HackMyApp - Protect Your Xojo Applications (and Profits!!!)

A Little about HackMyApp beta v1.0
I see many great pieces of software come from Xojo developers. Although it is impossible to make a 100% hack-proof application, it is possible to cover many bases so that hackers/crackers have a harder time doing what they do best. I’ve created your very own hacker that is willing to work for you, in your favor. HackMyApp will attempt its hand at decompiling your software (in memory…not to disk) to reveal potential vulnerabilities, deobfuscate data you’ve tried securing, and present you with a list of information you are freely giving away every time you distribute your software.

Why Did I make HackMyApp?
This application was developed to make developers mindful of what they’re giving away freely. Over the past few months I’ve seen a number of forum posts regarding security, and some really troublesome posts of users thinking about embedding credit card numbers in their software (NEVER DO THAT!!!), passwords to their accounts, and a range of other confidential/private information. After I began porting this application (from VB6 -> LiveCode -> Xojo), I became even more troubled to see Xojo veterans of almost 20 years themselves becoming lazy in thinking about what they are actually handing out to the public. Using HackMyApp on over 20 publicly available well-known Xojo applications, I was abhorred to find MBS Plugin serials, eSellerate credentials and account information, Einhugur serials, as well as some other serious “should be kept secret” data. (I’ve already contacted the authors and the issues in their software have been rectified for some time now.)

Here is a scan of a well-known developer tool (from a well known developer…whom I’ve contacted privately already) containing a number of issues…

To think, a developer of Xojo for over 15 years never once worried about their MBS Plugin serial or eSellerate account information being public…and a single 10 minute scan later revealed much was being compromised. Blacked-out above, one could find serial keys, account logins, and a number of “secret” items.

The art of hacking can be troublesome for developers when trying to make a living, as well as keep data safe or unseen from prying eyes. To a seasoned hacker, anything included in your software before compile-time is fully available using the right techniques, patience, and determination. But that doesn’t mean you can’t give a hacker quite a struggle in their progress by using very simple encryptions/decryptions in place of raw strings (EncodeBase64 will not work…).

What is at Risk?
Using HackMyApp, you will notice that every control, class, object, string, image, and every property and method are visible using the “Advanced Scan” technique. During this scan, your application will be torn-to-shreds using 12 common hacking methods. First your application will be searched for ‘plain-sight’ non-binary strings, then searched by a binary-to-hex algorithm to obtain all classes, methods, objects, properties, and controls. Using debugging tools such as OllyDbg, a hacker can modify the raw address points and create cracks to skip over serial number verification, create key generators based on the assembly code, and steal passwords or sensitive data embedded directly in your applications.

Something to Think About
HackMyApp was designed to help Xojo developers realize exactly what they are handing over to the public, before it is too late. When using MBS Plugins or a number of serial-based development plugins and tools, a developer inserts a serial number directly into the Xojo code editor, and rarely thinks of the consequences. Without first encrypting the serial number, and using a decode method in place of the actual serial, you are freely giving away your licensed embedded serials to anyone willing to search for them. In turn, you are stealing money from MonkeyBreadSoftware, risking your license getting terminated, and losing money yourself. HackMyApp will reveal any such security issues, so that you may go back and fix them before distributing your finalized software.

Further Protection Ideas
To protect yourself from hex-editors and decompile-recompile hacking techniques, a developer can include an encrypted SQLite database settings file which contains a hashed checksum of the application. When the application is first loading, a checksum comparison can be performed and verified against the stored checksum from the encrypted database. If a hacker modifies even a single byte of the compiled application, the checksum will change as well. If the checksums do not match, a messagebox can prompt the user that the software is corrupt, “Please reinstall.” All controls, classes, objects, images, and properties can be modified using such mentioned techniques with ease, and a simple checksum verification could prevent money from leaving your pocket as your software floats freely cracked on the internet. Executable packers (like UPX) are also a great tool to obfuscate the binary code of the application, reduce its size, and deter a good portion (at least 1/3) of hackers unknowledgeable of packing/unpacking methods.

Where Do I Start?
If you are unsure how to implement security checks and ensure the stability and security of your software, speaking with other developers will provide you with deeper insight as well as personal experiences. You may also contact the distributor of your plugins or development tools or contact Xojo, Inc. to obtain access to a referred developer, or receive paid support from Xojo, Inc. directly.

HackMyApp Beta 1.0 (Beta test lasts until June 1st, 2014)

Windows: http://www.xojodevspot.com/demos/hackmyapp/Windows-HackMyApp.zip

Mac: http://www.xojodevspot.com/demos/hackmyapp/MacOSX-HackMyApp.zip

Linux: http://www.xojodevspot.com/demos/hackmyapp/Linux-HackMyApp.zip

I’m sure @Christian Schmidt and a number of developers with compromised tools (and profits) will greatly appreciate this developer tool :slight_smile: Although this application uses a number of reverse engineering techniques, it will not provide source code or help you to hack an application in any means or manner. It does not reverse engineer or decompile the Xojo framework. HackMyApp was specifically designed with the Xojo Developer in mind to spread awareness of potential vulnerabilities that may exist in your own software and be exploited. The language translations were generated using my automated locality class and may be (most likely are…) incorrect in a number of places. If anyone would like to correct a locality file (it would be greatly appreciated), please do so and forward it to me so that it can be updated and corrected for future releases. In the next version, when a vulnerability is found, a link will also be given next to the compromised data so that the user can quickly find a fix and explore methods to secure such data appropriately.
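The “plain-sight strings” pass described in the opening post, and the remark that EncodeBase64 does not hide anything, can be reproduced on your own build output before you ship it. The following is an added example written for this thread, not HackMyApp’s code: it walks a byte buffer for runs of printable ASCII (what the `strings` tool does), flags runs that sit next to keywords such as “serial” or “password”, and decodes any run that is valid base64 back to text. The binary it scans is constructed inline with placeholder values; run it over a real executable by reading the file into `data`.

```python
"""Audit a compiled binary for secrets shipped in plain sight (added example, constructed input)."""
import base64
import re
import string

# Printable ASCII minus control whitespace; bytes in this set form a "string" run.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# Keywords worth a second look when they appear inside an extracted string.
SUSPECT_KEYWORDS = ("serial", "license", "password", "passwd", "secret", "apikey", "api_key", "token")
# A run of base64 alphabet characters, 16 or more, with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_strings(data, min_len=6):
    """Return every run of at least min_len printable ASCII bytes, like the `strings` tool."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def decode_base64_candidates(strings):
    """Base64 is an encoding, not encryption: any run that decodes to text is exposed."""
    found = []
    for s in strings:
        if not B64_RE.match(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:
            continue
        if raw and all(c in PRINTABLE for c in raw):
            found.append((s, raw.decode("ascii")))
    return found


def scan_binary(data):
    """Report plain strings that look like secrets, plus base64 blobs that decode to text."""
    strings = extract_strings(data)
    suspicious = [s for s in strings if any(k in s.lower() for k in SUSPECT_KEYWORDS)]
    return {
        "strings": strings,
        "suspicious": suspicious,
        "base64_decoded": decode_base64_candidates(strings),
    }


# Constructed stand-in for an executable: junk bytes around a few string literals.
FAKE_SERIAL = "MBS-PLUGIN-SERIAL-PLACEHOLDER"  # placeholder, not a real serial
HIDDEN_B64 = base64.b64encode(b"account_password=hunter2-constructed").decode()
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(0, 32)) * 3
    + b"Licensed to Example Corp\x00" + b"\x00\x01\x02"
    + b"mbs serial=" + FAKE_SERIAL.encode() + b"\x00"
    + b"\x90" * 16
    + HIDDEN_B64.encode() + b"\x00"      # the "hidden" credential, merely base64-encoded
    + bytes([0xFF, 0xFE, 0xFD]) + b"\x00\x00"
)

if __name__ == "__main__":
    report = scan_binary(SAMPLE_BINARY)
    for s in report["suspicious"]:
        print("plain-sight secret:", s)
    for encoded, plain in report["base64_decoded"]:
        print("base64 hides nothing:", encoded, "->", plain)
```

Anything this reports was readable with no disassembler at all; the deeper passes the post describes (class, method and property names recovered from the code section) only widen the list.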
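The “Further Protection Ideas” section proposes comparing a checksum of the executable at startup against a stored value. Below is an added example of that check, written for this thread rather than taken from HackMyApp or Xojo: it hashes a file with SHA-256, compares in constant time, and demonstrates on a constructed temporary file that flipping a single bit is detected. The expected digest is held in a variable here; the post’s design keeps it in an encrypted SQLite settings file, and a real application would hash its own executable path. One caveat for practitioners: the comparison code and the stored digest ship alongside the binary, so this raises the effort needed to patch the program rather than making patching impossible, which is the deterrent the post describes.

```python
"""Startup integrity check: hash the executable and compare with a stored digest (added example)."""
import hashlib
import hmac
import os
import tempfile

CORRUPT_MESSAGE = "The software is corrupt. Please reinstall."


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large executables are not loaded at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(path, expected_hex):
    """True when the on-disk file matches the digest recorded at build time."""
    # compare_digest avoids leaking where the mismatch starts through timing.
    return hmac.compare_digest(file_digest(path), expected_hex)


def startup_check(path, expected_hex):
    """Return None when the binary is intact, else the message to show the user."""
    return None if verify_integrity(path, expected_hex) else CORRUPT_MESSAGE


def demo_single_bit_change():
    """Constructed demo: record a digest, flip one bit, and show the check now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "MyApp.exe")
        original = b"MZ" + bytes(range(256)) * 4 + b"serial check lives here"
        with open(exe, "wb") as fh:
            fh.write(original)
        expected = file_digest(exe)          # the value the build step would store
        before = startup_check(exe, expected)
        patched = bytearray(original)
        patched[-1] ^= 0x01                  # a one-bit change, as a binary patch would make
        with open(exe, "wb") as fh:
            fh.write(patched)
        after = startup_check(exe, expected)
    return before, after


if __name__ == "__main__":
    intact, tampered = demo_single_bit_change()
    print("intact build:", intact)           # None: no message, start normally
    print("patched build:", tampered)        # the "Please reinstall" prompt
```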

Nice. Looking forward to trying this.

Great idea : bravo Matthew.

But… When I try to open the Mac version, I get an error message and the app does not run. I am using Mac OS X Mavericks 10.9.3 on a 4GB iMac.

HackMyApp cannot be opened because of a problem.

Check with the developer to make sure HackMyApp works with this version of OS X. You may need to reinstall the application. Be sure to install any available updates for the application and OS X.

Click Report to see more detailed information and send a report to Apple.

The problem says that the Xojo framework wasn’t found…

Dyld Error Message: Library not loaded: @executable_path/../Frameworks/XojoFramework.framework/Versions/A/XojoFramework
Referenced from: /Users/USER/Downloads/*/HackMyApp.app/Contents/MacOS/HackMyApp
Reason: image not found

Went to check, and it’s really not there :3

[quote=91977:@Michel Bujardet]Great idea : bravo Matthew.

But… When I try to open the Mac version, I get an error message and the app does not run. I am using Mac OS X Mavericks 10.9.3 on a 4GB iMac.

HackMyApp cannot be opened because of a problem.

Check with the developer to make sure HackMyApp works with this version of OS X. You may need to reinstall the application. Be sure to install any available updates for the application and OS X.

Click Report to see more detailed information and send a report to Apple.[/quote]

I was wondering if the Mac version would work…every time I attempt to build any Mac builds I get the following…

I can’t find any information on the issue…the application seems to build correctly for mac…but that’s the error I get. Possibly a Xojo Windows -> Mac bug?

You probably already tried to delete the previous build file, right ?

I’ve attempted clearing the folder out yes :-)…it’s the desktop so I know it’s writable (plus linux and windows builds create ok). I’ve tried a number of things and only when I attempt to build for Mac the error message shows up. A myapplication.tar is created, but the xojoframework never makes it to the build :frowning:

Carbon builds perfectly :-/

Have you tried redownloading/reinstalling Xojo?

trying that now :slight_smile: I think something got lost in the 1.1 update because it attempted the auto-update 3 times in the last month.

I vaguely remember Paul Lefebvre discussing the way they used Tar to build Mac apps on Windows. Would it be possible that the file XojoFramework.Tar is missing from your PC ?

I found XojoFramework.tar on my PC at
C:\Program Files (x86)\Xojo\Xojo 2014r1.1\Resources\Frameworks\XojoFramework.tar

I guess the file was missing :slight_smile: After a reinstall of Xojo the build succeeded perfectly. The link above should work for Mac now. Hopefully the application doesn’t look horrid…It hasn’t been tested on Mac yet.

I do have to give a big thanks to Kem for helping get the scanning method to work much quicker! Thank You!!! And thank you all for being the first beta testers of the public cross-platform releases (Mitchel & Tim).

You may have built it using Carbon now.

An exception of class PlatformNotSupportedExtension was not handled. The application must shut down.
Exception Message: Creating a Picture with alpha channels is not supported in Carbon, use Cocoa instead.

My download says - Beta Test expired?

Sorry to be the bearer of bad news :frowning:

An exception of class PlatformNotSupportedException was not handled. The application must shut down.
Exception Message : Creating a Picture with alpha channel is not supported in Carbon, use Cocoa instead.

Build again with Cocoa, you should be fine.

I just ran the Windows version. Apparently, you locate all significant strings within the executable. Impressive list. I scanned one of my apps, but as I do not use MBS, Einhugur or eSellerate, my serials were not exposed :wink:

Impressive scan speed…

Has been replaced with Cocoa :slight_smile: Thanks Tim.

Not to credit LiveCode or VB6…but they were much much faster at decompiling (10 MB app in 2 minutes vs. Xojo 10 MB app in 10-20 minutes). The application is loaded into memory, disassembled into assembly code, then the assembly code is gone through address by address and jumping points looking for vulnerabilities. I’ll be adding a “plugin interface” so further methods can be added…but for the moment the 12 most common hacking techniques are used to pull apart the application. I was going to attach the plugin interface for the beta version but since I couldn’t test Mac (my Mac is far away :-/) I thought it best to leave that out for now. The first plugin will be able to assess from 1 to 10 how secure serial code verification is and will give a specific reference point in your Xojo code to go back and finagle a more difficult means to bypass if the difficulty scale is too low. :slight_smile:

If there are any problems with the “exclude Xojo framework” let me know. I found a pattern in the framework assembly and was using that to “leave out” any references to the Xojo framework. Since it’s only been tested on Windows and Linux, I don’t know if the same patterns hold true for Mac…

Just redownloaded and when run, it still says Beta Expired?

I believe that is because your system date is backwards :-p I will update the beta later with a newer one once more people have been able to test it and remove the beta timer :slight_smile:

Well first impressions on the Mac: You’re using Windows text encoding :stuck_out_tongue: