Classfile encrypt/decrypt

Attila Kelemen attila.kelemen85 at gmail.com
Wed May 3 22:59:28 UTC 2023


Just to not leave you hanging: Hiding keys inside the jvm.dll is
pretty much worthless; it would likely take less work to find than
your effort (especially since the JDK is open source, so it would be
trivial to place an initial breakpoint). Against trivial attempts,
even renaming (with a tool) is enough, and against non-trivial, you are
in a very difficult spot (even if you were to compile to native).

Henrik Buestad <henrik at buestad.net> wrote (on Wed, May 3, 2023,
8:43):
>
> The goal is to make it as hard as possible to break into our app and
> disable licence checking.
> What is best? (We have a tiny userbase of less than 100)
> 1) classfile obfuscation (and which tool is best for this)
> 2) AES encryption of classfiles where we hide the key inside the
> jvm.dll. (decrypt the bytes in jvm.cpp in jvm_define_class_common() line
> 846 in jdk17u)
> 3) both?
>
> I guess any lock can be picked, this is just a question of adding a
> "slightly bigger pad-lock" than just having compiled class files.
>
> Henrik
>
> On 2023-04-28 21:52, Alejandro Revilla wrote:
> > This reminds me of Bruce Schneier's quote:
> >
> >> "Anyone, from the most clueless amateur to the best cryptographer,
> >> can create an algorithm that he himself can't break."
> >
> > You can encrypt a class, but a) your private key will be somewhere
> > obfuscated in your code and b) once decrypted, you can dump it from
> > memory.
> >
> > Maybe in the future, the Panama project will facilitate running
> > certain tasks within, for instance, an SGX enclave or other TEE
> > environments.
> >
> > -- at apr [1]
> >
> > On Fri, Apr 28, 2023 at 10:32 AM Raffaello Giulietti
> > <raffaello.giulietti at oracle.com> wrote:
> >
> >> Hi,
> >>
> >> IIUC, the decryption key is distributed in some form with the desktop
> >> application.
> >> What is unclear to me is how the key is protected in turn.
> >>
> >> Greetings
> >> Raffaello
> >>
> >> On 2023-04-28 07:12, Henrik Buestad wrote:
> >>> Hi
> >>>
> >>> I don't know if this is the right place to post this, so have me excused.
> >>>
> >>> This might be naive, or a good idea?
> >>>
> >>> I have an issue with .class files in a desktop application. They can be
> >>> reverse engineered. Using GraalVM is unfortunately not an option since we
> >>> need to be able to load custom classes at runtime.
> >>>
> >>> I thought of an idea to be able to encrypt .class files using RSA and
> >>> then have a custom JDK VM with a natively compiled decrypter with a
> >>> private key. (The private key could be a configure option). I then just
> >>> need to tap into the code where the .class file is read from disk and
> >>> check if it starts with CAFEBABE. If not run it through the decrypter.
> >>>
> >>> Can somebody point me to which source file(s) I should start to mess
> >>> around in? I mean where is the classloader reading the .class file from
> >>> disk?
> >>>
> >>> As I said, this might be naive😅
> >>>
> >>> Best regards,
> >>> Henrik Buestad
> >>>
> >
> >
> > Links:
> > ------
> > [1] http://twitter.com/apr
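
The scheme discussed in this thread, sketched as an added example (not code from any poster or from the JDK): a loader checks for the CAFEBABE magic and otherwise decrypts before defining the class. The class name `MagicCheckLoader`, the demo key, the `IV || ciphertext` file layout and the use of AES-GCM in a plain `ClassLoader` (rather than inside jvm.dll) are assumptions made for illustration; compile with `javac` and run so the class can read its own bytecode as sample input.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.security.SecureRandom;
import java.util.Arrays;

// Plain class files start with the magic 0xCAFEBABE; anything else is
// treated here as 12-byte IV || AES-GCM ciphertext (assumed layout).
public class MagicCheckLoader extends ClassLoader {
    // Constructed demo key. Whatever form it takes, it ships with the client.
    private static final byte[] KEY =
            "0123456789abcdef".getBytes(java.nio.charset.StandardCharsets.US_ASCII);

    static boolean hasClassMagic(byte[] b) {
        return b.length >= 4 && (b[0] & 0xFF) == 0xCA && (b[1] & 0xFF) == 0xFE
                && (b[2] & 0xFF) == 0xBA && (b[3] & 0xFF) == 0xBE;
    }

    static byte[] crypt(int mode, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(data); // throws AEADBadTagException on a tampered file
    }

    // Returns bytes ready for defineClass(); from here on the plaintext
    // bytecode exists in process memory regardless of how it was stored.
    static byte[] toClassBytes(byte[] onDisk) throws Exception {
        if (hasClassMagic(onDisk)) return onDisk;
        byte[] iv = Arrays.copyOfRange(onDisk, 0, 12);
        return crypt(Cipher.DECRYPT_MODE, iv, Arrays.copyOfRange(onDisk, 12, onDisk.length));
    }

    Class<?> define(String name, byte[] onDisk) throws Exception {
        byte[] plain = toClassBytes(onDisk);
        return defineClass(name, plain, 0, plain.length);
    }

    public static void main(String[] args) throws Exception {
        // Sample input: this class's own bytecode, encrypted as a build step would.
        byte[] original;
        try (var in = MagicCheckLoader.class.getResourceAsStream("MagicCheckLoader.class")) {
            original = in.readAllBytes();
        }
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, iv, original);
        byte[] onDisk = Arrays.copyOf(iv, 12 + ct.length);
        System.arraycopy(ct, 0, onDisk, 12, ct.length);
        Class<?> c = new MagicCheckLoader().define("MagicCheckLoader", onDisk);
        System.out.println("magic on disk: " + hasClassMagic(onDisk)
                + ", defined " + c.getName() + " via " + c.getClassLoader());
    }
}
```

Both `KEY` and the array passed to `defineClass` are present in the client process, which is the limitation the replies point out.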


More information about the jdk-dev mailing list