6

I'll get right to the point so you don't have to read a lot.

Basically, I have an AES-128bit Encrypted Jar file. I want to make a launcher so that I can load this encrypted Jar into memory and run it (using the key).

I have a simple Class Loader working although unless I decrypt it to a directory and run it, it obviously won't do what I am needing (decrypt & memory load).

TL;DR: I need to make an AES-128bit Encrypted Jar run in memory.

Any help is much appreciated, feel free to ask questions!

Improve this question
10
  • 2
    If you want your code to be that secure you probably shouldn't be writing it in one of the most easily decompiled languages out there. It's possible to write a jar loader but there's no way to stop people from just dumping it from memory. Commented Oct 22, 2011 at 10:17
  • It needs to be compiled in Java. Not because I can't code in other languages but more of, other languages don't support what I'm doing. Commented Oct 22, 2011 at 10:24
  • @0x5f3759d And the same is true for C, C#,.. well absolutely any language. It may take 5minutes longer, but in the end if someone wants the jar file he'll get the key easily enough (set a breakpoint for CreateFile and consorts in the debugger, maybe add one for ReadFile with the found fd and you'll get it easily enough). Though I don't really see the problem here - what stops you from reading the file in and decrypting it if you already have your classloader? I.e. what is your actual problem? Commented Oct 22, 2011 at 10:27
  • 1
    @Voo I'm not aware of anything that does even a remotely good job of decompiling compiled C/C++ code back to source files. You can of course look at the assembly but having nearly original code like Java/.NET provides makes decompiling much easier. Commented Oct 22, 2011 at 10:30
  • @0x5f3759df I'm not saying "decompile the whole program and look through millions of unreadable c lines", I'm saying "check when he opens/reads the file and follow the handful lines until he decodes it" - and that's trivial in both/all languages. Heck if you use an imported function to decode the file it's even more trivial. Commented Oct 22, 2011 at 10:31

2 Answers 2

Reset to default
8

For sample code on how to load a jar/class from byte[] (which should be the result you get after decrypting it in memory/no need to save it anywhere in the filesystem) see http://www.javaworld.com/javaworld/jw-10-1996/indepth/indepth.src.html

Basically you need to use defineClass to achieve what you want.

BUT beware that this offers no real security since all ends up (after decryption) as Java Byte code in memory and can thus be accessed/manipulated/saved etc.

A little bit of security would be possible by implementing a custom JVM and/or pre-JITing the code so that it is native... for some information see for example How to create encrypted Jar file?

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks! I'll have a go at this at let you know how it works. I was also thinking that an easier option would be to create a temp file that contains the decrypted jar/bytes. I load the temp jar into memory then delete it from the temp folder.
you are welcome... please don't forget to upvote/mark as accepted any answer that was of help!
I need to get 15 reputation before I can up vote it. But I'll be sure to when I reach 15 rep!
1

This article is a good read that illustrates nicely why air-tight protection of your code is simply not possible. You can make it harder, very hard even by staying as low-level as possible, e.g. compile your code down to native instructions that are not (cleanly) representable using regular language constructs.

But you should keep in mind that in any case, ultimately your encrypted data will have to be decrypted using some key and this key will, even if only briefly, but the important point is that it will, end up in memory. There's no way around this with common operating systems and hardware. So as a hacker you can always fall back to fetching the key from memory and work your way backwards from there on. Not something that average users are capable of, but it is certainly possible.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.