Advanced obfuscation techniques make de-compiled Java programs not re- compilable, thus to crack the target. Difficult to implement. The latest version was released June 23, . You may not obfuscate the names of standard Java API classes that are part of the JRE, so all uses of those classes remain clearly cracming in the decompiled code. For the signing scheme to be hard to break, the key needs to be inaccessible.
|Published (Last):||15 April 2007|
|PDF File Size:||15.82 Mb|
|ePub File Size:||6.12 Mb|
|Price:||Free* [*Free Regsitration Required]|
Q: If I encrypt my. A: The problem of preventing Java byte-code decompilation is almost as old the language itself. Despite a range of obfuscation tools available on the market, novice Java programmers continue to think of new and clever ways to protect their intellectual property.
The extreme ease with which Java. Arguably, the compiled. Several things can be done, if not to prevent decompilation completely, at least to make it more difficult.
For example, as a post-compilation step you could massage the. Techniques like performing extreme method name overloading work well for the former, and manipulating control flow to create control structures not possible to represent through Java syntax work well for the latter. The more successful commercial obfuscators use a mix of these and other techniques. Unfortunately, both approaches must actually change the code the JVM will run, and many users are afraid rightfully so that this transformation may add new bugs to their applications.
Furthermore, method and field renaming can cause reflection calls to stop working. In addition to altered names, if the association between class byte-code offsets and source line numbers is altered, recovering the original exception stack traces could become difficult. Then there is the option of obfuscating the original Java source code.
But fundamentally this causes a similar set of problems. Perhaps the above has made you think, "Well, what if instead of manipulating byte code I encrypt all my classes after compilation and decrypt them on the fly inside the JVM which can be done with a custom classloader? Then the JVM executes my original byte code and yet there is nothing to decompile or reverse engineer, right?
Unfortunately, you would be wrong, both in thinking that you were the first to come up with this idea and in thinking that it actually works. And the reason has nothing to do with the strength of your encryption scheme.
To illustrate this idea, I implemented a sample application and a very trivial custom classloader to run it. The application consists of two short classes:. My aspiration is to hide the implementation of my. MySecretClass by encrypting the relevant. To that effect, I use the following tool some details omitted; you can download the full source from Resources :. EncryptedClassLoader has two basic operations: encrypting a given set of classes in a given classpath directory and running a previously encrypted application.
The encryption is very straightforward: it consists of basically flipping some bits of every byte in the binary class contents. This is just an illustration. Classloading by EncryptedClassLoader deserves a little more attention. My implementation subclasses java. One is to bend the usual Java 2 classloader delegation rules and get a chance to load an encrypted class before the system classloader does it, and another is to invoke crypt immediately before the call to defineClass that otherwise happens inside URLClassLoader.
These two classes in bin have now been replaced with encrypted versions, and to run the original application, I must run the application through EncryptedClassLoader :. Sure enough, running any decompiler such as Jad on encrypted classes does not work.
Time to add a sophisticated password protection scheme, wrap this into a native executable, and charge hundreds of dollars for a "software protection solution," right? Of course not.
It is a final method that calls into JVM native code after doing a few checks. It is important to understand that no classloader can avoid calling this method if it wants to create a new Class.
The defineClass method is the only place where the magic of creating a Class object out of a flat byte array can take place. And guess what, the byte array must contain the unencrypted class definition in a well-documented format see the class file format specification. Breaking the encryption scheme is now a simple matter of intercepting all calls to this method and decompiling all interesting classes to your heart's desire I mention another option, JVM Profiler Interface JVMPI , later.
May 9, Q: If I encrypt my. Inheritance versus composition: How to choose. Get started with lambda expressions in Java. Tutorial series: Android Studio for beginners. What is JPA?
Cracking Java byte-code encryption
Cracking String Encryption in Java Obfuscated Bytecode