I want to prevent decompiling for my game client.
Is there a option I can some how protect the .jar file with .htaccess or any other method so the client (Browsing user, that loads the client via a applet) won't be able to get the file & decompile it.
I always wondered if there is a solution for this, is there? Maybe creating a crypt code, and whenever the server tries to get the client jar, it will send a crypt code via GET, if the crypt code matches, it will load the client from that page, I don't know, there should be a solution ?
Thanks!
For a browser to execute an applet, it needs to download the jar file containing the applet code. An if it downloads it, it's available for decompilation. To protect you against that, you can obfuscate the byte-code, or not use an applet at all, and simply use a traditional web application, where the code is at server-side, and the client only see HTML and JavaScript code.
No. You could stop the browser getting the file, but then it would be unable to run it.
Maybe creating a crypt code, and whenever the server tries to get the client jar, it will send a crypt code via GET, if the crypt code matches, it will load the client from that page,
The user could see the code and still get the file.
There is nothing you can do to prevent the user getting hold of the unencrypted bytecodes.
NOTHING.
The user's machine needs the applet's bytecodes in unencrypted form in order to execute them. Since a user (with sufficient knowledge) has totally control over what his machine does, you can assume that control will extend to allowing him / her to intercept the bytecodes at some point where they have been decrypted.
And if the user can intercept the applet's bytecodes, then he / she can change them to defeat any clever stuff you put into the code. And that includes changing the bytecodes to defeat any measure that you use to detect changes to the bytecodes.
"just make it so they have to use it in the browser then check if they are accessing it from our url" Could that work?
Nope. The user can modify the applet to remove that check.
"you could also make php create a session variable with a hash in and check if that hah is present and matches our hashing algorithm"
Nope. The user can modify the applet to remove that check too.
I don't know, there should be a solution ?
Unfortunately, there is no practical solution ... apart from running everything that needs protecting on the server side.
By the way, this problem is not unique to Java. Someone with the technical knowledge and the motivation can defeat any tamper protection measures in Javascript too, or even in native code plugins that you get the user to install (if he is foolish enough).
Related
I am writing a web based version control system and when a user checks out a code file it is automatically copied to a shared network folder that they have access to. I would then like to automatically open that file on their computer with whatever their default program is for that file type. I do not want the user to have to download and then open the file as it needs to all be automated.
I tried writing a java applet but am hitting some road blocks and before I go further would like to know what people think would be the easiest or best way of implementing this functionality. I would prefer the user to not have to install a piece of software prior to using the system. That was my purpose in initially trying an applet.
I appreciate any advice or recommendations.
I decided to go with writing a client-side protocol handler that I could invoke by redirecting the browser to "myprotocol:data". Unfortunately it involves some client-side setup as they need the protocol handler but it is very simple, basic, and lightweight as well as event driven so no listener is necessary.
So I am creating a JApplet Game, and I am saving the users info to a .txt file in the APPDATA. Is there a safer way to save their info, that won't allow them to edit it to cheat?
Basically, the only way to prevent cheating is to have a server under your control calculate the score and otherwise enforce game rules. If you were writing a peer-to-peer game, there might be some protocol to allow users to determine if another player was cheating without involving you. ACM sigecom regularly publishes research about such protocols. However, because of the restrictions of the applet security model, users would need to grant your applet special permission for it to talk directly to other users anyway.
Speaking of that, I would advise against "saving the user's info to a .txt file". %APPDATA% is Windows-only, thus breaking "write once run anywhere"; and the default applet sandbox does not allow reading or writing local files, so you'd have to sign the applet and convince your users that it was special enough to merit such elevated privileges.
However, you do have a few options for applet/server communication:
REST calls using java.net.URL
SOAP calls (there are several libraries for this)
RMI (only if the server is written in Java)
Your own custom protocol over TCP
Applets can't read and write cookies directly, but JavaScript can, and JavaScript can call methods on applets. One last way to pass information from the server to the applet (but not back out) is through PARAM tags. You could even pass initial game-state data signed by the server's private key and base64 encoded in a PARAM tag; which would prevent anyone from "editing" it, although I can't think of any way to completely prevent cheating if something about the game-state is supposed to be hidden from the player but known within the applet code.
I'm looking for a elegant way to create a queue for serving up batch compiled applets.
I have hacked together a SQL and PHP script to handle this but it chokes under mild loads.
is there an existing system that can handle taking a list in SQL and serve the applets in descending order each time it is requested. I'm also trying to handle this all server side as well.
The trick would be getting file001, then file002 ++ ect. to get served each time a web page is loaded. I'm batch creating applets that has a slightly modified background and I'm trying to serve a never been used applet waiting in the queue to load each time the a page is requested.
Is there a applet server I can tweak or does look like something that needs to be built?
No, I have never heard of a "batch compile applet server".
Could you maybe explain in more detail why you feel this is necessary?
Why don't you just use the same class and pass parameters to it?
That said, you can do compilation on demand quite well with e.g. ant and / or CruiseControl. You could put the pre-compiled applets into a directory. Then your PHP frontend just needs to keep track of what applet it delivered last, and fetch the next one the next time.
Still, this sounds rather complicated to me; so maybe you could explain your motivation.
In particular, why do you want a new applet on every reload? Would that not be rather confusing? Why not offer a link for each variant, so the user can choose?
I have a java applet, I want to make sure that nobody use it outside a specific url. How can I achieve that?
The applet connects to a Java server for data exchange. I want to check on the server side the page url that contains the applet. Is that possible?
I have a java applet, I want to make sure that nobody use it outside a specific url. How can I achieve that?
You can't.
You can make it less easy.
Plain Java is trivially decompiled and manipulated by any decent developer. Even after obfuscation, it wouldn't be very difficult to circumvent any protection; changing "boolean checkAppletOrigin()" to always return true is not very difficult.
Think about what you are trying to achieve, and you might be able to find an alternative solution.
In your applet you can call the applet method getCodeBase() which will give you what URL the applet is running on pass that along with the data passed to the server that will give you a check that the applet is being run from where you wanted.
There are a few problems such that the web traffic to the server if not encrypted or protect somehow could be spoofed and this check could be gotten around. But it would be much harder to do then just reposting the applet somewhere new.
I need to create an application "dll, script or exe" which when the user upload on a folder on his server using his ftp, it will automatically run on the current folder and do some image manipulations in the folder images,
My Question is how to make something like this, which the user will not need to configure anything on his server, all what he want is upload in the right folder, and it will run automatically and keep running
Is it possible? How do it? Which Language to use?
UPDATE: I am targeting shared hosting server, which the user have no way to configure his server OS, about the OS, lets start saying its just windows.
I know that "Not possible" may be the right answer, and also "its a virus" may be another answer, i just want to know if its possible or should i think in another new way.
Everything I have read in this question screams "security vulnerability exploit". Since it's one of the main things hosting companies are making sure doesn't happen, I would say your chances are very slim to have that work.
However, if it's a web server, with something like CGI or PHP enabled, you could leverage that by uploading a CGI or PHP script in a place it can be run, and then calling it through a browser, thus doing whatever file manipulations you need... Things like safe mode, reserved or virtual directories could get in the way, but I think there is a better chance of that working.
Hmmm... is this a Window's or Linux machine? If this were on Windows, I would say create a C# service that uses FileSystemWatcher to listen for changes to the FTP folder and do your processing. As a service, it has no user interface and can run automatically on bootup.
Yes, there is!
http://en.wikipedia.org/wiki/Self_(programming_language)
One way I can think of is to use C# directory monitor. So whenever it found out a file is created in the folder it opens it up, checks the file type and executes it if it is an executable. However, you do have to watch out for incomplete file uploads though.
which the user will not need to configure anything on his server
What's the rationale of this requirement?
What's wrong with doing an initial configuration?
What's the target server? Is it linux, window, both?
Please be more specific.