>> I remember that some guy here said that with an Hexadecimal editor it will
>> be possible to decompile even if it's protected with refox
>
>ReFox 'protects' apps against decompilation by leaving one or more marks in the app (structural inconsistencies and invalid object code, containing some id data). If ReFox finds such marks and it does not recognize them as its own (ReFox serial #, password hash etc.) then it refuses to disassemble this file. Of course, other dissassemblers do not necessarily adhere to this convention and so ReFox cannot protect against them.
>
>I think there is at least one level of branding that ReFox refuses to decompile in any case (the one where it patches the Fox runtime) but - as before - this is simple convention that applies only to ReFox but not to other programs.
>
>There is another class of 'protectors' (exe packers like ConXise (sp?) from the vendor of ReFox IIRC), but all of them would be trivially foiled by a simple DLL that is loaded instead of VFP?R.dll (/D switch) and that exports a single function which saves the decompressed/unscrambled app to disk instead of running it.
>
>Be that is it may, the 'hexeditor approach' requires that you know the offset of the flag that says 'this file has a ReFox password'. Changing this byte so that it yields a value that is equivalent to 'no password' after descrambling requires at most 255 tries. I think this is more theoretical than practical, especially as it requires you to know the offset(s) of the branding mark(s) which depend on the version and branding level. Also, there are supposed to be hacked versions of ReFox on the web which do not respect the scent marks left by the branding.

Actually I edited the refox.exe to do it, not the compiled foxpro app.


>BTW, I think one should consider carefully what the threat model is before paying ReFox tax. Simple obfuscation (the ENCRYPT option in Fox) is enough to foil lay users and things like ReFox etc. do not achieve a whole lot more than that. Evil minds might say that distributing source code can also be a very efficient method of obfuscation, but I think this could be easily circumvented by stripping comments and running the code through a beautifier. ;-)