Windows Software Cracking / Patching tools being detected as a Virus/Trojan/Riskware ..etc

Disclaimer: I do not use nor encourage the use of illegal software and this post is only for the sole purpose of understanding AVs and RE topics

I have been doing some Reverse engineering lately, specifically on cracking / patching tools that cracks software license. To give you a general picture, patching softwares come in three shapes as far as I know:

  • Case 0: A cracking/patching tool that only breaks the license of the software, It isn’t encoded and doesn’t have any suspicious activity, although this is very rare.

  • Case 1: A good majority of cracking tools are only packed by popular packers like UPX and does a dropper-like behavior by embedding the real binary and decoding it and loading/executing it on the runtime as a sub-process as a mean to hide the patching mechanism.

  • Case 2: Some patching tools do in fact have viruses (Cryptocurrency bots, ransomware , info-stealer and what not ) embedded in the binary and drops the malware, which is in fact malicious in this case. This is Case 1/2 combined a with a virus. It’s good to know that many developers/RE engineers that sell their keygen/patching tools for malicious actors, so they’d embed a trojan into it. This has been the case for a very long while.

Interesting facts:

  • An interesting thing that Case 0 / Case 1 “malwares” can pass through AVs by only changing the icon or a single hex value, which changes the the signature entirely.
  • It can be hard to hide the malicious activity of Case 2 malwares as they are truly malicious and do quite a lot of things that can be observed through the network and the behavior of said malware.
  • most of case 0/1 “malware” are marked as “Win32/Keygen”, “riskware”, “patcher”, “highConfidence”, “injector” and what not.

You can take a look at this one I recently reverse engineered (a cracking tool for a download manager), which I can guarantee that it doesn’t have any malicious activity, it’s a case 1 Patcher.

This is before changing the icon of the file (31/70) score :

Here’s the same file, but with the icon removed (13/70) :

I’m truly starting to wonder if AV companies flag patching/cracking software as malicious just for the sole purpose of protecting other-companies-software?

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.