Gork3m / MrsMajor-3.0

the official src code of main stub

Download link for sample? #2

Closed ParzivalWolfram closed 2 years ago

ParzivalWolfram commented 3 years ago

Hi, my name is Parzival, I'm an admin for the Malware Wiki and I was wondering if you could send me a copy of MrsMajor v3? You can contact me using any method listed here. Thanks!

km-khonsu commented 2 years ago

https://tiny.cc/3m

ParzivalWolfram commented 2 years ago

https://tiny.cc/3m

You've given me... a password-protected RAR file. This is, potentially, the requested sample, but it's not exactly helpful.

yurryly commented 2 years ago

https://tiny.cc/3m

You've given me... a password-protected RAR file. This is potentially the requested sample, but it's not exactly helpful.

rarpassword=1453

ParzivalWolfram commented 2 years ago

Ah, this is just the dropper. I've had this for a while, actually, I need the actual sample itself. According to the person using the email as listed, the code has been lost.

On Wed, Oct 13, 2021 at 4:37 AM himasugirubutti @.***> wrote:

https://tiny.cc/3m

You've given me... a password-protected RAR file. This is potentially the requested sample, but it's not exactly helpful.

rarpassword=1453


2plash6 commented 2 years ago

Where is the code in MrsMajor that verifies the key? I searched through every file here, and couldn't find it.

2plash6 commented 2 years ago

I got a key a while back, but the key doesn't work anymore. I emailed them again, and no response.

ParzivalWolfram commented 2 years ago

Where is the code in MrsMajor that verifies the key? I searched through every file here, and couldn't find it.

So, from disassembly, it tries to fetch the actual sample from an external server using the key you provide to authenticate. That server, however, is down, meaning what you type in doesn't matter. The actual file WAS hosted somewhere online, but has been removed. This dropper is now pointless.

2plash6 commented 2 years ago

(Thanks for the quick response.) Oh, so am I never gonna be able to get it because the server is down?

2plash6 commented 2 years ago

Can I get around it by compiling the code that we already have?

ParzivalWolfram commented 2 years ago

Yeah, sadly, whoever thought it a good idea to add DRM to meme malware basically killed it for anyone but like 3 Youtubers.

On Wed, Oct 20, 2021 at 10:31 PM Etanomic @.***> wrote:

(Thanks for the quick response.) Oh, so am I never gonna be able to get it because the server is down?


ParzivalWolfram commented 2 years ago

Can I get around it by compiling the code that we already have?

Sadly, no. All you have here is the dropper, I think?

2plash6 commented 2 years ago

Oh.

2plash6 commented 2 years ago

Yes. And the public code that's here.

ParzivalWolfram commented 2 years ago

Oh, and this, in large bold letters on the front page. https://github.com/Gork3m/MrsMajor-3.0#do-not-try-to-build-your-own-mrsmajor---that-wont-work-though-ive-modified-the-code-in-a-way-so-it-will-not-work-when-its-built-into-an-exe

2plash6 commented 2 years ago

I see.

ParzivalWolfram commented 2 years ago

One could PROBABLY get around that, but that's more work than I wanna put in at this point. I also heavily despise Windows developer environments, as I shouldn't need many gigs of VS just for a compiler, etc. etc.

2plash6 commented 2 years ago

Ok.

2plash6 commented 2 years ago

I guess that wraps it up. Oh well ¯\_(ツ)_/¯

2plash6 commented 2 years ago

I hate how it has its own system that checks if you're inside of a VM (according to Siam), AND you need a key that only 4 people have access to.

ParzivalWolfram commented 2 years ago

It's actually 4 keys one person each has, and yes, it does do extensive checks to ensure you're in a VM.

ParzivalWolfram commented 2 years ago

that actually isn't true, Siam got 2 keys by mistake.

2plash6 commented 2 years ago

Wow, I can’t believe you know so much about such a mysterious malware.

ParzivalWolfram commented 2 years ago

I mean, like I said, I disassembled what I could. I even found a backed up, partial list of key hashes from the original server hardcoded into the dropper... in a format I can't recover the original keys from before the sun explodes.

(yes, that says "horserapistyandere.webhost.com".)

image

yurryly commented 2 years ago

oh...

2plash6 commented 2 years ago

You’re a hacker.

ParzivalWolfram commented 2 years ago

You’re a hacker.

This is not a secret. I do, technically, fit into that category, yeah.

pankoza2-pl commented 2 years ago

despite what the creator says, the code is actually compilable and worked for me (using SharpDevelop, not tested with VS)

2plash6 commented 2 years ago

Very epic. Leo

On Sat, Dec 25, 2021 at 8:18 AM pankoza-pl @.***> wrote:

despite what the creator says, the code is actually compilable and worked for me


lorenzohappy19 commented 2 years ago

despite what the creator says, the code is actually compilable and worked for me (using SharpDevelop, not tested with VS)

how do i do that?

Gork3m commented 2 years ago

I mean, like I said, I disassembled what I could. I even found a backed up, partial list of key hashes from the original server hardcoded into the dropper... in a format I can't recover the original keys from before the sun explodes.

(yes, that says "horserapistyandere.webhost.com".)

image

Data in KeysDB.txt is in this format: $HASH$ENCRYPTED_TEXT$

Dropper looks for a matching hash and tries to decrypt the data linked to that hash using the key you provide. Decrypted data is a direct link to the Google Drive CDN to fetch the actual exe. Dropper saves the key on the disk for the main executable to verify. (main exe again checks it in KeysDB.txt)

Unfortunately Google removed my KeysDB.txt access (wtf?) and pretty much banned all main executables hosted on Drive, therefore droppers don't work anymore. I might rebuild this soon so people can stop asking me for keys. (I've been getting 30 mails about it daily.)

Also building the current source won't work because it's missing a lot of stuff in the runtime dir. They're originally created by the main dropper exe and are embedded resources that you can't find on this repo.

2plash6 commented 2 years ago

I mean, like I said, I disassembled what I could. I even found a backed up, partial list of key hashes from the original server hardcoded into the dropper... in a format I can't recover the original keys from before the sun explodes.

(yes, that says "horserapistyandere.webhost.com".)

image

Data in KeysDB.txt is in this format: $HASH$ENCRYPTED_TEXT$

Dropper looks for a matching hash and tries to decrypt the data linked to that hash using the key you provide. Decrypted data is a direct link to the Google Drive CDN to fetch the actual exe. Dropper saves the key on the disk for the main executable to verify. (main exe again checks it in KeysDB.txt)

Unfortunately Google removed my KeysDB.txt access (wtf?) and pretty much banned all main executables hosted on Drive, therefore droppers don't work anymore. I might rebuild this soon so people can stop asking me for keys. (I've been getting 30 mails about it daily.)

Also building the current source won't work because it's missing a lot of stuff in the runtime dir. They're originally created by the main dropper exe and are embedded resources that you can't find on this repo.

  • Federal#9999

Thanks guys for your contribution.