Tinkering with MSN Explorer - #1

Hello all!

I’ve had this idea for quite a while, around late 2016-early 2017ish. That idea was to dissect MSN Explorer, an MSN-branded browser. To basically let it connect without relying on Microsoft servers barring old clients/non-MSN Internet Access accounts (@msn.com subscription email accounts).

First thing was to test the clients. Sure enough, I did. With Fiddler in hand (although it’s not trusty for connections made with WinHTTP, mind you), I saw some connections to texreg2.msn.com. Accessing the URL now links you to an inaccessible site, asking for a username and password.

I had ended up coding a quick Python script to host a server and redirected the aforementioned URL to where the server was running. Stupidly enough, I forgot to set something like autossl up, and connection attempts to the server via HTTPS failed. If I can, I’ll get back to that and properly set things up to see what happens. :stuck_out_tongue:

Then, I had decided to tear through the .MAR files, since they contained all of the UI files, made up of HTML and JavaScript, which could potentially uncover how registration worked. Only problem, however, was that there is no available program to read/write .MAR files. While searching up details on these proprietary files, I stumbled across a Neowin thread regarding extracting files out of .MAR files. One of the posters, “oDD”, gave out the structure of these files and stated that he’d code a program to extract and recompress .MAR files. Unfortunately, said program doesn’t exist anymore, as it was hosted on an obscure site that has been lost to time. So I knew I had to do my duty as a programmer to use what I had to create a program that could extract and recompress .MAR files.

Initially, the VB6 junkie I was at the time decided to start the project in VB6, envisioning the program as a GUI application that would work like your average archive opener. But due to the complications that are API definitions involving recreating structs and the poor support of bit manipulation, I ditched that in favor of C#.

Now, at this point, I had no idea how unpacking/packing integer types worked, and I was blind from how endianness worked, so I went searching up how to “convert 4-byte DWORDs to 32-bit integers” (yes I thought it worked like that at the time please). Frankly, the initial code works awfully, as it doesn’t extract the filenames or data with 100% accuracy, and again, I was obsessed with getting the GUI stuff to work.

So after abandoning the project for several months, I decided to revisit the project, but this time, get things straight.

Instead of fancying everything with GUIs, I’ll just make the .MAR extraction and compression programs console programs. With my newly found knowledge of unpacking and packing integer types and endianness, I’ll make sure that nothing is butchered during the parsing of those files. When I do get the console programs working, I’ll go examine any and all contents of the source files. If nothing that can lead to progress can be found, then I’ll go back to using loopbacks for services that MSN Explorer might use.

Well that was one lengthy ride of a post. Have a nice day and catch ya later! :stuck_out_tongue:

9 Likes

I always wanted to use MSN Explorer, but for some reason I could never get the installer to work. It was probably because I didn’t use MSN dial-up. Actually, the installer was pre-installed onto my netbook’s desktop when I brought it, I just never bothered to click on it until about a year ago.

It sounds like a fun project, trying to get it to work again. Good luck with it! :slight_smile: I think MSN Explorer might be still supported by Microsoft, because you can still purchase their dial-up packages from this very old looking website.

I used what seems like the AoL equivalent of MSN Explorer, except it wouldn’t work with my AoL account for some reason. It would startup every time I turned my netbook on, and it would make things really slow. I had to uninstall it eventually.

3 Likes

Woo!

After cooking up a quick Python script to do all of the heavy .MAR extraction lifting, I’ve successfully got my first .MAR file extracted.

But it seems that I need to implement the encoding detection, as I noticed a few files had a Unicode byte order mark (BOM). NVM, realized that hex editors don’t parse Unicode as intended. :stuck_out_tongue:

Other than that, I may be going to new heights. :slight_smile:

3 Likes

Welp, nothing special regarding what’s inside the .MAR files (if you are interested though, mail.mar contains what I believe to be an address book with Messenger-like features :wink:), so I decided it would be time to see what went on on the HTTP side of things.

I got a rudimentary HTTPS server running, and MSN Explorer on my host machine. What I ended up forgetting about, though, is that MSN Explorer is prone to crashing when it has the right admin privileges. Otherwise, it will open a user select dialog with the option to add a new user. But when accessed, it will connect to icereg2.msn.com (which is still up) and sit there in an endless loop doing nothing.

What I plan to do is get my Windows XP VM up and running, since it seems to be the OS of choice to handle a program like MSN Explorer properly, and see if any progress is furthered. Hopefully, this isn’t a dead end. :stuck_out_tongue:

5 Likes

Welp, looks like I hit a roadblock.

Not from MSN Explorer, though, but from my web server setup. Apparently, the SSL context doesn’t like the 0.0.0.0 loopback IP I feed it (so that I can use my local IP on the VM), and even with port forwarding my IP, zilch happened. I’m going to have to figure out how to combat this and get my setup working. :stuck_out_tongue:

2 Likes

OH SHIT I’VE BEEN THINKING ABOUT THIS FOR A WHILE
(but i haven’t had the resources to do so)

4 Likes

Well, tried the same HOSTS-redirected icereg2.msn.com on my host machine. No problems.

Perhaps XP isn’t even bothering to use the latest root certs. :stuck_out_tongue:

2 Likes

I’ve been looking at screenshots of MSN Explorer, it looks like it works with Messenger so it can give you notifications for messages and online friends. I wonder if it could be configured to work with Escargot? I’m not sure if it opens Messenger up for you or if you can use it inside the program.

After poking around online, there seems to still be some people who use this program today. There are some people on the official Microsoft forums complaining that it doesn’t work well with Windows 10.

3 Likes

Actually, there was an HTML file in the location of the extracted mail.mar file, where it seems to set an ActiveX object named Messenger.MessengerApp.1. I can almost immediately point out that MSN versions up to 8.x had an ActiveX control for interfacing with other apps. So it’ll probably utilize the patched MSN client used, meaning no extra patching. :stuck_out_tongue:

I’ve already discovered that early into my endeavors. Surprised that people still use an IE shell too. :stuck_out_tongue:

3 Likes

Well, after a day of fighting with Caddy and the XP cipher compatibility, I’ve made an error on my part (proxying Caddy on top of another server requires the proxied server to not have HTTPS on it already) and had it fixed. Now my setup is working like a charm again! :smile:

4 Likes

So apparently, Caddy doesn’t like it when HOSTS patching is used to redirect to someone’s server.

Guess it’s patching time, then. :stuck_out_tongue:

2 Likes

I never had a chance to use MSN Explorer (heck, I didn’t even knew it existed) so it doesn’t bother me if you can’t make it work.

3 Likes

private “dns” using a microboard or something

3 Likes

Hmm… it seems that the MSN Explorer program calls CreateURI with a hardcoded URL. No reference to any other libraries.

msn6%20createuri

Time to dig into this more. :stuck_out_tongue:

2 Likes

From further discovery, it seems that msnmetal.dll handles the connection to icereg2.msn.com.

I’ve found my potential lead. :stuck_out_tongue:

3 Likes

i knew that file had something to do with everything

(because it listens to metal)

3 Likes

LOL

2 Likes

Ugh now I’m scuffling for a good decompiler to look into msnmetal.dll. Something with Hex-Rays-like decompilation quality. But Snowman w/ x64dbg isn’t working, and even then, it seems that it has its own problems. Fcd is primarily for Unix, and I assume that the next Unix-compilant compiler for Windows to build the thing will have some crazy errors with includes or something. Looks like the rest of those decompilers are either unreliable or produce less-than accurate results.

And no, I’m not shilling out $2,000-$3,000 for a plugin for a disassembler that also cost thousands of dollars, making the total $3,000-$4,000. Too overpriced for a hobbyist like me.

If anyone has any good recommendations for good decompilers around or even surpassing the quality of Hex-Rays, message me on MSN! :stuck_out_tongue:

2 Likes

So I’ve been able to re-route the signup URL MSN Explorer uses inside its .MAR files, and from using my own .MAR compressor, it works like a charm. But MSN Explorer still doesn’t seem to do anything yet. Maybe it wants some sort of HTTP header or a specially formatted body. IDK yet, but that also requires ripping open msnmetal.dll, so I’m technically still stuck. :stuck_out_tongue:

2 Likes

Will have other languages?

2 Likes