xsysvermin a ripper from China and "his" BypassUAC
Posted: Sun Jan 31, 2016 6:42 am
Long story short - meet an idiot and ripper, presumably from China -> https://github.com/xsysvermin and "his" BypassUAC project, which is a blatant copy-paste of my UACMe with the following "additions":
So he actually:
Code:
Comparing files C:\MALWARE\ORIGINAL\apphelp.h and C:\MALWARE\AUTIST_RIP\apphelp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\carberp.c and C:\MALWARE\AUTIST_RIP\carberp.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\carberp.h and C:\MALWARE\AUTIST_RIP\carberp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\cmdline.c and C:\MALWARE\AUTIST_RIP\cmdline.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\cmdline.h and C:\MALWARE\AUTIST_RIP\cmdline.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\compress.c and C:\MALWARE\AUTIST_RIP\compress.c
***** C:\MALWARE\ORIGINAL\compress.c
if (FinalCompressedSize == NULL)
return NULL;
do {
***** C:\MALWARE\AUTIST_RIP\compress.c
do {
*****
Comparing files C:\MALWARE\ORIGINAL\compress.h and C:\MALWARE\AUTIST_RIP\compress.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\consts.h and C:\MALWARE\AUTIST_RIP\consts.h
***** C:\MALWARE\ORIGINAL\consts.h
#define PROGRAMTITLE TEXT("#UACMe#")
#define WOW64STRING TEXT("Apparently it seems you are running under WOW64.\n\r\
This is not supported, run x64 version of this tool.")
#define WOW64WIN32ONLY TEXT("This method only works with x86-32 Windows or from Wow64")
***** C:\MALWARE\AUTIST_RIP\consts.h
#define PROGRAMTITLE TEXT("#BypassUAC#")
#define WOW64STRING TEXT("Apparently it seems you are running under WOW64.\n\rThis is not supported, run x64 version of this tool.")
#define WOW64WIN32ONLY TEXT("This method only works with x86-32 Windows or from Wow64")
*****
***** C:\MALWARE\ORIGINAL\consts.h
#define UACFIX TEXT("This method fixed/unavailable in the current version of Windows, do you still want to continue?")
#define RESULTOK TEXT("Bye-bye!")
#define RESULTFAIL TEXT("Something went wrong")
#define T_AKAGI_KEY L"Software\\Akagi"
#define T_AKAGI_PARAM L"LoveLetter"
***** C:\MALWARE\AUTIST_RIP\consts.h
#define UACFIX TEXT("This method fixed/unavailable in the current version of Windows, do you still want to continue?")
#define RESULTOK TEXT("Injeact success!")
#define RESULTFAIL TEXT("Something went wrong")
#define T_AKAGI_KEY L"Software\\bypassuac"
#define T_AKAGI_PARAM L"uac_is_disabled"
*****
Comparing files C:\MALWARE\ORIGINAL\fubuki32.h and C:\MALWARE\AUTIST_RIP\fubuki32.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\fubuki32comp.h and C:\MALWARE\AUTIST_RIP\fubuki32comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\fubuki64.h and C:\MALWARE\AUTIST_RIP\fubuki64.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\fubuki64comp.h and C:\MALWARE\AUTIST_RIP\fubuki64comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\global.h and C:\MALWARE\AUTIST_RIP\global.h
***** C:\MALWARE\ORIGINAL\global.h
*
* (C) COPYRIGHT AUTHORS, 2014 - 2016
*
* TITLE: GLOBAL.H
***** C:\MALWARE\AUTIST_RIP\global.h
*
* TITLE: GLOBAL.H
*****
Comparing files C:\MALWARE\ORIGINAL\gootkit.c and C:\MALWARE\AUTIST_RIP\gootkit.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\gootkit.h and C:\MALWARE\AUTIST_RIP\gootkit.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hibiki32.h and C:\MALWARE\AUTIST_RIP\hibiki32.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hibiki32comp.h and C:\MALWARE\AUTIST_RIP\hibiki32comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hibiki64.h and C:\MALWARE\AUTIST_RIP\hibiki64.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hibiki64comp.h and C:\MALWARE\AUTIST_RIP\hibiki64comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hybrids.c and C:\MALWARE\AUTIST_RIP\hybrids.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hybrids.h and C:\MALWARE\AUTIST_RIP\hybrids.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\inazuma32.h and C:\MALWARE\AUTIST_RIP\inazuma32.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\inject.c and C:\MALWARE\AUTIST_RIP\inject.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\inject.h and C:\MALWARE\AUTIST_RIP\inject.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\kongou32.h and C:\MALWARE\AUTIST_RIP\kongou32.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\kongou32comp.h and C:\MALWARE\AUTIST_RIP\kongou32comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\kongou64.h and C:\MALWARE\AUTIST_RIP\kongou64.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\kongou64comp.h and C:\MALWARE\AUTIST_RIP\kongou64comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\main.c and C:\MALWARE\AUTIST_RIP\main.c
***** C:\MALWARE\ORIGINAL\main.c
*
* (C) COPYRIGHT AUTHORS, 2014 - 2016
*
* TITLE: MAIN.C
***** C:\MALWARE\AUTIST_RIP\main.c
*
* TITLE: MAIN.C
*****
***** C:\MALWARE\ORIGINAL\main.c
case ERROR_BAD_ARGUMENTS:
ucmShowMessage(TEXT("Usage: Akagi.exe [Method] [OptionalParamToExecute]"));
break;
***** C:\MALWARE\AUTIST_RIP\main.c
case ERROR_BAD_ARGUMENTS:
ucmShowMessage(TEXT("Usage: BapassUAC.exe [1-16] [OptionalParamToExecute]\n\nExample:\BapassUAC.exe 1 cmd.exe")
);
break;
*****
***** C:\MALWARE\ORIGINAL\main.c
VOID main()
{
***** C:\MALWARE\AUTIST_RIP\main.c
int main()
{
*****
***** C:\MALWARE\ORIGINAL\main.c
uResult = ucmMain();
if (uResult == ERROR_SUCCESS) {
OutputDebugString(RESULTOK);
***** C:\MALWARE\AUTIST_RIP\main.c
uResult = ucmMain();
if (uResult == ERROR_SUCCESS)
{
OutputDebugString(RESULTOK);
*****
***** C:\MALWARE\ORIGINAL\main.c
ExitProcess(uResult);
}
***** C:\MALWARE\AUTIST_RIP\main.c
ExitProcess(uResult);
return 0;
}
*****
Comparing files C:\MALWARE\ORIGINAL\makecab.c and C:\MALWARE\AUTIST_RIP\makecab.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\makecab.h and C:\MALWARE\AUTIST_RIP\makecab.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\minirtl.h and C:\MALWARE\AUTIST_RIP\minirtl.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\ntos.h and C:\MALWARE\AUTIST_RIP\ntos.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\pitou.c and C:\MALWARE\AUTIST_RIP\pitou.c
***** C:\MALWARE\ORIGINAL\pitou.c
r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
***** C:\MALWARE\AUTIST_RIP\pitou.c
r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
*****
***** C:\MALWARE\ORIGINAL\pitou.c
r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
***** C:\MALWARE\AUTIST_RIP\pitou.c
r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
*****
Comparing files C:\MALWARE\ORIGINAL\pitou.h and C:\MALWARE\AUTIST_RIP\pitou.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\resource.h and C:\MALWARE\AUTIST_RIP\resource.h
Comparing files C:\MALWARE\ORIGINAL\rtltypes.h and C:\MALWARE\AUTIST_RIP\rtltypes.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\simda.c and C:\MALWARE\AUTIST_RIP\simda.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\simda.h and C:\MALWARE\AUTIST_RIP\simda.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\strtoul.c and C:\MALWARE\AUTIST_RIP\strtoul.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\sup.c and C:\MALWARE\AUTIST_RIP\sup.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\sup.h and C:\MALWARE\AUTIST_RIP\sup.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\ultostr.c and C:\MALWARE\AUTIST_RIP\ultostr.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strcat.c and C:\MALWARE\AUTIST_RIP\_strcat.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strcmp.c and C:\MALWARE\AUTIST_RIP\_strcmp.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strcmpi.c and C:\MALWARE\AUTIST_RIP\_strcmpi.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strcpy.c and C:\MALWARE\AUTIST_RIP\_strcpy.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strend.c and C:\MALWARE\AUTIST_RIP\_strend.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strlen.c and C:\MALWARE\AUTIST_RIP\_strlen.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strncmp.c and C:\MALWARE\AUTIST_RIP\_strncmp.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strncmpi.c and C:\MALWARE\AUTIST_RIP\_strncmpi.c
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\_strncpy.c and C:\MALWARE\AUTIST_RIP\_strncpy.c
FC: no differences encountered
FC: cannot open C:\MALWARE\AUTIST_RIP\resource.h - No such file or folder
1) Killed all copyrights
2) Relabeled tool as "BypassUAC"
3) Destroyed functionality of payload dlls
4) Removed VERSION_INFO block
5) Added more spaces and returns
6) Changed VOID to int and added return
Great additions!
The most important part with all these rippers - they are so fucking dumb every time, so when they try to change something inside the code, they don't fucking know how it actually works.
This autist changed the key name from
orig
Code:
#define T_AKAGI_KEY L"Software\\Akagi"
#define T_AKAGI_PARAM L"LoveLetter"
to
rip
Code:
#define T_AKAGI_KEY L"Software\\bypassuac"
#define T_AKAGI_PARAM L"uac_is_disabled"
but where is this used? Inside Fubuki and Hibiki. This is the key and param used to transfer a custom parameter to these dlls. So if you change their names you have to do this inside the dlls too, recompile them, recrypt and merge into Akagi. But this autist didn't:
Code:
Comparing files C:\MALWARE\ORIGINAL\hibiki32.h and C:\MALWARE\AUTIST_RIP\hibiki32.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hibiki32comp.h and C:\MALWARE\AUTIST_RIP\hibiki32comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hibiki64.h and C:\MALWARE\AUTIST_RIP\hibiki64.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\hibiki64comp.h and C:\MALWARE\AUTIST_RIP\hibiki64comp.h
FC: no differences encountered
Code:
Comparing files C:\MALWARE\ORIGINAL\fubuki32.h and C:\MALWARE\AUTIST_RIP\fubuki32.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\fubuki32comp.h and C:\MALWARE\AUTIST_RIP\fubuki32comp.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\fubuki64.h and C:\MALWARE\AUTIST_RIP\fubuki64.h
FC: no differences encountered
Comparing files C:\MALWARE\ORIGINAL\fubuki64comp.h and C:\MALWARE\AUTIST_RIP\fubuki64comp.h
FC: no differences encountered
Nope autist, this won't work.
Another interesting part of this story is the twitter autists who retweet every shit they see, without any kind of understanding. And what a surprise - all of them claim themselves as "security consultants", "experts" or "evangelists" (of what? must be stupidity?).
Now imagine one simple thing. If this ripper were smart enough, he could actually put some malware inside these encrypted arrays (we can't know what's inside, he didn't even provide/rip the source code of these dlls) - and when you use this tool - this malware would activate with full admin access. And all these twitter monkeys would retweet/like this. Another bunch of idiots sits on github, doing the same. I strongly suggest all of them - kill yourself.
P.S.
fucking idiot
[Attached screenshots: "Injeact success!" and "BapassUAC.exe"]
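As an added example (not from the original post and not UACMe's own code), one defender-side check for the concern raised above: the FC run only compares headers line by line, so pull the embedded payload byte arrays out of two copies of a header such as fubuki32comp.h and compare their SHA-256 digests, ignoring whitespace and comments so that "added more spaces and returns" cannot hide a swapped encrypted blob. The `unsigned char name[] = { 0x.., ... };` layout and the sample headers are assumptions, not UACMe's real payload data.

```python
import hashlib
import re

# A C byte-array initializer such as  unsigned char fubuki32comp[] = { 0x4D, ... };
# (assumed layout; real headers may spell the element type differently)
ARRAY_RE = re.compile(
    r"(?:unsigned\s+char|BYTE|UCHAR)\s+(\w+)\s*\[\s*\d*\s*\]\s*=\s*\{([^}]*)\}", re.S)

def extract_arrays(header_text):
    """Return {array_name: bytes} for every byte-array initializer in a header."""
    arrays = {}
    for name, body in ARRAY_RE.findall(header_text):
        body = re.sub(r"//[^\n]*|/\*.*?\*/", "", body, flags=re.S)  # drop comments
        tokens = re.findall(r"0[xX][0-9a-fA-F]+|\d+", body)
        values = [int(t, 16) if t.lower().startswith("0x") else int(t) for t in tokens]
        if any(v > 0xFF for v in values):
            raise ValueError(f"{name}: initializer element does not fit in a byte")
        arrays[name] = bytes(values)
    return arrays

def compare_headers(original_text, suspect_text):
    """Per-array verdict plus SHA-256 of each copy.  Whitespace and comments are
    ignored, so 'added more spaces and returns' produces no noise, unlike FC."""
    orig, susp = extract_arrays(original_text), extract_arrays(suspect_text)
    report = {}
    for name in sorted(set(orig) | set(susp)):
        d_orig = hashlib.sha256(orig[name]).hexdigest() if name in orig else None
        d_susp = hashlib.sha256(susp[name]).hexdigest() if name in susp else None
        if d_orig is None:
            verdict = "added"       # blob present only in the fork
        elif d_susp is None:
            verdict = "missing"     # blob dropped by the fork
        else:
            verdict = "identical" if d_orig == d_susp else "modified"
        report[name] = (verdict, d_orig, d_susp)
    return report

# Constructed sample headers; these bytes are NOT UACMe's real payload data.
ORIGINAL_H = """/* constructed sample: upstream header */
unsigned char payload32comp[] = {
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00
};
unsigned char payload64comp[] = { 0x4D, 0x5A, 0x00, 0x01 };
"""
SUSPECT_H = """unsigned char payload32comp[] = { 0x4D, 0x5A, 0x90, 0x00,
                                  0x03, 0x00, 0x00, 0x00 };  /* only reflowed */
unsigned char payload64comp[] = { 0x4D, 0x5A, 0x00, 0xFF };  /* last byte differs */
"""
```

Running `compare_headers(ORIGINAL_H, SUSPECT_H)` reports payload32comp as identical despite the reflow and payload64comp as modified; on a real fork, feed it the upstream and forked copies of each *comp.h file.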