
Thread: Decompiling Java class and breaking cipher

  1. #21
    rajma is offline Member

    Queen - Bohemian Rhapsody Live Lyrics (Legendado em Inglês) - YouTube Somehow I understood, I think it's easier to be terrorist and kill people rather than program Java or C, it is interesting, but when you have a lot of questions to answer, neither professor nor books can help, only internet, which takes your time (sometimes months) to solve something...
    I knew from the beginning that it is client side, but I'm really deep in the hole. What am I supposed to do, when I know that anyone can hack this?
    For example there are games that are made by adobe flash (client side) and integrated to the web, how do they protect every value/variable alteration?
    For example if someone wants to change money: if he changes it, it immediately changes back to the previous value...? How?
    Or maybe create encrypted password in plain text file, then get it on applet and restrict that file from using outside? Or no... hacker can still create his own program... to manage things....
    Last edited by rajma; 11-20-2013 at 01:58 PM.

  2. #22
    jim829 is offline Senior Member

    Have you considered instead of sending the key to the applet you send the cypher text to the server and decrypt it there and then send it back to the applet? This is no different than decrypting it locally since you eventually have the data as clear text. But it does protect the key (unless you have access to the server). And people hack games all the time, regardless of how well they are protected. This is why it is important to protect the key, algorithm, and clear text. All you can do is make it difficult, not impossible -- which I believe has already been stated several times.

    Regards,
    Jim
    The Java Tutorial | SSCCE | Java Naming Conventions
    Poor planning on your part does not constitute an emergency on my part.

  3. #23
    gimbal2 is offline Just a guy

    Quote Originally Posted by rajma View Post
    which takes your time (sometimes months) to solve something...
    Yep.

    I knew from the beginning that it is client side, but I'm really deep in the hole. What am I supposed to do, when I know that anyone can hack this?
    Well to start with, you should have not "just used an applet", you should have studied up on the implications of using applets. You're in the hole and YOU dug it by researching security AFTERWARDS instead of doing so right at the start.

    For example there are games that are made by adobe flash (client side) and integrated to the web, how do they protect every value/variable alteration?
    For example if someone wants to change money: if he changes it, it immediately changes back to the previous value...? How?
    You'd have to ask those people. It's a difficult problem to solve indeed and people make (a great deal of) money coming up with solutions for it, all of which fail at some point because hackers are always smarter.


    You can't prevent, you can only minimize.

    - do EVERYTHING on the server and keep the client as thin as possible; the next evolutionary step there is to actually start streaming games instead of installing/running them locally
    - encrypt (critical) communications between the client and the server
    - maintain a state on both the client and the server and validate that the two are in sync
    - make sure that there are repercussions in place when someone does abuse the system anyway, possibly legal ones. This is to help persuade at least some people not even to bother; plenty still will.

    Take Blizzard as an example - not exactly the smallest game development company in the world with popular games such as Diablo and World of Warcraft. Even THEIR games are hacked and abused, regularly. If not inside the game then outside it, by selling gold, items and accounts through alternate means such as eBay. And they respond to that by correcting what the hackers/abusers do and to make sure they cannot do it again, by banning accounts and taking legal action.
    Last edited by gimbal2; 11-20-2013 at 02:12 PM.
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  4. #24
    rajma is offline Member

    But jim829, hacker can write his own program (same applet), without ciphers and other security functions. There is also another issue, maybe, I don't really know if it works, for example calling Servlet function from Applet, if you want something to save, for example to database, you must use UpdateSomething(value, value) to get your data saved and then on Servlet check those values ...?

    You'd have to ask those people. It's a difficult problem to solve indeed and people make (a great deal of) money coming up with solutions for it, all of which fail at some point because hackers are always smarter.
    They won't tell me

    Anyway thank you guys for the answers!
    Last edited by rajma; 11-20-2013 at 02:26 PM.

  5. #25
    jim829 is offline Senior Member

    Quote Originally Posted by rajma View Post
    They won't tell me!
    Of course not. Because, their protections only make it difficult, not impossible to hack. If they told you what they did or how they did it, then it would be self defeating.

    Regards,
    Jim
    The Java Tutorial | SSCCE | Java Naming Conventions
    Poor planning on your part does not constitute an emergency on my part.

  6. #26
    Tolls is offline Moderator

    Is your applet really so important that you think someone will bother to actually try and break into it?
    Please do not ask for code as refusal often offends.

  7. #27
    gimbal2 is offline Just a guy

    It's already difficult enough to persuade people to TRY the games you make, I can say from experience!
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  8. #28
    rajma is offline Member

    Tolls it's a rhetorical question, I believe that no one wants to break it, but time will tell, otherwise I want to learn more about security, I think it will be useful in future.

  9. #29
    Tolls is offline Moderator

    OK, well you have your answer.
    Short of sticking all the important code on a server and having someone register/login in order to use it, there is nothing you can do.
    If it's on the client, or is read by the client, it is visible to a hacker.
    Please do not ask for code as refusal often offends.

  10. #30
    gimbal2 is offline Just a guy

    Quote Originally Posted by rajma View Post
    Tolls it's a rhetorical question, I believe that no one wants to break it, but time will tell, otherwise I want to learn more about security, I think it will be useful in future.
    That's a good way of thinking. The way you go about getting the information can use some work though. This will require a great deal of study on your part; expecting to get the answers in a forum post is asking too much. You have been given enough clues in which directions to investigate and do further reading, good luck!
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  11. #31
    rajma is offline Member

    Hey if you have some good tutorials or interesting texts to read about all those communications, security would you mind to share please?

  12. #32
    rajma is offline Member

    Sorry for bump, but I've found a new idea for checking if the client is running the correct JWS (Java Web Start) (or Applet) (or just Runnable Java), for example:
    Server-side: MyServlet.jar, Game.jar
    Client-side: Game.jar
    Now if you establish connection new URL("http://blabla.com:8080/") in Game.jar and call a function that is in MyServlet.jar (for example UpdateMysqlTable), you can check validity of both Game.jar files that are in server-side and client-side, like md5 hash code or something, how's the idea? Is it good? :)

    P.S. Everything depends on the function that is called from servlet, because it checks if hacker is not using his own java program, so he can't make new customized game and post new values/variables to database :)
    Last edited by rajma; 11-22-2013 at 12:25 PM.

  13. #33
    Tolls is offline Moderator

    How do you send the client hashcode to the server?
    Where is it calculated?
    What's to prevent the hacker from simply sending the old hashcode from their hacked client?
    Please do not ask for code as refusal often offends.

  14. #34
    rajma is offline Member

    pfeee you broke my dreams
    Okay, then in MyServlet.jar :
    Java Code:
    // it's just a fast example, don't look at syntax
    private passwordInServlet = encrypted(passwordInServlet)
    UpdateMysqlTable(statement, specialPasswordFromApplet) {
        if (passwordInServlet == specialPasswordFromApplet)
            statement("Update blabla");
    }
    something like this...
    Last edited by rajma; 11-22-2013 at 01:04 PM.

  15. #35
    Tolls is offline Moderator

    Again, as was stated earlier, if anything has to be transmitted from the client to identify itself as valid, then what is to prevent a hacker from simply ensuring that thing is sent?
    Any special password has to come from the client...that means it's accessible on the client.
    Please do not ask for code as refusal often offends.
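
The approach the replies in this thread point to (keep the state on the server, let the client send only actions, and check that the two sides are in sync), sketched as an added example that is not code from any poster. The class and method names, the prices and the starting balance are made up for illustration, and authentication of the session is assumed to have happened already.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: AuthoritativeGameServer, login, buy and sync are hypothetical names.
public class AuthoritativeGameServer {
    // Prices and balances live only on the server; the client never supplies them.
    private static final Map<String, Integer> PRICES = Map.of("sword", 50, "shield", 30);
    private final Map<String, Integer> balanceBySession = new HashMap<>();

    // Called once the server has authenticated the user (login itself is out of scope).
    public synchronized void login(String sessionId) {
        balanceBySession.put(sessionId, 100); // constructed starting balance
    }

    // The client sends an intent ("buy sword"), never a resulting value ("money = 50").
    public synchronized boolean buy(String sessionId, String item) {
        Integer balance = balanceBySession.get(sessionId);
        Integer price = PRICES.get(item);
        if (balance == null || price == null || balance < price) {
            return false; // unknown session, unknown item, or not enough money
        }
        balanceBySession.put(sessionId, balance - price);
        return true;
    }

    // The client reports what it believes; the server answers with its own value.
    // A mismatch is worth logging, and the client copy is simply overwritten.
    public synchronized int sync(String sessionId, int clientClaimedBalance) {
        Integer actual = balanceBySession.get(sessionId);
        if (actual == null) {
            throw new IllegalArgumentException("unknown session");
        }
        if (actual != clientClaimedBalance) {
            System.out.println("out of sync: client claims " + clientClaimedBalance
                    + ", server has " + actual);
        }
        return actual;
    }

    public static void main(String[] args) {
        AuthoritativeGameServer server = new AuthoritativeGameServer();
        server.login("session-1");
        System.out.println(server.buy("session-1", "sword"));    // honest purchase
        System.out.println(server.sync("session-1", 1_000_000)); // client with edited memory
        System.out.println(server.buy("session-1", "sword"));    // server-side balance decides
        System.out.println(server.buy("session-1", "shield"));   // rejected once money runs out
    }
}
```

Nothing in this design depends on the client being unmodified: a rewritten client can only send the same `buy` requests an honest one can, and any value it edits locally is replaced by the server's copy on the next `sync`.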

  16. #36
    gimbal2 is offline Just a guy

    To make matters worse, research what a "http sniffer" is. Any person who is willing to figure it out probably won't even need to decompile the applet to figure out what is sent.

    I'm amazed that the topic of encrypting the java .class file so it can't be decompiled hasn't come up yet, unless I overlooked it of course.
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  17. #37
    rajma is offline Member

    I'm overthinking, I know :/ I need to get a rest a little bit. I need to find real code about communications between server-client

  18. #38
    gimbal2 is offline Just a guy

    You can also say that you're underthinking it. I mean if the world's brightest people can't make something that is secure, then why do you think you can figure something out without the necessary education and experience? I certainly can't and I don't try, I stay within the realm of being realistic.
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  19. #39
    rajma is offline Member

    I'm too curious, too mad that someone can break this, one friend just came to my web and broke everything in my JWS... just by downloading simple hacking programs...
    Really annoying! I'm obsessed with security. For example in PHP I do everything to protect the web from bugs, leaks, injections, every single, possible issue.
    Last edited by rajma; 11-22-2013 at 01:21 PM.

  20. #40
    gimbal2 is offline Just a guy

    PHP is in itself already a huge security flaw, its core development is totally uncontrolled and its API is not designed to be secure.

    PHP: a fractal of bad design - fuzzy notepad
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis
