
I have a Java client and a server, and I want everyone who connects to my server with the client to use the original client (not hacked or modified). Modifying it is very easy by decompiling the code.

My idea: When the client connects to the server, the server sends a random hash to the client. One class of the client calculates a checksum of the jar file and creates a new hash code containing the hash from the server and the checksum. The client sends the new hash back to the server and the server checks whether it is valid. Now I will just obfuscate this one class, or I will use another strong protection, so that nobody can fake the checksum of the jar file.

My question is: What do you think about it? Will it work how I imagine it?

Artjom B.
stonar96
  • You will not succeed in obfuscating your class. Any security founded on protecting the client from attack will fail. –  Oct 28 '14 at 19:59
  • http://www.excelsiorjet.com/ Won't this work? – stonar96 Oct 28 '14 at 20:02
  • You'll notice no-one sells/provides a solution which says "100% protection from reverse engineering". Care to speculate why this may be? (Clue: All code can be reverse engineered.) –  Oct 28 '14 at 20:03
  • This is a fundamental problem. Anything that can be viewed can be copied. Anything that can be run can be decompiled. This is why IP protection strategies are moving toward legal rather than technical solutions. There is not and cannot be any technical solution. The closest thing to a technical solution would be to view or run your content on a purpose-made, hermetically-sealed device with a tamper sensor and self-destruct mechanism. – Kevin Krumwiede Oct 28 '14 at 20:06
  • So in my case all depends on the protection of "reverse engineering"? – stonar96 Oct 28 '14 at 20:06
  • Yes. You can make it as hard as possible. You can delay the inevitable. But if it runs on a cpu then people can step through the code and observe what it's doing. –  Oct 28 '14 at 20:09
  • With Java, you don't even need to resort to that. You can decompile any jar into code with meaningless identifiers like 'a', 'b', etc. The names of public classes, methods, and fields can't be obfuscated, so you just start from there and refactor names until things start to make sense. It takes a few hours at most. I've had to do this with libraries that were very poorly documented, just to figure out how their public methods are supposed to be used. It would be very easy to find out how this proposed system works, find out the checksum of the original jar, and fake it. – Kevin Krumwiede Oct 28 '14 at 20:14
  • The attacker can also let the original JAR handle any checksum calculations and then do anything it wants, with a Man-In-The-Middle attack. You can spend a lot of time trying to come up with a solution, but it won't work. So the question boils down to: how important is your program? – Kayaman Oct 28 '14 at 20:23
  • In my case the rest of the code is open source, I just want to protect the server from modified clients. If I use something like Excelsior JET and not just obfuscation, a hacker then has to fake the checksum and has to find out how the calculation of the new hash works. This would not be that easy, right? – stonar96 Oct 28 '14 at 20:24
  • @stonar96 It would be pretty simple. You'd just make any modification to `hacked.jar`, plus a modification to read from `original.jar` instead of `hacked.jar` when calculating the checksum. – that other guy Oct 28 '14 at 20:42
  • @that other guy but you can't simply modify the calculation of the checksum because you would need the code of the calculation of the checksum and a hacker will not know how to generate the new hash which contains the checksum and the hash from the server (provided: there is an optimal "decompile-protection" for this one class). – stonar96 Oct 29 '14 at 10:09
  • All that you will be checking this way is whether the original jar file is still present on the end user system. You cannot check whether it is your original app that does the checksum calculation, whether it runs on an unmodified JVM, whether it is not running under the control of an agent that can modify its behavior at will, and so on. – Dmitry Leskov Oct 29 '14 at 12:25
  • @stonar96 Decompilation is purely for the human programmer's convenience, it's not required for modification or analysis. You can also just modify the JVM and feed your class the original, pristine data rather than the hacked data, as Dmitry points out. – that other guy Oct 29 '14 at 16:04
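
The scheme from the question and the objection raised in the comments, as an added example that is not code from the thread: the response format SHA-256(nonce || SHA-256(jar)), the class name and the method names are assumptions, and the byte strings are constructed stand-ins for jar contents. It shows that the server's check depends only on which bytes were hashed, so it confirms that the original file is available to the client, not that the original code is what is running.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class ChecksumHandshakeDemo {
    // Hash the concatenation of all parts with SHA-256.
    static byte[] sha256(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }

    // Client side of the proposed scheme (assumed format):
    // response = H(nonce || H(jar bytes)).
    static byte[] respond(byte[] nonce, byte[] jarBytes) throws Exception {
        return sha256(nonce, sha256(jarBytes));
    }

    // Server side: recompute from the digest on record and compare.
    static boolean serverAccepts(byte[] nonce, byte[] response, byte[] goodDigest)
            throws Exception {
        return MessageDigest.isEqual(sha256(nonce, goodDigest), response);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the contents of the two jar files.
        byte[] original = "original client bytes".getBytes(StandardCharsets.UTF_8);
        byte[] modified = "modified client bytes".getBytes(StandardCharsets.UTF_8);
        byte[] goodDigest = sha256(original); // what the server has on record

        // Fresh random challenge per connection, as in the question.
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);

        // 1. Unmodified client hashing the file it runs from: accepted.
        boolean honest = serverAccepts(nonce, respond(nonce, original), goodDigest);
        // 2. Modified client hashing its own file: rejected.
        boolean selfHash = serverAccepts(nonce, respond(nonce, modified), goodDigest);
        // 3. Modified client that hashes a retained copy of the original file:
        //    the response is byte-for-byte the same as in case 1, so the
        //    server cannot tell the two apart.
        boolean keptCopy = serverAccepts(nonce, respond(nonce, original), goodDigest);

        System.out.println("original client accepted:          " + honest);
        System.out.println("modified, hashes itself accepted:  " + selfHash);
        System.out.println("modified, hashes original accepted: " + keptCopy);
    }
}
```

The nonce prevents replay of an old response, but it does not bind the response to the code that produced it, which is why the server still has to validate everything a client sends.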

0 Answers