Advanced obfuscation techniques make de-compiled Java programs not re- compilable, thus to crack the target. mechanism of AspectJ  to render code obfuscation and string  Roubtsov, V., Cracking Java byte-code encryption, . Difficult to implement. – Of little benefit: The bytecode has to run! • No public/ private crypto offered. – Can it be implemented? • String encryption uses XOR type. string encryption. The latest version was released June 23, . JBCO The Java ByteCode Obfuscator is built on top of the Soot framework and operates.
|Genre:||Health and Food|
|Published (Last):||7 July 2011|
|PDF File Size:||14.24 Mb|
|ePub File Size:||18.3 Mb|
|Price:||Free* [*Free Regsitration Required]|
Cracking obfuscated Java Code – Adwind 3 | boredliner
Looking at the of effort some oragnizations do to obfuscate Java bytecode to avoid others to decompile it and extract secret information from the code, taking in account the limitations of this practice:.
Wouldn’t it be feasible to use asymmetric encryption to face this jqva I mean, wouldn’t it be possible for Oracle to equip the JVM with a certificate and a ClassLoader capable of decrypt encrypted class files using the private key of this certificate? Of course, the classes would have been encrypted obfscated the public key of this “unique oracle certificate”. I suppose that maybe it is not mathematically possible to protect this private key inside the JVM encrypting it in turn If you use symmetric algorithms and store the key in the JVM, it will be trivial to reverse engineer and find those.
If you employ obfuscation to hide them, it becomes less trivial, but it can still be done.
cryptography – Why not encrypt the Java bytecode instead of obfuscate it? – Stack Overflow
With public key crypto, the key doing the decrypting needs to be stored somewhere again. This is essentially a key storage problem and the only difficult strung reverse engineer problems are in hardware; even then, they get broken. My answer on IT security concerning effective DRM protection methods covers this in a little more detail. If the private key is inside the JVM it will take literally minutes to hackers and crackers obfuscwted get what that key is using reverse engineering.
Besides, classloader will probably be very slow if it has to use asymmetric encryption every time it needs to load a class. In any case, it’s impossible to protect private certificate at the client machine e.
How do you imagine it? If it was a plain text file, obviously it could be extracted. If it was encrypted, the “second level” key would have to be on client machine as well so that JVM could use the private cert for code protection.
So you would be able to extract that key, and consequently the private cert, as well. If you have the complete program this is not hard to extract for obfusczted programmer.
Any platform which can actually do this, has the key outside of reach for programmers. You might find this story about getting the private key from an Airport Express interesting: If code is encrypted it must be decrypted at some point. It is a simple tautology. Obfuscation however is in many cases irreversible.
It is in obfuscatee impossible to secure anything when the attacker is also the nytecode or has full control over the receiver and all his secrets.
At best, you can only delay a determined attacker. Pablo Santa Cruz k 23 Even if it is feasible technically, it has important drawbacks, like multiple points of failures. That’s true and definitely interesting.
But it will make the classloader reaaaally slow. I guess it could be useful for certain scenarios where you ovfuscated, really, really need to protect a Class’ content. Then the ClassLoader would efficiently decrypt this simmetric key, and use it the same way https works. For the reverse engineering of the JVM to get the private key Butit’s still orders of magnitude slower than just opening and loading an unencrypted class.
Let’s say you use this technique to encrypt Eclipse plugins.
It will probably take four or five times the time it takes now to launch the venerable IDE Of course, it would be applicable to concrete cases not eclipse and only sensible classes would be encrypted election of the developer, of course.
For the signing scheme to be hard to break, the key needs to be inaccessible. Gryphius 53k 5 36 Sign up or log in Sign up using Google. Sign up using Facebook.
Protect Your Java Code — Through Obfuscators And Beyond