Java-Gaming.org    
Featured games (81)
games approved by the League of Dukes
Games in Showcase (499)
Games in Android Showcase (118)
games submitted by our members
Games in WIP (568)
games currently in development
News: Read the Java Gaming Resources, or peek at the official Java tutorials
 
    Home     Help   Search   Login   Register   
Pages: [1]
  ignore  |  Print  
  Java's Security as a whole  (Read 3650 times)
0 Members and 1 Guest are viewing this topic.
Offline dayrinni

Junior Member





« Posted 2007-06-30 03:56:16 »

Hi,

I have been recently investigating the fact that it appears to be quite easy to decompile .class files to attain source code. This scares me! So I have done a bit more research to find out some solutions to stop this.

1.) Encrypt the byte code and use a different class loader.
    This is flawed and will not work. This article is great: http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html
2.) Use an obfuscation tool.
     Just makes it harder...
3.) I have heard of a way to 'lock' the jar so that tools like winrar cannot open it. I do not know anything about that.

Those are the ones that I currently know of to protect the source code. It doesn't seem to hopeful to be honest. I find it very saddening that this is a possibility with java.

Does anyone else have any ways that they protect themselves against potential source code thefts?

I am going to post up some more information as I stumble across this. I feel this is an important aspect to java.

Thanks!
James
Offline Matzon

JGO Knight


Medals: 19
Projects: 1


I'm gonna wring your pants!


« Reply #1 - Posted 2007-06-30 06:45:22 »

you can do that with any language  Shocked
just live with it and get on with releasing your games.

*anything* that is deployed on clientside is crackable. class files, exe files, hd-dvd, fairtunes, dvd, ps2, xbox etc etc.

Offline princec

JGO Kernel


Medals: 391
Projects: 3
Exp: 16 years


Eh? Who? What? ... Me?


« Reply #2 - Posted 2007-06-30 12:35:04 »

Also be aware James that your source code is worthless to anyone else, so don't worry about people getting rich off of your hard work.

Cas Smiley

Games published by our own members! Check 'em out!
Legends of Yore - The Casual Retro Roguelike
Offline oNyx

JGO Coder


Medals: 2


pixels! :x


« Reply #3 - Posted 2007-06-30 13:02:32 »

It's the wrong label btw. This stuff isn't related to security.

If you're afraid that someone steals some of your rocket science tech... don't release it. Well, for the most part your code won't be all that interesting anyways. It's glue between libraries to make this specific application. Only a tiny fraction of that glue stuff is reusable... after heavy refactoring that is.

All the interesting things one might want to steal are open source anyways. Smiley

弾幕 ☆ @mahonnaiseblog
Offline dayrinni

Junior Member





« Reply #4 - Posted 2007-06-30 13:28:32 »

Thanks for the replies guys.

I realize that anything is crackable. It only takes time. What just bothers me is the ease of it. I am under the assumption that it is more difficult to crack, say, an exe file that has been compiled in C++ than a java jar or some class files. Perhaps I am just being ignorant and I have just not stumbled upon a series of decompilers for exe files. I have not looked. I discovered this event last night shortly before I was heading to bed so I did not have time to look around for that.

As my game will be online, I can spend some time to make the client as light as possible such that all the important stuff is located on the server. I am just paranoid. Which can be good and which can be bad Smiley

In terms of the name of this thread, I also realize that there is a subset of Java called Java Security (I work with Java Security in Industry). Perhaps I should of named it something different but I am talking about Java's Security not Java Security  Tongue Tongue Tongue Tongue ::tease::

An another note, has anyone used any code obfuscator's for Java? I am inclined to at least spend a little bit more effort to ensure it is not AS easy.

Offline oNyx

JGO Coder


Medals: 2


pixels! :x


« Reply #5 - Posted 2007-06-30 13:56:20 »

>I am under the assumption that it is more difficult to crack, say, an exe file that has been compiled in C++ than a
>java jar or some class files.

Well, that assumption is wrong. Removing the average CD check takes a few minutes (crack generation included). You also don't need programming skills and the required knowledge fits on a postcard. Removing an equally simple protection in Java requires way more knowledge and time.

Btw I didn't mean java.security. I meant those things which make Java secure. Eg class loaders, bounding checks, immutable strings... that kind of thing. That's what comes to mind if you use a title like "Java's security as a whole".

弾幕 ☆ @mahonnaiseblog
Offline dayrinni

Junior Member





« Reply #6 - Posted 2007-06-30 14:02:10 »

>I am under the assumption that it is more difficult to crack, say, an exe file that has been compiled in C++ than a
>java jar or some class files.

Well, that assumption is wrong. Removing the average CD check takes a few minutes (crack generation included). You also don't need programming skills and the required knowledge fits on a postcard. Removing an equally simple protection in Java requires way more knowledge and time.

Btw I didn't mean java.security. I meant those things which make Java secure. Eg class loaders, bounding checks, immutable strings... that kind of thing. That's what comes to mind if you use a title like "Java's security as a whole".

I was thinking more than removing a CD crack. Those are relativity easy to do. I googled for exe decompilers and received a large amount of results, but I do not know how reliable they are to use. Do you happen to know? Maybe I was just ignorant and they say ignorant is bliss!

Offline keldon85

Senior Member


Medals: 1



« Reply #7 - Posted 2007-06-30 15:35:40 »

You don't just decompile .exe's. You would actually debug them; see what many protection schemes do is encrypt the code and load it into ram. But no matter what you do your assembler code is always going to be loaded into ram so no, there is nothing you can do in any language.

And I can tell you this as a person who has been handed the debugging tools used to crack programs. Exe's are difficult to decompile properly since anything can be data or code, but if you encrypted java byte code then you are in the same boat.

Offline brackeen

Junior Member





« Reply #8 - Posted 2007-06-30 17:32:45 »

Quote
An another note, has anyone used any code obfuscator's for Java?
Try ProGuard (free, open source, has an Ant task).
Offline dayrinni

Junior Member





« Reply #9 - Posted 2007-06-30 19:53:55 »

Try ProGuard (free, open source, has an Ant task).

Thanks. I tried retroguard and got that going. I'll check out proguard.

I'm in the process of decoupling my server and client code from the networking framework I developed. This makes me feel better inside knowing I won't have to put the server code (and most of the processing) in a risker situation.

I appreciate the replies I have received on this topic.
Games published by our own members! Check 'em out!
Legends of Yore - The Casual Retro Roguelike
Offline keldon85

Senior Member


Medals: 1



« Reply #10 - Posted 2007-07-01 01:34:51 »

Whatever you do, don't rely solely (or heavily) on this type of protection for anything where if someone were to manage to decompile the code that they would not be able to suddenly destroy your entire system, or steal other players money. Protection is a deterrent for amateurs, and a filter for the skilled.

Offline broumbroum

Junior Member





« Reply #11 - Posted 2007-07-01 01:48:51 »

Is this realistic to build a program that will re-build itself the first time it is launched? That is, you will have securized the java code by encoding the sources then once an appropriate app. launcher program executed you'll be able to get the sources decode and built at Runtime.  Huh

[ make your java program-builder-launcher (PBL)] -----> give a zip file with the sources tree and a build.xml -----> [ launch your PBL with the zip file ] ---> decode and build ---> [ launch the created .jar from a temp/ securized place ] <= The app is almost securized!!!

::::... :..... :::::: ;;;:::™ b23:production 2006 GNU/GPL @ http://b23prodtm.webhop.info
on sf.net: /projects/sf3jswing
Java (1.6u10 plz) Web Start pool
dev' VODcast[/ur
Offline dayrinni

Junior Member





« Reply #12 - Posted 2007-07-01 03:11:48 »

Whatever you do, don't rely solely (or heavily) on this type of protection for anything where if someone were to manage to decompile the code that they would not be able to suddenly destroy your entire system, or steal other players money. Protection is a deterrent for amateurs, and a filter for the skilled.

Correct! I have a plan that I developed in the past day after learning of this for Java.

1.) Obfuscate my code that will be released.
2.) Change from a thick to a very thin client. Think like a MUD. This is turning out to be a project in its own. Even though it'll set me back for a week or so, the benefits out weigh the time it'll take to do.
3.) Add in server side functionality to ensure the data that it is receiving is 'secure'. One feature that I am going to do is if a connection sends X bogus commands in a row, they will be logged (IP address, connection times, what they tried to send, etc,  and disconnected.).
4.) A checksum verifier that will be execute upon connection to the server.

I know that no matter what I do (besides not releasing) I cannot truly secure my code (I also realize my code isn't all that interesting, but there is no reason not to take the measures). The steps above will just make it harder to get ahold of things. Even if they do decompile the client, it will be utterly useless. I suppose I'll talk a bit more about my plan. I am going to pretty much make 'skeleton' classes in place of the real ones on the server. They will not have any execution code, nor will they have a complex structure (variables, polymorphism, etc). They will be very simple and straight forward. I realize with what I am trying to do, I can merely sending data to the client. The client just needs a good way to store it. So, in a way, this will help me actually have a more efficient program because I am not transmitting useless data to the server.

Well, I've rambled too much so I will not hit the post button!
Offline ddyer
« Reply #13 - Posted 2007-07-01 18:25:20 »

You seem fairly rational overall, not just a paranoid ranting about someone "stealing your code".
-- SO what specifically are you concerned that bad guys will do if they can see too much of your
client?
Offline dayrinni

Junior Member





« Reply #14 - Posted 2007-07-03 02:33:19 »

You seem fairly rational overall, not just a paranoid ranting about someone "stealing your code".
-- SO what specifically are you concerned that bad guys will do if they can see too much of your
client?


Thanks for the kind words Smiley

My plan was to have a thick client so I can offload some of the processing from the server. I have limited funds and I'm not sure how good of a processor I have. So they would be able to see some pretty important code that was related to the game (server protocols, how the data was arranged specifically). Even if they do not steal my code, it could give them a potential to disrupt the game. I wanted to avoid that situation.

I was also thinking of several ways to stem the bogus command sending. One other thing was having the server send the client a special code or something that the client could process and then send back with every command. This would allow the server to ensure the data is correct. We can make the code linked to the current account. It could then change every say, 10 seconds. This would make it so the server and client will always be in a secure fashion. Of course, the hacker could intercept the commands and blah blah blah etc. It is just another wall to climb Smiley
Offline brackeen

Junior Member





« Reply #15 - Posted 2007-07-03 04:05:44 »

In case you haven't thought about it already, here are two things to keep in mind: memory-editing tools and pixel-clicking bots. I had to deal with both of those for a simple game with high scores.

The memory-editing tools (like tsearch and Cheat Engine) allowed anyone to give themselves any score they wanted, usually within 5 minutes or so, no decompiling necessary. I fixed this problem by keeping certain variables (score, level, etc) encrypted in memory.

The pixel-clicking bots are a whole different problem. I didn't even bother trying to detect bots because, for one, it would be difficult. Second, as far as I could tell, there was only one person who created a bot and he was actually a kind person who stopped using it. Of course, some game designs are more prone to this than others.

Offline ddyer
« Reply #16 - Posted 2007-07-03 09:06:54 »

If your game is a shooter or mmog, where the client has information that the user is not supposed
to have access to, you ultimately cannot win.  You can only delay and make it harder.   You should
install tripwires based on the idea that hackers will try easy things first, and if they don't seem to
raise any alarm bells, might be happy with their work.   One of my favorite tricks is to degrade, but
not shutdown, clients that trip your alarms.  They'll get frustrated and go home - probably badmouthing
your software all the way.
Offline princec

JGO Kernel


Medals: 391
Projects: 3
Exp: 16 years


Eh? Who? What? ... Me?


« Reply #17 - Posted 2007-07-03 12:34:50 »

You never want people badmouthing your software.

Cas Smiley

Offline keldon85

Senior Member


Medals: 1



« Reply #18 - Posted 2007-07-03 18:47:29 »

You never want people badmouthing your software.

Cas Smiley
Unless they have the inability to speak, then you have encouraged a miracle  Cool

Offline dayrinni

Junior Member





« Reply #19 - Posted 2007-07-04 02:28:22 »

In case you haven't thought about it already, here are two things to keep in mind: memory-editing tools and pixel-clicking bots. I had to deal with both of those for a simple game with high scores.

The memory-editing tools (like tsearch and Cheat Engine) allowed anyone to give themselves any score they wanted, usually within 5 minutes or so, no decompiling necessary. I fixed this problem by keeping certain variables (score, level, etc) encrypted in memory.

The pixel-clicking bots are a whole different problem. I didn't even bother trying to detect bots because, for one, it would be difficult. Second, as far as I could tell, there was only one person who created a bot and he was actually a kind person who stopped using it. Of course, some game designs are more prone to this than others.



I was very careful to ensure that the server only was the sender of important data. It never ever takes data from the player and uses that to update itself. This wasn't the case with the thick client and is still with the thin client. The thin client now is purely a storage mechanism for the player. Though, I did not think of the pixel-clicking bots. Do you happen to have some sort of additional information about this handy? I'm going to google it and see what I can come up with.

If your game is a shooter or mmog, where the client has information that the user is not supposed
to have access to, you ultimately cannot win.  You can only delay and make it harder.   You should
install tripwires based on the idea that hackers will try easy things first, and if they don't seem to
raise any alarm bells, might be happy with their work.   One of my favorite tricks is to degrade, but
not shutdown, clients that trip your alarms.  They'll get frustrated and go home - probably badmouthing
your software all the way.


That's a great idea and I am going to do something like that in order to make it so they are more apt to get discouraged.

This thread has a lot of good information in it! Keep it coming!
Pages: [1]
  ignore  |  Print  
 
 
You cannot reply to this message, because it is very, very old.

 

Add your game by posting it in the WIP section,
or publish it in Showcase.

The first screenshot will be displayed as a thumbnail.

Pippogeek (40 views)
2014-09-24 16:13:29

Pippogeek (31 views)
2014-09-24 16:12:22

Pippogeek (21 views)
2014-09-24 16:12:06

Grunnt (47 views)
2014-09-23 14:38:19

radar3301 (29 views)
2014-09-21 23:33:17

BurntPizza (65 views)
2014-09-21 02:42:18

BurntPizza (37 views)
2014-09-21 01:30:30

moogie (44 views)
2014-09-21 00:26:15

UprightPath (53 views)
2014-09-20 20:14:06

BurntPizza (55 views)
2014-09-19 03:14:18
List of Learning Resources
by Longor1996
2014-08-16 10:40:00

List of Learning Resources
by SilverTiger
2014-08-05 19:33:27

Resources for WIP games
by CogWheelz
2014-08-01 16:20:17

Resources for WIP games
by CogWheelz
2014-08-01 16:19:50

List of Learning Resources
by SilverTiger
2014-07-31 16:29:50

List of Learning Resources
by SilverTiger
2014-07-31 16:26:06

List of Learning Resources
by SilverTiger
2014-07-31 11:54:12

HotSpot Options
by dleskov
2014-07-08 01:59:08
java-gaming.org is not responsible for the content posted by its members, including references to external websites, and other references that may or may not have a relation with our primarily gaming and game production oriented community. inquiries and complaints can be sent via email to the info‑account of the company managing the website of java‑gaming.org
Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines | Managed by Enhanced Four Valid XHTML 1.0! Valid CSS!