blocks|key|1312444|text|简而言之:不……对此没有万无一失的解决方案。问题是，向你发送高分的应用程序是在你不“信任”这个事务的人的控制下运行的。如果他们可以对代码进行反向工程，那么他们就可以在签名之前更改任何消息的内容。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1312445|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

In short: no... there is no fool-proof solution to this. The problem is that the application that sends you the highscores is running under the control of the person you don't "trust" in this transaction. If they can reverse-engineer the code, then they can alter the content of any message before it is signed.

blocks|key|11800|text|一旦你的程序的代码(无论是源代码、中间语言还是机器代码)掌握在别人的手中，他们可以做任何他们想做的事情，你不能确保他们不会滥用它。为了增加误用的难度，使用所有可能的方法来使逆向工程变得更加困难，但这并不能保证您不会误用。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|11801|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Once the code (no matter - source, intermideate language, or machine code) of your program is in someone else's hands they can do whatever they want and you can't be sure that they don't misuse it. To make misuse harder use all possible ways to make reverse engineering harder, but this won't guarantee you against misuse.

blocks|key|4115465|text|你就是做不到。这个问题没有真正的解决方案，只是越来越多的混淆和篡改检查(天哪，这只是浪费时间)。假设，每个程序都可以被反向工程、模拟和篡改。你对此无能为力。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|4115466|我唯一能想到的保护游戏结果不被篡改的方法是发送某种类型的游戏记录，这些记录可以回放并验证分数。然而，这并不能保护你的游戏不被机器人玩。只有当你的游戏世界是完全确定的时，这才适用。|4115467|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

You just can't. There's no real solution to this problem, just more and more obfuscations and tamper checks (IMHO, it's just a waste of time). Hypothetically, every program can be reverse-engineered, emulated and tampered. There's nothing you can do against that.

The only way I can think of keeping the game results safe from tampering is to send some sort of game recording which can be replayed and score verified. This does not protect your game from being played by a robot, though. And this applies only if your game's world is completely deterministic.

blocks|key|1312430|text|不是的。为了让客户端软件对其进行数字签名，它必须拥有私钥。如果软件拥有私钥，用户就可以发现(并可能滥用)它。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1312431|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

No. For the client software to digitally sign it, it must have the private key. And if the software has the private key, the user can discover (and potentially abuse) it.

blocks|key|11983|text|使用一些已知的算法，在我的应用程序中，我使用blowfish.But，这并不是它安全的原因。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|11984|游戏中通常有一个进程来检查连接到服务器的程序的同一性，这个进程被称为“握手进程”，.The服务器发送一个数据包，其中包含值和一个加密的(客户端知道如何解密它)+blowfish+key.The从服务器接收的blowfish密钥是随机的，每个connect.This都是握手的第一部分。|11985|下一部分是根据connect上收到的值加密一个计算出的整数(这些值是随机的)，然后用blowfish对其进行加密。|11986|当服务器接收到该分组时，服务器发送相同的分组，该分组是用新的(最终的)+blowfish+key.The加密的。客户端必须通过使用旧的blowfish密钥解密该密钥来找出该密钥，然后使用从第一个分组接收的值进行计算。|11987|这就是握手过程，在握手完成后，您可以将您的分数发送到相同的主体上(或者可能将其放入握手中，并在握手完成后向愚弄反向的人发送一个假数据包)。|11988|这有太多的事情要做，但是对于一个反转者来说，这要么太多了。|11989|另一种解决问题的方法是根据数据包内容添加两个字节(字)的安全值(CRC)，您自己的calculation.The服务器将检查该值，并检查其是否无效的->断开。|11990|entityMap^0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Q|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|R|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|S|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|T|8|@]|9|@]|A|$]]|$1|J|3|K|5|6|7|U|8|@]|9|@]|A|$]]|$1|L|3|M|5|6|7|V|8|@]|9|@]|A|$]]|$1|N|3|-4|5|6|7|W|8|@]|9|@]|A|$]]]|O|$]]

Use some known algorithm,in my applications I use blowfish.But that's not what makes it safe.

Games usually have a process for checking the idenity of the program connecting to the server,the process is called "Handshake process".The server sends a packet,which conctains values and an encrypted(the client knows how to decrypt it) blowfish key.The blowfish key received from the server is random on each connect.This is the first part of the handshake.

The next part is encrypting a calculated integer based on the values received on connect(which are random) and then encrypt it with blowfish.

When the server receive that packet,the server sends the same packet,which is encrypted with the new(final) blowfish key.The client has to find out that key by decrypting it with the old blowfish key and then do calculations with the values received from the first packet.

This is the handshake process,after it's finished you can send your score on the same principal(or perhaps put it inside the handshake and send a fake packet after the handshake is done to fool reversers).

It's too much to do,but it's either too much for a reverser.

Another way to solve your problem is to add a two byte(word) security value(CRC) based on the packet content with your own calculation.The server will check that value and if its invalid -> Disconnect.

blocks|key|897301|text|问得好！这里的许多人已经说过了-你最终需要在你的应用程序中构建一个密钥，这可能是可以通过逆向工程来检索的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|897302|阅读有关Trusted+Computing的内容。这是围绕您的PC中内置的公钥/私钥构建的-您的PC永远不会允许您访问该密钥。内存限制/密封存储将使攻击者很难尝试发现传递给您的应用程序的密钥。|offset|length|897303|entityMap|0|LINK|mutability|MUTABLE|url|http://en.wikipedia.org/wiki/Trusted_computing^0|0|4|H|0|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|O|8|@]|9|@$D|P|E|Q|1|R]]|A|$]]|$1|F|3|-4|5|6|7|S|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|M]]]]

Good question! Plenty of people here have already said it - you end up needing to build a key into your app which potentially is retrievable by reverse engineering.

Have a read up on <a href="http://en.wikipedia.org/wiki/Trusted_computing" rel="nofollow noreferrer">Trusted Computing</a>. This is built around a public/private key built into your PC - which your PC will never allow you to access. Memory curtaining / Sealed storage would make it difficult for an attacker to try discover a key delivered to your app.

blocks|key|897358|text|不，大体上不是。你面临着其他评论提到的问题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|897359|这个问题就变成了成本问题。破解保护系统的成本是否高于其保护的价值？从一次成功的入侵中恢复过来的成本是多少？|897360|由于高分数表通常不是高价值目标，因此您可能希望尝试以下任何一种方法：|897361|897362|与高分一起，发送一些关于游戏状态的信息；游戏时间，级别，收集的奖金等。加密/混淆这些数据。这将帮助服务器确定高分在理论上是否有效。忽略任何明显是假的高分。|ordered-list-item|897363|使用加密和共享密钥发送高分。不要将共享密钥以纯文本形式存储在你的应用程序中。最好使用一种算法来实时计算它。|897364|混淆您的客户端代码。|897365|使用客户端IP地址和时间戳存储高分。|897366|897367|entityMap^0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|T|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|U|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|V|8|@]|9|@]|A|$]]|$1|G|3|H|5|I|7|W|8|@]|9|@]|A|$]]|$1|J|3|K|5|I|7|X|8|@]|9|@]|A|$]]|$1|L|3|M|5|I|7|Y|8|@]|9|@]|A|$]]|$1|N|3|O|5|I|7|Z|8|@]|9|@]|A|$]]|$1|P|3|-4|5|6|7|10|8|@]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|11|8|@]|9|@]|A|$]]]|R|$]]

No, not in general. You face the problems mentioned by the other comments.

The question becomes one of cost. Is the cost of cracking a protection system higher than the value it is protecting? And what is the cost of recovering from a successful break-in?

Since a high score table is generally not a high value target, you might want to try any of these:

<ol>
<li>Along with the high score, send some information on game state; playtime, level, bonuses collected, etc. Encrypt/obfuscate this data. This will help the server determine whether the high score could theoretically be valid. Ignore any highscores which are obviously fake.</li>
<li>Send the high score using encryption with a shared secret.Don't store the shared secret as plain text in your app. Preferably, use an algorithm to calculate it in realtime. </li>
<li>Obfuscate your client code.</li>
<li>Store high scores with client IP addresses and a timestamp.</li>
</ol>

The problem in brief: I develop an application (for example a game) which is distributed in binary form. The game calls home and sends the user's high score as a message to an online game server.

What I'd like to do is digitally encrypt and sign the message so that I can trust it hasn't been tampered with.

Public key cryptography relies on each end of the conversation having a secret each, but I can't rely on my software not being reverse engineered, and the private key discovered.

Is there a secure or secure enough way of digitally signing (the encryption part isn't necessary in this case) a message from my distributed binary application when I know it can be reverse engineered?

How do I digitally sign and trust a message in a distributed program I know can be reverse engineered?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

问题简而言之:我开发了一个以二进制形式分发的应用程序(例如游戏)。游戏呼叫总部并将用户的高分作为消息发送到在线游戏服务器。我想做的是对消息进行数字加密和签名，这样我就可以相信它没有被篡改。公钥密码术依赖于会话的每一端都有一个秘密，但我不能指望我的软件不被反向工程，私钥被发现。有没有一种足够安全的方法对来自分布式二进制应用程序的消息进行数字签名(在这种情况下，加密部分不是必需的)，而我知道它可以被逆

问在我知道可以进行反向工程的分布式程序中，如何对消息进行数字签名和信任？
EN

回答 7

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在我知道可以进行反向工程的分布式程序中，如何对消息进行数字签名和信任？EN

回答 7

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在我知道可以进行反向工程的分布式程序中，如何对消息进行数字签名和信任？
EN