以编程方式找出是否对Java类进行了修补?
[英]Figuring out programmatically if a Java class was patched?
问题描述
Is it possible to figure it out programmatically, if anybody patched a class of a compiled code, especially in Android? 
如果有人修补一类已编译的代码,尤其是在Android中,是否可以通过编程方式解决? Example: My building (eg an .apk) contains a class PiracyCheck.class. 示例:我的建筑物(例如.apk)包含一个PiracyCheck.class类。 Is it possible to run at compile time some kind of 'checksum' of that class (executed by another class)? 是否可以在编译时运行该类的某种“校验和”(由另一类执行)? I imagine that I get any value from it, let's say abcdefg. 我想我可以从中获得任何价值,例如abcdefg。 If anybody patches this class, the checksum would be suddenly 123456 instead of abcdefg. 如果有人修补此类,则校验和将突然变为123456,而不是abcdefg。 I verify the checksum on a backend server. 我在后端服务器上验证校验和。 If the checksum was correct, then proceed, if not, abort. 如果校验和正确,则继续,否则,中止。 or there any better solutions to achieve that? 还是有更好的解决方案来实现这一目标?
(btw: If a cracker wants to repackage and resign the app, I would already be on the safe side, because I also check the signature, but I'm sure that anybody can bypass this check by decompiling and editing the bytecode itself, that means, a resign is not needed and the certificate won't change then). (btw:如果破解者想要重新打包并为应用程序重新签名,那么我已经很安全了,因为我还检查了签名,但是我敢肯定,任何人都可以通过反编译和编辑字节码本身来绕过此检查,表示不需要辞职,证书也不会更改)。
1 个解决方案
解决方案1
0 已采纳 2018-11-17 11:20:21
You can do some of those things. 您可以做一些这样的事情。 But you can't put them together into a system that will prevent someone from running a "cracked" version of your code. 但是您不能将它们组合到一个系统中,该系统将阻止某人运行代码的“破解”版本。
Is it possible to run at compile time some kind of 'checksum' of that class (executed by another class)?
If is possible to generate a cryptographic checksum of a class at compile time, record on the server side, or in the ".apk", or both. 如果有可能在编译时生成类的加密校验和,请在服务器端或“ .apk”中或两者中进行记录。
It is also possible to compute the such checksum on the client side. 也可以在客户端计算这种校验和。
What you can't do is force either the Android platform, or the hacked ".apk" to generate a truthful checksum: 您无法执行的是强制Android平台或被黑的“ .apk”生成真实的校验和:
I don't think that the Android platform provides this functionality, and if it did, it could be subverted on a "rooted" device.
我认为Android平台不提供此功能,如果可以,则可以在“有根”设备上进行颠覆。 Naturally, if someone went to the trouble of hacking your ".apk", they could subvert any "self checksumming" code in the ".apk" to deliver the original checksum rather than the checksum of the actual code.
自然,如果有人麻烦破解您的“ .apk”,他们可以颠覆“ .apk”中的任何“自我校验和”代码以提供原始校验和,而不是实际代码的校验和。
Either way, your server will see the checksum that it is expecting, rather than a valid checksum of the actual code. 无论哪种方式,您的服务器都会看到它期望的校验和,而不是实际代码的有效校验和。 It will be fooled. 它将被愚弄。
Basically, if you need to execute your code on a platform that is effectively in the control of the user, you cannot prevent the user from subverting your code. 基本上,如果您需要在有效控制用户的平台上执行代码,则不能阻止用户破坏您的代码。 The best you can hope for is to make it hard work for someone with the appropriate skills to do this. 您所希望的最好的办法就是使具有适当技能的人很难做到这一点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.