Home/ Questions/Q 8119899
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T04:57:00+00:00

I’ve coded a Java app and I plan to distribute it online. Each release

  • 0

I’ve coded a Java app and I plan to distribute it online. Each release will be locked with a secret serial key I made.

I need to secure my jar file from decompiler etc. Here is what I’ve done so far:

  1. User enters his serial key into a form
  2. The serial is sent to my dev server through a php script
  3. The script generates a new jar bin file which is encrypted in AES 128
  4. My “loader” downloads the jar file as bytes and decrypts it.
  5. It invokes the main method.
  6. User can use the app as he like to
  7. User close the app
  8. The cache is cleared and everything returns to step 1 or before.

I’ve made the steps 1 to 3, but I need to know if it is possible to make a custom classloader that grabs bytes from HTTP, decrypts them and invokes the main method. As the file is fully crypted (saved as bin on the PHP server), I can’t use a basic class loader. About step 8, is it possible to unload content from the computer’s memory?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, you can provide to a classloader the bytes you grab. I do it in a similar problem :

    public class SecureClassLoader extends URLClassLoader {

    @Override
    protected Class<?> findClass(final String name) throws ClassNotFoundException {
        if (isEncrypted(name)) {
            final String resourceName = name.replace('.', '/') + ".class";
            URL url = findResource(resourceName);
            if (url != null) {
                byte[] classBytes = null;
                try {
                    classBytes = EncryptionUtil.decryptBytes(url, key);
                    return defineClass(name, classBytes, 0, classBytes.length);
                } catch (ClassFormatError e) {
                    log.severe("Bad format for decrypted class " + name);
                    throw new EncryptedClassNotFoundException(name, e);
                } catch (InvalidKeyException e) {
                    throw new EncryptedClassNotFoundException(name, e);
                } catch (IOException e) {
                    throw new EncryptedClassNotFoundException(name, e);
                }
            }
        }

        // default loader
        try {
            return super.findClass(name);
        } catch (ClassNotFoundException e) {
            throw new EncryptedClassNotFoundException(name, e);
        }
    }

    private boolean isEncrypted(String className) {
        /// some things
    }
}

    But this won’t be sufficient to protect your code. At the very least, don’t use the same bytes for two users (you seem to do it). And obfuscate your code (I use proguard). This will protect you against ordinary hackers, not the best ones.

    • 0