
I remember most if not all cracked games used to have viruses in their executables. People always said that you shouldn't care about what the antivirus said, but now I am wondering: why did the antivirus alert about viruses? Does anyone know? Were they really safe or not?


Cracking tools often compress their code for whatever reason. Some antivirus apps often report every compressed executable, such as anything using UPX, as being infected. That also happens with demoscene-style code, like MOD players that tend to be included in cracking tools.

The reason for that is that once upon a time some virus used UPX (or some demoscene tool), and the antivirus associated that with the virus. But some antiviruses also often detect cracked stuff and report it as being a virus, purely because they're killjoys.

Commercial antiviruses are a plague as bad as viruses themselves, unfortunately.
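To show why a packer heuristic fires on a UPX-compressed binary, here is an added Python example (not code from the thread or from any AV product): it walks a PE section table and reports the two signals such heuristics commonly use, known packer section names and near-random section entropy. The minimal PE builder and both samples are constructed for the demonstration, and the 7.0 bits/byte threshold is an assumed value.

```python
import math
import random
import struct
from collections import Counter

PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names UPX writes into the section table

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, far lower for plain code."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Minimal PE section-table walk; yields (name, raw_bytes) for each section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0] if image[:2] == b"MZ" else -1
    if e_lfanew < 0 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for off in range(table, table + 40 * nsections, 40):
        name = image[off:off + 8].rstrip(b"\0").decode(errors="replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image: bytes, threshold: float = 7.0) -> list:
    """Reasons a packer heuristic would flag this image; an empty list means none fired."""
    reasons = []
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        if name.encode() in PACKER_SECTION_NAMES:
            reasons.append(f"section {name}: known packer section name")
        if len(data) >= 256 and ent >= threshold:
            reasons.append(f"section {name}: entropy {ent:.2f} bits/byte looks compressed")
    return reasons

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE image (headers plus sections, not runnable) for exercising the checks."""
    e_lfanew, opt = 0x40, b"\0" * 16  # the optional header is never parsed, so a stub suffices
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0)
    raw_ptr, table, body = e_lfanew + 24 + len(opt) + 40 * len(sections), b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0)
        body, raw_ptr = body + data, raw_ptr + len(data)
    return dos + b"PE\0\0" + coff + opt + table + body

_rng = random.Random(1234)  # constructed samples: random bytes stand in for a compressed section
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))])
SAMPLE_PLAIN = build_sample_pe([(b".text", b"mov eax, 1; ret\0" * 256)])
```

Running `packer_indicators(SAMPLE_PACKED)` yields both reasons, while the plain sample yields none; on a real UPX-compressed but benign binary the same two signals fire, which is exactly the false positive described above.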


They generally were false positives if you were getting the downloads from decent release channels. The reason the false positives show up is the packers used to make the executable files. Cracks in particular show as infected because they are not only packed, but also attempt to access other files with executable code at specific byte locations and modify them.


As someone who works on mods for games with no mod API, so using DLL injection, hooking, code editing, etc. (basically very similar to what cracks do), it's very easy to get flagged for doing stuff like that.

But even doing simple stuff like compiling with Winsock, or with the wrong(!?) compile flags, will trigger most AV. We almost always have to just report the DLLs as false positives and pray Microsoft actually adds them to the whitelist, and I'm guessing that's not really an option for cracks.


How would you suggest someone get started modding games that don't have an API? What background knowledge should I develop?


It really depends on the game/platform, but getting used to using a reverse engineering tool and a debugger is a must. If you can, use IDA; I'm stuck with Ghidra for now, but most of the time I have to work against it to get stuff done. Even with C output you'll still need to get used to working with assembly to hook stuff and do other code modifications. (You can use a library like Detours, but when things start crashing it really helps to know exactly what every piece of your code is doing.) Also imgui/nuklear really help with getting a nice GUI for your mods early on.

Though tbh the best thing you can do is just pick up a game you like and just have a go at reversing it; it'll be a bit slow, but the more you reverse the easier it gets. After you reverse it, it's just a matter of looking up each topic (i.e. DLL injection, hooking, etc.) as you need them. None of them are that hard, they just seem overwhelming if you try doing them all at once.


Word of warning - I noticed that frequently enough, antivirus alerts from pirated software were true positives. Repackaging warez with a malicious payload and then using a botnet to boost its seed count and place it at the top of listings was apparently lucrative, and I've had to deal with one instance of a user's account and website compromised due to what was most likely an infected keygen.


An antivirus saying that something is malware does not necessarily mean that it is malicious. For example, they will often report that a keygen, which I've checked literally does nothing other than display the generated key, is malicious because it can be used for piracy.


I never ran into that. In fact, I never got a virus from any pirate website or pirated software. I know that you can get infected, but it always seemed obvious when you're offered an actual release or one that has been tampered with.


How often did you encounter "false positives" downloading normal shareware applications?

There's your answer.


Often, the alert you get is about a "keygen" or "crack" tool, which is exactly what you wanted in the first place.


I "cracked" software/games myself and can confirm that modifying an .exe can lead to false positives from antivirus.

