WebApp Sec mailing list archives

Re: Code Cracking in Java


From: Rogan Dawes <discard () dawes za net>
Date: Wed, 12 May 2004 14:39:52 +0200


Chitresh Sen wrote:

[ ... a long essay about decompiling client-side java applications, and reverse engineering them to bypass client-side checks ... ]


In the above section I mentioned the vulnerabilities related to Java, but these vulnerabilities can be taken care of. Obfuscation can be used to scramble class files so that it becomes hard to understand the decompiled source code; there are tools available for obfuscation.

The solution for byte code manipulation is to implement hashing for a package: before starting an application, the hash should be calculated and compared with the server-side precalculated hash; only if both of them match should further execution be allowed.

Unfortunately, as you have demonstrated, it is not possible to control what happens on the client. This recommendation will only be bypassed by further reverse engineering, or byte code modification.

Another way to solve the problem is to implement server-side checks; no doubt it will affect the performance of the server.

The ONLY way to solve this problem is to implement server-side checks. No doubt it may affect the performance of the server (but then so does a client executing SQL-injection attacks, etc.).


Suggestions and Comments are Welcome!

Writing up the resources that you used to perform these modifications would be valuable, I think. For example, the location of the opcode lists, etc., would assist other people to perform similar activities.



Thanks!

Chitresh Sen

Regards,

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
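
The point made in the reply above, as an added Java example that is not part of the original thread: a package hash reported by the client is just another client-controlled field, so the server has to re-apply every rule itself. The order format, price list, hash value and method names are hypothetical and the data is constructed.

```java
import java.util.Map;

public class ServerSideCheckDemo {
    // Constructed sample data: the server's own price list and the hash it
    // expects an unmodified client package to report (both hypothetical).
    static final Map<String, Integer> PRICE_CENTS = Map.of("widget", 1999, "gadget", 4999);
    static final String EXPECTED_CLIENT_HASH = "constructed-sample-hash";
    static final int MAX_QTY = 10;

    // A request exactly as it arrives: every field is chosen by the client.
    record Order(String item, int qty, int unitPriceCents, String clientHash) {}

    // Weak: trusts the self-reported hash, then trusts the client's price.
    static int totalTrustingClient(Order o) {
        if (!EXPECTED_CLIENT_HASH.equals(o.clientHash()))
            throw new SecurityException("client integrity check failed");
        return o.qty() * o.unitPriceCents();
    }

    // Hardened: ignores the hash and the client's price; every rule the
    // client was supposed to enforce is enforced again on the server.
    static int totalServerChecked(Order o) {
        Integer price = (o.item() == null) ? null : PRICE_CENTS.get(o.item());
        if (price == null)
            throw new IllegalArgumentException("unknown item");
        if (o.qty() < 1 || o.qty() > MAX_QTY)
            throw new IllegalArgumentException("quantity out of range");
        return o.qty() * price;
    }

    public static void main(String[] args) {
        // A modified client can still report the expected hash, because the
        // code that computes and sends it runs under the client's control.
        Order tampered = new Order("gadget", 2, 1, EXPECTED_CLIENT_HASH);
        System.out.println("trusting client: " + totalTrustingClient(tampered));
        System.out.println("server checked:  " + totalServerChecked(tampered));
    }
}
```

The record syntax needs Java 16 or later. The hardened method never reads `clientHash` or `unitPriceCents`, so nothing a modified client sends in those fields can affect the total.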

