How secure is the compiled code itself!?

I understand, if a computer can read the compiled code, so can a human if this person manage to handle the high level reading that reading byte by byte would require…

But… if I have a 10 line method, would that be easy to extract!?
I have a few vital 5-10 liners as I would like to not share as open source, so to speak!

I’m sure this has been discussed earlier as it’s not at all related to me as the person or my specific project, rather a general issue.

Maybe this issue is not even related with Xojo, rather than Windows, Mac OS X and Linux as operating systems.

It would be interesting to try such tool, on my own complied code…
Does it show inside the compiled code that Xojo is the source!? I mean, who would know, if you don’t tell…!

take a look at this piece of software, try it on your app and you will see !

link text

Thank you very much!
The video was quite descriptive!

I don’t have a (working) Mac or access to Linux. But I get the idea. To hide the code is sort of impossible!

Impressive software, indeed!
I truly believe that all my work will show in clear text nice and clean…!

you can encrypt the code, and decrypt it just before executing it, it’s called obfuscation
if you want to protect only a small portion of code that’s the way to go
there are programs that do only that kind of job, encapsulate your executable to be not-too-easy readable by decompilators.

Oh… That sounds tempting!
I must look into this, because my target users are “the worse kind that is”, so to speak!

It will take only a short time before someone create a “key creator” based on my code.
It will not be good… The whole concept relies on “safe” code, so to speak.
Thank you!

On PC, programs built in Visual Basic are extremely easy to revert to the source code, and there are many programs to do so.

Xojo has the advantage to make that more difficult. But strings are still extremely simple to find, even with the simplest of hex editor. So if your program relies on strings you want to keep for yourself, it is best to encrypt them.

For mathematical operations you want to hide, an option is to use the XojoScript control with source you decrypt when needed, so it does not appear in the decompiler as code.

In practice, with enough time, a stubborn hacker will always be able to get to the root of a program, since ultimately, the program must present machine code to the computer to be able to execute, and that can be looked at. But it has to be worthwhile, and most of the time, unless your program is in the top ten, chances are nobody will ever take the time needed.

The sad truth is that unless you go down the route of using a hardware dongle such as iLok or eLicenser then anyone determined enough will probably do it eventually.

OK, thank you.
I think this discussion is really good, because it light up the scene. If you are aware of the problem, then you can do something about it!

I have a subscription based service, similar to the Xojo kind.
So, the service itself is not serial key based, so to speak.
However, part of the service is. (It’s a poor man https solution…)

OK, so when I can afford a https solution, then there is no need for safe keys!
I think…

You could for example name ‘important’ methods and properties: F0A7 or something. That is a bit harder to find when doing a string search.

Don’t keep hackers away, you can’t. Keep them lagging behind. When they are working to crack MyApp 1.00, release myApp 1.1 and their patches don’t work on those. Even dongles can be emulated.

"F0A7 "
How is this not possible to find with Search feature!?
But yes, I get the idea…

I agree with you.
In this case, I’ve followed an American forum and in clear text followed the ideas when people fooling Google and their AdSense advertisement system. People from India, Afghanistan and Pakistan… Really creative dudes! These people bring Google much headache. They set up a series of computers within schools (universities) and/or businesses on hidden networks that click on their own adverts, to earn money from Google.

These people are my target users! :slight_smile:

My software is in constant development… yes.
But the thing is, all features are included in the software. There are no hidden “pay for this” features. It’s the publishing to the public web that’s limited by the subscription… (oh, let me not explain here and now!!)

The forum, however,is no secret!

OK, I can admit.
I don’t need names such as “encodeKey” or “decodeKey” … You are right! In such case, it’s possible to use alternative names.

Good point!

[quote=155636:@Jakob Krabbe]OK, I can admit.
I don’t need names such as “encodeKey” or “decodeKey” … You are right! In such case, it’s possible to use alternative names.

Good point![/quote]

Instead of creating code you will not be able to read after a few years, see Obfuscate, from Bob Keeney Software :

For more information on Obfuscate go to

use bad names for methods - be deceitful
dont have a single boolean function that can be hacked that is the determiner of “can you use this or not”
this is one area where having methods that computes some portion of the “allowed” bits spread all over is useful
this amounts to being able to determine IF you have been hacked
ie MethodA computes 4 bits
MethodB computes 4 bits
combine all the bits in another method

dont use a simple “if then” test

jump tables of method calls in which you compute the index of the method to call from the license key are fun to debug
basically you’re trying to make the job of the person using hopper REALLY sucky

but dont make it TOO hard on yourself

There’s a fine line between being clever enough to be able to stay far enough ahead and too smart so you make your life hell

there should be an option in xojo compiler to fully hide names on release compilation IMHO
there is (was?) one on RS2012 I still use, but it doesnt work… all the names are fully readable in hopper or other.

Please! Insert this feature again! (To fully hide names in RB / Xojo. It adds a great value!)

I’ll look into the bekeeny -link tomorrow. Thank you!

Norman, my key or, my solution, is actually made somewhat that you describe. It’s been all the way…
Thank you! I’m not that far away! :slight_smile:

As a dedicated “programmatic programmer” I’ve always done things different… not always better but defiantly different!
I’ve developed a disposable key that can be read by simple ASP code and ensure that updates origins from MY software and not from some other software or simply by the address line in the web browser.
It’s confusing enough for the beginners and the (some how dedicated) wannabes.

So. This part is solved.
But having people digging inside the code, the finished product, was a new scenario for me.
However, at this moment, no person has even downloaded the software… so, it’s an “imaginable problem” that MAY occur… in some distant future…

Also, if someone hack the code, they can’t earn any money because there is no money involved in the software.
The software is all full featured while downloading. There are no limits.
So… the incitement to hack the SW is sort of… well, let’s say, in theory someone is stupid enough to do it, I’m sure!

I think I have a solution to this… Before the problem was even created!

Here is the code in ASP, server side:

IF funcOpenKey(trimVars(“open”)) = “42” THEN server.execute “42.asp” ’ “” ## HELLO WORLD
IF funcOpenKey(trimVars(“open”)) = “21” THEN server.execute “language.asp”
IF funcOpenKey(trimVars(“open”)) = “92” THEN server.execute “country.asp”
IF funcOpenKey(trimVars(“open”)) = “38” THEN server.execute “region.asp”

FUNCTION trimVars(myVar)
tmp = request(myVar)
tmp = replace(tmp, “|”, “”)
tmp = replace(tmp, “’”, “’’”)
trimVars = tmp

Simply change those numbers. Version management is already implemented.
So… if you (the user) don’t live in the correct country with the language and have the latest version, then there will be no update.
Problem is solved! I think…

Unless… there is something I didn’t think of. Of course, it happens!

So if someone like me who resides part in FRance part in California and uses an English system connects from France, he will not get any update ? What about members of the European Parliament connecting from Strasbourg, or members of the European Commission connecting from Brussels ? In Belgium yet, who is going to get updates ? French speaking or Flemish ones ? They already have a linguistic war…
In United States, are you going to discriminate against the huge proportion of the population that speaks Spanish, or all the others from around the world ? In Canada, are you going to refuse updates to Quebec ?

You may want to think of something else…

There is only one way to find out! :slight_smile:

This is considered off-topic:
My idea is more clever than that.
Version management is already implemented, by default. No settings is needed.
Each person lives in one place and speak at least one language.
It’s all!

No… I don’t see such scenario, where people will be offended…
This is B2B software and people don’t run serious business all over the planet. They stay in one place.
It’s not a problem, trust me!