Silly asm/disassembly question

Posted by afib (Scriptonaut, joined 2011/12/06)

For the sheer sake of curiosity, can someone explain why or point me to articles that explain why when you crack a program it tends to show up as an infected exe? I can somewhat understand why keygens do. They're probably found out about and simply added to the signatures or maybe they just use heuristics and look for certain combinations of commands in the executable.

I'm asking because I've been working on learning how to disassemble, and the programs I modify are being detected as viruses. For example, when I change the value of a jnz to get around a check, this happens.

Do AV scanners actively compare files to one another? Can they tell when you manipulate the ASM to get around a check? Is there a self-check mechanism inside PE format? For example, when the program is compiled, do they include some signature that allows the AV to know if the program has been modified since compilation?

I would imagine a basic integrity check would cause the program to fail to launch. You can't arbitrarily add data to it. When I used to open programs in Notepad (I was 11 then, give me a break!) I quickly found out that anything you change must have the same number of bytes in a lot of cases. You can change "cat" to "dog" but not "chupacabra" (using simply a text editor).

I have googled and searched, but I couldn't find much. Not sure if I'm not phrasing it right or what... I'm new at this.

I'm more or less just curious about why this happens.
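The PE "self-check" the post asks about, as an added example that is not part of this thread: Python that recomputes the optional-header CheckSum with the same algorithm imagehlp uses and checks whether the Security data directory (where an Authenticode signature lives) is populated. The PE image it runs over is a minimal one constructed in the code, with a single jnz that the builder can flip to jmp after the checksum has been written.

```python
import struct
def _opt_header(data: bytes) -> int:
    # validate MZ/PE magics, return file offset of the optional header
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe + 4 + 20  # signature + COFF file header

def pe_checksum(data: bytes) -> int:
    # same algorithm as imagehlp CheckSumMappedFile: sum 32-bit words (skipping the
    # CheckSum field at optional-header +64), fold carries to 16 bits, add file length
    skip = (_opt_header(data) + 64) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _opt_header(data) + 64)[0]

def has_authenticode(data: bytes) -> bool:
    # data directory 4 (Security) non-empty means an Authenticode blob is attached;
    # directories start at optional-header +96 for PE32, +112 for PE32+
    opt = _opt_header(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    off, size = struct.unpack_from("<II", data, opt + (112 if magic == 0x20B else 96) + 32)
    return off != 0 and size != 0

def build_sample_pe(patch_jnz_to_jmp: bool = False) -> bytes:
    # constructed minimal PE32 (headers + fake code stub), not a real binary; CheckSum is
    # written first, then the optional jnz->jmp byte edit is applied, like a post-build patch
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    code = b"\x85\xC0\x75\x05" + b"\x90" * 196                     # test eax,eax ; jnz +5 ; nops
    image = bytearray(dos + b"PE\0\0" + coff + opt + code)
    struct.pack_into("<I", image, 0x40 + 24 + 64, pe_checksum(bytes(image)))
    if patch_jnz_to_jmp:
        image[len(image) - len(code) + 2] = 0xEB                   # 0x75 (jnz) -> 0xEB (jmp)
    return bytes(image)
```

Windows ignores a wrong CheckSum for ordinary user-mode executables, so a mismatch does not stop the program launching; it is only a tampering hint a scanner can use, whereas a broken or missing Authenticode signature is the stronger evidence.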