Java JAR保护
[英]Java JAR protection
问题描述
I've coded a Java app and I plan to distribute it online. 
我已经编写了Java应用程序的代码,并打算在线分发它。 Each release will be locked with a secret serial key I made. 每个发行版都将使用我制作的秘密串行密钥进行锁定。
I need to secure my jar file from decompiler etc. Here is what I've done so far: 我需要从反编译器等保护我的jar文件。这是到目前为止我所做的:
- User enters his serial key into a form 用户将其序列号输入表单
- The serial is sent to my dev server through a php script 该序列通过php脚本发送到我的开发服务器
- The script generates a new jar bin file which is encrypted in AES 128 该脚本生成一个新的jar bin文件,该文件在AES 128中加密
- My "loader" downloads the jar file as bytes and decrypts it. 我的“加载程序”将jar文件下载为字节并解密。
- It invokes the main method. 它调用main方法。
- User can use the app as he like to 用户可以随意使用该应用
- User close the app 用户关闭应用程序
- The cache is cleared and everything returns to step 1 or before. 清除缓存,一切返回到步骤1或之前。
I've made the steps 1 to 3, but I need to know if it is possible to make a custom classloader that grabs bytes from HTTP, decrypts them and invokes the main method. 我已经完成了步骤1到3,但是我需要知道是否有可能创建一个自定义类加载器,该类加载器从HTTP抓取字节,解密并调用main方法。 As the file is fully crypted (saved as bin on the PHP server), I can't use a basic class loader. 由于文件已完全加密(在PHP服务器上另存为bin),所以我不能使用基本的类加载器。 About step 8, is it possible to unload content from the computer's memory? 关于步骤8,是否可以从计算机的内存中卸载内容?
2 个解决方案
解决方案1
5 2012-06-21 11:55:52
Yes, it is possible, but it's also useless. 是的,有可能,但也没有用。
Your classloader will be the weakest point of your security system. 您的类加载器将是安全系统的最薄弱点。 It cannot be encrypted, thus it will be relatively easy to decompile it. 它无法加密,因此反编译起来相对容易。
Now, as there is a place in the Classloader where you must have a decrypted class in a form of bytearray, the only thing an attacker will have to do, is to dump this byte array to a file. 现在,由于在类加载器中必须有一个必须以字节数组形式存储的解密类,因此攻击者唯一要做的就是将该字节数组转储到文件中。
Referring to dystroy 's code: 参考dystroy的代码:
classBytes = EncryptionUtil.decryptBytes(url, key);
// In this moment, classBytes contains unencrypted class.
// If an attacker adds:
//
// FileOutputStream fos = new FileOutputStream("some.name");
// fos.write(classBytes);
// fos.close();
//
// he will destroy all your security.
return defineClass(name, classBytes, 0, classBytes.length);
解决方案2
0 已采纳 2012-06-21 11:56:14
Yes, you can provide to a classloader the bytes you grab. 是的,您可以将获取的字节提供给类加载器。 I do it in a similar problem : 我在类似的问题中这样做:
public class SecureClassLoader extends URLClassLoader {
@Override
protected Class<?> findClass(final String name) throws ClassNotFoundException {
if (isEncrypted(name)) {
final String resourceName = name.replace('.', '/') + ".class";
URL url = findResource(resourceName);
if (url != null) {
byte[] classBytes = null;
try {
classBytes = EncryptionUtil.decryptBytes(url, key);
return defineClass(name, classBytes, 0, classBytes.length);
} catch (ClassFormatError e) {
log.severe("Bad format for decrypted class " + name);
throw new EncryptedClassNotFoundException(name, e);
} catch (InvalidKeyException e) {
throw new EncryptedClassNotFoundException(name, e);
} catch (IOException e) {
throw new EncryptedClassNotFoundException(name, e);
}
}
}
// default loader
try {
return super.findClass(name);
} catch (ClassNotFoundException e) {
throw new EncryptedClassNotFoundException(name, e);
}
}
private boolean isEncrypted(String className) {
/// some things
}
}
But this won't be sufficient to protect your code. 但这还不足以保护您的代码。 At the very least, don't use the same bytes for two users (you seem to do it). 至少,不要为两个用户使用相同的字节(您似乎这样做了)。 And obfuscate your code (I use proguard). 并混淆您的代码(我使用proguard)。 This will protect you against ordinary hackers, not the best ones. 这样可以保护您免受普通黑客的攻击,而不是最优秀的黑客。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.