Someone Cracked My App - Help Me Learn How They Did It?

I got wind today that someone is distributing a cracked version of my software for $5 on some Mexican website. It appears that they simply tweaked the XojoGUIFramework32.dll that comes with my app. How can I go about discovering exactly what they changed? I’ve done a diff of XojoGUIFramework32.dll from my distribution vs the one they are including, and there are 2 very small (a few bytes) differences, but I’m just using FileMerge to compare them, so I can’t really tell what they changed or how they did it. Can someone teach me to become an l33t h4xor?

How is your app protected?

With a pretty complex home-grown licensing scheme. During app startup, check to see if a license exists in a local SQLite database. If that license exists, check to see if it is valid by bumping up against a WebService we host with our licensing servers. If a license does not exist, prompt the user to register with their provided license keys they received at time of purchase.

The cracked version is never attempting to contact the licensing server. It is also never asking the user for their credentials. It does create the licensing database, but never creates the relevant entries for an actual license.

A bit more detail: I have a module named “auth” which contains all the functions for validating / licensing. In the app class there are calls to auth.haveLocalLicense() as well as auth.localLicenseIsValid(). Both return booleans. If the crackers simply changed where those functions point from the .dll to always return true for both, then it would let them in in the manner I’m seeing.

To be clear: this is an older version of our software which is cracked, and figuring out exactly what they did and how they did it will be mostly to make sure it’s harder for them to do it in the future.

this sort of thing is the easiest to do
I’d guess they simply altered a function that computes some value to
NOP
NOP
return whatever indicates true

somewhere in the code there’s a “RETURN” and it sounds like they turned all the code before the return into “NOP” or “do nothing” followed by returning a true value

There are debuggers and disassemblers that make doing some of this fairly simple (Hopper for instance)


So are you saying the XojoGUIFramework dll is custom compiled for each app, and it contains calls into your code? I thought the dlls were just libraries that your code called, not the other way around. Kimball stated this is the only file that was modified.

I’m still figuring it all out, but I believe the XojoGuiFramework.dll mostly just contains pointers to the entry points of the methods compiled into the application’s .exe. Norman will correct me here if I’m wrong… maybe it does actually contain app code - but I can’t tell. None of the decompilers / disassemblers I’ve tried so far can do better than spit it out in assembly for me.

However, yes, the only file that was altered was this .dll, and the alterations were very very minimal.

It appears that Hopper is only for OS X binaries. Do you know of something similar for Win32? Specifically something that will disassemble the .dlls Xojo produces? And that is not from a sketchy foreign website with many much ads/trackers/spyware pre-installed?

Yeah, I’ve had a day. :(

One hint that the dll’s were “standard” or always the same is that they always have the same date for a given version of Xojo. But I also just compared the GUI dll from two different apps of mine and they are identical. Therefore, they can’t contain any of your app code. And I can’t see how modifying the dll could prevent or circumvent a call from within your code to another part of your code.

no that file isn't custom compiled for each app

Dunno what they might have modified in there that would do this but the EXE itself would be where the xojo code that his app compiled down to would reside

right … xojoguiframework isn't your app code
can't imagine what they might have altered in there

and no, most decompilers can't / won't make heads or tails out of a lot of xojo code :P

Those dlls should be from VS

Hopper can disassemble a lot of stuff with a paid version

Huh. Here’s the whole story:
We found the app for sale on a sketchy mexican website. Ordered the app. We received a .rar file which contained the installer (which I could SWEAR is MY installer) as well as a video with instructions to run the installer, then replace the installed .dll with a modified one provided in the .rar file.

I have not done a binary comparison of the .exe yet. Will do that tomorrow. Will also see if I can determine if the installer they sent over is in fact my original installer or if they re-built an installer that looks, smells, and behaves exactly like mine… but if they did create a new installer, why not include the new .dll so that the user does not need to swap it post-install?

Lots of hinky. Gonna walk away from it until tomorrow. Thanks for all the feedback, everyone!

  1. You’re not going to stop the crackers, period. You can build the most complex system you can think of, but it won’t stop them.
  2. Make sure that you use an auto-update system which does no checks to see if the app has been cracked. Do not fire this system on launch; use a timer or a delayed approach. The aim is to auto-update the cracked version with the legitimate version. You may win a couple of users, especially if they continue to use your application.
  3. Don’t worry too much about it, as you can’t stop them, not to mention the last time I did some investigation into cracked versions of my app, out of 10 downloads (claiming to be my app), only one was actually the cracked version, and it was 20mb larger than the legitimate version, so who knows what kind of malware the crackers had injected in there.
  4. Accept that some people will simply not pay for software.
  5. Consider it marketing, so think of creative ways to utilize the exposure.

Edit: If you can figure out how they cracked it (often you can do this by using the same code in a different location (with zero dependencies)), you can offer the user a discounted license to upgrade to the legit version. Those that genuinely find your app useful may consider this.


This might help for checking windows file differences…

https://www.git-tower.com/blog/diff-tools-windows/

For binary comparisons:


If you want to find out only whether or not the files are identical, you can use the Windows fc command in binary mode:

fc.exe /b file1 file2

For details, see the reference for fc

and this may be helpful:

http://www.flexhex.com/docs/howtos/file-comparison.phtml

Good luck!

I use HexEdit on my mac and it can diff binary files
It can't tell you WHAT that code is but it can diff them


Hopper claims to be able to debug and decompile 32 and 64 bit Windows (PE32 PE32+)
https://www.hopperapp.com/faq.html

Is your software signed? Did the Mexicans resign the app? How does Windows check if the software is signed?

I would be interested which functions they patched in the Xojo runtime DLL.
Where is your license check?

Usually hackers pack some function like IsLicensed to always return true.

Yes, the software is signed. The version available from the Mexican site contains my original signed installer. The only file that needs to be changed is XojoGuiFramework32.dll. I just used HexFiend to do a binary comparison of the official installer package we distributed and the installer from the Mexican store. They are completely identical.

To be clear: The instructions for the Mexican version are to install using my original, signed installer. Once install is complete, replace the installed XojoGuiFramework32.dll with the version they sent. Then my app launches without ever even trying to license the user.

There are differences in the .dll that HexFiend can show, but since it’s all binary, I cannot tell exactly what they changed. The differences are minor, though.
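On the signing question raised above: Windows loads a DLL without checking its Authenticode signature unless a policy such as WDAC or a caller (signtool verify, SmartScreen at download time, PowerShell's Get-AuthenticodeSignature, or the app itself via WinVerifyTrust) asks for it, which is why a signed installer plus a swapped DLL works. The signature lives in the PE's certificate table (the "Security" data directory) and covers the whole file except the CheckSum field, that directory entry and the certificate table itself, so a patch anywhere in .text breaks it. The Python script below is an added example, not Xojo's or the thread's code: it parses just enough of the PE headers to turn the raw offsets from a byte diff into section name and RVA (what a disassembler shows) and to report whether the file still carries a certificate table and whether each patched byte lies in the signed region. It constructs a minimal PE32 fixture inline for testing and does not verify a signature; for that use signtool or Get-AuthenticodeSignature on the real file.

```python
"""Map patched byte offsets into a PE image and check for an Authenticode blob.

Added example (not Xojo's or the thread's code).  Parses the PE headers to
translate raw file offsets into (section, RVA) and to locate the certificate
table.  It reports whether a patch falls inside the signed region; it does not
itself verify the signature.
"""
import struct
from typing import Dict, List, Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot of the certificate table


def parse_pe(data: bytes) -> Dict:
    """Read the few PE fields this tool needs; raises ValueError on a non-PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at optional-header offset 96
        dd_off = opt + 96
    elif magic == 0x20B:        # PE32+: at offset 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    secdir_off = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For this entry "VirtualAddress" is a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections: List[Tuple[str, int, int, int]] = []
    for i in range(nsections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, raw_ptr, raw_size))
    return {"machine": machine, "sections": sections, "cert": (cert_off, cert_size),
            "checksum_off": opt + 64, "secdir_off": secdir_off}


def has_certificate_table(pe: Dict) -> bool:
    """True if the file carries an embedded Authenticode blob (not the same as it verifying)."""
    return pe["cert"][1] > 0


def section_for_offset(pe: Dict, off: int) -> Optional[Tuple[str, int]]:
    """(section name, RVA) for a raw file offset, or None if it is in headers/overlay."""
    for name, va, raw_ptr, raw_size in pe["sections"]:
        if raw_ptr <= off < raw_ptr + raw_size:
            return name, va + (off - raw_ptr)
    return None


def in_signed_region(pe: Dict, off: int) -> bool:
    """Authenticode hashes everything except CheckSum, the security directory
    entry and the certificate table, so a change there does not break the signature."""
    cert_off, cert_size = pe["cert"]
    excluded = [(pe["checksum_off"], 4), (pe["secdir_off"], 8)]
    if cert_size:
        excluded.append((cert_off, cert_size))
    return not any(start <= off < start + size for start, size in excluded)


def locate_patches(original: bytes, patched: bytes):
    """For each differing byte: (file offset, (section, RVA) or None, covered_by_signature)."""
    pe = parse_pe(patched)
    n = min(len(original), len(patched))
    return [(i, section_for_offset(pe, i), in_signed_region(pe, i))
            for i in range(n) if original[i] != patched[i]]


def build_sample_pe(text: bytes, with_cert: bool) -> bytes:
    """Constructed minimal PE32 fixture: DOS stub, headers, one .text section and an
    optional placeholder certificate table.  Only fields the parser reads are filled."""
    hdr_size = file_align = 0x200
    text_raw = -(-len(text) // file_align) * file_align
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = bytearray(20)
    struct.pack_into("<HH", coff, 0, 0x14C, 1)                 # i386, one section
    struct.pack_into("<H", coff, 16, 0xE0)                     # SizeOfOptionalHeader
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    cert = b"\0" * 16 if with_cert else b""                    # placeholder WIN_CERTIFICATE
    if with_cert:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         hdr_size + text_raw, len(cert))
    sec = bytearray(40); sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(text), 0x1000, text_raw, hdr_size)
    headers = bytes(dos + b"PE\0\0" + coff + opt + sec).ljust(hdr_size, b"\0")
    return headers + text.ljust(text_raw, b"\0") + cert


if __name__ == "__main__":
    good = build_sample_pe(bytes(range(64)), with_cert=True)   # constructed .text content
    bad = bytearray(good); bad[0x20A] = 0x90                    # one NOP dropped into .text
    for off, where, signed in locate_patches(good, bytes(bad)):
        print(f"offset 0x{off:x} -> {where}, covered by signature: {signed}")
```

Run against the real pair of DLLs the same function tells you which section each changed byte sits in and whether the modified file even claims to be signed; a patched copy will either have dropped the certificate table or carry one that no longer verifies, which is the check the application could make on its own runtime files at startup.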