Classfile encrypt/decrypt

Henrik Buestad henrik at buestad.net
Wed May 3 06:43:18 UTC 2023 

The goal is to make it as hard as possible to break into our app and 
disable licence checking.
What is best? (We have a tiny userbase of less than 100)
1) classfile obfuscation (and which tool is best for this)
2) AES encryption of classfiles where we hide the key inside the 
jvm.dll. (decrypt the bytes in jvm.cpp in jvm_define_class_common() line 
846 in jdk17u)
3) both?

I guess any lock can be picked, this is just a question of adding a 
"slightly bigger pad-lock" than just having compiled class files.

Henrik

Den 2023-04-28 21:52, skrev Alejandro Revilla:
> This reminds me Bruce Schneier's quote:
> 
>> "Anyone, from the most clueless amateur to the best cryptographer,
>> can create an algorithm that he himself can't break."
> 
> You can encrypt a class, but a) your private key will be somewhere
> obfuscated in your code and b) once decrypted, you can dump it from
> memory.
> 
> Maybe in the future, the Panama project will facilitate running
> certain tasks within, for instance, an SGX enclave or other TEE
> environments.
> 
> -- at apr [1]
> 
> On Fri, Apr 28, 2023 at 10:32 AM Raffaello Giulietti
> <raffaello.giulietti at oracle.com> wrote:
> 
>> Hi,
>> 
>> IIUC, the decryption key is distributed in some form with the
>> desktop
>> application.
>> What is unclear to me is how the key is protected in turn.
>> 
>> Greetings
>> Raffaello
>> 
>> On 2023-04-28 07:12, Henrik Buestad wrote:
>>> Hi
>>> 
>>> I don't know if this is the right place to post this, so have me
>> excused.
>>> 
>>> This might be naive, or a good idea?
>>> 
>>> I have an issue with .class files in a desktop application. They
>> can be
>>> reverse enginered. Using GraalVM is unfortunately not an option
>> since we
>>> need to be able to load custom classes runtime.
>>> 
>>> I thought of an idea to be able to encrypt .class files using RSA
>> and
>>> then have a custom JDK VM with a natively compiled decrypter with
>> a
>>> private key. (The private key could be a configure option). I then
>> just
>>> need to tap into the code where the .class file is read from disk
>> and
>>> check if it starts with CAFEBABE. If not run it through the
>> decrypter.
>>> 
>>> Can somebody point me to which source file(s) I should start to
>> mess
>>> around in? I mean where is the classloader reading the .class file
>> from
>>> disk?
>>> 
>>> As I said, this might be naive😅
>>> 
>>> Best regards,
>>> Henrik Buestad
>>> 
> 
> 
> Links:
> ------
> [1] http://twitter.com/apr

More information about the jdk-dev mailing list