Exetools  

#1
02-17-2014, 22:13
DaGoN
Request for a good protection scheme in Java

Hi to all,
this is my scenario:
- assumptions: A .jar file with all classes signed.

OK, I've chosen the key file solution.
The key file is 'hashed' with SHA-256, then the calculated hash is encrypted by the ECDSA algo.
My app tests the genuineness of the key file in this way: remove the encrypted hash, recalculate the SHA-256 hash, then decrypt the stored SHA-256 hash and compare them.

The keygen is impossible... but the byte patching approach remains.

My request is... is there an efficient solution to avoid byte patching?

All suggestions are accepted...

PHP Code:
key file template example:
---------
user=testuser
email=test@test.it
hwId=111-111-111
signature=%%
------------

sha-256 ECDSA encrypt

user=testuser
email=test@test.it
hwId=111-111-111
signature=%[(sha-256 <= ECDSA encrypt)]%

My app removes the signature and recalculates the sha-256 hash

---------
user=testuser
email=test@test.it
hwId=111-111-111
signature=%%
------------

if (new sha-256 == ECDSA decrypted (sha-256))
   print "good"
else
   print "bad"

Thanks in adv,
DaGoN
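
The key-file check described in the post above, written out as an added example (not part of the original post and not DaGoN's code). It uses the JDK's standard `SHA256withECDSA` signature for the hash-and-sign step; the class name `LicenseCheck`, the `secp256r1` curve, the Base64 encoding of the signature field and the demo key pair are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LicenseCheck {
    // Matches the signature line of the key file template: signature=%...%
    private static final Pattern SIG = Pattern.compile("(?m)^signature=%(.*)%$");

    // Canonical form that gets signed: the key file with an empty signature field.
    static String canonical(String keyFile) {
        return SIG.matcher(keyFile).replaceFirst("signature=%%");
    }

    // Vendor side: fill the signature field (needs the private key, never shipped).
    static String sign(String template, PrivateKey priv) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(priv);
        s.update(canonical(template).getBytes(StandardCharsets.UTF_8));
        String b64 = Base64.getEncoder().encodeToString(s.sign());
        return SIG.matcher(template).replaceFirst("signature=%" + b64 + "%");
    }

    // Client side: strip the signature, then verify it over the canonical form.
    static boolean verify(String keyFile, PublicKey pub) {
        Matcher m = SIG.matcher(keyFile);
        if (!m.find() || m.group(1).isEmpty()) return false; // unsigned template
        try {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(pub);
            s.update(canonical(keyFile).getBytes(StandardCharsets.UTF_8));
            return s.verify(Base64.getDecoder().decode(m.group(1)));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed Base64 or signature encoding counts as invalid
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = g.generateKeyPair(); // constructed demo key pair
        String template = "user=testuser\nemail=test@test.it\nhwId=111-111-111\nsignature=%%\n";
        String license = sign(template, kp.getPrivate());
        System.out.println(verify(license, kp.getPublic()));  // genuine key file
        System.out.println(verify(license.replace("testuser", "someoneelse"), kp.getPublic())); // edited field
        System.out.println(verify(template, kp.getPublic())); // unsigned template
    }
}
```

Only the public key ships with the application, so a valid key file cannot be produced without the vendor's private key. The outcome of `verify` is still a single boolean in the bytecode, which is the byte-patching concern the post raises.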
#2
02-17-2014, 23:04
LaDidi
@DaGoN:
Hi,

I think you're a funny guy...
Asking here IF there's a solution to avoid byte patching? Ha, ha!
You can't...

Obfuscation is a good beginning.

Regards.
#3
02-18-2014, 00:33
DaGoN
Hi LaDidi,
you say: "Obfuscation is a good beginning." Exactly, a beginning... but I was thinking of something a little bit more advanced.

Nitallica says: "if it runs you can crack it". I know... I know.

Actually, my idea was to use the hash of the signed classes in the jar file and create a hashtable to map some methods of some important classes.

Theory:

PHP Code:

Manifest-Version: 1.0
Created-By: 1.0

Name: license.class
SHA1-Digest: GLCkANwxP5fHNvDWMsjZDnHtPJg=

name: mainprog.class
SHA1-Digest: PFAwZkhDJwjBlYWxR4OT8FTx1NU=

name: another.class
SHA1-Digest: hZ5BVt7sHyG7rWYWm4eZVBXtfgY

name: invoker.class
SHA1-Digest: UiJgkvDfAHhOJpg++oVYEGlCV9c=

main class methods:
calculate
save

Still in theory: what if I use the license.class hash as a key to encrypt the names of the methods, put them inside a hashtable in invoker.class, and call them through it?

If you patch license.class the program flow is compromised...

What do you think about it?

Bye,
DaGoN
#4
02-18-2014, 03:57
Syoma
You can use VM over VM over VM etc.
You can use remote code execution and its variations.
You can use HFE (sure, if you can).
#5
02-18-2014, 07:54
chessgod101
I remember I once saw an interesting protection for Java implemented by using the launch4j executable wrapper. It embeds all of the Java classes into an executable and references them through pointers. They never get extracted to disk. The author further enhanced the protection by wrapping the exe with a protector. I imagine if you used a strong protector and called some of the protector's functions for CRC and date checking from the Java code, it would be very difficult for someone to make it past the protector to access and/or patch the code.
Launch4J:
Code:
http://launch4j.sourceforge.net/
__________________
"As the island of our knowledge grows, so does the shore of our ignorance." John Wheeler
#6
02-18-2014, 18:57
mr.exodia
You could also write a custom wrapper for the java virtual machine. Encrypt the jar files and decrypt them on the fly (optionally only decrypting sensitive jar files with an encryption key stored in your license). I once saw this and when you combine it with obfuscation of the jar files, it will certainly take a cracker some time to decrypt everything.

Greetings
#7
02-18-2014, 20:35
marrom79
Java and Security should be antonyms. I haven't yet seen a Java proggie that you can't easily crack.
#8
02-20-2014, 04:42
|roe
Depends. If you can leverage an online website, you could port important and/or critical classes and pieces of code from your Java program online. You can do more than just a serial check then :-)

Usually, what you would like is to be 100% sure that the license is not leased; thus, if it was bought, you should have the IP of the guy that uses it, some of the hardware info (sounds familiar?) and such. I am not sure if this is a strong protection.

I encountered something similar to this in here which nobody found a solution for.

If you cannot validate with the server, you won't be able to get anything to run, that is also, you won't get a class to run on and pieces of the program, much like a demo, but worse.

You could combine this with what the others proposed, and I think you will make someone very very busy for a lot of time :-)
Usually, reproducing a server to answer the requests of the program takes too much time :-(

All times are GMT +8.