CRACKING STRING ENCRYPTION IN JAVA OBFUSCATED BYTECODE PDF
Advanced obfuscation techniques make de-compiled Java programs not re- compilable, thus to crack the target. mechanism of AspectJ  to render code obfuscation and string  Roubtsov, V., Cracking Java byte-code encryption, . Difficult to implement. – Of little benefit: The bytecode has to run! • No public/ private crypto offered. – Can it be implemented? • String encryption uses XOR type. string encryption. The latest version was released June 23, . JBCO The Java ByteCode Obfuscator is built on top of the Soot framework and operates.
|Published (Last):||13 November 2014|
|PDF File Size:||19.59 Mb|
|ePub File Size:||5.82 Mb|
|Price:||Free* [*Free Regsitration Required]|
Wouldn’t it be feasible to use asymmetric encryption to face this problem?
I mean, wouldn’t it be possible for Oracle to equip the JVM with a certificate and a ClassLoader capable of decrypt encrypted class files using the private key of this certificate? Of course, the classes would have been encrypted using the public key of this “unique oracle certificate”. I suppose that maybe it is not mathematically possible to protect this private key inside the JVM encrypting it in turn If you use symmetric algorithms and store the key in the JVM, it will be trivial to reverse engineer and find shring.
If you employ obfuscation to hide them, it becomes less trivial, but it can still be done. With public key crypto, the key doing the decrypting needs to be stored somewhere again. This is essentially a key storage problem nava the only difficult to reverse engineer problems are in hardware; even then, they get broken.
My answer on IT security concerning effective DRM protection methods covers this in a little more detail. If the private key is inside the JVM it will take literally minutes to hackers and crackers to get what that key is using reverse engineering.
Besides, classloader will probably be very slow if it has to use asymmetric encryption every time it needs to load a class. In any case, it’s impossible to protect private certificate at the client machine e. How do you imagine it?
If it was a plain text file, obviously it could be extracted. Obfuscared it was encrypted, the “second level” key would have to be on client machine as well so that JVM could use the private cert for code protection. So you would be able to extract that key, and consequently the private cert, as well.
If you have the complete program this is not hard to extract for a programmer. Any platform which can actually do this, has the key outside of reach for programmers.
Why not encrypt the Java bytecode instead of obfuscate it? Looking at the of effort some oragnizations do to obfuscate Java bytecode to avoid others to decompile it and extract secret information from the code, taking in account the limitations of this practice: The private key would be inside the JVM.
It is in general impossible to secure anything when the attacker is also the receiver or has full control over the receiver and all his secrets. At best, you can only delay a determined attacker.
Pablo Santa Cruz k 23 Even if it is feasible technically, it has important drawbacks, like multiple points of failures.
That’s true and definitely interesting. But it will make the classloader reaaaally slow.
cryptography – Why not encrypt the Java bytecode instead of obfuscate it? – Stack Overflow
I guess it could be cradking for certain scenarios where you really, really, really need to protect a Class’ content. Then the ClassLoader would efficiently decrypt this simmetric key, and use it the same way https works.
For the reverse engineering of the JVM to get the private key Butit’s still orders of magnitude slower than just opening and loading an unencrypted class. Let’s say you use this technique to encrypt Eclipse plugins. It will probably take four or five times obfuscatdd time it takes now to launch the venerable IDE Of course, it would be applicable to concrete cases not eclipse and only sensible classes would be encrypted election of the developer, of course.
Protect Your Java Code — Through Obfuscators And Beyond