
Cursed repo - why are we still unsure? #65

Open
4A5246 opened this issue Jan 12, 2025 · 2 comments

Comments

@4A5246

4A5246 commented Jan 12, 2025

Version 1.1.2.1428 release notes make the claim:

Replaced all mentions of https://github.com/vxiiduu/VxKex/ (FAKE) from this release's files with https://github.com/i486/VxKex/

But, this is not true. Only the README.md was changed. There are several examples where the old, so-called "fake" address still persists where it actually counts. For example in KexVer.h.

1428 contains 1 hit for i486 and 4 hits for github.com/vxiiduu.

I find this highly suspicious, since it seems unlikely to be a mistake. The author is well-aware that the URL appears in multiple places including in compiled binaries.

Even worse, all prior VxKex files (EXE/DLL/shell extension) still point to that repo since it used to be the real one.

I accept the prima-facie claim that if github.com/i486 is also compromised, then there would be no need to do this. However this may just be sloppy scam-craft.

I've been researching for many hours now over a few months and my conclusion is that none of these repositories can be trusted, including the original vxiiduu repository. I have no hard proof to support this claim, but the history around this cursed software is concerning, specifically:

  • The issue reported above,
  • There is no publicly-known reason why vxiiduu deleted their account. This is a very strange thing to do. It's reminiscent of other software developers who opted to disappear from public life rather than insert backdoors into their highly critical code. We are giving VxKex permission to insert kernel code. (There is no higher target for malicious interference).
  • There has been no statement from github.com on the circumstances of the account closure, i.e. to settle the question of whether this account was voluntarily closed or forced closed.

These concerns are coming from someone who desperately wants to use this software. Sadly, I think nothing short of a code audit will satisfy that the code is safe at this point.
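One way to check the claim about leftover URLs across a whole release, including the compiled binaries. This is an added example, not code from the issue or the VxKex project; it assumes an unpacked release directory and uses constructed sample files (the `REPO_URL` define and the `VxKex.dll` file name are hypothetical). Windows EXE/DLL files usually store strings as UTF-16LE, which a plain text grep misses, so each URL is searched in both encodings.

```python
"""Count embedded repository URLs in a release tree (added example, not VxKex code).

Windows EXE/DLL files usually store strings as UTF-16LE, so a plain text grep
over the release misses them; each URL is searched in ASCII and UTF-16LE form.
"""
import os
import tempfile
from collections import Counter

# The two repository URLs discussed in the issue.
URLS = ("github.com/vxiiduu", "github.com/i486")


def count_url_hits(data: bytes, urls=URLS) -> Counter:
    """Return {url: hits} for raw file bytes, counting ASCII and UTF-16LE encodings."""
    hits = Counter()
    for url in urls:
        hits[url] = data.count(url.encode("ascii")) + data.count(url.encode("utf-16-le"))
    return hits


def scan_tree(root: str, urls=URLS) -> dict:
    """Walk a directory and return {relative path: Counter} for every file with a hit."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = count_url_hits(fh.read(), urls)
            if any(hits.values()):
                results[os.path.relpath(path, root)] = hits
    return results


# Constructed sample data (hypothetical, not real VxKex files): a source header
# holding the old URL as ASCII, and a pseudo-binary holding the new URL as UTF-16LE.
SAMPLE_HEADER = b'#define REPO_URL L"https://github.com/vxiiduu/VxKex/"\n'
SAMPLE_BINARY = b"\x00" * 16 + "https://github.com/i486/VxKex/".encode("utf-16-le") + b"\x00" * 16


def demo_scan() -> dict:
    """Write the samples into a temporary tree and scan it, for a self-contained run."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "src"))
        with open(os.path.join(tmp, "src", "KexVer.h"), "wb") as fh:
            fh.write(SAMPLE_HEADER)
        with open(os.path.join(tmp, "VxKex.dll"), "wb") as fh:
            fh.write(SAMPLE_BINARY)
        return scan_tree(tmp)
```

Calling `scan_tree` on an unpacked release directory lists every file that still carries either URL, so a "replaced all mentions" claim can be checked file by file rather than trusted.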

@SeaHOH

SeaHOH commented Jan 13, 2025

These concerns are coming from someone who desperately wants to use this software. Sadly, I think nothing short of a code audit will satisfy that the code is safe at this point.

Yes, the source code is here, everyone can read, modify, and compile it.

  • There is no publicly-known reason why vxiiduu deleted their account. This is a very strange thing to do.

I think the reason is probably due to pressure and deterrence from Microsoft. Unfortunately we can't verify who the witch really is.

@4A5246

4A5246 commented Jan 13, 2025

I think the reason is probably due to pressure and deterrence from Microsoft.

This seems to be the most common opinion, but it's just speculation and doesn't really make sense to me at least.

  • Beyond a simple take down enforcement, there is no reason Microsoft would want to or could compel a "gag order" on vxiiduu. The only possible justification is some weak EULA violation or use of reverse-engineered W10+ code. That would be a public issue, and not warrant some shady coercive harassment from Microsoft.
  • i486 would be equally exposed if this were the case, yet this repo is still here.
  • There is no reason why vxiiduu would be compelled to delete their account beyond just pulling the repo.
  • MS owns GH, right? It seems much more likely MS would just compel GH to delete vxiiduu's account for whatever made up violation rather than negotiate with them. At which point we might expect vxiiduu to be very public about what happened, surely?
  • All of this assumes Microsoft even care - There can't be more than a handful of us Win7 cultists, fewer still that would actually install W10+ if forced.

I guess it's plausible they just paid him to delete the account and walk away. All we have is speculation.
