Can you break this jar? Hacking challenge!

[wonder]

Can you break this jar?

So, I spent the weekend cooking up a "Data Integrity Protection" library in B4J.
In theory, any changes to the original source and/or compiled code should completely invalidate its use. As an example, such changes could be removing an ad banner.
It shouldn't matter if the jar file was directly hacked or if it was reversed engineered, my solution should provide the same level of protection.
​

UPDATE:

Regarding Erel's concerns, I decided to recompile the app without using obfuscation at all. In case this library is ever released, you should know that its cornerstone rests on a master password. You, the developer, should be the one to decide the method of embedding/providing this password to the application (not to the user). The only two ways that come to my mind would be either via obfuscation or http request/authentication.

That said, the goal of this challenge is to help me understand how strong can this library be, assuming that the user/hacker doesn't get his hands on the master password.

Because it would be very bad for us all to have anyone messing with the default obfuscation method, I'm providing you this app's master password: 123456​

The challenge:

Consider a small app, sponsored by McDonald's, that reveals the hidden location of Atlantis, given that you're able provide a certain secret code.
Your mission, should you choose to accept it, is to:
1. Remove the McDonald's ad.
2. Obtain the secret code.

Remember, although the master password was provided above, you have to pretend you have no access to it. Everything else is yours to hack.
​

How to do it?

Spoiler

You can either use a Hex Editor and make direct changes the compiled class file or reverse engineer it using one of the many decompiler available on-line.
To make things easier, I'll even provide part of the source code:

Dim HackMe as String
...
...
HackMe = "Hack me if you can!"
...
...
If HackMe <> "Hack me if you can!" Then
    label1.Text = "Congratulations! Your secret code is: " & [...]
End If

Jar File: http://www.ninjadynamics.com/stuff/hackme.zip

Unzip both files to your directory of choice.
Run the app from the command line (java -jar hackme.jar 123456) or use the batch file.
​

Tools:

Hex Editor: http://mh-nexus.de/en/hxd/
Decompiler: https://github.com/java-decompiler/jd-gui​

May the odds be always in your favor! Happy hacking!

​

@Roycefer, @MarcoRome, @Informatix, I'd like to draw your attention to this thread.

 

[Erel]

Small request, please make sure not to expose the string obfuscation methods.

 

[wonder]

Small request, please make sure not to expose the string obfuscation methods.

No worries, I won't reveal anything, Erel!
If you feel this thread is improper and/or insecure, please proceed to close/delete it.

 

[sorex]

We need to type in a code?

 

[sorex]

will have a look at it when I get home, my "work" day just ended.

 

[wonder]

-= REOPENED =-

Thank you for the interest guys!!
Due to some security concerns, I'm suspending this challenge for now.
It should be reopened by tomorrow.

 

[sorex]

tomorrow is here and my fingers are itching!

 

[wonder]

Alright, the challenge is back. Please read the UPDATE section and remember that using the master password is cheating.

If this proves to be too easy or uninteresting, sorry for wasting your time.
On the other hand, if anyone thinks this lib could be useful, I will extend it to B4A.

By the way, the "secret code" has nothing to do with the master password.
They're two entirely different things.

 

[sorex]

the master password is the one in the batch file?

do I need to start with the batch file or not?

 

[sorex]

the key 2..............................7

the ocean is deep too

 

[Informatix]

At first glance, the idea is good (it seems that's the one I exposed in two public posts) but the implementation is full of errors. The protection scheme is very clear by reading the code and all is given to ease the hacker work. If I find some time, I will hack it. Should be not difficult.

 

[wonder]

Thanks!!
This is my first attempt at something like this. I never expected any real success, but it was fun to believe I might have had something good.

 

[Informatix]

I just realized that's not an Android app so apktool (disassembler) does not work and I know nothing to B4J so I don't know how to repackage the files as expected. But I will explain in private how it can be hacked easily with a disassembler.

 

[Informatix]

I think that I broke the protection of your app. I sent everything in private.

 

[wonder]

Thank you! I believe @sorex broke it as well, I just don't know to what level yet.
Either way, it was fun while it lasted.

 

[Informatix]

Thank you! I believe @sorex broke it as well, I just don't know to what level yet.
Either way, it was fun while it lasted.

The main problem of your protection scheme is that nothing is hidden and you use only B4x libraries which are not protected nor obfuscated, and easy to replace by a hacked version. The minimal protection, for example, is to use reflection to hide what you call, with all strings obfuscated. However all hackers know that and there are tools to analyse what's called by your app at runtime. There are other errors in your code that ease the hacking. I created a guide that explains how to avoid these errors and really protect your Android app (ProtectMyApp). It's not free as it required a lot of work and readings to find a really secure solution. I attach to this post a basic example that anybody can try to hack (try to change anything but the beach image must be still displayed).

EDIT: I fixed a bug in the attached APK so I uploaded a new version.

 

[sorex]

Thank you! I believe @sorex broke it as well, I just don't know to what level yet.

I gave 2 hints in post #10 that I only can know when having broken the code or this aswell...