Re: Code Cracking in Java
From: Rogan Dawes <discard () dawes za net>
Date: Wed, 12 May 2004 14:39:52 +0200
Chitresh Sen wrote:
[ ... a long essay about decompiling client-side java applications, and
reverse engineering them to bypass client-side checks ... ]

> In the above section I mentioned the vulnerabilities related to Java,
> but these vulnerabilities can be taken care of. Obfuscation can be used
> to scramble class files so that it becomes hard to understand the
> decompiled source code; there are tools available for obfuscation.
> The solution for byte code manipulation can be taken care of by
> implementing hashing for a package, and before starting an application
> the hash should be calculated and compared with the server side
> precalculated hash, if both of them match then only allow further

Unfortunately, as you have demonstrated, it is not possible to control
what happens on the client. This recommendation will only be bypassed by
further reverse engineering, or byte code modification.

> Another way to solve the problem is to implement server side
> checks; no doubt it will affect the performance of the server.

The ONLY way to solve this problem is to implement server side checks.
No doubt it may affect the performance of the server (but then so does a
client executing SQL-injection attacks, etc.).

Writing up the resources that you used to perform these modifications
would be valuable, I think. For example, the location of the opcode
lists, etc., would assist other people to perform similar activities.

> Suggestions and Comments are Welcome!

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
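
The point made in the reply above, as an added example that is not part of the original thread: a handler that trusts a hash reported by the client next to one that re-derives the result on the server. All class, field and method names, the price table and the hash placeholder are assumptions constructed for illustration.

```java
import java.util.Map;

// Added example: every name here (ServerSideCheck, Order, PRICES_CENTS,
// EXPECTED_CLIENT_HASH) is hypothetical and all values are constructed.
public class ServerSideCheck {
    // Server-owned catalogue: the only price source the server trusts.
    static final Map<String, Integer> PRICES_CENTS = Map.of("widget", 1500, "gadget", 4200);
    // Placeholder for the server's precalculated hash of the shipped client package.
    static final String EXPECTED_CLIENT_HASH = "PLACEHOLDER-HASH";

    // Everything in an Order arrives over the network from code the user controls.
    static final class Order {
        final String item; final int quantity; final int clientTotalCents; final String reportedHash;
        Order(String item, int quantity, int clientTotalCents, String reportedHash) {
            this.item = item; this.quantity = quantity;
            this.clientTotalCents = clientTotalCents; this.reportedHash = reportedHash;
        }
    }

    // Weak: the hash is self-reported, so a patched client can send the expected
    // value unchanged and the client-computed total is then accepted as-is.
    static int chargeTrustingClient(Order o) {
        if (!EXPECTED_CLIENT_HASH.equals(o.reportedHash)) {
            throw new SecurityException("client hash mismatch");
        }
        return o.clientTotalCents;
    }

    // Corrected: ignore client-side assertions and re-derive the result from server data.
    static int chargeServerSide(Order o) {
        Integer unit = PRICES_CENTS.get(o.item);
        if (unit == null) throw new IllegalArgumentException("unknown item");
        if (o.quantity < 1 || o.quantity > 100) throw new IllegalArgumentException("bad quantity");
        return Math.multiplyExact(unit.intValue(), o.quantity);
    }

    public static void main(String[] args) {
        // Constructed request: correct hash value, but a total the server never quoted.
        Order o = new Order("gadget", 2, 1, EXPECTED_CLIENT_HASH);
        System.out.println("trusting handler charges: " + chargeTrustingClient(o));
        System.out.println("server-side handler charges: " + chargeServerSide(o));
    }
}
```

The hash comparison in the first handler passes for any request that carries the expected value, so it says nothing about which code produced the request; only the second handler's result is independent of what the client sends.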