[Account Appeal + Counter CW + Explanation] Wine Official // Nexus42 // Part 1

Introduction

Hello everyone, my account was deleted not long ago, in order to fix this today we are going to be discussing reasons as to why my account was deleted and finding the truth in Wine's history. There seem to be 2 main reasons why it was deleted and I will be going through and debunking both in this thread. I was told by jon to make this btw :)

 

Creation of WeAreDevs Botnet

Source 1:

https://media.discordapp.net/attachments/873174420200488980/920813490791415928/unknown.png

 

Source 2:

https://media.discordapp.net/attachments/873174420200488980/920814110495608892/unknown.png

 

In source 1 I can be seen telling mr.1000 I was working on a powerful RAT! Oh no! But no, this is not true :(((. This is a common practice known as "bluffing". I was using this technique to attempt to motivate them into revealing whether they had indeed infected me with malware, as I had downloaded their exploit that they sent to me at some point not long ago. This was also revealed to be false, the source of Parhelion was released and allowed me to relax. In source 2 after it does not work I explain it was a hoax, and from then on they appeared to believe me.

 

Couple more facts that contribute to the fact what I said to mr.1000 was completely untrue, I barely have any experience in c++, let alone reverse engineering. I also would not ever want to risk my reputation in the community and my future exploits for something like this.

 

Wine Official

Source 3:

https://wearedevs.net/forum/t/17815

 

Source 4:

https://cdn.discordapp.com/attachments/747766265157910529/747766296984420412/Screenshot_20200825-063542.png

 

Source 5:

https://i.imgur.com/rcpG5bF.png

 

Source 6:

https://wearedevs.net/forum/t/17893

 

All of this information will be coming from Source 3, please read that thread first.

Let's start with the pastebin. Reading the first few screenshots I can clearly see what this is going to be. These screenshots are taken out of context, my words are twisted, skepticism is turned into fact. It's a complete mess of unconfirmed facts, misinformed information and untrue lies. The only thing true in this pastebin is the hacking of bon bon to troll his discord server. I had misremembered that it was peyton who helped and ofc I have mentioned this topic many times. This was a mistake and occured at the very start of my role in wearedevs. Take source 4 for example, the real screenshot I have long lost, but peyton was not talking about me at all. Whoever tried to use this as proof clearly seems to have done it intentionally as this conversation was about MrFlipPhone, not me. It's obviously not about me as they mention "he's a 10 fag". This image is an example of many images that have been taken out of context. The image of tracey finding a logger in the bootstrapper is an unconfirmed suspicion. They had a program that detected webhooks in a file (they told me this), in many cases this would work great however wine used webhooks to log unidentifiable information, and of course that would have came up with a discovery on this program. I wouldn't be surprised if this was something tracey had explained but was cut out of the picture.

 

Now onto the thread,

notice how they mentioned I wanted to keep away people? That was not true, they took a list of registered users from an account database for wine and pasted them on the thread, assuming they were blacklisted. And if thats the start of the thread im already worried about the state of the rest of the "facts". The claim about unhashed HWIDS has literally no foundation, completely baseless, and completely untrue, as can be seen in source 5. They also "accidentally" happen to fail to mention the IPs were also HASHED. Also the chat don't use any "rosery haxx" it literally just uses a discord api and 000webhost and a stripped discord token grabber - used as a retriever to get information including profile picture and discord username on the user. 

 

The "trying to delete system32" function was not actually referenced in the code, therefore can't have been ran :/ This could've been confirmed if at least ONE person took a look at the official wine source. Further looking at the function it uses ridiculous naming for it's variables. This is because it was never intended to be used. I had been working on a bootstrapper for Atlantis, and like an idiot decided to make it clear a directory to make room for the new files. Well I gave it to my friend and it destroyed their whole desktop. Another person tried the bootstrapper in system32 and it caused their vm to shutdown. So I was curious and tried replicate this event by making a similar program that intentionally deletes all files in system32 to test if this was true, and the project window I had open at that time was... you guessed it, WINE!

 

Another thing I'd like to mention is that the logger logged this, I had implemented a toggle for error reporting that is automatically disabled:

 - Hashed IP

 - Hashed HWID

 - Username

 

With the toggle on it logged the file path, os verssion, architecture, username aswell.

This function was an update I rolled out to combat the fact that people are complaining about their os version being logged, which to me seems ridiculous. However, oh no, you see the bootstrapper had a similar variation of things it logged, seperate from the main exploit, I FORGOT. I was not available for most the time during this and barely had time to make updates since I WAS OUT CAMPING IN THE MIDDLE OF NOWHERE FFS. Yet these people complain and complain that I was not able to fix this, and stop the bootstrapper from logging all this, and complained that they told me to do so and that I still didn't make the changes. Clearly they don't understand the concept of camping, which in most cases means I don't have 24/7 internet access or access to a pc. ALSO ALSO I ADDED EVERYTHING TO A EULA WHEN I HAD A CHANCE WARNING PEOPLE ABOUT THIS, CLEARLY SHOWING I DID NOT INTEND FOR IT TO HAPPEN!

 

System OS and Architecture are now apparently considered pedophelia, damn.

Attempts were made to make this not be activated the first time you use wine, or without your permission, however obviously things were overlooked in the bootstrapper part of things.

 

They share these token prefixes without having the least consideration for what they might do, or what they're for. Instead they straight up call TOKEN LOGGER!! No, these are parts of an actual token used by the chat system, and in an attempt to hide it I split it into parts.

 

The tokengrabber class is still called that as i copied and pasted it from a token grabber, howevre changed it's use so that it could be used to retrieve profile pictures and discord usernames (I did not know about the extent of the capability of discord RPC i thought it was just a status) I tried to change the name of it but for some reason it seems to have reverted when I built the source.

 

this PIECE OF CANDY LITERALLY SAYS GETLOCALIPADDRESS AND YOUR CALLING THIS IP LOGGING EIURHEWIUEWFKJDSFNJAKFDSA!! This is an attempt to create another piece of information I can use to detect blacklist evading, and ofc didn't even work bcz my lazy ass didnt bother to even read the name of the function :flushed: Also notice how they "forget" to mention this ip goes through a hashing function, the same as in Source 6 :o

 

The HWID logging for blacklisting is also hashed with the same function (once again apparently forgetting to mention that lmfao)

 

that terrible bootstrapper was something I made at the start of wine, at the time their thread was made I had obviously improved my c# skills

 

apparently saying I had forgotten the bootstrapper was still logging somewhat private information like the pc username and file paths is immediately a terrible thing? If they're assuming im saying token logger, they're severely mistaken! Like I said, I COULDN'T DO ANYTHING AT THE TIME TO FIX IT OTHER THAN WARN PEOPLE!

 

This is the first bit, the conclusion can be found here