Monday, May 18, 2015

Decompiling an illegal 'patch' application - does it secretly install or run malware?

A friend of mine called me the other day with the following story: "I downloaded a torrent application which contains a patch. I ran the patch application but it didn't work. Do I have a virus now?"

My first reaction was of course: "Yes buddy - you're screwed". But I decided to have him send the application over so I could take a look at it.

As it turns out, this patch is a .NET application - so not only will it be easy to decompile, it will also be very readable.

So I was expecting things like the patch secretly installing keyloggers or some other hidden background service, or making the computer part of a botnet.

I opened up my trusty DotPeek and had a 'peek' inside. First I opened the references tab to see which BCL libraries the application uses:

OK - that was surprising: System.Web wasn't there. I was expecting that at the very least. OK, see what resources it carries then:

Remarkable: nothing but some icons and a background image. That doesn't seem too evil. But, OK, I must be missing something - let's check out the sources:

Aha - I thought: the 'SeekAndDestroy' method must do something bad. As it turns out, it doesn't. It just opens some .exe and .dll files and replaces certain byte sequences with others. So unless that injected byte sequence is the actual malware (which I don't think), it seems this patch only tries to tamper with the application's license check. Wow, I didn't see that one coming - it seems this patch is clean!
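To verify a conclusion like this independently, a defender would diff the target binary from before and after the patch is run and inspect exactly which bytes changed. The following Python script is an added example (not code from the original post or from the patch) that reports every contiguous run of differing bytes between two buffers; the two sample buffers are constructed here to stand in for an original and a patched .dll.

```python
from typing import List, Tuple

Change = Tuple[int, bytes, bytes]  # (offset, old bytes, new bytes)


def diff_ranges(original: bytes, patched: bytes) -> List[Change]:
    """Return one (offset, old, new) tuple per contiguous run of changed bytes.

    If the two inputs differ in length, the tail is reported as one final
    change against the shorter input's empty remainder."""
    n = min(len(original), len(patched))
    ranges: List[Change] = []
    i = 0
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != patched[i]:
            i += 1
        ranges.append((start, original[start:i], patched[start:i]))
    if len(original) != len(patched):
        ranges.append((n, original[n:], patched[n:]))
    return ranges


def describe(ranges: List[Change]) -> List[str]:
    """Render each change as 'offset: oldhex -> newhex' for a triage report."""
    return [f"0x{off:08x}: {old.hex()} -> {new.hex()}" for off, old, new in ranges]


# Constructed sample (assumption, not a real assembly): a 64-byte file in
# which a patch tool changed two bytes at offset 10 and zeroed four bytes
# at offset 40, leaving everything else untouched.
ORIGINAL = bytes(range(64))
_patched = bytearray(ORIGINAL)
_patched[10:12] = b"\x2b\x00"
_patched[40:44] = b"\x00\x00\x00\x00"
PATCHED = bytes(_patched)

if __name__ == "__main__":
    for line in describe(diff_ranges(ORIGINAL, PATCHED)):
        print(line)
```

Changes confined to a few small ranges inside the target's own files are consistent with the license tampering the decompiled source shows; the same comparison, run in an isolated VM against a filesystem snapshot, also reveals any files the tool touched that its source did not advertise.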
