My plugin was cracked. Wondering if anyone has insight on how it was done

About a month ago, I released my first plugin which surprisingly took off quite quickly. Considering this was my first plugin, I honestly was not too concerned about security, but still put some basic anti-piracy measures in place where the plugin checks in with a server etc. Sure enough though, while searching the web for my plugin, I found a crack!

After downloading it and testing the crack, it worked, but not in the way I expected it to. For example, the actual interface of the plugin had been slightly altered and the activate button definitely bypassed the API call to my server. Even the settings file where some important information is stored was now being compressed differently. Obviously without knowing the workings of my plugin you won’t be able to say exactly how they did it, but I’m more looking for information about how someone was able to alter my plugin.

I understand you can sometimes un-compile code, or even use hex editors, but I’m really not familiar with any of it. Any insight appreciated! Thanks.

2 Likes

I’m not sure if openly talking about specific ways to hack copy protection is that good of an idea. There are undoubtedly web pages out there that discuss such methods, but I steer clear of all that stuff, and leave it to the experts.

One way to combat that, though, is by providing frequent updates, so that users want the latest and greatest. Also, making those updates only available through your server via that check-in procedure you’re using is another thing that might help even more. That way, they cripple their ability to get updates if they cripple that check.

6 Likes

As there are a bunch of modifications, maybe somebody completely recreated the plugin instead of “hacking” it.
-Michael

You can play chicken-and-egg with regular updates to attract people to buy the full thing, adding little bits and pieces to throw off the attackers while you’re at it (which will just attract more skilled hackers ultimately, as they enjoy the challenge). It’s a viable strategy, but hardly scalable, and eventually you will bloat your plugin with so many features that you put some people off using it in the first place because it’s so complex (you won’t see it happening of course, but those first impressions will get more and more intimidating with each release).

Or you can leave it to the professional services like Pace which will get you somewhere between 6 months to 3 years through binary hardening, depending on your luck on when you enter the system and when a compromise hits. This route will cost you money and time in other ways.

Inevitably, everything is cracked eventually. You just gotta decide how often and how hard you want to go down! I’ve done it both ways, and given the choice about which way I’d go starting out fresh with all my hindsight, I’m still not sure which I think is the best way for my version 2.0, but it probably depends a lot on your intended audience and product price.

1 Like

Sad to hear that. Hope you can mitigate it, so here are a few thoughts.

It could be that they used some kind of reverse engineering tool like Ghidra:

I think some of those tools can create “flow graphs” of your application. While they can’t extract the original code of your program, it’s possible to see the general flow of your functions. Especially if your classes use a virtual table, the mangled function names are actually included in the binary. Avoid that for critical code.

Now, imagine an attacker is using a runtime debugger and somehow combines the extracted flow graph information with your program in memory. Then it’s possible to hold your program before activation, make a memory snapshot, perform a legit activation, then take another snapshot. Then compare what changed.
The fatal thing here: if they see “Oh… we just need to load this chunk of memory into the application,” then they patch your original application code and inject new code that loads this compromised memory chunk.

I think this is the general approach. I mean: how else should it work? There is no magic involved here. Although it’s easier said than done, doing it in practice sounds like an insane undertaking. So, there is probably some kind of obvious mistake you’ve made in your “check” code that made this process much easier.

What to do? Well. Think about every critical part. Or use a commercial DRM. But be aware: Using it the wrong way, or not careful enough, will result in the same problem. It happened before.

5 Likes
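A release-time check in the spirit of the advice above, added here and not taken from the thread: scan your own stripped release binary for Itanium C++ ABI mangled symbol names (the `_Z...` form used by GCC and Clang) and render the common shapes readably, so that class and method names such as a licensing class leaking through vtables or RTTI are caught before shipping. The `Licensed` class and the sample bytes are constructed for this example; a real run would read the plugin binary from disk.

```python
import re
from typing import List, Tuple

# Itanium-ABI mangled names start with _Z; this pulls candidate symbols out of raw bytes.
MANGLED_RE = re.compile(rb"_Z[A-Za-z0-9_]{3,}")

# Special-name prefixes that betray a polymorphic class even when functions are stripped.
SPECIAL = {b"TV": "vtable for ", b"TI": "typeinfo for ", b"TS": "typeinfo name for "}


def _read_source_name(s: bytes, pos: int) -> Tuple[str, int]:
    """Parse one <length><identifier> source name at pos; return (name, position after it)."""
    m = re.match(rb"\d+", s[pos:])
    if not m:
        return "", pos
    n = int(m.group())
    start = pos + m.end()
    return s[start:start + n].decode("ascii", "replace"), start + n


def demangle_simple(mangled: bytes) -> str:
    """Minimal demangler for the subset this check needs: an optional special prefix
    (_ZTV/_ZTI/_ZTS), then either a nested name N...E or a single source name.
    Parameter encodings after the name (e.g. the trailing 'v') are ignored."""
    body = mangled[2:]
    prefix = ""
    if body[:2] in SPECIAL:
        prefix, body = SPECIAL[body[:2]], body[2:]
    parts = []
    if body[:1] == b"N":
        pos = 1
        while pos < len(body) and body[pos:pos + 1] != b"E":
            name, pos_after = _read_source_name(body, pos)
            if not name:  # substitution or template encoding: not handled, stop here
                break
            parts.append(name)
            pos = pos_after
    else:
        name, _ = _read_source_name(body, 0)
        if name:
            parts.append(name)
    return prefix + ("::".join(parts) if parts else mangled.decode("ascii", "replace"))


def find_leaked_names(binary: bytes) -> List[Tuple[str, str]]:
    """Return (mangled, readable) pairs for every distinct mangled name in the bytes."""
    return [(m.decode("ascii"), demangle_simple(m)) for m in sorted(set(MANGLED_RE.findall(binary)))]


# Constructed stand-in for a stripped binary that still carries a licensing class's RTTI and methods.
SAMPLE_BINARY = (b"\x7fELF\x00\x00_ZTV8Licensed\x00_ZTS8Licensed\x00"
                 b"_ZN8Licensed8activateEv\x00_ZN8Licensed12checkLicenseEv\x00junk")
```

Note that RTTI type-name strings in `.rodata` are stored without the `_Z` prefix (e.g. `8Licensed`), so a clean result here is still worth a second look at `strings` output for bare class names.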