this post was submitted on 27 Oct 2025
188 points (96.1% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

65104 readers
610 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others

Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):

🏴‍☠️ Other communities

FUCK ADOBE!

Torrenting/P2P:

Gaming:

💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 2 years ago
MODERATORS
db0@lemmy.dbzer0.com
sunbrothersco@lemmy.dbzer0.com
Flatworm7591@lemmy.dbzer0.com
RandomLegend@lemmy.dbzer0.com
Andromxda@lemmy.dbzer0.com
CosmicTurtle0@lemmy.dbzer0.com
tenchiken@lemmy.dbzer0.com
unruffled@anarchist.nexus
188
I got infected like an idiot (lemmy.ml)
submitted 1 week ago by Moonrise2473@lemmy.ml to c/piracy@lemmy.dbzer0.com
48 comments fedilink hide all child comments
 

I downloaded a cracked install from tpb (haxnode). It was a loader exe that loaded the original exe and supposedly removed the drm in RAM. It required admin permissions, I didn't trust it, but i ran in a vm and nothing happened.

Then i told myself "i have microsoft defender and windows firewall control, they will warn me" and I ran it in my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader but with a different program version had a similar result. I gave up.

Then i reboot, and firstly i notice a couple DOS prompts flashing on the screen, and windows firewall control asking me if "aspnet_compiler.exe" is allowed to access the internet or not.

Suspicious, i go to check that "aspnet_compiler.exe" and it's located in the .net system folder, i scan it with microsoft defender and it doesn't report as a virus. I do not pay attention to the fact that it doesn't have a valid Microsoft signature, and i tell myself "probably just a windows update" and i whitelist it on the firewall.

After a few hours I realize "wait a minute: it's impossible that an official windows exe isn't signed by microsoft!" I go back to scan it, not infected... or it looks like, defender says "ignored because in whitelist". What? The "loader" put c:* in the whitelist!

The "crack loader" wasn't a virus per se. It dropped an obfuscated batch in startup, which had a base64 encoded attachment of the actual malware, that was copied in the .net framework directory with unassuming names...

And this for a $60 perpetual license program that i should buy anyway because it's for work

you are viewing a single comment's thread
view the rest of the comments
[–] Moonrise2473@lemmy.ml 6 points 1 week ago* (last edited 1 week ago) (1 children)

probably i would have ran it outside as the crack just silently "crashed" (while successfully dropped the malware as admin in the right spot, ready to be ran as admin at the next boot via the task scheduler) and i would have thought "maybe it doesn't run in a sandbox/vm".

But yes, in a hindsight, if i ran in sandboxie then i might have noticed that it had dropped suspiciously named files in common:startup with that nice file transfer GUI (unless if the malware detected sandboxie and did not run the malicious routines)

[–] Cevilia@lemmy.blahaj.zone 4 points 1 week ago* (last edited 1 week ago)

If it didn't run the malicious routines, problem solved :)

Not a silver bullet, just something to remember exists.