2019-05-21 16:47:42

@49 OK whatever, no one cares at this point, if you want to let this thing ravage your system, then so be it.

Facts with Tom MacDonald, Adam Calhoun, and Dax
End racism
End division
Become united

2019-05-21 16:50:20

Allright! I will do it, whatever happens.

Let's make this forum again a place where wont be any drama.

2019-05-21 17:01:46

Ethin, please examin the code, if you can do that as quick at possible.

Let's make this forum again a place where wont be any drama.

2019-05-21 17:02:36

wait wait wait! if the app contains cracked software, i'm reporting this topic.
also,  I think this Urh guy is either so stubern or working with that ahmad guy.
he's gonna get my 69GB porno folder.....

2019-05-21 17:08:00

WTFWTFTF, you are not sirious, Alariza.

Let's make this forum again a place where wont be any drama.

2019-05-21 17:11:45

Well in the past, I did not see any really good proof so I was ok with defending this, even that I am not using it cause I do not need anything from it at the moment, but now really good proof has been clearly given, so yeah, I will not defend this anymore.

I am myself and noone is ever gonna change me, I am the trolling master!

Thumbs up +1

2019-05-21 18:14:13 (edited by Ethin 2019-05-21 18:19:18)

@53, I... kind of already did (see: post 36). Considering that the main executable downloads code and then executes it without any kind of security whatsoever, the author of said code can do anything. The guy doesn't use HTTP either, so it would be trivial for a skilled hacker (even a script kiddy) to intercept the code stream and inject malicious code into it, which is directly executed, without any kind of check whatsoever (even hash verification or code signing would be preferable to that) to ensure that the code is 'trusted'. Yet you are still defending it, you are still ignoring the fact that the author can do anything they like to anyone who runs this thing, and the only thing that's stopping them from being able to format your computer and wipe your disk clean is windows security, and even that can be broken (see: dd on Win32 and others). This program is a prime example of how to stupidly and idiotically use dangerous functions like eval, exec and so on. No intelligent programmer would *ever* write code like the code I showed in 36. Even with windows security in the way, the injected code still has *a lot*! of power. You'll understand when you run this thing and next think you know your signing into your computer and windows tells you its "creating your user profile" because it got deleted by this thing (yes, If I'm not mistaken that's possible withotuUAC getting in your way). Granted, the guy could add UAC elevation code and you'd still defend it, and you'd still run it, and and you'd skip right passed UAC (or turn it off altogether), resulting in the code pretty much entirely bypassing windows security and allowing it to do pretty much anything it likes. The only things then stopping it are, in order (1) the kernel and (2) the ativirus software. The AV software is unlikely to see this as malicious, despite the fact that it is, and so the kernel will catch it. By that point though, its far, far too late for you to recover from the damage it can inflict on your system. And that is exactly why I haven't disabled UAC for several years now.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up +2

2019-05-21 18:58:38

@54, I can't say that it does for sure, and I'm not installing it to find out, but I remember that previous versions of the project did, when it was Get Extra or Blind Extra or whatever other names it's been called over the past couple of years. Speaking of which, I can't believe that the dev is stupid enough to keep only changing the first word in the title, surely if it had a more creative name each time it was found to be malicious, more people would be suckered into trying it. Anyway, I don't really see what someone demonstrating a program on Youtube has to do with anything, how does that automatically make it trustworthy?

The glass is neither half empty nor half full. It's just holding half the amount it can potentially hold.

Thumbs up

2019-05-21 19:34:14

I have tried the software on an old computer that I own, it's a windows 7 machine with no important data on it so I'm willing to accept the risc. The software contains a lot of cracked software, gold wave, windows, win zip, a blind legend, etc. Sofar, nothing has happened to my system and I kinda love the features that this program offers. It has full youtube support, you can play media, download as mp3, skip back and forward between the search results, you can adjust the volume, and the playback position.
I don't encourage anyone to try it since this could be a malicious software, the fact that the author doesn't give a damn about copyright is enough proof for me.

“Get busy living or get busy dying.”
Stephen King

Thumbs up

2019-05-21 19:55:53

@Previous, all of these video-related things can be done with FooYoutube, a Foobar2000 component.

Thumbs up

2019-05-21 19:58:27

hmmm I didn't know that. I am a winamp user for my audio needs and never felt the need to change. I heard many good things about foobar and, since winamp isn't receiving updates anyway, I'll try foobar at some point in the future. Who knows, maybe I'l switch.

“Get busy living or get busy dying.”
Stephen King

Thumbs up

2019-05-21 20:07:54

Where is super mega giga awesome perfect excellent extra? The description sounds so awesome that I am definitely encouraged to try this. You can do this, and that, and that, and this here, and that right there. On another completely unrelated note: What gives people the right to decompile somebody's code? I highly doubt you are security engineers to do those things. Run it in a VM, fine. Examine it's behaviour, do whatever, but does this mean that if a bunch of people start saying how something is insecure you are free to decompile it?

Thumbs up +1

2019-05-21 20:27:33 (edited by Ethin 2019-05-21 20:33:01)

@62, considering that the software contains a lot of cracked software, the maker of this software is well-known for creating malicious applications, and considering the guys reputation... and add to that the community's concerns... I think I had every right to dive in and determine the proof for myself. We do not need to be security engineers or security experts to have the right to decompile code. People all over the world do their best to exploit vulnerabilities in computer chips and other software that is used on a daily basis by millions of users (see: Spectre and Meltdown and the fact that some companies pay people if they're able to hack their infrastructure (and those people aren't on contract)). Are people who publish CVEs probably violating a lot of license agreements? You know, it probably is. But they do it anyway, and it helps the world as a hole.
So, in sum... what gives a security engineer extra rights that someone without the knowledge of a security engineer with training of many years in the field and a ton of certifications doesn't have? I wouldn't have done it, obviously, if it wasn't so disreputable and concerning to the community. I wouldn't have done it if the author was respected, well-known, and/or had shown themselves incorruptible. But the author did none of these things. At all. In fact, he has done his best to do the exact opposite.
Every day or two a new CVE is published. I don't know the exact statistics but I'd guess that more than 60 percent of those people are normal software developers: they're people who write code and work on big programs, but they aren't experts in security or cryptography (not all the time at least). Yet they find vulnerabilities and submit them. Meltdown and Spectre are two good examples that demonstrate that this does not just apply to open-source code either -- this happens to everyone.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up +1

2019-05-21 20:35:59

The difference is, you are not using any exploits in the program to get the access to information you otherwise would not be able to. If you were, that would help the developer, company or whoever makes something, which is why people as you said do it. That being said, I never said that the developer is somebody who deserves respect and has a trustable reputation. I am saying this not for this dev specifically. Besides, you doing such things does not show you are any better does it? Could have been done much better if you ask me. You could easily run the program and monitor if it downloads something, that's not really illegal.

Thumbs up

2019-05-21 21:36:25

Guys, it's the principle of the thing. If I understand post 36 correctly, pretty much the first thing this program does when you run it is to download another program. That's bad enough, but again if I understand correctly, it then does absolutely no checks of what it just downloaded. It doesn't do any digital signature or hashing checks, it doesn't look at the downloaded program in any way. In fact, it doesn't even do so much as to check that what it received is, in fact, a Python program and not, say, an error document or some unrelated file. It just blindly executes it anyway. This is bad on so many levels it's not even funny. Putting aside for the moment the obvious scenario where the developer has put out this really nice program, then later decides to modify the downloaded program file to do something nasty, let's look at something even worse. Suppose someone else knows how this program works, and wants to have a little fun at the developer's expense. So they hack into the developer's website and upload their own program in place of the correct one. So now, since the software does no integrity checks whatsoever, it downloads the new Python code uploaded by the hacker instead of the intended Python code, and this new code might do absolutely anything!

This is extremely dangerous! It might be just fine today, but then tomorrow, with absolutely no change to the program you run, it turns nasty. Nobody, and I mean absolutely nobody! can review this software anywhere at all, on Youtube, on a blog, etc. Since it downloads Python code at startup, nobody can know for certain what it will do. For this reason, nobody's review can be trusted.

Thumbs up +1

2019-05-21 21:38:00 (edited by Ethin 2019-05-21 21:45:54)

@64, decompiling the program and describing what it does internally to publish my findings to the community when that community is appropriately concerned about a program that is thought to be malicious (and it turns out, that is malicious) makes me just as bad as the author? OK then... not really sure how you can reason that one, since unlike the author, I'm not going to deliberately make software that is malicious in nature unless I'm authorized by contract for something like a penetration test -- which I'm currently not licensed to do anyway. I could've monitored what it downloaded? Not really. I would know that it downloaded something, but I wouldn't know what it downloaded. I wouldn't know, for example, that it downloaded a python file over HTTP and was happily running i without any form of security, input validation and so on, and was just instead hapily running it without a care in the world. I wouldn't have been able to prove one way or another that the program was in fact malicious and this topic would've gone on far, far longer with people throwing accusations back and forth about what and what isn't malicious, and all that, instead of what has happened -- actual evidence that the program is indeed malicious. Again: the community rightly was concerned about the product, so I was doing what someoneelse probably would've done anyway -- helping them otu by telling them, "yes, your concerns are legit and not just random accusations typed ou on a computer keyboard."
65: good points. Again, as I'm saying to 64, I did that because I, like so many others, held the same concerns, and wished to validate them. I then published my findings to the community (as so many security experts do), despite the fact that I'm not a security expert. Whether I am or am not however shouldn't matter, now should it? And, 65, as an aside, your interpretation was pretty much spot on.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up +1

2019-05-21 21:48:27

Here's what I mean about no review being trusted. Let's say this program just came out, and people were suspicious. And let's say, just as a totally hypothetical example, that Liam put it through its paces and gave his word that it's okay, and it doesn't do anything bad. Now in this case I'd always tend to be suspicious, but Liam is someone I consider to be a trustworthy member of the community, someone who's been around for many years, and done many good things. So with Liam's seal of approval, I might be more likely to give it a go.

But here's the thing. In our hypothetical example, Liam's word isn't worth a hill of beans. Why? Because every time the program runs, it downloads and executes arbitrary code from the net, without checking it in any way. So even if Liam says it's the best thing out there, there's no way it could possibly do any wrong, and people install and start using it based on his review, that could all change in an instant when some new Python code is put on that server which does unpleasant things. Then people might find out, then poor Liam gets a bashing for giving a good review to bad software, when the truth is, at the time he posted his review, he did absolutely nothing wrong.

Note: I'm using Liam's name arbitrarily here, as an example only, for the reasons stated above.

Thumbs up +1

2019-05-21 21:54:01 (edited by Ethin 2019-05-21 21:55:36)

@67, props to you. I decompiled the program, again, because people were suspicious (and they had a right to be suspicious). Accusations were being thrown (see the prior posts before 36). Here were my intentions:
1) to determine for myself the legitimacy of the thrown accusations.
2) To determine what the program did.
3) To determine what its downloaded code did (that came later).
4) To publish my findings (along with code).
5) To help the community and give them a strait yes/no kind of answer.
I published the code because, as you stated, my word most likely wouldn't have been taken very seriously if I hadn't. After all, I'm not exactly a well-liked community member on here, now am I? (Or has that changed recently? I haven't bothered keeping track of it tongue.)

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up +1

2019-05-22 04:19:20 (edited by TheGreatCarver 2019-05-22 04:22:17)

A lot of posts just got a Thumbs up from me big_smile.

@nidza07, have you ever heard of a Grey hat hacker?

‘Grey Hat’ Hackers
Grey hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.
Usually, grey-hat hackers surf the net and hack into computer systems to notify the administrator or the owner that their system/network contains one or more vulnerabilities that must be fixed immediately. Grey hats may also extort the hacked, offering to correct the defect for a nominal fee.

In this case, if I understand correctly, that's sort of what Ethin is doing. He decompiled the code of Multi Extra so to inform the community of it's potential danger. Sure, it might not be the most legal or ethical way to solve this issue, but it was done to protect the community from malicious software and in my opinion that's the important part of this whole issue. Don't sweat the small stuff, folks.

The Beast continued its studies with renewed Focus, building great Reference works and contemplating new Realities. The Beast brought forth its followers and acolytes to create a renewed smaller form of itself and, through Mischievous means, sent it out across the world.
from The Book of Mozilla, 6:27

Thumbs up

2019-05-22 04:23:50

Also, sorry for double posting, but would someone also be willing to dig into Speech Master to see what surprises that add-on is hiding?

The Beast continued its studies with renewed Focus, building great Reference works and contemplating new Realities. The Beast brought forth its followers and acolytes to create a renewed smaller form of itself and, through Mischievous means, sent it out across the world.
from The Book of Mozilla, 6:27

Thumbs up

2019-05-22 04:30:01

@64 aww, you don't like that... aww well isn't that just too damn bad. I don't like the fact you're a contrarian and can find nothing better to do than bitch at people all the time. Ethin decompiled code and showed the results to us to try to give an answer to whether the thing was malicious or not. If you can't handle that... well, I'll hand the baby his wittle boddwe.

Facts with Tom MacDonald, Adam Calhoun, and Dax
End racism
End division
Become united

2019-05-22 04:36:57

ironcross32 wrote:

@64 aww, you don't like that... aww well isn't that just too damn bad. I don't like the fact you're a contrarian and can find nothing better to do than bitch at people all the time. Ethin decompiled code and showed the results to us to try to give an answer to whether the thing was malicious or not. If you can't handle that... well, I'll hand the baby his wittle boddwe.

Was that outburst really necessary? No. IF you can't find it in yourself to respond politely to someone who you don't agree with, don't respond at all. Think before you type.

The Beast continued its studies with renewed Focus, building great Reference works and contemplating new Realities. The Beast brought forth its followers and acolytes to create a renewed smaller form of itself and, through Mischievous means, sent it out across the world.
from The Book of Mozilla, 6:27

Thumbs up

2019-05-22 04:43:07

haaaaaaaaaaaaaaaaaaaaaaah... That... coming from you?

Facts with Tom MacDonald, Adam Calhoun, and Dax
End racism
End division
Become united

2019-05-22 05:19:56

That’s just funny . Noah  trying to lecture other people about unnecessary outbursts?  If you ever get on team talk with this dude and say something he doesn’t even a little bit agree with he will fucking venue, so don’t even talk about unnecessary outbursts

Is this the real life?
Or is this just fantasy?
Caught in a landslide,
No escape from reality

Thumbs up

2019-05-22 05:35:46

@carver i think that was necessary, all the posts nikola makes, are negative. come on, give me a post of his which doesn't bitch at people. i think it's his purpose to do so, both on skype and audiogames forum.