堆栈内存溢出
  简体   繁体   English

如何检查我的 jar 文件没有被修改?

[英]How to check that my jar file is not modified?

 原文  2020-04-18 01:21:07       java/ security

问题描述

I hope you're doing well in these complicated times, good containment all around:D我希望你在这些复杂的时期做得很好,周围都有很好的遏制:D

So I come to my problem, currently I'm working on a game in Java and I know that it's possible to modify the jar file of my game which annoys me a little bit because it can give cheating possibilities for malicious players... I had thought of a solution even if it's not infallible, it would be to make sure to check if the jar file has not been modified.所以我遇到了我的问题,目前我正在开发 Java 的游戏,我知道可以修改我的游戏的 jar 文件,这让我有点恼火,因为它会给恶意玩家带来作弊的可能性......我已经想到了一个解决方案,即使它不是万无一失的,那就是确保检查 jar 文件是否未被修改。 But the problem is that I don't know how to check this, I had thought of a system that would check the point of the file even if I doubt it would be the best solution.但问题是我不知道如何检查这一点,我曾想过一个系统会检查文件的点,即使我怀疑它是否是最好的解决方案。

If you have any other ideas to secure my game I would be interested:D如果您有任何其他想法来保护我的游戏,我会很感兴趣:D

3 个解决方案

解决方案1
 3 已采纳  2020-04-18 05:24:34

It is possible to check if a JAR file on your machine has been modified.可以检查您机器上的 JAR 文件是否已被修改。 Simply compare a cryptographic hash of the current JAR file with a previously recorded hash for a pristine copy.只需将当前 JAR 文件的加密 hash 与先前记录的 hash 进行比较即可获得原始副本。 (Or just do a byte-by-byte comparison with the pristine copy.) (或者只是与原始副本进行逐字节比较。)

But you can't do this for JAR file on the user's machine :但是您不能对用户机器上的JAR 文件执行此操作:

  • You can't login to the user's machine and access their file system to look at the JAR file.您不能登录到用户的机器并访问他们的文件系统来查看 JAR 文件。 (Even if you could, there is no guarantee that you would see the file that the cheater is actually using.) (即使可以,也不能保证您会看到作弊者实际使用的文件。)
  • If your application (running on the user's machine) tries to report on the integrity of its JAR files, this can be defeated by the cheater.如果您的应用程序(在用户机器上运行)试图报告其 JAR 文件的完整性,这可能会被作弊者打败。 All they need to do is to modify the JAR file containing the reporting code to report a fake hash.他们需要做的就是修改包含报告代码的JAR文件以报告hash。

Basically, there is no reliable way to detect that a cheater is running a modified JAR... apart from detecting the anomalous behavior of the cheat itself.基本上,除了检测作弊本身的异常行为之外,没有可靠的方法来检测作弊者正在运行修改后的 JAR...。

But think of it this way.但是这样想。 If there was a good (reliable, no circumvention) mechanism for detect that a cheater is running a modified client, then cheats would not be a problem in the many online games that exist out there.如果有一个好的(可靠的,没有规避的)机制来检测作弊者正在运行修改过的客户端,那么在现有的许多在线游戏中作弊就不会成为问题。 And (by extension) there would be no way to defeat software license enforcement schemes... because software vendors would use a similar mechanism.并且(通过扩展)没有办法击败软件许可证执行计划......因为软件供应商将使用类似的机制。

So, my advice would be not waste too much time on this approach.所以,我的建议是不要在这种方法上浪费太多时间。 It only works against people with limited technical expertise or limited motivation.它仅适用于技术专长或动机有限的人。

The only way to completely prevent cheats is to control the platform on which the client runs.完全防止作弊的唯一方法是控制客户端运行的平台 That is usually impractical.这通常是不切实际的。

解决方案2
 1  2020-04-18 02:07:52

In regards to your question about other ideas, the best thing you can do is validate everything from the client .关于你关于其他想法的问题,你能做的最好的事情就是验证来自客户的一切 One thing you should always remember is that the client cannot be trusted because you cannot verify anything from it.您应该永远记住的一件事是客户端不能被信任,因为您无法从中验证任何内容。 All you can do is store the state on a remote server and when the client tells you something, validate it, and give a response if necessary or prevent the action if necessary.您所能做的就是将 state 存储在远程服务器上,当客户端告诉您某些事情时,对其进行验证,并在必要时给出响应或在必要时阻止该操作。

解决方案3
 0  2020-04-18 01:40:02

You will need to somehow find out where the jar file is: Java - Search for files in a directory您将需要以某种方式找出 jar 文件的位置: Java - 在目录中搜索文件

Then you can check for the last modified date of the file: https://www.boraji.com/java-get-last-modified-date-of-a-file然后您可以检查文件的最后修改日期: https://www.boraji.com/java-get-last-modified-date-of-a-file

However, I would not consider this a very powerful defense against cheating, because one can modify the jar file and remove the validation of the file date.但是,我不会认为这是对作弊的非常强大的防御,因为可以修改 jar 文件并删除文件日期的验证。

You will need to think about the kind of cheating that can occur and to come up with other security measures as well.您将需要考虑可能发生的作弊类型,并提出其他安全措施。

EDIT编辑

As Dave Thompson pointed out, the modified timestamp can be changed as well, which makes the modification of the jar file unnecessary, even though reverse engineering is still needed by the hackers, because that's how they find out what the rules of the application are.正如 Dave Thompson 所指出的,修改后的时间戳也可以更改,这使得 jar 文件的修改变得不必要,即使黑客仍然需要逆向工程,因为这是他们找出应用程序规则的方式。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何检查jar文件的大小? - How do I check the size of my jar file? 如何自动将修改后的类文件更新为目标.jar文件? - How to update only modified class file into destination .jar file automatically? 如何检查JAR中是否存在JAR文件和特定文件? - How to check existence of a JAR file and a specific file inside JAR? 我使用 Maven 打包的 jar 是否会有我修改后的 jar 依赖项? - WIll my packaged jar using Maven have my modified jar dependencies? 如何在Java jar文件中检查CVE - How to check for CVE s in java jar file 如何检查 JAR 文件是否有效? - How can I check if a JAR file is valid? 如何检查jar文件依赖项 - How do I check jar file dependencies 执行期间修改了JAR文件 - JAR file gets modified during execution 如何检查文件是否在程序外部被修改? - How to check if a file has been modified outside the program? 如何使用jsoup检查网站上pdf文件的上次修改时间 - How to check last modified time of a pdf file on a website using jsoup
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM