Java-Gaming.org    
Featured games (79)
games approved by the League of Dukes
Games in Showcase (476)
Games in Android Showcase (106)
games submitted by our members
Games in WIP (533)
games currently in development
News: Read the Java Gaming Resources, or peek at the official Java tutorials
 
    Home     Help   Search   Login   Register   
Pages: [1] 2 3
  ignore  |  Print  
  Java .class files safe?  (Read 13381 times)
0 Members and 1 Guest are viewing this topic.
Offline Badmi

Senior Newbie




Java games rock!


« Posted 2006-08-03 05:14:42 »

I do not know where to post this so I am going to post it here. 

I have been considering making an offline commercial game in java for a long time. The one thing that concerns me is the fear that pirates would decompile my game and remove any security I placed in it then redistribute it for free. Is there any way I can protect my code? 
Offline Jeff

JGO Coder




Got any cats?


« Reply #1 - Posted 2006-08-03 05:28:38 »

Pirates WILL decompile your code and defeat your security.

 No ,matter what it is written in. 

They've been doing that for long before Java even existed. Deal with it.

This is a red herring where Java is concerned.

Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  Its likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline Badmi

Senior Newbie




Java games rock!


« Reply #2 - Posted 2006-08-03 05:44:53 »

Dose java have an increased risk?
Games published by our own members! Check 'em out!
Legends of Yore - The Casual Retro Roguelike
Offline kevglass

JGO Kernel


Medals: 120
Projects: 23
Exp: 18 years


Coder, Trainee Pixel Artist, Game Reviewer


« Reply #3 - Posted 2006-08-03 06:31:08 »

Definitely an increased risk - it's easy to decompile java and understand it than it is with C++.

However, if you intend to write a commercially successful game then it has to be good. If it's good - then someone *will* crack it. It only takes one to crack it - distribution after that doesn't take long.

Obfuscation helps.
Compiling to a native helps.
Using quirky/ornate security helps.

Still, if it's good, and people want it - it'll get cracked.

Kev

Offline Markus_Persson

JGO Wizard


Medals: 14
Projects: 19


Mojang Specifications


« Reply #4 - Posted 2006-08-03 09:19:04 »

If the attacker knows how to decompile java and read it (and is not just a script kiddy) obfuscation doesn't help at all.
For example, if the attacker wants to bypass, say, a cd rom check, obfuscation might turn a 30 minute hack into a 45 minute one. But not more.

That said, obfuscation definitely doesn't hurt either, and it's dead simple to automate into your building process, so there's really no reason to not use an obfuscator. Just make sure you use one that spits out a reverse mapping file so you can still follow the stack traces. =)

Play Minecraft!
Offline CommanderKeith
« Reply #5 - Posted 2006-08-03 10:20:50 »


Its a little strange that such a basic problem as this has no solution for all of java's security Undecided

re obfuscation: I've read that it makes your jars smaller in size too.

Offline erikd

JGO Ninja


Medals: 16
Projects: 4
Exp: 14 years


Maximumisness


« Reply #6 - Posted 2006-08-03 11:17:39 »

Quote
Its a little strange that such a basic problem as this has no solution for all of java's security
It's not so strange if you consider that java security is not about copy protection. It's two totally different matters.

Offline Markus_Persson

JGO Wizard


Medals: 14
Projects: 19


Mojang Specifications


« Reply #7 - Posted 2006-08-03 11:25:03 »

To be honest, I think the java way is slightly better and less self-deceptive.

Natively compiled files can and frequently do get decompiled, analyzed and modified as well.
There's no such thing as client-side code security. As long as you're aware of this, you get forced to either implement some REAL security (if possible), or not ship sensitive material to the client. Of course, those two are often the same thing.

Play Minecraft!
Offline Badmi

Senior Newbie




Java games rock!


« Reply #8 - Posted 2006-08-03 17:38:01 »

The problem with single player games is that all the sensitive data is on the clients side. Are there any successful single player games that use java? Is there any tool that would allow me to encrypt the class file then hide the key?
Offline Riven
« League of Dukes »

JGO Overlord


Medals: 743
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #9 - Posted 2006-08-03 17:52:38 »

You can encrypt whatever you want, but you are required to give the client the key at some point, invalidating the whole effort.

Hi, appreciate more people! Σ ♥ = ¾
Learn how to award medals... and work your way up the social rankings
Games published by our own members! Check 'em out!
Legends of Yore - The Casual Retro Roguelike
Offline cylab

JGO Ninja


Medals: 38



« Reply #10 - Posted 2006-08-03 17:54:57 »

As others stated, you can't prevent that your game will be decompiled and cracked. Code obfuscation is an option to provide make it more difficult. You could encrypt your jars and write a ClassLoader that decrypts them, but the loader code will be unencrypted and therefore vulnerable.

I would opt to trust your users Wink

Mathias - I Know What [you] Did Last Summer!
Offline Jeff

JGO Coder




Got any cats?


« Reply #11 - Posted 2006-08-03 21:54:10 »

And it just aint that hard to find the test condition for your security in assembled binary and NOP it.

It really isnt.

Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  Its likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline Anon666

Junior Member




aka Abuse/AbU5e/TehJumpingJawa


« Reply #12 - Posted 2006-08-03 22:45:06 »

And it just aint that hard to find the test condition for your security in assembled binary and NOP it.

It really isnt....


...that simple.
Offline noblemaster

JGO Ninja


Medals: 20
Projects: 10


Age of Conquest makes your day!


« Reply #13 - Posted 2006-08-03 23:18:45 »

put some code on a server ...

Offline pepijnve

Junior Member




Java games rock!


« Reply #14 - Posted 2006-08-04 14:51:49 »

The company I work for sells a commercial api. We've had the same concerns about people running off with the code, but in the end came to the conclusion that it's just not worth all the effort you put into it. As has been said before, any software checks (however clever you make them) can be cracked if people put enough time and effort into it. The more complex you make your copy protection/licensing system the more you'll annoy your legitimate users. In the end we just used a relatively simple license checking system combined with obfuscation (using proguard) and that has worked fine. We are in a niche market though, so the likelihood of widespread piracy is probably alot smaller than in the games market.
Offline Evil-Devil

Senior Member


Medals: 2


Fir Tree Master


« Reply #15 - Posted 2006-08-04 15:11:47 »

For online multiplayer games i like the way with hashvalues. Just check for each login if the package has the right hash value. If not reject the client. Ok, skilled hackers will find a way to manipulate your files/archives while not having the hash been changed. But there is some effort needed Wink
Offline Markus_Persson

JGO Wizard


Medals: 14
Projects: 19


Mojang Specifications


« Reply #16 - Posted 2006-08-04 16:18:42 »

Or just remove the hash check, as that has to be client side as well.

(or if you sent the hash to the server, just send the hash of the unmodified client)

Play Minecraft!
Offline Martin Strand

Junior Member





« Reply #17 - Posted 2006-08-04 16:37:04 »

If you've got a lobby server, send the license key from the client and let the server check it against a db. That way even keygens won't work. Smiley
Offline Markus_Persson

JGO Wizard


Medals: 14
Projects: 19


Mojang Specifications


« Reply #18 - Posted 2006-08-04 17:10:19 »

If the lobby isn't needed to play the game, the client can just bypass that step.

Play Minecraft!
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #19 - Posted 2006-08-04 17:55:49 »

Its a little strange that such a basic problem as this has no solution for all of java's security Undecided

If you can "solve" this "basic" problem, you will become the world's richest person.

Of course, the only way to solve this problem is to be one of the world's richest people to start off with.

(HINT: it requires you to own every PC in the world. Quite expensive, don't you think?)

Or, to put it another way:

"I can't believe that such a basic problem as death hasn't been solved yet by Western doctors. We have all these smart people, they must be really lazy that they haven't worked out how to do it yet."

malloc will be first against the wall when the revolution comes...
Offline beowulf03809

Junior Member




We live for the code, we die for the code


« Reply #20 - Posted 2006-08-04 18:08:27 »

The problem with single player games is that all the sensitive data is on the clients side. Are there any successful single player games that use java? Is there any tool that would allow me to encrypt the class file then hide the key?

I'm worried from these statements that you're considering Java unsuitable for single-player games because it's "less secure"?  I would counter that there are probably no ( quality ) single-player games written in C++ that have not already been cracked.  Some show up on P2P systems days after release ( sometimes even days BEFORE release ).  In addition to just having download-n-play versions floating around for anyone with the bandwidth and knowing where to look, I have seen various resources ( graphics and sounds ) from such games used on web sites and emails.

As long as the user has physical access to the code the program is going to be hacked if someone wants to.  Trying to avoid this is right up there with the record company trying to "protect" music or Hollywood trying to "protect" movies.  It will deter but it will not stop.  The only way to guarantee your game is never hacked after release is to produce a game so poor that no one wants to put in the effort.  Otherwise, you should do your best to secure it against the efforts of less skilled folk and maybe some extras ( "call home" stuff, etc ) to deter the next level, and just accept that if you made a quality product some people will pay for it and others will steal it.
Offline kevglass

JGO Kernel


Medals: 120
Projects: 23
Exp: 18 years


Coder, Trainee Pixel Artist, Game Reviewer


« Reply #21 - Posted 2006-08-04 18:28:42 »

The question is how much of a deterent are Java class files that decompile into reading source compared to native binaries.

It's definitely *easier* in Java to crack software with no online protection. This doesn't mean it's more or less likely to happen though.  That's determined by how good your game is.

I'd suggest spending less time on worrying about security and more time worrying on making the game good enough that people want to crack it. It could almost be considered a badge of achievement - you went to the effort of cracking my game - heh, it must be good Smiley

Kev

Offline Death33284

Junior Member





« Reply #22 - Posted 2006-08-04 18:55:16 »

So true... When people try to get enough protection on software (*coughstarforcecough*) it just ends up being a problem for even regular users. Go the route that even Elder Scrolls IV: Oblivion took, no real protection at all. They knew they had a great game, why delay the inevitable with protection and even though there was no protection they sold millions of copys.
Offline noblemaster

JGO Ninja


Medals: 20
Projects: 10


Age of Conquest makes your day!


« Reply #23 - Posted 2006-08-04 21:32:04 »

Just because there is no copy protection does not mean people are not paying for it anymore. Just because I see an unlocked bicycle on the street does not mean I am going to steal it.

It is still illegal to distribute copyright protected software - most people will pay for your product: Better worry about writing a cool game ...  Cool

Offline Ask_Hjorth_Larsen

Junior Member




Java games rock!


« Reply #24 - Posted 2006-08-05 02:21:04 »

Just write your game in Malbolge instead of Java. Problem solved. Smiley

http://en.wikipedia.org/wiki/Malbolge
Offline Markus_Persson

JGO Wizard


Medals: 14
Projects: 19


Mojang Specifications


« Reply #25 - Posted 2006-08-05 13:34:55 »

haha, I guess that actually WOULD solve the problem. Cheesy

Now the problem is just managing to write a game in malbolge..

Play Minecraft!
Offline Jeff

JGO Coder




Got any cats?


« Reply #26 - Posted 2006-08-05 21:57:56 »

The question is how much of a deterent are Java class files that decompile into reading source compared to native binaries.

It's definitely *easier* in Java to crack software with no online protection. This doesn't mean it's more or less likely to happen though.  That's determined by how good your game is.

And keep in mind that in this case 90% security  (security against 90% of the users) is no better then 10% security.

As soon as any ONE person cracks your code, its open.

Welcome to the world of the internet.


Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  Its likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline zingbat

Senior Member




Java games rock!


« Reply #27 - Posted 2006-08-06 01:39:50 »

There is one type of copy protection that can cracked (of course) but will annoy the hell out of hackers. At least it will make them play the entire game which they may not like and give up on cracking the game.

At the beginning of the game ask for the game key and save it somewhere on disk. But don't place this check only at the beginning of the game. Scater silent checks all over the game code and in several, more or less advanced, stages of the game. This forces the hacker to analize the entire code and play the game from start to finish. Also don't terminate the game immideatly after an hacked game is detected.
Offline Riven
« League of Dukes »

JGO Overlord


Medals: 743
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #28 - Posted 2006-08-06 02:16:18 »

I read an article on a game that Sony built years ago, that removed certain key-elements from the game that prevented you from finishing certain levels.

This 'delayed' the first working crack a few *months*, which for an AAA title might actually increase revenue.

But for anything non-AAA, every brain-cycle spent on clientside-protection is wasted.

Hi, appreciate more people! Σ ♥ = ¾
Learn how to award medals... and work your way up the social rankings
Offline Orangy Tang

JGO Kernel


Medals: 56
Projects: 11


Monkey for a head


« Reply #29 - Posted 2006-08-06 02:25:12 »

I read an article on a game that Sony built years ago, that removed certain key-elements from the game that prevented you from finishing certain levels.

That'd be Spyro and it's sequel, the article is on gamasutra and pretty much essencial reading for anyone doing crazy hack prevention. Some really clever stuff, most of which isn't possible in Java code (or even on a pc). IMHO though all it really proves is that *everything* will eventually be hacked, and no copy protection is entirely non-intrusive when it comes to normal development. The real question is how much development time you're willing to spend on it (and so how much you're willing to take away from actual 'proper' development).

[ TriangularPixels.com - Play Growth Spurt, Rescue Squad and Snowman Village ] [ Rebirth - game resource library ]
Pages: [1] 2 3
  ignore  |  Print  
 
 
You cannot reply to this message, because it is very, very old.

 

Add your game by posting it in the WIP section,
or publish it in Showcase.

The first screenshot will be displayed as a thumbnail.

pw (18 views)
2014-07-24 01:59:36

Riven (17 views)
2014-07-23 21:16:32

Riven (14 views)
2014-07-23 21:07:15

Riven (17 views)
2014-07-23 20:56:16

ctomni231 (45 views)
2014-07-18 06:55:21

Zero Volt (41 views)
2014-07-17 23:47:54

danieldean (32 views)
2014-07-17 23:41:23

MustardPeter (36 views)
2014-07-16 23:30:00

Cero (51 views)
2014-07-16 00:42:17

Riven (50 views)
2014-07-14 18:02:53
HotSpot Options
by dleskov
2014-07-08 03:59:08

Java and Game Development Tutorials
by SwordsMiner
2014-06-14 00:58:24

Java and Game Development Tutorials
by SwordsMiner
2014-06-14 00:47:22

How do I start Java Game Development?
by ra4king
2014-05-17 11:13:37

HotSpot Options
by Roquen
2014-05-15 09:59:54

HotSpot Options
by Roquen
2014-05-06 15:03:10

Escape Analysis
by Roquen
2014-04-29 22:16:43

Experimental Toys
by Roquen
2014-04-28 13:24:22
java-gaming.org is not responsible for the content posted by its members, including references to external websites, and other references that may or may not have a relation with our primarily gaming and game production oriented community. inquiries and complaints can be sent via email to the info‑account of the company managing the website of java‑gaming.org
Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines | Managed by Enhanced Four Valid XHTML 1.0! Valid CSS!