Question about native deploy vs Excelsior JET and their native deployment

Hello all, it’s been awhile so I hope everyone has been well! Forum got a revamp(again), and looks pretty good so far

I just wanted to ask a question about the deployment options, since I am new to dealing with native deployment, and all that good stuff. (if this shouldn’t go here, please move).

It seems the main points of making a JAR file native is to not only get rid of the need for the user to DL the JRE(as it’s bundled) but to also protect the code, since it’s been compiled to native.

I am curious about the specifics about JMonkey’s deploy, and how it differs from other deployment options like Excelsior JET?

I also am using JavaFX(another project), and they have a native deployment as well which I’m interested in.

Could I use JMonkey to deploy other Java applications to Native, or is that discouraged?

So basically it comes down to, will the JMonkey/FX deployments be sufficient enough for most applications? Also is there any real reason to purchase something like Excelsior JET?

http://www.excelsiorjet.com/features

Thanks everyone!

Depends really on your needs I would say.
(Eg how dumb is your average user)

But you can always write your own buildscript if the ones provided do not cover your case.

JME’s deployment option needs the user to have JRE (bundled or installed on pc), it is only a exe launcher that starts the main jar file, so everything goes in the Java VM.
To protect the code there you need to use any obfuscator (PM me if anyone have some working & tested with JME solution).

Excelsior JET is just an different thing, as far as I know it compiles the jar and jre into platform dependant executable, so the resuling binary does not have any java’s bytecode and don’t need jre, even bundled one. And it is much more harder to hack.
Excelsior JET is not free, you need to pay for it.

Thanks, this is what I needed to know. So we still need the Jar file and such in order to run? I sent the EXE and the lib folder to my desktop and it worked, but Idk if it was pulling info from the jar, I sent it to someone else to see what happens with them.

It seems that with the 3.1 release the native deployment is better, but we still need the jar, and it still runs on the JavaVM is what you’re saying, so peopel can still hack in?

I do see an obfuscator for Jmonkey in the build options, but mine required an rt.jar file which I’m assumign is here somewhere.

I am looking to protect my code completely, so users cannot get access to the code at all, and be able to bundle the JRE so that users can get into the application with minimal fuss.

I have read this article http://www.excelsior-usa.com/articles/java-to-exe.html about exe’s and also it mentioned about obfuscators and their dislikes on them, but they do have another article explaining about obfuscating as well.

Do you think it works well enough to do a good job? It seems native deployment is the way to go to fully protect it, at least with JET, it seems that we will have issues wit JMonkey.

Is this the same for JavaFX? Do we still need to use a Jar File, thus the code being open to people?

I know JET costs money (I don’t know if there are other ones like JET, but it seems to be the tried and true one, that has been around for awhile), but since this is a business project, it’s needed to protect the code, so paying for something like this shouldn’t be a big deal (not too sure if it’s a 1 time license or not).

Thanks for your time.

@Empire_Phoenix haven’t done that yet, not too sure what that requires either, not if it would do what I need.

Thanks all

Note: this is impossible. You can protect the .java file to some extent but code is always reverse-engineerable to some object or byte code… otherwise the computer wouldn’t be able to run it. All obfuscation does is make it harder to reverse engineer.

With every protection you need to aks yourself:

• how much will it cost you?
• what’s the chance that someone would be so desperate/skilled to break it, and how much (time) will it cost him.

If you want to write a single player game then any simple protection would be enough. The worst situation is that someone will spend hours, days, maybe weeks to understand the code and to find a bug, add god mode etc. And maybe share it on some forum. And maybe someone would even read it.

If your target is an MMO game then… be prepared. People will try to modify client to exploit bugs or make a bot, will try to ddos ypur server, will cheat you all the time. Because mmo means money and adrenaline. Everyone in the community wants to be better and have more than others. People wants to sell their stuff for real money, hack into others accounts etc. So you need a perfect, bugless server and well protected client with encrypted connection. The biggest the community is, the greater chance that someone will break your protections.

Well in the case of JET it’s more than just obfuscation, but in a sense, yes anything can “technically” be reverse-engineered, but if it’s extremely hard, then it’s not going to be something a lot of people will attempt.

Thanks, yeah that makes a lot of sense.

In my case, this isn’t just for JMonkey Applications, but for multiple applications that I am developing.

I also found it interesting that JET can do things with Tomcat deployed WebApps, and I wonder how far that will extend.

I am also in the process of trying to protect some of my Javascript and clientside code for another application that I’ve been working on, so it’s the same issue over there, except it seems you have a harder time being able to protect that code.

I’m looking into JScrambler for that instance.

Thanks for the help guys

Is there a way I can reply to 2 posts at once while quoting??? Can someone merge these 2 posts? Seems like I see a reply on both of their posts, and then my 2 replies?

Thanks :).

Well, it’s not something a lot of people would attempt no matter what you do.

In general, there seem to only be two reasons to “hide” code:

1. a mistaken belief that it will prevent cheating.
2. a mistaken belief that the code is so ‘special’ that someone will steal it and make millions instead of the author.

Maybe I have bad experiences from the past of having looked at pre-obfuscated and/or NDA protected code as part of contracts… but it was nearly 100% laughably bad and in 0% of the cases was worth protecting. Some little snippet of code just never seems to be that important in real life.

Could be that you are the special case.

Of course, also in the past I’ve reverse engineered binary code (even in bios) and that was back before there were nice tools to do it… stepping through the debugger line by line and making notes. After a while, you can even start to tell which kind of compiler generated that code and just short cut the notes. Now there are tools for it. And these days some people will do it just for fun. In fact, the harder you make it, the more fun it is.

Makes you have to stop and think what you are protecting, really.

It is enough if there is only 1 person who reverse engeneers it, ever wonderd why every game out there is cracked?
I fact by making it hard you might challenge some guys more than without it.

Only way (for multiplayer) to actually protect your code is, by not letting it run on a client, but on a controlled server.

In my opinion, if you can lock your code (house) then you should do it, even if your code (house) is protected by law. The level of protection ofc should be equal to your funds and the value of your code (house). Unprotected code (house) means that anyone can open it and do whatever he wants without any problem.
By locking your house you stop 99.99% of potential intruders.

Yes, but the point is that a simple bolt lock will keep 99.8% of potential intruders out. Or you can spend thousands and thousands of dollars in time and energer to keep the other 0.1 percent out but still let the rest of the 0.1% in. Though the fact that you’ve qualified it with “potential intruders” and not just “everyone” means I think you’ve vastly over-estimated the percentages… and this is a case where often the harder you make, the more likely it becomes that someone will crack it (especially if it’s a game).

For example, a lock on your door will keep 99.9% of “people who come to your house” from entering… but it will keep only maybe 20% of potential intruders out and it almost doesn’t matter what kind of lock it is. An alarm system will stop more… but the better your alarm system gets the more tempting a target you become. (This metaphor is kind of interesting because if things are as OP describes where he has few competitors, it might be enough to have the app phone home quietly with the has of the application code and let it stay tempting to grab the whole library so that the code stays in… but I digress.)

And in all cases, what they are doing is illegal so if they do it in an obvious way then they can be caught should anyone be willing to prosecute. In this case, you’d almost prefer that they took the code as completely and as unobfuscated as possible because it would be easier to prove infringement.

To the OP, if it’s a file format you are trying to protect… it would surprise me very much if that weren’t reverse engineerable just be running the app and poking random stuff into the file. If there’s money in it then someone has the time. And if there’s money in it, then there is a potential line of revenue by simply licensing that tech, I guess.

…I’ve done this with about a dozen binary files in my life. “Back in the day” it was quite common to write save game hacking utilities for games. They were never plain text. A few were compressed.

I don’t think it has been cracked yet not because of it being extremely difficult, but because of “not enough popularity”.

First comes how the Java language is treated. Many developers I know in my work place want nothing to do with Java and prefer .NET and Mono since you can do many things easier with that. Another is that there are many multiplatform tools that deploy naturally since they are natively written and use scripts to make development easier for desktop environment.

As soon as Java on desktop gets very popular again, Excelsior JET will be known and cracks will appear.

From the E-JET article it says it, and GGC-GNU (or something), have been around since 2000, so that is 15 years for people to have tried and cracked it. If there are cracks, then they would be out there, but this company has been around for a long time, so they seem to have their stuff together.

But I do not have to specifically go with JET, it is something I just found randomly when looking up Obfuscation and then about native deployment. DO you know of any other programs that do what JET does, and as good or better?

I’m not sure where Java’s popularity comes from, if it’s mostly from the web, or a mix of both?

Java’s popularity back in the day came as an alternative programming environment that was really easy to learn and work with and came with a lot of power. But on the desktop side, many can say that it lost the race.

Nowadays it comes with Android and web application development as well as a variety of electronic devices. It can gain back some ground.

15 years does not say that they are flawless. Someone I knew in college was a reverse engineering expert and mentioned that there is no system that cannot be hacked, the speed in which something is hacked depends on the popularity and demand of the system itself. 15 years, in realistic terms, means that not much effort has been done to hack it, and I hope it stays that way

It’s trivially provable, in fact. The computer can run it, ergo I can watch it run. At least in the world of the PC, that can even be done without any hardware hacking.

By the way, now you can buy charity bundle of standard version E-JET for even $10. And use it for commercial projects.

@KonradZuse It’s possible to put everything into a single MSI file under Windows with the WiX toolset or with some Java code (see Apache POI, especially POIFS i.e OLE2 filesystem).

I don’t like people who base their businesses on vendor lock-ins, it’s not fair competition and it’s not viable on the long term anyway.

Good luck.

Thanks, I’ll look into that, but I need more than the standard plan :).