This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Bytecode obfuscation"
From OWASP
(→Principles) |
|||
| Line 1: | Line 1: | ||
== Principles == | == Principles == | ||
| + | |||
| + | |||
| + | Java is a language which code is quite intuitive to read. But some also complain that compiled code is as easy to read as source code - or at least it is easy to recover. You will find here a couple of hints and tips about this matter of fact, and how to deal with it if you need to prevent people to exploit code they should not work with. | ||
| + | |||
| + | === How to recover Source Code from Bytecode? === | ||
| + | |||
| + | The main program for uncompiling code is JAD (JAva Decompiler). It provides following advantages : | ||
| + | |||
| + | * Recover code from Java ByteCode, | ||
| + | * Get clean code for your own programs, | ||
| + | * Remove Comments, Javadoc, Names of local Variables, Names of Parameters, | ||
| + | * Several Graphical interfaces, available on the web site. | ||
| + | |||
| + | === How to prevent your Java code to be Reverse-engineered ? === | ||
| + | |||
| + | Several actions can be taken for preventing reverse-engineering : | ||
| + | |||
| + | * Code Obfuscation. This is done mainly through variable renaming; see next paragraph for more precisions, | ||
| + | * Suppression of End Of File Characters. This makes the code difficult to parse, | ||
| + | * Use of anonymous classes for handling events. This seems not to be handled by many Decompiler; however, JAD copes pretty well with this. | ||
| + | * File encoding. This implies some overhead for uncyphering at runtime. Several tools are available:: Canner, by Cinnabar Systems, Katirya, or JLock by JSoft. They are available for evaluation, and the two first are proposed currently for Windows Platforms only. | ||
| + | |||
| + | === What tools do exists for Obfuscation ? === | ||
| + | |||
| + | A lot of tools exist for Java code Obfuscation. You can find extensive lists under following URLs, or simply type 'obfuscator' in your favorite search engine : | ||
| + | |||
| + | * http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/ | ||
| + | * http://proguard.sourceforge.net/alternatives.html | ||
| + | |||
| + | Among those projects, some are open source project, and therefore more suitable for research - but also for enterprises who wish to control the programs they use (without any warranty): | ||
| + | |||
| + | * Proguard is a shrinker (make code more compact), and optimizer and obfuscator. | ||
| + | * Jode is a decompiler, an optimizer and an obfuscator. It contains facilities for cleaning logging statements,, | ||
| + | * Jarg, | ||
| + | * Javaguard, which is a simple obfuscator, without many documentation, | ||
| + | * CafeBabe, which allows precise view of Bytecode files and single file obfuscation; a good tool for teaching ByteCode Structure, more than a production tool. | ||
== Using Proguard == | == Using Proguard == | ||
== Using CafeBabe == | == Using CafeBabe == | ||
Revision as of 07:51, 15 November 2006
Principles
Java is a language which code is quite intuitive to read. But some also complain that compiled code is as easy to read as source code - or at least it is easy to recover. You will find here a couple of hints and tips about this matter of fact, and how to deal with it if you need to prevent people to exploit code they should not work with.
How to recover Source Code from Bytecode?
The main program for uncompiling code is JAD (JAva Decompiler). It provides following advantages :
- Recover code from Java ByteCode,
- Get clean code for your own programs,
- Remove Comments, Javadoc, Names of local Variables, Names of Parameters,
- Several Graphical interfaces, available on the web site.
How to prevent your Java code to be Reverse-engineered ?
Several actions can be taken for preventing reverse-engineering :
- Code Obfuscation. This is done mainly through variable renaming; see next paragraph for more precisions,
- Suppression of End Of File Characters. This makes the code difficult to parse,
- Use of anonymous classes for handling events. This seems not to be handled by many Decompiler; however, JAD copes pretty well with this.
- File encoding. This implies some overhead for uncyphering at runtime. Several tools are available:: Canner, by Cinnabar Systems, Katirya, or JLock by JSoft. They are available for evaluation, and the two first are proposed currently for Windows Platforms only.
What tools do exists for Obfuscation ?
A lot of tools exist for Java code Obfuscation. You can find extensive lists under following URLs, or simply type 'obfuscator' in your favorite search engine :
- http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/
- http://proguard.sourceforge.net/alternatives.html
Among those projects, some are open source project, and therefore more suitable for research - but also for enterprises who wish to control the programs they use (without any warranty):
- Proguard is a shrinker (make code more compact), and optimizer and obfuscator.
- Jode is a decompiler, an optimizer and an obfuscator. It contains facilities for cleaning logging statements,,
- Jarg,
- Javaguard, which is a simple obfuscator, without many documentation,
- CafeBabe, which allows precise view of Bytecode files and single file obfuscation; a good tool for teaching ByteCode Structure, more than a production tool.
