#1
|
|||
|
|||
Request for a good protection scheme in Java
Hi to all ,
this is my scenario: - assumptions: A .jar file with all classes signed. Ok, i've choose the key file solution. The key file is 'hashed' with sha-256 then the calculated hash is crypted by ECDSA algo. My app test the genuine of key file in this way: remove crypted hash, recalculate sha-256 and then decrypt sha-256 hash and compare them. The keygen is impossible... but remains the byte patching approach. My request is... there is an efficent solution to avoid the byte patching? All suggestions are accepted... PHP Code:
DaGoN |
#2
|
|||
|
|||
@DaGoN:
Hi, I think you're a funny guy... Ask here IF there's a solution to avoid to byte patching ? Ha, Ha ! You can't... Obfuscation is a good beginning. Regards. |
#3
|
|||
|
|||
Hi LaDidi,
you say: "Obfuscation is a good beginning.", exactly, a beginning... but i thought a little bit of advanced Nitallica says: "if it run you can crack it". I know... i know Actually, my idea was to use the hash of signed classes in jar file and create an hashtable to map some methods of some important classes. Theory: PHP Code:
through it? If you patch license.class the program flow is compromised... What do you think about it? Bye, DaGoN |
#4
|
|||
|
|||
You can use VM over VM over VM etc.
You can use remote code execution and its variations. You can use HFE (sure, if you can). |
The Following User Gave Reputation+1 to Syoma For This Useful Post: | ||
DaGoN (02-18-2014) |
#5
|
||||
|
||||
I remember I once saw an interesting protection for java implemented by using the launch4j executable wrapper. It embeds the all of the java classes into an executable and references them through pointers. They never get extracted to disk. The author further enhanced the protection by wrapping the exe with a protector. I imagine if you used a strong protector and called some of the protector's functions for crc and date checking from the java code, it would very difficult for someone to make it past the protector to access and/or patch the code.
Launch4J: Code:
http://launch4j.sourceforge.net/
__________________
"As the island of our knowledge grows, so does the shore of our ignorance." John Wheeler |
The Following 2 Users Gave Reputation+1 to chessgod101 For This Useful Post: | ||
DaGoN (02-18-2014), wilson bibe (02-18-2014) |
#6
|
|||
|
|||
You could also write a custom wrapper for the java virtual machine. Encrypt the jar files and decrypt them on the fly (optionally only decrypting sensitive jar files with an encryption key stored in your license). I once saw this and when you combine it with obfuscation of the jar files, it will certainly take a cracker some time to decrypt everything.
Greetings |
The Following User Gave Reputation+1 to mr.exodia For This Useful Post: | ||
DaGoN (02-18-2014) |
#7
|
|||
|
|||
Java and Security should be antonyms. I haven't seen yet a Java proggie that you can't easily crack.
|
The Following User Gave Reputation+1 to marrom79 For This Useful Post: | ||
wilson bibe (02-19-2014) |
#8
|
|||
|
|||
Depends. If you can leverage online website, you could port important and/or critical classes and pieces of code from your java program online. You can do more than just a serial check then :-)
Usually, what you would like, is to get 100% sure that the license is not leased, thus, if it was bought, then you should have IP of the guy that uses it, some of the hardware info (sounds familiar?) and such, I am not sure if this is a strong protection. I encountered something similar to this in here which nobody found a solution for. If you cannot validate with the server, you won't be able to get anything to run, that is also, you won't get a class to run on and pieces of the program, much like a demo, but worse. You could combine this with what the others proposed, and I think you will make someone very very busy for a lot of time :-) Usually, reproducing a server to answer to requests of program takes too much time :-( |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Adobe protection scheme | Dark Intentions | General Discussion | 0 | 07-09-2015 03:35 |
Obsidium protection scheme as a target! | Mr.reCoder | General Discussion | 26 | 07-08-2015 02:23 |