIP\resource.h
Comparing files C:\MALWARE\ORIGINAL\rtltypes.h and C:\MALWARE\AUTIST_RIP\rtltypes.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\simda.c and C:\MALWARE\AUTIST_RIP\simda.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\simda.h and C:\MALWARE\AUTIST_RIP\simda.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\strtoul.c and C:\MALWARE\AUTIST_RIP\strtoul.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\sup.c and C:\MALWARE\AUTIST_RIP\sup.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\sup.h and C:\MALWARE\AUTIST_RIP\sup.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\ultostr.c and C:\MALWARE\AUTIST_RIP\ultostr.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strcat.c and C:\MALWARE\AUTIST_RIP\_strcat.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strcmp.c and C:\MALWARE\AUTIST_RIP\_strcmp.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strcmpi.c and C:\MALWARE\AUTIST_RIP\_strcmpi.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strcpy.c and C:\MALWARE\AUTIST_RIP\_strcpy.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strend.c and C:\MALWARE\AUTIST_RIP\_strend.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strlen.c and C:\MALWARE\AUTIST_RIP\_strlen.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strncmp.c and C:\MALWARE\AUTIST_RIP\_strncmp.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strncmpi.c and C:\MALWARE\AUTIST_RIP\_strncmpi.c
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\_strncpy.c and C:\MALWARE\AUTIST_RIP\_strncpy.c
FC: no differences encountered

FC: cannot open C:\MALWARE\AUTIST_RIP\resource.h - No such file or folder
So he actually:

1) Killed all copyrights
2) Relabeled the tool as "BypassUAC"
3) Destroyed the functionality of the payload dlls
4) Removed the VERSION_INFO block
5) Added more spaces and returns
6) Changed VOID to int and added a return

Great additions!

The most important part with all these rippers - they are so fucking dumb every time, so when they try to change something inside code, they don't fucking know how it actually works.

This autist changed the key name from

orig
#define T_AKAGI_KEY    L"Software\\Akagi"
#define T_AKAGI_PARAM  L"LoveLetter"
to

rip
#define T_AKAGI_KEY    L"Software\\bypassuac"
#define T_AKAGI_PARAM  L"uac_is_disabled"
but where is this used? Inside Fubuki and Hibiki. This is the key and param used to transfer a custom parameter to these dlls. So if you change their names you have to do this inside the dlls too, recompile them, recrypt and merge them into Akagi. But this autist didn't
Comparing files C:\MALWARE\ORIGINAL\hibiki32.h and C:\MALWARE\AUTIST_RIP\hibiki32.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hibiki32comp.h and C:\MALWARE\AUTIST_RIP\hibiki32comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hibiki64.h and C:\MALWARE\AUTIST_RIP\hibiki64.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\hibiki64comp.h and C:\MALWARE\AUTIST_RIP\hibiki64comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\fubuki32.h and C:\MALWARE\AUTIST_RIP\fubuki32.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\fubuki32comp.h and C:\MALWARE\AUTIST_RIP\fubuki32comp.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\fubuki64.h and C:\MALWARE\AUTIST_RIP\fubuki64.h
FC: no differences encountered

Comparing files C:\MALWARE\ORIGINAL\fubuki64comp.h and C:\MALWARE\AUTIST_RIP\fubuki64comp.h
FC: no differences encountered
Nope autist, this won't work.

Another interesting part of this story is the twitter autists who retweet every shit they see, without any kind of understanding. And what a surprise - all of them claim themselves to be "security consultants", "experts" or "evangelists" (of what? stupidity, must be?).

Now imagine one simple thing. If this ripper was smart enough, he could actually put some malware inside these encrypted arrays (we can't know what's inside, he hasn't even provided/ripped the source code of these dlls) - and when you use this tool, this malware will activate with full admin access. And all these twitter monkeys will retweet/like this. Another bunch of idiots sits on github, doing the same. I strongly suggest to all of them - kill yourself.

P.S.
fucking idiot
Injeact success!
BapassUAC.exe
 #29243  by EP_X0FF
 Mon Sep 19, 2016 9:13 am
Tula33923 wrote: What's the point of the Github bots? I guess more popularity?
I mean they are maybe not computer bots, but humans acting like bots.