>Francois, I am 100% sure that any scheme that bolts on around an existing VFP exe will offer very limited protection.
>
>Many of these protection schemes offer quite clever mechanisms to prevent hacking but it's all applied to the" wall around the city". If you are inside the wall it doesn't matter how high the wall is. The issue is that VFP makes it quite easy to get inside the wall. It's not an issue with the protection schemes, it's a characteristic of the VFP app or actually any development environment whose distributed app uses an Intermediate Language.
>
>NET has the same issue FWIW but NET protection seems to focus on altering the code rather than just building a wall. NET obfuscation seriously alters and overloads practically everything so that a decompiled assembly is not much use. Many schemes also offer encryption and other walled protection but that's icing on the cake and sooner or later (usually sooner) such schemes get cracked.
>
>There is another element people need to consider: if your VFP app makes calls to an external dll or fll or other system, it's trivially easy to intercept the call and any parameters. So a hacker can scoop your database logins or your zip encryption passwords or blowfish encryption keys or pop3s credentials without even needing to unprotect your app. Effectively this is an open gate in the city wall, with people focused on making the wall stronger while the gate is left unattended. ;-)


There will always be a continual battle between the makers of protection and those who attempt to bypass protection. The latest ReFox version XII addresses the DBC attack vector as well as adding a layer of obfuscation to the resulting exe file. Although it is true that all walls will be breached so it is that all protections will be breached especially if the attacker has direct access to the target application and sufficient motivation, skills and resources.

I have said before that all protections that I have looked at including Armadillo, Thinstall, Molebox and Refox have been cracked within minutes by experts who make their living reverse engineering code (mainly in the anti-malware industry). And what I mean by cracked is not full de-compilation back to VFP source but that the running application could be accessed in memory and therefore code, passwords, keys and other source and/or data could be retrieved. After that it’s just a matter of time and motivation.

The question is not whether you can protect your application but for how long you want to protect it from a particular level of attacker. If a sufficiently skilled attacker has access to your application or database it will be owned.