Disclaimer: I neither use nor encourage the use of illegal software, and this post is for the sole purpose of understanding AVs and RE topics.
I have been doing some reverse engineering lately, specifically on cracking/patching tools that break software licenses. To give you a general picture, patching software comes in three shapes as far as I know:
Case 0: A cracking/patching tool that only breaks the license of the software. It isn't encoded and doesn't have any suspicious activity, although this is very rare.
Case 1: A good majority of cracking tools are only packed with popular packers like UPX and show dropper-like behavior: they embed the real binary, decode it at runtime and load/execute it as a sub-process as a means of hiding the patching mechanism.
Case 2: Some patching tools do in fact have viruses (cryptocurrency bots, ransomware, info-stealers and what not) embedded in the binary and drop the malware, which is in fact malicious in this case. This is Case 1/2 combined with a virus. It's good to know that many developers/RE engineers sell their keygen/patching tools to malicious actors, so they'd embed a trojan into them. This has been the case for a very long while.
- An interesting thing is that Case 0 / Case 1 "malware" can pass through AVs by only changing the icon or a single hex value, which changes the signature entirely.
- It can be hard to hide the malicious activity of Case 2 malware, as it is truly malicious and does quite a lot of things that can be observed through the network and the behavior of said malware.
- Most Case 0/1 "malware" is marked as "Win32/Keygen", "riskware", "patcher", "highConfidence", "injector" and what not.
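As an added example (mine, not from the original post, and not modelled on any real tool), here is a small Python script that shows the two points above from the analyst's side: it scans a blob for embedded MZ/PE headers under every single-byte XOR key, which is one way a Case 1 dropper's inner binary gets found, and it shows why a one-byte change in the icon region alters the full-file SHA-256 while the embedded-PE finding does not move. The "PE-like" images, the single-byte XOR encoding of the inner binary, the icon region and the names `find_embedded_pe`, `build_sample`, `change_icon` and `analyze` are all my own constructions for the demo, not real executables or anyone's API.

```python
import hashlib
import struct


def make_fake_pe(body: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed toy 'PE-like' image: an MZ stub whose e_lfanew field at
    offset 0x3C points at a 'PE\\0\\0' signature. Not a real executable; it
    carries just enough structure for the header check below."""
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)
    return bytes(hdr) + b"PE\0\0" + body


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_embedded_pe(data: bytes, max_e_lfanew: int = 0x1000) -> list:
    """Return (offset, xor_key) for every MZ header whose e_lfanew lands on a
    'PE\\0\\0' signature, trying all 256 single-byte XOR keys because a Case 1
    payload is usually stored encoded. The host binary itself shows up as
    (0, 0); any further hit is an embedded image worth carving out."""
    hits = []
    for key in range(256):
        pat = xor_bytes(b"MZ", key)
        pos = data.find(pat)
        while pos != -1:
            if pos + 0x40 <= len(data):
                raw = xor_bytes(data[pos + 0x3C:pos + 0x40], key)
                e_lfanew = struct.unpack("<I", raw)[0]
                sig_off = pos + e_lfanew
                # Sanity bounds on e_lfanew keep random byte pairs from matching.
                if 0x40 <= e_lfanew <= max_e_lfanew and sig_off + 4 <= len(data):
                    if xor_bytes(data[sig_off:sig_off + 4], key) == b"PE\0\0":
                        hits.append((pos, key))
            pos = data.find(pat, pos + 1)
    return sorted(hits)


# Offset of the constructed icon resource inside build_sample()'s output:
# 0x80-byte stub + 4-byte PE signature + 36 bytes of "host code".
ICON_OFFSET = 0x80 + 4 + 36


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed Case 1 layout: host stub, a stand-in icon resource, then the
    inner binary XOR-encoded with a single byte (an assumed encoding)."""
    inner = make_fake_pe(b"PAYLOAD-CODE" * 4)
    icon = b"ICON" + b"\x00" * 28  # stand-in for an .rsrc icon blob
    return make_fake_pe(b"HOST-CODE" * 4 + icon + xor_bytes(inner, key))


def change_icon(data: bytes) -> bytes:
    """Flip one byte inside the icon region, the kind of change the post
    observes altering the file's hash-based reputation."""
    out = bytearray(data)
    out[ICON_OFFSET] ^= 0xFF
    return bytes(out)


def analyze(data: bytes) -> dict:
    """Full-file hash (brittle) next to the structural finding (stable)."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "embedded": find_embedded_pe(data)}


if __name__ == "__main__":
    original = build_sample()
    reiconed = change_icon(original)
    for name, blob in (("original", original), ("icon changed", reiconed)):
        r = analyze(blob)
        print(f"{name:13s} sha256={r['sha256'][:16]}... embedded={r['embedded']}")
```

Running it, the two blobs get different SHA-256 values but the same embedded-PE report: the host at offset 0 with key 0, and the inner image at offset 200 with key 0x5A. That is the practical gap between a hash/reputation verdict, which the 31/70 vs 13/70 scores below reflect, and a verdict that looks at what the file actually carries.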
You can take a look at this one I recently reverse engineered (a cracking tool for a download manager), which I can guarantee doesn't have any malicious activity; it's a Case 1 patcher.
This is before changing the icon of the file (31/70 score):
Here's the same file, but with the icon removed (13/70):
I'm truly starting to wonder if AV companies flag patching/cracking software as malicious just for the sole purpose of protecting other companies' software?