How can I protect my plugins

Discussion in 'Programming' started by ThatOnePluginGuy, May 25, 2020.

  1. If you want to make your plugins more secure, you should rename all method and class names to less obvious names. For example making it look like the license checker is actually a command, or things like that. It would therefore be necessary to disorganize the code to make it less understandable by a cracker. You have to put yourself in the shoes of the cracker.
    Then as a last step you can obfuscate, but try the first tips mentioned anyway.
  2. You can obfuscate the Plugin but it is possible to bypass this...
  3. Strahan


    That would only stop the most brain dead pirates, hehe
  4. This whole time I've been thinking about obfuscating it and having a download url to your own website. You can have a database with bunch of randomly generated strings (as a code). Then use (for example) PHP to extract the .jar file add a 'code.txt' to the .jar file and then the plugin will automatically look for the code file upon startup and verify that it is valid by sending a HTTP request to your website's API. When the first request is received to check validation you can log the IP and some other information to have a basic fingerprint (maybe include server version or idk).
    Maybe add a online/offline status so if there's a server online with that code already, it can't be used again.
  5. I'll check where is your code responsive for the verification and will modify its bytecode. Gonna take me some hours at most

    There's no perfect solution
  6. So you're talking about verifying the integrity of the file to confirm the legitimacy of the license and then downloading the full .jar file?

    this seems like a good idea, just remember that the full plugin must depend on the gateway and the gateway will remove the full .jar if the license is incorrect.
    Otherwise, anyone could repost the final .jar on a forum.
    • Optimistic Optimistic x 1
  7. Honestly, having spent a long time working on various forms of DRM and obfuscation - don't bother.
    You should open-source your plugin instead, you can still make money on it - take, for example, mcMMO, Citizens, EcoEnchants, Oraxen
  8. There's no ways to protect your plugin, just ways to slow leaking down by a lot, you won't get far with SpigotMC's policies though.
    • Agree Agree x 1
  9. I think that you can put some of your not often needed method(but important) on cloud (as an API), use HTTP to invoke a web API. Not leaving your code in JAR file will let them have no way to get your treasure. XD
  10. This is extremely easy to bypass.

    OP, do not bother, the spigot guidelines prevent you from making your plugin hard to read/secured against cracking, you will only damage your legitimate customers unless you get it only to renaming.
    • Agree Agree x 1
  11. True, Java programs are difficult to keep sucre.
  12. Strahan


    That would not be allowed here; plugins must be able to run w/o internet access.
    • Agree Agree x 1
  13. Oh, okay, I am just giving a way to protect the plugin, no other meaning. If it is not allowed here, it is better not to do this. Btw, if the plugin does have accesses to the internet, but it does not depend on the internet, is that legal?
  14. yes, your plugin can access the internet and use it as long as is not necessary to run it.
    • Like Like x 1
  15. You can create "parasite" code.
    Like renaming many methods to names that would mislead the cracker.

    For example for the class which checks licenses etc, you can rename it to "VersionChecker", and create a fake LicenseChecker class with content that seems consistent.

    You can do the same with the variables, the expected effect is to make the cracker go around in circles as much as possible.
  16. Got it, thanks! XD
  17. Ask Maxim, the author of FeatherBoard. According to leakers, his plugin "has an hours worth of antipiracy that we had to work through." (However, is not impossible to remove)
    If he wants, maybe he can guide you in the right direction.
    #40 Itaquito, Oct 19, 2020 at 2:36 PM
    Last edited: Oct 19, 2020 at 2:45 PM