bgnahm wrote:What stops me from running your code on a self-compile JVM which changed ClassLoader.defineClass() to simply dump the byte that's passed in? That way I've easily broken your entire "protection".
currently I'm working on a protection system which will be able to protect ( encrypt ) on method level. This means you can select a method from a class which you want to protect and only this method will be protected from reverse engineering.
bgnahm wrote:Then I can go on and dump a stacktrace together with the bytecode and I'll have a pretty good idea which method you're trying to re-build.
You will not gain anything from it, than having a randomly generate class which only contains one single method from a class which can have 1000s of methods.
bgnahm wrote:You change visibility on a Method object or a Field object.
... the problem is changing the visibility seems to have no effect
After I changed the visibility to public each access to a private field triggers an IllegalAccessException, what implies that changing the visibility of an already instanciated class is not possible.
Any hints what i do wrong or how i can solve the problem.
The bytecode from the selected method is cut out and saved somewhere.To get around this
1. the original bytecode is loaded by identifying the caller via Reflection.getCallingClass(2); This returns a class object of the calling class. In my case it is the class where the original method was cut out.
Hehe. You obviously do not work in the DRM business
or even in a security related area.Wrong.
I do for a well known company. Nobody said that this will be uncrackable and I totally agree with you that as long as code is executed in a certain environment you can crack it. But there is also one thing for sure: The more more work a cracker will have to invest in order to crack an application the less crackers have the motivation to do so. BTW, i do not develop that protection system for "my" application. Its a system for our customers and we have similar systems for different architectures like .Net, intel processor, arm and so on. This method will definitivly work ( coupled together with our hard or software key system ). We have experience in .NET and the success legitimates the effort we invest.All very well. While personally I don't think it's a good idea to go that path, it's perfectly valid to do it as long as you are aware of its limits. I was just trying to make sure that you knew those limits before you went there (remember: all I knew about you was that post).
Maybe one day you will face a application protected by our system. If it will happen tell me how long it took you ;)I have no interest to break such a protection scheme. Usually it isn't legal and more often than not the results wouldn't be worth the invested time.
bgnahm wrote:And how do you define "more work". Unless missing something doesn't seem to be secure. Unless you have a different definition of security.
Nobody said that this will be uncrackable and I totally agree with you that as long as code is executed in a certain environment you can crack it. But there is also one thing for sure: The more more work a cracker will have to invest in order to crack an application the less crackers have the motivation to do so.
JoachimSauer wrote:A little correction for completeness sake: I would be interested in attempting to break such a protection out of curiosity, but the legal issues and my limited time makes it unlikely that I'll do so in the near future.Maybe one day you will face a application protected by our system. If it will happen tell me how long it took you ;)I have no interest to break such a protection scheme. Usually it isn't legal and more often than not the results wouldn't be worth the invested time.
@JoachimSauer: There is no need to absolutely secure the code of a certain application.
Because if you do so there is no need for a business at all.I can't follow that line of thought, sorry.
Es geht nicht darum die perfekte Sicherheit zu schaffen, die gibt es nicht in einer Realität in der eine Applikation auch benutzt werden soll.Einfach: Web-Anwendungen können ohne weiteres genutzt werden ohne dass jemand den Code zu sehen bekommt.
bgnahm wrote:I'll keep my answer english for the benefit of other readers ;-)
@JoachimSauer: Ich habe mich da schlecht ausgedrückt...."in einer Realität in der nicht jede Applikation eine Web-Application ist und unser Kunden ihre Standalone-Applications schützen wollen."
Ich hoffe damit wird das Problem klarer, wobei es hier wohl schon fast um eine "religiöse" Frage geht.No problem, I'll let it rest from here on. As I said: personally I don't think this is the correct approach, but I won't stop anyone from trying it unless that someone thinks that he's able to achieve perfect security this way. Then I'll try to teach them the limits of this approach.