
Thread: Decompiling Java class and breaking cipher

  1. #1
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Decompiling Java class and breaking cipher

    So I have code below that protects VARIABLES from hacking (such as CheatEngine) and it secures my code from that program, so the question is: if I decompile the .class files, can someone look at that security code and break it? I mean AES, SHA encryption, can someone break that somehow if this applet is on the WEB?
    P.S. Code works fine, this is small library.
    P.S.S. Source code and decompiled .class looks almost the same :( they can see how I encrypt :(
    Java Code:
    import java.security.GeneralSecurityException;
    import java.security.MessageDigest;
    import java.util.Arrays;
    
    import javax.crypto.Cipher;
    import javax.crypto.spec.SecretKeySpec;
    
    public class EncString {
    	
    	SecretKeySpec key;
    	Cipher cipher;
    	// The int is stored only in encrypted form
    	private byte[] value_;
    	
    	public EncString(int intValue)
    	{
    		EncryptFunc();
    		value_ = cryptToByte(intValue);
    	}
    	public EncString()
    	{
    		EncryptFunc();
    		value_ = cryptToByte(0);
    	}
    	public int value()
    	{
    		return decryptToInt(value_);
    	}
    	public void set(int nval)
    	{
    		value_ = cryptToByte(nval);
    	}
    	private byte[] cryptToByte(int intValue)
    	{
    		byte[] encrypted = {};
    		try {
    			// "AES" with no mode or padding selects the provider default
    			cipher = Cipher.getInstance("AES");
    			cipher.init(Cipher.ENCRYPT_MODE, key);
    			encrypted = cipher.doFinal(Integer.toString(intValue).getBytes());
    		} catch (GeneralSecurityException e) {
    			// covers missing algorithm/padding, invalid key, bad block size or padding
    			e.printStackTrace();
    		}
    		return encrypted;
    	}
    	private int decryptToInt(byte[] ByteValue)
    	{
    		int intVal = 0;
    		try {
    			cipher = Cipher.getInstance("AES");
    			cipher.init(Cipher.DECRYPT_MODE, key);
    			byte[] decrypted = cipher.doFinal(ByteValue);
    			intVal = Integer.parseInt(new String(decrypted));
    		} catch (GeneralSecurityException e) {
    			e.printStackTrace();
    		}
    		return intVal;
    	}
    	private void EncryptFunc()
    	{
    		// The key is derived from a constant compiled into the class file
    		byte[] keyBytes = "AUSKey".getBytes();
    
    		try {
    			MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
    			keyBytes = sha256.digest(keyBytes);
    		} catch (GeneralSecurityException e) {
    			e.printStackTrace();
    		}
    		keyBytes = Arrays.copyOf(keyBytes, 16); // use only the first 128 bits
    		key = new SecretKeySpec(keyBytes, "AES");
    	}
    }
    Last edited by rajma; 11-16-2013 at 08:39 PM.

  2. #2
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Decompiling Java class and breaking cipher

    Yes, easily. One of the first things Bruce Schneier talks about in his book Applied Cryptography is that any encryption scheme that relies on the secrecy of its algorithm is automatically flawed. In well-designed systems, only the key needs to be kept secret. This principle implies that it is absolutely impossible to prevent anyone from reverse-engineering a runnable program. If you're sharing the key, then it can be accessed. And if you're not, then nobody can run your program. If it can be run, it can be cracked. If it can be viewed, it can be copied. No amount of obscurity will ever be more than a minor inconvenience... and apparently no amount of reasoning will ever make suits understand this.
    Get in the habit of using standard Java naming conventions!

  3. #3
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    So you mean for example if:
    Java Code:
    byte[] keyBytes = "AUSKey".getBytes();
    AUSKey is seen in decompiler he can hack my program...? :(((

  4. #4
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Decompiling Java class and breaking cipher

    Basically, yes. Trying to prevent people from decompiling or otherwise "hacking" your program is pretty much wasted effort.

    What are you trying to protect, anyway? Trying to keep people from cheating at a game or something?
    Get in the habit of using standard Java naming conventions!

  5. #5
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    Quote Originally Posted by kjkrum View Post
    Basically, yes. Trying to prevent people from decompiling or otherwise "hacking" your program is pretty much wasted effort.

    What are you trying to protect, anyway? Trying to keep people from cheating at a game or something?
    Yes, I want to prevent memory hacks and other annoying things associated with HACKS :(
    Currently protecting variables so that no one can use the CheatEngine program to raise values in the game.

  6. #6
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Decompiling Java class and breaking cipher

    You need a more specific concern than "hacks". Is this a multiplayer game? Can the state you want to protect be kept on the server? And if it's not multiplayer, then who cares?
    Last edited by kjkrum; 11-17-2013 at 02:30 AM.
    Get in the habit of using standard Java naming conventions!

  7. #7
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    It is an applet integrated into the web, it's just a shooter game, you gain scores etc., and then values/variables are sent to PHP via JSON

  8. #8
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Decompiling Java class and breaking cipher

    Big games like MMOs employ all kinds of complex strategies to prevent cheating, including encrypting all their communication and installing spyware to monitor other programs, and it still doesn't stop cheaters. There is no solution except to keep all state on the server and provide only essential information to the client. And that leads to unacceptable performance for most games.
    Get in the habit of using standard Java naming conventions!
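
What "keep all state on the server" in post #8 can look like for the score counter of the shooter game from post #7, as an added example that is not part of the thread: the client reports events and the server computes the score itself. The class and method names, the point value and the rate limit are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every name and constant here is hypothetical.
public class ScoreServer {
    static final int POINTS_PER_HIT = 10;          // assumed game rule
    static final long MIN_MS_BETWEEN_HITS = 200;   // assumed fastest legitimate fire rate

    static final class Session {
        int score;             // authoritative score, held only on the server
        int nextTargetId = 1;  // the server decides which target is live
        long lastHitMs = -1;   // server receive time of the last accepted hit
    }

    private final Map<String, Session> sessions = new HashMap<>();

    void startGame(String sessionId) {
        sessions.put(sessionId, new Session());
    }

    // The client reports an event, never a score. nowMs is the server's own clock.
    boolean reportHit(String sessionId, int targetId, long nowMs) {
        Session s = sessions.get(sessionId);
        if (s == null) return false;                    // unknown session
        if (targetId != s.nextTargetId) return false;   // target not live: replayed or invented
        if (s.lastHitMs >= 0 && nowMs - s.lastHitMs < MIN_MS_BETWEEN_HITS) return false; // too fast
        s.score += POINTS_PER_HIT;
        s.nextTargetId++;
        s.lastHitMs = nowMs;
        return true;
    }

    int score(String sessionId) {
        Session s = sessions.get(sessionId);
        return s == null ? 0 : s.score;
    }

    public static void main(String[] args) {
        ScoreServer server = new ScoreServer();
        String id = "constructed-session-1";            // constructed sample input
        server.startGame(id);
        // Constructed requests as {targetId, server receive time in ms}
        long[][] requests = { {1, 1000}, {2, 1050}, {99, 5000}, {1, 6000}, {2, 7000} };
        for (long[] r : requests) {
            boolean ok = server.reportHit(id, (int) r[0], r[1]);
            System.out.println("target " + r[0] + " at " + r[1] + " ms accepted=" + ok);
        }
        System.out.println("server-side score: " + server.score(id));
    }
}
```

With this shape there is no score variable on the client to edit and no key to hide; a client can still automate plausible events, so the checks only bound what a request can claim.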

  9. #9
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    I don't want to create a new thread, I want to ask another question, how to do that
    Java Code:
    new URL("http://blabla.com/json_GetTownInfo.php");
    the PHP file can be accessed only from the host? If a user accesses/writes this function from his own application then it won't work, how to do this?

  10. #10
    gimbal2 is offline Just a guy
    Join Date
    Jun 2013
    Location
    Netherlands
    Posts
    3,848
    Rep Power
    5

    Default Re: Decompiling Java class and breaking cipher

    It's not a function, it is the creation of a URL object. First you'd have to figure out what goes wrong. If "it doesn't work" there is an exception, post that exception.
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  11. #11
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    I mean like restricting PHP access in .htaccess, but sure it won't work if you allow .php only on your web host and disallow on other hosts, it just throws 403 forbidden. I'm asking if it's possible somehow to allow access to the .php from the applet/JWS only if the user runs it from my web host, not from desktop or another host...?

  12. #12
    gimbal2 is offline Just a guy
    Join Date
    Jun 2013
    Location
    Netherlands
    Posts
    3,848
    Rep Power
    5

    Default Re: Decompiling Java class and breaking cipher

    The applet is not run from your web host, an applet executes on the local machine. It is only DOWNLOADED FROM your web host.

    The standard Java sandbox, as far as I know, only allows network connections to be made from an applet to its originating host.
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  13. #13
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    Okay, I've managed to use a Servlet :) now I need an idea to protect
    Java Code:
    byte[] keyBytes = "AUSKey".getBytes();
    this key, I can send this key from the servlet to the applet, but a hacker can still have this key, just by connecting to the servlet URL and getting this key with the simple functions that are included in the applet (he can just look at the code of the applet). I don't want to make the Tomcat Apache server only for local access, I want it public, but I need to protect that key somehow, any ideas?
    Java Code:
    new URL("blabla.com:8080/servlet/blabla")
    connection.gettingfromservletKEY
    It's just an example, I want the Apache servlet for public access, but with key protection

    There are a lot of games that do communication with public access to the server, but they somehow protect their variables and other stuff by encrypting data or sending keys. But I don't really know how, because I don't have their code.
    Last edited by rajma; 11-19-2013 at 09:33 PM.

  14. #14
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Decompiling Java class and breaking cipher

    As I said, you're wasting your time. If the applet can get the key, a hacker can get the key.

    If you had total control over the hardware, you might be able to achieve what you want. The key would be pre-loaded onto the client device, never transmitted over the network. The device would consist of custom hardware running a custom OS, and it would be hermetically sealed and have a self-destruct mechanism that would be triggered if the case were opened.
    Get in the habit of using standard Java naming conventions!

  15. #15
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    If you had total control over the hardware, you might be able to achieve what you want.
    What do you mean by this? Signing applet or what, please post some examples :)
    Last edited by rajma; 11-20-2013 at 10:08 AM.

  16. #16
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    11,931
    Rep Power
    19

    Default Re: Decompiling Java class and breaking cipher

    Quote Originally Posted by rajma View Post
    What do you mean by this? Signing applet or what, please post some examples :)
    No, they mean total control over the hardware.
    Something you are not going to get.
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  17. #17
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Decompiling Java class and breaking cipher

    Quote Originally Posted by rajma View Post
    What do you mean by this? Signing applet or what, please post some examples :)
    I mean, you distribute your program only on custom-manufactured hardware that will physically self-destruct if anyone tries to tamper with it to gain access to the encryption key. I'm not proposing that as a realistic solution; I'm trying to emphasize how pointlessly futile it is to try to do what you're trying to do.
    Get in the habit of using standard Java naming conventions!

  18. #18
    rajma is offline Member
    Join Date
    Nov 2013
    Posts
    20
    Rep Power
    0

    Default Re: Decompiling Java class and breaking cipher

    Sorry for misunderstanding, I still can't get it. You mean rent a server and code a servlet?

  19. #19
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Decompiling Java class and breaking cipher

    I mean you commission Sony or Nintendo to create a special console for you that only runs your applet and self-destructs if someone tries to reverse engineer it.

    What you are trying to do is essentially impossible. And this is not a limitation of Java or any other specific technology. It's fundamentally, logically impossible.
    Last edited by kjkrum; 11-20-2013 at 01:18 PM.
    Get in the habit of using standard Java naming conventions!

  20. #20
    gimbal2 is offline Just a guy
    Join Date
    Jun 2013
    Location
    Netherlands
    Posts
    3,848
    Rep Power
    5

    Default Re: Decompiling Java class and breaking cipher

    Errr, this thread has now deviated into a discussion about something which was originally not intended as a serious answer (I hope) :)

    Fact of the matter is: applets are insecure and no matter what measures are thrown at it, they stay that way mostly because they execute on the client machine which you cannot control. So if you want security, don't use them. In my honest opinion, of course.

    But what is often also true, is that more is expected than is actually needed. Is the problem really a problem? Let me rephrase: what is wrong with someone breaking it open (if they even want to make the effort, which is usually not true)? Should you care?
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis
