-
Re: Fair warning
Had some spare time so I figured I should look into the latest UGG release (their V10 client).
Long story short, they're malicious as fuck, having the following commands (filtered them on sight, haven't traced others so there might be more than just this):
/procdll <nome>
/procprocess <nome>
/procwin <nome>
/prochide <nome>
Here's a list of their functionality:
/procdll -> Lists the DLLs that are currently injected into game memory
/procprocess -> Lists the processes that are currently running
/procwin -> Launches any process as admin
/prochide -> Hides any process from task manager
ASM:
Commands:
Code:
00437205 |. 68 77D97500 PUSH OFFSET 0075D977 ; /Arg7 = UGGunz.75D977
0043720A |. 68 A80D7600 PUSH OFFSET 00760DA8 ; |Arg6 = ASCII "/procdll <nome>"
0043720F |. 6A 01 PUSH 1 ; |Arg5 = 1
00437211 |. 68 80000000 PUSH 80 ; |Arg4 = 80
00437216 |. 68 D0854300 PUSH 004385D0 ; |Arg3 = UGGunz.4385D0, Entry point
0043721B |. 68 B80D7600 PUSH OFFSET 00760DB8 ; |Arg2 = ASCII "procdll"
00437220 |. 6A 00 PUSH 0 ; |Arg1 = 0
00437222 |. B2 01 MOV DL,1 ; |
00437224 |. 8BCE MOV ECX,ESI ; |
00437226 |. E8 E54D0000 CALL 0043C010 ; \UGGunz.0043C010
0043722B |. 68 77D97500 PUSH OFFSET 0075D977 ; /Arg7 = UGGunz.75D977
00437230 |. 68 C00D7600 PUSH OFFSET 00760DC0 ; |Arg6 = ASCII "/procprocess <nome>"
00437235 |. 6A 01 PUSH 1 ; |Arg5 = 1
00437237 |. 68 80000000 PUSH 80 ; |Arg4 = 80
0043723C |. 68 C0864300 PUSH 004386C0 ; |Arg3 = UGGunz.4386C0, Entry point
00437241 |. 68 D40D7600 PUSH OFFSET 00760DD4 ; |Arg2 = ASCII "procprocess"
00437246 |. 6A 00 PUSH 0 ; |Arg1 = 0
00437248 |. B2 01 MOV DL,1 ; |
0043724A |. 8BCE MOV ECX,ESI ; |
0043724C |. E8 BF4D0000 CALL 0043C010 ; \UGGunz.0043C010
00437251 |. 68 77D97500 PUSH OFFSET 0075D977 ; /Arg7 = UGGunz.75D977
00437256 |. 68 E00D7600 PUSH OFFSET 00760DE0 ; |Arg6 = ASCII "/procwin <nome>"
0043725B |. 6A 01 PUSH 1 ; |Arg5 = 1
0043725D |. 68 80000000 PUSH 80 ; |Arg4 = 80
00437262 |. 68 B0874300 PUSH 004387B0 ; |Arg3 = UGGunz.4387B0, Entry point
00437267 |. 68 F00D7600 PUSH OFFSET 00760DF0 ; |Arg2 = ASCII "procwin"
0043726C |. 6A 00 PUSH 0 ; |Arg1 = 0
0043726E |. B2 01 MOV DL,1 ; |
00437270 |. 8BCE MOV ECX,ESI ; |
00437272 |. E8 994D0000 CALL 0043C010 ; \UGGunz.0043C010
00437277 |. 68 77D97500 PUSH OFFSET 0075D977 ; /Arg7 = UGGunz.75D977
0043727C |. 68 E00D7600 PUSH OFFSET 00760DE0 ; |Arg6 = ASCII "/procwin <nome>"
00437281 |. 6A 01 PUSH 1 ; |Arg5 = 1
00437283 |. 68 80000000 PUSH 80 ; |Arg4 = 80
00437288 |. 68 A0884300 PUSH 004388A0 ; |Arg3 = UGGunz.4388A0, Entry point
0043728D |. 68 F80D7600 PUSH OFFSET 00760DF8 ; |Arg2 = ASCII "prochide"
00437292 |. 6A 00 PUSH 0 ; |Arg1 = 0
00437294 |. B2 01 MOV DL,1 ; |
00437296 |. 8BCE MOV ECX,ESI ; |
00437298 |. E8 734D0000 CALL 0043C010 ; \UGGunz.0043C010
Trace of /procwin:
Code:
004387B0 /. 55 PUSH EBP
004387B1 |. 8BEC MOV EBP,ESP
004387B3 |. 83E4 F8 AND ESP,FFFFFFF8 ; QWORD (8.-byte) stack alignment
004387B6 |. 81EC 14020000 SUB ESP,214
004387BC |. A1 F01E7B00 MOV EAX,DWORD PTR DS:[7B1EF0]
004387C1 |. 33C4 XOR EAX,ESP
004387C3 |. 898424 100200 MOV DWORD PTR SS:[LOCAL.1],EAX
004387CA |. 837D 0C 02 CMP DWORD PTR SS:[ARG.2],2
004387CE |. 56 PUSH ESI
004387CF |. 8B75 10 MOV ESI,DWORD PTR SS:[ARG.3]
004387D2 |. 7D 1E JGE SHORT 004387F2
004387D4 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
004387D6 |. 50 PUSH EAX ; /Arg1
004387D7 |. E8 84F1FFFF CALL 00437960 ; \UGGunz.00437960
004387DC |. 83C4 04 ADD ESP,4
004387DF |. 5E POP ESI
004387E0 |. 8B8C24 100200 MOV ECX,DWORD PTR SS:[LOCAL.1]
004387E7 |. 33CC XOR ECX,ESP
004387E9 |. E8 184B2700 CALL 006AD306
004387EE |. 8BE5 MOV ESP,EBP
004387F0 |. 5D POP EBP
004387F1 |. C3 RETN
004387F2 |> 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
004387F5 |. 51 PUSH ECX ; /<%s>
004387F6 |. 8D5424 14 LEA EDX,[LOCAL.130] ; |
004387FA |. 68 D0117600 PUSH OFFSET 007611D0 ; |Format = "Scanner : %s"
004387FF |. 52 PUSH EDX ; |Arg1 => OFFSET LOCAL.130
00438800 |. E8 18562700 CALL 006ADE1D ; \UGGunz.006ADE1D
00438805 |. 83C4 0C ADD ESP,0C
00438808 |. C74424 08 00F MOV DWORD PTR SS:[LOCAL.132],FF00FF00
00438810 |. 8B4424 08 MOV EAX,DWORD PTR SS:[LOCAL.132]
00438814 |. 50 PUSH EAX
00438815 |. 6A 00 PUSH 0
00438817 |. 8D4C24 18 LEA ECX,[LOCAL.130]
0043881B |. 6A 01 PUSH 1 ; /Format
0043881D |. 51 PUSH ECX ; |Arg1 => OFFSET LOCAL.130
0043881E |. E8 DDCAFFFF CALL 00435300 ; \UGGunz.00435300
00438823 |. 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
00438826 |. 52 PUSH EDX ; /<%s>
00438827 |. 8D8424 240100 LEA EAX,[ESP+124] ; |
0043882E |. 68 00127600 PUSH OFFSET 00761200 ; |Format = "@adminproz %s"
00438833 |. 50 PUSH EAX ; |Arg1
00438834 |. E8 E4552700 CALL 006ADE1D ; \UGGunz.006ADE1D
00438839 |. A1 5C1F1902 MOV EAX,DWORD PTR DS:[2191F5C]
0043883E |. 83C4 1C ADD ESP,1C
00438841 |. 85C0 TEST EAX,EAX
00438843 |. 74 0D JZ SHORT 00438852
00438845 |. 8378 08 00 CMP DWORD PTR DS:[EAX+8],0
00438849 |. 74 07 JE SHORT 00438852
0043884B |. A1 381F1902 MOV EAX,DWORD PTR DS:[2191F38] ; PTR to ASCII "@OV"
00438850 |. EB 02 JMP SHORT 00438854
00438852 |> 33C0 XOR EAX,EAX
00438854 |> 8B88 A0010000 MOV ECX,DWORD PTR DS:[EAX+1A0]
0043885A |. 8B90 A4010000 MOV EDX,DWORD PTR DS:[EAX+1A4]
00438860 |. 6A 00 PUSH 0 ; /Arg3 = 0
00438862 |. 8D8424 140100 LEA EAX,[ESP+114] ; |
00438869 |. 894C24 0C MOV DWORD PTR SS:[ESP+0C],ECX ; |
0043886D |. 50 PUSH EAX ; |Arg2
0043886E |. 8D4C24 10 LEA ECX,[ESP+10] ; |
00438872 |. 51 PUSH ECX ; |Arg1
00438873 |. 895424 18 MOV DWORD PTR SS:[ESP+18],EDX ; |
00438877 |. E8 442E0000 CALL 0043B6C0 ; \UGGunz.0043B6C0
0043887C |. 8B8C24 200200 MOV ECX,DWORD PTR SS:[ESP+220]
00438883 |. 83C4 0C ADD ESP,0C
00438886 |. 5E POP ESI
00438887 |. 33CC XOR ECX,ESP
00438889 |. E8 784A2700 CALL 006AD306
0043888E |. 8BE5 MOV ESP,EBP
00438890 |. 5D POP EBP
00438891 \. C3 RETN
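Added example, not from the post: a small Python parser that recovers the command table (name, usage string, handler address) from the registration stubs in the listing above by collecting the PUSH argument comments up to each CALL 0043C010, and flags usage strings that do not match the command they belong to. It assumes OllyDbg's comment layout exactly as shown; the embedded input is copied from the listing.

```python
import re
from typing import NamedTuple

# Copied from the OllyDbg listing above: the PUSHes carrying strings/handlers + the CALL.
LISTING = r"""
00437256 |. 68 E00D7600 PUSH OFFSET 00760DE0 ; |Arg6 = ASCII "/procwin <nome>"
00437262 |. 68 B0874300 PUSH 004387B0 ; |Arg3 = UGGunz.4387B0, Entry point
00437267 |. 68 F00D7600 PUSH OFFSET 00760DF0 ; |Arg2 = ASCII "procwin"
00437272 |. E8 994D0000 CALL 0043C010 ; \UGGunz.0043C010
0043727C |. 68 E00D7600 PUSH OFFSET 00760DE0 ; |Arg6 = ASCII "/procwin <nome>"
00437288 |. 68 A0884300 PUSH 004388A0 ; |Arg3 = UGGunz.4388A0, Entry point
0043728D |. 68 F80D7600 PUSH OFFSET 00760DF8 ; |Arg2 = ASCII "prochide"
00437298 |. E8 734D0000 CALL 0043C010 ; \UGGunz.0043C010
"""

REGISTER_FN = "0043C010"  # routine every block calls after pushing its 7 args
ARG_RE = re.compile(r';\s*[/|\\]Arg(\d)\s*=\s+(.*\S)')  # "; |Arg6 = ..."
ASCII_RE = re.compile(r'ASCII\s+"([^"]*)"')
ENTRY_RE = re.compile(r'UGGunz\.([0-9A-Fa-f]+),\s*Entry point')
CALL_RE = re.compile(r'\bCALL\s+([0-9A-Fa-f]{8})\b')

class Command(NamedTuple):
    name: str     # chat command without the slash (Arg2)
    usage: str    # usage text shown to the user (Arg6)
    handler: str  # handler virtual address (Arg3), 8 hex digits

def parse_registrations(listing: str, register_fn: str = REGISTER_FN) -> list[Command]:
    """Collect the Arg comments of each PUSH run; emit a Command at the CALL."""
    commands: list[Command] = []
    args: dict[int, str] = {}
    for line in listing.splitlines():
        m = ARG_RE.search(line)
        if m:
            args[int(m.group(1))] = m.group(2)
            continue
        c = CALL_RE.search(line)
        if c and c.group(1).upper() == register_fn:
            name = ASCII_RE.search(args.get(2, ""))
            usage = ASCII_RE.search(args.get(6, ""))
            entry = ENTRY_RE.search(args.get(3, ""))
            if name and usage and entry:  # skip incomplete runs instead of guessing
                commands.append(Command(name.group(1), usage.group(1),
                                        f"{int(entry.group(1), 16):08X}"))
        if c:
            args.clear()  # any CALL ends the current argument run
    return commands

def usage_mismatches(commands: list[Command]) -> list[str]:
    """Commands whose usage text names a different command (prochide reuses /procwin's)."""
    return [c.name for c in commands if not c.usage.startswith("/" + c.name)]
```

Running the parser over the full listing gives one row per registration stub; the mismatch check is a cheap triage hint that the prochide handler at 004388A0 deserves its own trace rather than being assumed to mirror /procwin.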
-
Re: Fair warning
It's been a while since I've spoken to you. Glad to see you've grown up.
http://puu.sh/afaTD/e54f61018c.png
-
Re: Fair warning
Quote: Originally Posted by GentleTouch
I guess so, your name doesn't ring a bell though. Mind PM-ing me your Skype or Steam or whatever? I'm curious.