Keygens/Patches/Cracks
Ok, I need some insight before I go back into Torrenting. I need a piece of software from a less than reputable company (Wondershare). Now I know Keygens can be run through Sandboxie or a VM to get the key but how do Patches and Cracks work?
One of TorrentGalaxy's most trusted uploaders & software patchers keeps the software updated and uploaded & includes in the download listing the www.virustotal.com report for the installation files, which shows a clean listing; however, the Patch shows a listing for multiple AV/Malware software which shows the Patch being a virus. So, how do I use the software if the Patch is "infected"? Am I missing something? Thanks!
You’ve got a few questions here, so let me break it down…
What is a crack?
A crack is simply a way of defeating DRM. In the old days, games would often require the game disc to be inserted before they would boot. It was a very easy way of preventing people from simply sharing the files, because even though the game was installed and didn’t need the disc, the game would simply refuse to launch without the CD in the tray. It was a sort of physical DRM, because disc burners weren’t super common yet, so copying a game disc wasn’t super easy.
So the crack simply edited the part of the game that checked for a CD. Sometimes it was as simple as removing the few lines of code that told the game to check for a CD. Sometimes it was simply a matter of telling the game that the disc was always inserted. But that’s just an early example of a crack; it was modifying a game file (or files) in some way, to make them boot even when DRM would normally prevent it.
Modern cracks are much more complicated, but the end goal is the same. Crackers are simply trying to defeat the DRM, so the program will boot. It usually modifies a few files, to get the program to boot when it normally wouldn’t. The cracks are usually fairly small in size, because the actual program .exe and a few .dll files are usually all that gets changed. So patching the program is usually as easy as moving the cracked files into the respective folder, and overwriting the legitimate files.
Why does a crack show up as a virus?
Lots of modern cracks need to do some pretty fucky things to defeat modern DRM. It often requires intercepting network traffic that the launcher would use to “phone home” to a company server. For instance, maybe the launcher checks in with a company server to verify that your program is legit. If the server responds that it is, then the program boots. So the crack would potentially need to intercept that network traffic, then spoof a response from the server. But you know what else does something like that? A virus, attempting to hide itself.
And modern antivirus software doesn’t rely on “hard” virus definitions to identify viruses. The traditional way of scanning for viruses was to just keep a massive database of known threats, then compare files against that. But that’s slow, and new threats constantly need to be added in order to keep your virus scans accurate. And if a hacker is able to change their virus slightly, you’ll need to add a whole new item to the database just to target the change.
So instead, they use something called heuristics, which basically means they look at how a program operates, then guess whether or not it’s actually a virus. It uses common virus behaviors and pattern recognition to try to identify a virus. This increases the chances of a false positive, but means scans are much quicker and will catch new threats in the wild even when they haven’t been officially documented yet. But since different companies use different virus definitions for their heuristics, different antivirus programs will give false positives to different cracks.
If it’s only a few flags on VirusTotal, you’re likely going to be fine. It’s most likely a false positive from those antivirus programs.
what I want to stress at this point is that the techniques required to crack a game (dll injection, ssl pinning bypass, syscall hooking and more) are the same ones used by malware
that, though, leaves you completely unaware if the crack is benign or not. It could be or it could be not. “but it worked fine for me” is also not a good enough pointer, as it’s very common practice to make the malware run only under certain conditions (after a month, only when the PC is idle or the screen is locked, or make it extremely lightweight - just upload all your browser cookies once a day)
if you get hit by something like this there’s no going back. you need to format. there are very, VERY weird ways that a malware can replicate/hide itself too.
software has, is and always will be a game of trust. do you trust the cracker? or even the company that makes the software? and if so, why
I always suggest to never run cracks on a machine that is used to log into personal accounts
The only crack that I actually trust is massgrave (windows & office crack). It’s a powershell script so you can just read its source code
Also, it's good to point out that bigger AVs do have an incentive to fight back against cracks, because they are funded by the larger companies that such cracks target, so many will try to discourage DRM cracking on purpose. If you've ever seen an AV program report a file back as "Crack" or "Keygen", this is the reason why. They want to discourage this behavior through fear or annoyance.

Thank you so much for explaining all of this! So, it's not an "exact" match for a virus, it's the "behaviour" of the Patch/Crack that makes the AV/Malware software "see" or "think" it's a Virus/Malware. That makes much more sense.
I've copied the link for the software with patch below. Wondershare UniConverter
At the bottom of the link are the references from VirusTotal. I use Avast & Malwarebytes Pro, and the report says Malwarebytes would catch and quarantine it. I guess a virus/malware to me is always a risk, and I've had my system crashed in the past due to that and don't want a repeat. If you don't mind, I would like your opinion on whether to try it or not. Again, thanks so much for the explanation!
When the source of a crack/patch isn't trusted, I'd do like you said and install it in a VM, then compare the patched files with their unpatched copies using diffing software (Beyond Compare's hex compare feature is useful for this). If there are a huge amount of changes, like completely different size and content, or it is protected with a packer (typically will be a several MB larger), I would definitely steer clear of it. If it's just a few changed bytes (and maybe the digital signature overlay is stripped off), then it's most likely safe and you can just copy the patched files out of the VM and overwrite your main install.
Edit: Also, always prefer official installers directly from the developer's site if they are available; "pre-cracked" installers are always a red flag to me.
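One way to do the comparison this reply describes, as an added example rather than code from the thread: a Python byte-diff that reports changed regions, size growth and the entropy of any appended tail, run here on constructed stand-in data (not real Wondershare files).

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code sits around 5-6.5, packed/encrypted data near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def changed_regions(original: bytes, patched: bytes, gap: int = 8) -> list:
    """(offset, length) spans that differ over the common prefix; diffs closer than gap merge."""
    regions, start, last = [], None, None
    for i in range(min(len(original), len(patched))):
        if original[i] != patched[i]:
            if start is not None and i - last > gap:
                regions.append((start, last - start + 1))
                start = None
            if start is None:
                start = i
            last = i
    if start is not None:
        regions.append((start, last - start + 1))
    return regions

def assess_patch(original: bytes, patched: bytes, max_changed: int = 64, max_growth: int = 4096) -> dict:
    """Reply's rule of thumb: a few flipped bytes is expected; bulk rewrites or a big high-entropy tail are red flags."""
    regions = changed_regions(original, patched)
    changed = sum(length for _, length in regions)
    growth = len(patched) - len(original)
    red_flags = []
    if changed > max_changed:
        red_flags.append(f"{changed} bytes differ across {len(regions)} regions")
    if growth > max_growth:
        tail_entropy = shannon_entropy(patched[len(original):])
        red_flags.append(f"file grew by {growth} bytes, tail entropy {tail_entropy:.2f}")
    return {"changed_bytes": changed, "regions": regions, "size_delta": growth, "red_flags": red_flags}

# Constructed sample, not real Wondershare files: fake 4 KiB "binary" with a JE (0x74) at 0x200
# followed by a 512-byte zero signature overlay.
_body = bytearray((i * 37 + 11) % 256 for i in range(4096)); _body[0x200] = 0x74
ORIGINAL = bytes(_body) + b"\x00" * 512
# Benign-looking patch: JE -> JMP (0xEB) and the overlay stripped, as the reply describes.
_small = bytearray(_body); _small[0x200] = 0xEB
SMALL_PATCH = bytes(_small)
# Suspicious "patch": identical code with 64 KiB of random-looking data appended.
PACKED_PATCH = ORIGINAL + random.Random(7).randbytes(65536)
```

The thresholds are assumptions for the toy data; on a real install, compare each replaced file against the vendor copy from the VM and read the offsets in a hex viewer.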
This sounds like excellent advice. I happen to have a licensed version of Beyond Compare that I can install and do a hex compare with. I appreciate the guidelines to follow, and I agree with you on the "pre-cracked" options. I would always install from the developer's site first and then use the patch, if I use it at all. Unfortunately, this software must have a "phone-home" feature and has a "hosts file" change as well. As with the previous response, I would appreciate your input on whether you would try it or not.
Wondershare Uniconverter
Thanks for your excellent advice & input!
Do NOT run a crack or patch of any kind. They may pass a Malwarebytes scan, or test clean on VirusTotal, but one I just ran across tried downloading a bunch of data when I ran it in a VM. Don't risk it; I've been burned in the past. And now with online banking, PayPal, Venmo, cryptocurrency, it's just not worth it.
You might try installing the software in a VM, running the patch in the VM, and then moving the software over to your primary, but I would still be worried about that.
The other people here say you'll probably be fine, but you need to ask yourself if it's worth giving up any of your passwords to an attacker. At best you're looking at a completely benign patch, and a working installation of the software. At worst...it can be pretty bad.
Wait for a keygen, or go without the software. Or, and I do this a lot lately, look around for a free, open source equivalent.
I mean, he says it comes from a very reputable source, so he will be fine. If he finds something he should report it and let everyone know about it. And of course never sign in to your bank account on the same machine you use to pirate software.