: > If you're worried about backdoors, reverse engineer it and verify : > that it works as advertised. Given that the program has to largely : > duplicate an existing set of source, this should be trivial. : : do you mean decompile it, or reverse engineer it based on the Decompile. : neither is "trivial" in my mind. I have a program that (mostly) automatically turns 386 code into ugly C code. It's not maintainable but, for the purpose of determining that the commercial product is essentially the same as the version that you have source to, that's not necessary. You compile the two versions, decompile them, diff the results, pattern match to eliminate the artifactual differences, re-diff and then examine the diff with the proverbial fine-tooth comb. This would make it quite easy to determine what the commercial code is actually doing, with a minimum of work. And remember: it only has to be done once per version. (No, before anyone asks, the decompiler isn't available. It's not documented. It's hackery. And the code is gross. You'd be much better off writing your own; it isn't hard.)