Possible/Easy to decompile a Jar file?

Don't want to do it, just is it possible?

18 Replies - 2100 Views - Last Post: 30 August 2009 - 06:55 PM

#1 toggle

Posted 26 August 2009 - 12:23 PM

Hello.

I have finally finished a huge project I have been working on for several months. The problem is I rather stupidly left usernames and passwords to the databases that the software connects to via JDBC. To be honest, I can't be bothered to do a workaround or mess around with encryption.

The question is: since it is inside the source code, once compiled into a JAR, MSI, EXE etc. file, can a user decompile it back to source code and get all the usernames and passwords to the databases?

While we are on the subject: if it's possible to decompile those types of files, couldn't anyone just steal your work by decompiling it, slapping on their name, recompiling it and selling it as their own?


Thank you

Replies To: Possible/Easy to decompile a Jar file?

#2 syfran

Posted 26 August 2009 - 12:39 PM

My guess would be yes, they could probably get the username and password out of it.

#3 prankster

Posted 26 August 2009 - 12:57 PM

I know for a fact that you can decompile a .jar file because I have done it (on my own software of course :D). It is a very simple thing to do. Anyone with a computer that knows how to google can find software that will decompile a .jar. The best thing you can do would be to secure your info, or obfuscate your data.

#4 toggle

Posted 26 August 2009 - 01:42 PM

Hmmm, thing is I'm connecting to remote servers using JDBC with the username/passwords inside the program (as they are needed for connection).

Only thing I can think of is to just make those accounts read only so even if someone does find them out, no destruction can come from it.

Rather annoying thing is, if someone can decompile a JAR they could easily change around a few if statements and unlock the full program. I guess I will just have to distribute in exe, msi etc.

#5 Tanira

Posted 26 August 2009 - 02:53 PM

toggle, on 26 Aug, 2009 - 12:42 PM, said:

Hmmm, thing is I'm connecting to remote servers using JDBC with the username/passwords inside the program (as they are needed for connection).

Only thing I can think of is to just make those accounts read only so even if someone does find them out, no destruction can come from it.

Rather annoying thing is, if someone can decompile a JAR they could easily change around a few if statements and unlock the full program. I guess I will just have to distribute in exe, msi etc.


Hmm whenever I write programs involving usernames and passwords, I store those usernames and passwords in a .txt file of some sort. Not in the actual code. I don't know if that's safer or not. Just a suggestion.

#6 prankster

Posted 26 August 2009 - 03:08 PM

Tanira, on 26 Aug, 2009 - 01:53 PM, said:

Hmm whenever I write programs involving usernames and passwords, I store those usernames and passwords in a .txt file of some sort. Not in the actual code. I don't know if that's safer or not. Just a suggestion.


NOOOOOO, never put your passwords in a plain text file. The only time it would be safe to put them in a text file is if you are using some sort of encryption, and just checking to see if the encrypted strings match. Storing the password to something in plain text in a .txt file is a definite no.

#7 prankster

Posted 26 August 2009 - 03:14 PM

Here is a link to a snippet that makes using MD5 extremely easy:

http://www.dreaminco...snippet4039.htm

#8 mostyfriedman

Posted 26 August 2009 - 03:29 PM

Quote

I guess I will just have to distribute in exe, msi etc.


Still, the application can be reverse engineered.

#9 syfran

Posted 26 August 2009 - 04:18 PM

Will the different people you distribute it to need to access your specific server?

#10 pbl

Posted 26 August 2009 - 04:40 PM

DJ Java decompiler is free and works very well

#11 Tanira

Posted 26 August 2009 - 04:40 PM

prankster, on 26 Aug, 2009 - 02:08 PM, said:

Tanira, on 26 Aug, 2009 - 01:53 PM, said:

Hmm whenever I write programs involving usernames and passwords, I store those usernames and passwords in a .txt file of some sort. Not in the actual code. I don't know if that's safer or not. Just a suggestion.


NOOOOOO, never put your passwords in a plain text file. The only time it would be safe to put them in a text file is if you are using some sort of encryption, and just checking to see if the encrypted strings match. Storing the password to something in plain text in a .txt file is a definite no.


Well of course I use encryption. o.o But more meaningfully as long as I keep the passwords and usernames cut off from the users how would it get cracked?

#12 syfran

Posted 26 August 2009 - 04:45 PM

My question is: if the client side must access the database, is it even possible to keep the password/username secure, even with encryption?
If you already have a server, could it really hurt to make some sort of delegate program on it to access the database without security issues?

#13 virgul

Posted 26 August 2009 - 11:23 PM

Put the software up here, or give us a download link, I am curious as to how long it will take someone to produce your passwords.

If you still have the src code then you should be able to give us a different version than the release version.


This would be for your knowledge and for some fun. Also you can see if it is doable by a normal programmer.
~Just a thought...

#14 toggle

Posted 27 August 2009 - 05:42 AM

virgul, on 26 Aug, 2009 - 10:23 PM, said:

Put the software up here, or give us a download link, I am curious as to how long it will take someone to produce your passwords.

If you still have the src code then you should be able to give us a different version than the release version.


This would be for your knowledge and for some fun. Also you can see if it is doable by a normal programmer.
~Just a thought...


Heh, it wouldn't be hard. As long as you can decompile the JAR into its original source you only need to go to the class "connection" and there you have the URL, Username and Password.
Oh well, I guess it's with all programs. If a community wants to break the security of a program so badly they will always succeed. Take for example software/games by giant corporations investing thousands if not millions into protecting their software and it always gets bypassed. I'm unsure how an individual beginner developer will have any other outcome.


I'll just monitor the database on the server and just take appropriate action if there are 10 accounts called joesAccount online at the same time.

This post has been edited by toggle: 27 August 2009 - 05:43 AM


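What toggle describes in #14, seen from the release side: string literals and field names sit as readable text in each class file's constant pool, so a build can be checked for them before it ships. This is an added example, not code from the thread; the pattern, the stub JAR and every value in it (`db.example.invalid`, `appuser`, `constructed-pw-123`) are constructed.

```python
import io
import re
import struct
import zipfile

# Constant-pool tag -> payload size in bytes (JVM class file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SUSPICIOUS = re.compile(r"jdbc:|passw(or)?d|secret", re.I)  # assumed pattern

def utf8_constants(cls):
    """Yield every CONSTANT_Utf8 string in one .class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", cls, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index = 10, 1
    while index < count:
        tag, pos = cls[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", cls, pos)
            yield cls[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double take two slots

def audit_jar(jar_bytes):
    """Return (class file, string) pairs that look like connection secrets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                findings += [(name, s) for s in utf8_constants(jar.read(name))
                             if SUSPICIOUS.search(s)]
    return findings

def constructed_jar():
    """Constructed sample: a stub class file holding only a constant pool."""
    strings = ["jdbc:mysql://db.example.invalid/app", "appuser", "constructed-pw-123"]
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    pool += b"\x05" + struct.pack(">q", 42)  # a long: exercises the two-slot rule
    pool += b"\x01" + struct.pack(">H", 11) + b"DB_PASSWORD"
    cls = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 7) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("connection.class", cls)
    return buf.getvalue()
```

The pattern flags the JDBC URL and the password-like name; the literal password is in the same pool right beside them, so any finding is a reason to stop the release rather than to judge strings one by one.
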
#15 virgul

Posted 27 August 2009 - 11:59 AM

Host the passwords and accounts outside of the program, not to say on the person's computer but rather on your server. There you can manage 1 set of accounts and passwords and have the program access that for the login info.

So instead of having it go to, for example, ../src/connection then get the passwords from the local file, have it connect to a different part of your server that doesn't require a password to connect to. From here you can have your acct's and pass's encrypted or not, because you have just added an extra layer of security.

This is also a really good way to do it because now if you make new accounts you don't need to, depending on how you modeled your software, create a version for that person or release a patch for that password/account (which is the most insecure way in my opinion).

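The server-side delegate syfran raises in #12, together with the server-held accounts virgul describes in #15, as an added example that is not code from the thread: the client sends a per-user token and an action name, and only the server process holds the database login. Assumptions: an in-memory sqlite3 database stands in for the JDBC-connected one, and the tokens, table and action names are constructed.

```python
import hashlib
import hmac
import sqlite3

# Assumption: sqlite3 stands in for the remote database. In the thread's setup
# this process, not the shipped JAR, would hold the JDBC URL and password.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE items(owner TEXT, name TEXT);
    INSERT INTO items VALUES ('joe', 'report-a'), ('ann', 'report-b');
""")

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

# Per-user tokens, stored hashed (constructed values; real ones would be random).
TOKENS = {_digest("joe-token-constructed"): "joe",
          _digest("ann-token-constructed"): "ann"}

# The only statements a client can trigger; values are bound, never spliced in.
ACTIONS = {
    "list_items": "SELECT name FROM items WHERE owner = ? ORDER BY name",
    "add_item": "INSERT INTO items(owner, name) VALUES (?, ?)",
}

def authenticate(token):
    digest = _digest(token)
    for known, user in TOKENS.items():
        if hmac.compare_digest(digest, known):
            return user
    return None

def handle(token, action, *args):
    """Entry point the network layer would call for each client request."""
    user = authenticate(token)
    if user is None:
        return {"status": 401}
    if action not in ACTIONS:
        return {"status": 400}
    try:
        rows = DB.execute(ACTIONS[action], (user, *args)).fetchall()
    except sqlite3.Error:  # e.g. wrong number of parameters
        return {"status": 400}
    DB.commit()
    return {"status": 200, "rows": [r[0] for r in rows]}

def revoke(token):
    """Cut off one leaked client without changing the database password."""
    return TOKENS.pop(_digest(token), None) is not None
```

Because every request is tied to one user's token, the "10 accounts called joesAccount online at the same time" case toggle mentions becomes a single `revoke` call instead of a new release.
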