Home > Archive > Java Security > March 2004 > Java decompilation problem
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Java decompilation problem
|
|
| Grzegorz Tańczyk 2004-03-27, 12:31 am |
| Hello
First I want to explain what I want to do. I have some experiment
simulator. It takes init data and gives two number result. Users on
www can add new/modify init data records. Simulator at deadline
stars processing this data and assigns result numbers to each of
them. That is a big abstraction of that what I really want to do :-)
Simulator is written in Java and here my simple idea starts. I want
to put simulator in java applet which will get initdata record from
server and send result numbers to server. I will put small rect
somewhere on the www, and when visitor will browse ower the site he
will automaticaly help to speed up result numbers calculation
process. It works in simple way:
1. applet gets unprocessed data from some address. Server marks this initdata as
"beign externally processed".
2. applet makes experiment simulation
3. if he have result number he sends it with initdataID to server.
Server marks this initdata as "processed".
Also server makes internall simulations, but 100 visitors computers
are better than one computer :)
And now the PROBLEM :|
Java Applet can be decompiled and some ugly person can modify it and
destroy simulation process. How to avoid this situation?
Java question: is there any way to make applet decompilation
impossible?
Need Your help! :D
--
Regards
Grzegorz
| |
| Roedy Green 2004-03-27, 12:31 am |
| On Fri, 26 Mar 2004 18:11:35 +0000 (UTC), "Grzegorz Tańczyk"
<goliatus_NIECHE_SPAMU_@mmogspot.com> wrote or quoted :
> Java question: is there any way to make applet decompilation
> impossible?
No. But you can natively compile an Application that talks on the web.
see http://mindprod.com/nativecompiler.html
http://mindprod.com/jgloss/obfuscator.html
Natively compiled code is almost as hard as C++ to decompile.
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Roedy Green 2004-03-27, 12:31 am |
| On Fri, 26 Mar 2004 18:11:35 +0000 (UTC), "Grzegorz Tańczyk"
<goliatus_NIECHE_SPAMU_@mmogspot.com> wrote or quoted :
> Java question: is there any way to make applet decompilation
> impossible?
here is another technique that gets a similar result.
You reissue a slightly different version of the applet each day. Old
versions cease to work.
You send your poor hacker back to the drawing board each day.
See http://mindprod.com/jgloss/obfuscator.html for the art of
technical warfare.
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Grzegorz Tańczyk 2004-03-27, 12:31 am |
| Roedy Green <look-at-the-website@mindprod.com> wrote in news:oi5960l7rtj5cet3cblj46kjaddapit72l@
4ax.com:
<quote>You can't use native compilers on Applets. In theory you could compile your app as a DLL and
make pure java hooks in to it. You would have to design your app as a dll, sign it, arrange for installation of
the DLL. The game is hardly worth the candle.</quote>
> On Fri, 26 Mar 2004 18:11:35 +0000 (UTC), "Grzegorz Ta?czyk"
> <goliatus_NIECHE_SPAMU_@mmogspot.com> wrote or quoted :
>
>
> No. But you can natively compile an Application that talks on the web.
> see http://mindprod.com/nativecompiler.html
> http://mindprod.com/jgloss/obfuscator.html
> Natively compiled code is almost as hard as C++ to decompile.
>
> --
> Canadian Mind Products, Roedy Green.
> Coaching, problem solving, economical contract programming.
> See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Grzegorz Tańczyk 2004-03-27, 12:31 am |
| Roedy Green <look-at-the-website@mindprod.com> wrote in
news:hn5960d5obg4j3lbvbcig0bs4o05u3n101@
4ax.com:
I thought about checking in serverside that does request comes from applet lanuched
on mywebsite. Is such info sent by browser in request params?
> On Fri, 26 Mar 2004 18:11:35 +0000 (UTC), "Grzegorz Ta?czyk"
> <goliatus_NIECHE_SPAMU_@mmogspot.com> wrote or quoted :
>
>
> here is another technique that gets a similar result.
>
> You reissue a slightly different version of the applet each day. Old
> versions cease to work.
>
> You send your poor hacker back to the drawing board each day.
>
> See http://mindprod.com/jgloss/obfuscator.html for the art of
> technical warfare.
>
> --
> Canadian Mind Products, Roedy Green.
> Coaching, problem solving, economical contract programming.
> See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Michael Amling 2004-03-28, 12:02 am |
| Grzegorz Tańczyk wrote:
> Hello
>
> First I want to explain what I want to do. I have some experiment
> simulator. It takes init data and gives two number result. Users on
> www can add new/modify init data records. Simulator at deadline
> stars processing this data and assigns result numbers to each of
> them. That is a big abstraction of that what I really want to do :-)
>
> Simulator is written in Java and here my simple idea starts. I want
> to put simulator in java applet which will get initdata record from
> server and send result numbers to server. I will put small rect
> somewhere on the www, and when visitor will browse ower the site he
> will automaticaly help to speed up result numbers calculation
> process. It works in simple way:
> 1. applet gets unprocessed data from some address. Server marks this initdata as
> "beign externally processed".
> 2. applet makes experiment simulation
> 3. if he have result number he sends it with initdataID to server.
> Server marks this initdata as "processed".
>
> Also server makes internall simulations, but 100 visitors computers
> are better than one computer :)
This plan sounds like http://www.md5crk.com/.
>
> And now the PROBLEM :|
>
> Java Applet can be decompiled and some ugly person can modify it and
> destroy simulation process. How to avoid this situation?
>
> Java question: is there any way to make applet decompilation
> impossible?
Not really. You can try, but, unlike SSL, it can't be made secure.
--Mike Amling
| |
| Grzegorz Tańczyk 2004-03-28, 12:02 am |
| Michael Amling <nospam@nospam.com> wrote in
news:Cyi9c.40735$PY.1412@newssvr26.news.prodigy.com:
> This plan sounds like http://www.md5crk.com/.
Same way, but my goal is to make enjoyable internet game ;)
| |
| Roedy Green 2004-03-28, 12:02 am |
| On Fri, 26 Mar 2004 22:33:46 +0000 (UTC), "Grzegorz Tańczyk"
<goliatus_NIECHE_SPAMU_@mmogspot.com> wrote or quoted :
>I thought about checking in serverside that does request comes from applet lanuched
>on mywebsite. Is such info sent by browser in request params?
You can set up a login mechanism. You can authenticate based on the
sending IP.
The HTTP server will let you set up password protected directories
where you keep your Applet.
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
|
|
|
|
|