[Refox not really secure]
> Using level I yes, Level I+ -- Maybe, if you use a password you remember.
> I use pure random passwords when I brand my apps, so even a brute force
> attack would take forever. Level II -- no way. none. Care to try?

Josh, where did you pick up these exotic ideas? What Refox does is branding the app - it leaves a mark in it that makes other Refoxes refuse to decompile it unless the serial number and password (if required) match. Other decompilers may show warnings about ill-formed object code or benign structural defects when they encounter the scent mark of Refox but that is all.

As regards the brute-force attack: there is no reason to try a brute-force attack because there is no secret information. The password protection works only against Refox but a cracker who wants to use Refox will simply remove the scent mark from the app; if they use another decompiler then they do not even need this step. If it is a level II branded app then the decompiler can determine the changed obfuscation parameters from the branded runtime dll (compare branded and unbranded dlls to see what I mean) although Refox itself will not do this, naturally.

But let's say Mallory Malicious walked off with your level II branded app and forgot to bring the branded runtime dll. Now, how long do you think it will take to brute-force those parameters? Ballpark figure.