They bought the permission to make changes to customer machines that had been granted to the seller by the customer. If it's just a sale of the source code, there's no problem. But what is bought is usually the pre-existing update channel (the installed base), precisely to be able to alter the product for existing users without explicitly informing them or asking for consent.

I get what you’re trying to say but comparing selling your tool to pocketing money on the job to commit a crime is not the same thing.