Can you break this jar? Hacking challenge!

wonder

Expert
Licensed User
Longtime User


Can you break this jar?
So, I spent the weekend cooking up a "Data Integrity Protection" library in B4J.
In theory, any changes to the original source and/or compiled code should completely invalidate its use. As an example, such changes could be removing an ad banner.
It shouldn't matter if the jar file was directly hacked or if it was reverse engineered, my solution should provide the same level of protection.
UPDATE:
Regarding Erel's concerns, I decided to recompile the app without using obfuscation at all. In case this library is ever released, you should know that its cornerstone rests on a master password. You, the developer, should be the one to decide the method of embedding/providing this password to the application (not to the user). The only two ways that come to my mind would be either via obfuscation or http request/authentication.

That said, the goal of this challenge is to help me understand how strong this library can be, assuming that the user/hacker doesn't get his hands on the master password.

Because it would be very bad for us all to have anyone messing with the default obfuscation method, I'm providing you this app's master password: 123456

The challenge:
Consider a small app, sponsored by McDonald's, that reveals the hidden location of Atlantis, given that you're able to provide a certain secret code.
Your mission, should you choose to accept it, is to:
1. Remove the McDonald's ad.
2. Obtain the secret code.

Remember, although the master password was provided above, you have to pretend you have no access to it. Everything else is yours to hack.

How to do it?
You can either use a Hex Editor and make direct changes to the compiled class file or reverse engineer it using one of the many decompilers available online.
To make things easier, I'll even provide part of the source code:
B4X:
Dim HackMe as String
...
...
HackMe = "Hack me if you can!"
...
...
If HackMe <> "Hack me if you can!" Then
    label1.Text = "Congratulations! Your secret code is: " & [...]
End If

Jar File: http://www.ninjadynamics.com/stuff/hackme.zip

Unzip both files to your directory of choice.
Run the app from the command line (java -jar hackme.jar 123456) or use the batch file.
Tools:

May the odds be always in your favor! Happy hacking!

@Roycefer, @MarcoRome, @Informatix, I'd like to draw your attention to this thread.
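
An added illustration in Python (not wonder's library, whose internals the thread does not show): one way to make a code change "invalidate use" is to derive the decryption key from the master password together with a digest of the protected code, so a modified build can no longer open the sealed secret. The code bytes, the secret, the function names and the HMAC-based keystream are constructed stand-ins.

```python
import hashlib
import hmac

def derive_key(master_password: str, code_bytes: bytes) -> bytes:
    """Key depends on the password AND the exact bytes of the protected code."""
    code_digest = hashlib.sha256(code_bytes).digest()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), code_digest, 50_000)

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return hmac.new(mac_key, ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key (password or code) is wrong."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))

# Constructed sample data, not taken from hackme.jar.
ORIGINAL_CODE = b'ShowAd("McDonald\'s"): HackMe = "Hack me if you can!"'
TAMPERED_CODE = b'HackMe = "Hack me if you can!"'  # same code with the ad call stripped
SECRET = b"constructed-secret-code"
MASTER_PASSWORD = "123456"  # the password published in the post

# Done once by the developer at build time, against the untouched code.
SEALED = seal(derive_key(MASTER_PASSWORD, ORIGINAL_CODE), SECRET)

def open_secret(password: str, running_code: bytes):
    """What the shipped app would do at runtime with its own code bytes."""
    return unseal(derive_key(password, running_code), SEALED)

if __name__ == "__main__":
    print(open_secret(MASTER_PASSWORD, ORIGINAL_CODE))   # secret recovered
    print(open_secret(MASTER_PASSWORD, TAMPERED_CODE))   # None
```

The binding only holds while the hashing and unsealing code that runs is the genuine one, which is the condition Informatix questions later in the thread for unprotected libraries.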
 

wonder

Small request, please make sure not to expose the string obfuscation methods.
No worries, I won't reveal anything, Erel!
If you feel this thread is improper and/or insecure, please proceed to close/delete it.
 

sorex

will have a look at it when I get home, my "work" day just ended.
 

wonder

Alright, the challenge is back. Please read the UPDATE section and remember that using the master password is cheating.

If this proves to be too easy or uninteresting, sorry for wasting your time.
On the other hand, if anyone thinks this lib could be useful, I will extend it to B4A.

By the way, the "secret code" has nothing to do with the master password.
They're two entirely different things.
 

sorex

the master password is the one in the batch file?

do I need to start with the batch file or not?
 

sorex

the key 2..............................7

the ocean is deep too
 

Informatix

At first glance, the idea is good (it seems that's the one I exposed in two public posts) but the implementation is full of errors. The protection scheme is very clear by reading the code and all is given to ease the hacker's work. If I find some time, I will hack it. Should not be difficult.
 

Informatix

Thank you! I believe @sorex broke it as well, I just don't know to what level yet.
Either way, it was fun while it lasted.
The main problem of your protection scheme is that nothing is hidden and you use only B4x libraries which are neither protected nor obfuscated, and easy to replace by a hacked version. The minimal protection, for example, is to use reflection to hide what you call, with all strings obfuscated. However all hackers know that and there are tools to analyse what's called by your app at runtime. There are other errors in your code that ease the hacking. I created a guide that explains how to avoid these errors and really protect your Android app (ProtectMyApp). It's not free as it required a lot of work and reading to find a really secure solution. I attach to this post a basic example that anybody can try to hack (try to change anything but the beach image must be still displayed).

EDIT: I fixed a bug in the attached APK so I uploaded a new version.
 

Attachments

  • HelloWorld_final.apk
    373.3 KB · Views: 181

sorex

Thank you! I believe @sorex broke it as well, I just don't know to what level yet.

I gave 2 hints in post #10 that I only can know when having broken the code or this as well...
 

Attachments

  • app.png
    5.7 KB · Views: 231