Java .class files safe?

I do not know where to post this so I am going to post it here.

I have been considering making an offline commercial game in Java for a long time. The one thing that concerns me is the fear that pirates would decompile my game and remove any security I placed in it, then redistribute it for free. Is there any way I can protect my code?

Pirates WILL decompile your code and defeat your security.

No matter what it is written in.

They’ve been doing that for long before Java even existed. Deal with it.

This is a red herring where Java is concerned.

Does Java have an increased risk?

Definitely an increased risk - it’s easier to decompile Java and understand it than it is with C++.

However, if you intend to write a commercially successful game then it has to be good. If it’s good - then someone will crack it. It only takes one to crack it - distribution after that doesn’t take long.

Obfuscation helps.
Compiling to a native helps.
Using quirky/ornate security helps.

Still, if it’s good, and people want it - it’ll get cracked.

Kev

If the attacker knows how to decompile Java and read it (and is not just a script kiddie), obfuscation doesn’t help at all.
For example, if the attacker wants to bypass, say, a CD-ROM check, obfuscation might turn a 30 minute hack into a 45 minute one. But not more.

That said, obfuscation definitely doesn’t hurt either, and it’s dead simple to automate into your building process, so there’s really no reason to not use an obfuscator. Just make sure you use one that spits out a reverse mapping file so you can still follow the stack traces. =)
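The reverse mapping file mentioned above is what turns an obfuscated stack trace back into readable names. The following is an added example, not code from the thread or from any obfuscator: it parses a small constructed mapping in ProGuard's `original -> obfuscated:` layout and retraces a constructed trace, assuming line numbers were preserved and no methods were inlined.

```python
import re

# Constructed sample in ProGuard's mapping layout: original -> obfuscated.
MAPPING = """\
com.example.game.LicenseCheck -> a.b:
    int attempts -> a
    12:15:boolean verify(java.lang.String) -> a
    20:31:void lockOut() -> b
com.example.game.Main -> a.c:
    5:9:void main(java.lang.String[]) -> a
"""
# Constructed obfuscated trace, as it might arrive in a bug report.
TRACE = """\
java.lang.IllegalStateException: too many attempts
    at a.b.b(SourceFile:24)
    at a.b.a(SourceFile:13)
    at a.c.a(SourceFile:7)
"""
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
METHOD_RE = re.compile(r"^\s+(?:(\d+):(\d+):)?\S+ ([\w$<>]+)\(.*\)(?::\d+)* -> (\S+)$")
FRAME_RE = re.compile(r"^(\s+at )([\w.$]+)\.([\w$<>]+)\([\w.]+:(\d+)\)$")

def parse_mapping(text):
    """Return {obfuscated class: (original class, [(lo, hi, original, obfuscated)])}."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes.setdefault(m.group(2), (m.group(1), []))
        elif current is not None and (m := METHOD_RE.match(line)):
            lo, hi, name, obf = m.groups()  # field lines have no "(...)" and are skipped
            current[1].append((int(lo or 0), int(hi or 0), name, obf))
    return classes

def retrace(trace, classes):
    """Rewrite each 'at ...' frame with original names; leave other lines alone."""
    out = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m and m.group(2) in classes:
            orig_class, methods = classes[m.group(2)]
            lineno = int(m.group(4))
            # Several methods can share one obfuscated name; the line range picks one.
            names = [n for lo, hi, n, obf in methods
                     if obf == m.group(3) and (hi == 0 or lo <= lineno <= hi)]
            method = "|".join(dict.fromkeys(names)) or m.group(3)
            source = orig_class.rsplit(".", 1)[-1] + ".java"  # guessed from class name
            line = f"{m.group(1)}{orig_class}.{method}({source}:{lineno})"
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(retrace(TRACE, parse_mapping(MAPPING)))
```

Keep the mapping file with the build artifacts and out of the shipped jar: anyone holding it can undo the renaming just as easily.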

It’s a little strange that such a basic problem as this has no solution for all of Java’s security :-\

re obfuscation: I’ve read that it makes your jars smaller in size too.

[quote]It’s a little strange that such a basic problem as this has no solution for all of Java’s security
[/quote]
It’s not so strange if you consider that Java security is not about copy protection. It’s two totally different matters.

To be honest, I think the Java way is slightly better and less self-deceptive.

Natively compiled files can and frequently do get decompiled, analyzed and modified as well.
There’s no such thing as client-side code security. As long as you’re aware of this, you get forced to either implement some REAL security (if possible), or not ship sensitive material to the client. Of course, those two are often the same thing.

The problem with single player games is that all the sensitive data is on the client’s side. Are there any successful single player games that use Java? Is there any tool that would allow me to encrypt the class file then hide the key?

You can encrypt whatever you want, but you are required to give the client the key at some point, invalidating the whole effort.

As others stated, you can’t prevent that your game will be decompiled and cracked. Code obfuscation is an option to make it more difficult. You could encrypt your jars and write a ClassLoader that decrypts them, but the loader code will be unencrypted and therefore vulnerable.

I would opt to trust your users ;)

And it just ain’t that hard to find the test condition for your security in assembled binary and NOP it.

It really isn’t.

…that simple.

put some code on a server …

The company I work for sells a commercial API. We’ve had the same concerns about people running off with the code, but in the end came to the conclusion that it’s just not worth all the effort you put into it. As has been said before, any software checks (however clever you make them) can be cracked if people put enough time and effort into it. The more complex you make your copy protection/licensing system the more you’ll annoy your legitimate users. In the end we just used a relatively simple license checking system combined with obfuscation (using ProGuard) and that has worked fine. We are in a niche market though, so the likelihood of widespread piracy is probably a lot smaller than in the games market.

For online multiplayer games I like the way with hash values. Just check for each login if the package has the right hash value. If not, reject the client. OK, skilled hackers will find a way to manipulate your files/archives without the hash being changed. But there is some effort needed ;)

Or just remove the hash check, as that has to be client side as well.

(or if you sent the hash to the server, just send the hash of the unmodified client)

If you’ve got a lobby server, send the license key from the client and let the server check it against a db. That way even keygens won’t work. :)

If the lobby isn’t needed to play the game, the client can just bypass that step.
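A sketch of the server-side license check discussed in the last few posts, as an added example that is not code from the thread. The key format, `MAX_ACTIVATIONS`, the in-memory `ISSUED` table and the ticket layout are all assumptions; the point is that validity is decided by server-held state, so it only protects what the server itself provides.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # generated and kept on the server only
MAX_ACTIVATIONS = 3                      # assumed policy, not from the thread

# Constructed license table: keys the vendor actually issued -> machines seen.
ISSUED = {"GAME-7Q2K-91XD-AAAA": set(), "GAME-M4PL-03ZT-BBBB": set()}

def _sign(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()

def login(license_key, machine_id, now=None):
    """Return a signed lobby ticket, or None if the key is not acceptable."""
    machines = ISSUED.get(license_key)
    if machines is None:
        return None  # well-formed but never issued, e.g. keygen output
    if machine_id not in machines and len(machines) >= MAX_ACTIVATIONS:
        return None  # key is in use on more machines than the policy allows
    if "|" in machine_id:
        return None  # '|' is the ticket field separator
    machines.add(machine_id)
    expires = int(time.time() if now is None else now) + 3600
    body = f"{license_key}|{machine_id}|{expires}"
    return f"{body}|{_sign(body)}"

def ticket_valid(ticket, now=None):
    """Lobby-side check: accept only unexpired tickets this server signed."""
    try:
        body, tag = ticket.rsplit("|", 1)
        expires = int(body.rsplit("|", 1)[1])
    except (AttributeError, ValueError, IndexError):
        return False
    current = time.time() if now is None else now
    same = hmac.compare_digest(tag.encode(), _sign(body).encode())
    return same and current < expires

if __name__ == "__main__":
    t = login("GAME-7Q2K-91XD-AAAA", "pc-1")
    print(ticket_valid(t), login("GAME-0000-0000-ZZZZ", "pc-1"))
```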

If you can “solve” this “basic” problem, you will become the world’s richest person.

Of course, the only way to solve this problem is to be one of the world’s richest people to start off with.

(HINT: it requires you to own every PC in the world. Quite expensive, don’t you think?)

Or, to put it another way:

“I can’t believe that such a basic problem as death hasn’t been solved yet by Western doctors. We have all these smart people, they must be really lazy that they haven’t worked out how to do it yet.”