If you are developing java application, it is important to understand that the java class files can be easily reverse engineered using java decompilers. In this article, let us explore how a java class file is reverse engineered and how to protect your source code from being reverse engineered by someone.
The java source code is compiled to a class file that contains byte code. Java Virtual Machine needs only the class file for execution. The problem is that the class file can easily be decompiled into the original source code using java decompiler tools. The best solution to prevent reverse engineering is to obfuscate the class file so that is will be very hard to reverse engineer. According to the dictionary Obfuscate means “to make obscure or unclear”. That is exactly what lot of java obfuscator tool will do as explained below.
I. Decompile Java class file.
Before understanding how to obfuscate the java code, let us first try to understand how someone can reverse engineer your java application. Following 3 steps explains how a class file is reverse engineered to the original java source code.
1. Create HelloWorld.java as shown below.
public class HelloWorld {
public static void main (String args[]) {
String userMessage = "Hello World!";
int userCount = 100;
userCount = userCount + 1;
System.out.println(userMessage);
System.out.println(userCount);
}
}
2. Compile HelloWorld.java program and execute it to make sure it works properly.
$ javac HelloWorld.java $ java HelloWorld Hello World! 101
Java class file contains only byte code. If you try to view a class file, it will be non-readable as shown below.
$ vi HelloWorld.class Ãþº¾^@^@^@2^@ ^@^G^@^P^H^@^Q ^@^R^@^S ^@^T^@^V^G^@^W^G^@^X^A^@^F<init>^A^@^C()V^A^@^DCode^A^@^OLineNumberTable ^A^@^Dmain^A^@^V([Ljava/lang/String;)V^A^@ SourceFile^A^@^OHelloWorld.java^L^@^H^@ ^A^@^LHello World!^G^@^Y^L^@^Z^@^[^G^@^\^L^@^]^@^^^L^@^]^@^_^A^@ HelloWorld^A^@^Pjava/lang/Object^A^@^Pjava/lang/System^A^@^Cout^A^@^ULjava/io/PrintStream;^A ^@^Sjava/io/PrintStream^A^@^Gprintln^A^@^U(Ljava/lang/String;)V^A^@^D(I)V^@!^@^F^@^G^@^@^@^@^@^B^@^A^@^H^@ ^@^A^@
3. Decompile HelloWorld.class file and view the original source.
For this demonstration let us use Jad decompiler which is free for non-commercial use. Download the appropriate jad for your platform. Use jad to reverse engineer the HelloWorld.class file to get the original source as shown below.
$ unzip jadls158.zip
$ ./jad HelloWorld.class
Parsing HelloWorld.class...
Generating HelloWorld.jad
$ vi HelloWorld.jad <This will show the reverse engineered original source code>
II. Obfuscate your java application
Let us review how to obfuscate and protect your source code from reverse engineering using ProGuard a free GPL licensed software.
1. Download and Install ProGuard
$ cd /home/jsmith $ unzip proguard4.2.zip
2. Create a proguard config file
Create myconfig.pro that contains all the information about your java application.
- -injar : Specify the location of your jar file. i.e the compiled java application that contains the class files
- -outjar: This is the jar file proguard will create after obfuscation. This will contain all the mangled, obscure naming convention of the methods and variables in the class file if someone tries to reverse engineer.
- -printmapping: ProGurad outputs all the mapping information in this file for your reference.
- -keep: Indicate the class files or the methods that you don’t want ProGuard to obfuscate. For e.g. mypkg.MainAppFrame contains the entry point for the application with the main class, which will not get obfuscated in this example.
$ cat myconfig.pro -injars /home/jsmith/myapp.jar -outjars /home/jsmith/myapp-obfuscated.jar This is the obfuscated jar file -libraryjars /usr/java/jdk1.5.0_14/jre/lib/rt.jar -printmapping proguard.map -verbose -keep public class mypkg.MainAppFrame
3. Execute ProGuard.
$ cd /home/jsmith/proguard4.2/lib $ java -jar proguard.jar @myconfig.pro
This creates the following two files:
- myapp-obfuscated.jar: Contains the obfuscated class files of your application. You can distribute this without having to worry about someone reverse engineering your application easily.
- proguard.map: This file contains the mapping information for your reference.
4. Sample proguard.map file
This is a sample proguard.map file that indicates the original name of the java source objects (classfile, methods, variable etc.) and the new obfuscated name.
myapp.AppToolBar -> myapp.ae: javax.swing.JButton btnNew -> d javax.swing.JButton btnOpen -> e
5. Sample java source code (myapp.AppToolBar) before obfuscation.
btnNew = changeButtonLabel(btnNew, language.getText("new"));
btnOpen = changeButtonLabel(btnOpen, language.getText("open"));
6. Sample java source code that was decompiled from the class file (myapp.ae) after obfuscation.
d = a(d, n.a("new"));
e = a(e, n.a("open"));
You can see that the line “btnNew = changeButtonLabel(btnNew, language.getText(“new”));” got translated to “d = a(d, n.a(“new”));”, by the ProGuard, which will not make any sense to someone who is using java decompiler tools to reverse engineer the class file.
Help me spread the news about The Geek Stuff.
Please leave your comments and feedback regarding this article. If you like this post, I would really appreciate if you can spread the word around about “The Geek Stuff” blog by adding it to del.icio.us or Digg through the link below.
My name is Ramesh Natarajan. I will be posting instruction guides, how-to, troubleshooting tips and tricks on Linux, database, hardware, security and web. My focus is to write articles that will either teach you or help you resolve a problem. Read more about
Comments on this entry are closed.
Hi
Great introduction to obfuscation – I’d really like to get this reposted on JavaLobby with your permission
If you’re interested, please send me a mail and we’ll organise it.
James
Ramesh,
I’m very humbled and grateful that you are taking time to read my blog despite the fact that you are heavily into technology whereas I’m in personal development. If anything I can do for you, please send me a shout. I’m your friend forever.
Shilpan
I’ve solved some very difficult issues for clients (who had lost source code) where the only way to help them was to decompile some java code, make the fix and then reinject the corrected code into their production system. I am very glad they didn’t use this technique. 🙂
@James,
Thanks for posting this article on java.dzone.com.
@Shilpan,
Thanks for those kind words. I’m strongly believe in personal development and your posts are always inspiring. I’ll definitely get in touch with you for any help.
@Mark,
Thanks for reading my post. I’m glad it worked out well for you. At work, a developer should not obfuscate the code, especially if they did not write documentation (or) check-in the source code to any source code control repository.
Hello there,
its nice there are people who write things that r immensely helpful to a larger community.
you have done a decent job in achieving that motive.
Hi Ramesh,
Really nice writeup. I was looking for something like this only. Also, if you would like to see the Structure of a Java Class file read following tutorial.
Java Class file Format
Do post latest info about Java, I will definitely like to visit your site.
Thanks.
um, what if i just write a parser to remap the java source files from the map? doh! obfuscation is a false sense of confidence
For deployed, stand-alone applications, try these in combination.
I’m not sure how well they work to protect your code, but I suspect they do a pretty good job, if used in this combination.
1. Obfuscate your jar file using ProGuard. It’s free at http://proguard.sourceforge.net/
2. Convert the obfuscated jar file to an exe using Launch4j. It’s free at http://launch4j.sourceforge.net/
3. Use Enigma Protector to wrap license control around the exe file. This program also gives you trialware capability. It’s not free ($99 – but worth it) at http://www.enigmaprotector.com/en/home.html
That’s what I do to prep my programs for deployment.
One final note. In case you are interested in an installer program, I recommend NSIS (free) at http://nsis.sourceforge.net/Download. There are many add-ons that make using this package easier.
S. L. Riley
PS – I also posted this at: http://www.javaworld.com/community/?q=node/2056#comment-3572
@Manas,
Thanks for the nice comments about this article. I’m glad you found it very helpful.
@VirtalPatel,
You got a very good article on the Java-class-file-format. Yeah, I need to start writing more articles on Java. Most of my readers are Linux users. So, I’m not finding lot of motivation to write articles on Java. But, I’ll definitely try to write few in the coming days.
@saad ,
The end-user who is using your software will not have the map-file to reverse engineer. Ofcourse, as a developer who does the obfuscation should be able to do reverse engineer to get the code back using the map-file.
@Stuart L. Riley,
Excellent points. I totally agree with you. Combining ProGuard, Launch4J would be a great option. I have never tried the Enigma Protector. I’ll check-out their trial version. Thanks for your great suggestions.
Thanks !
Great tool, the mapping is very usefull ^ ^
Ramesh, you may wish to check out my article covering a couple other options for protecting Java apps:
http://www.excelsior-usa.com/articles/java-obfuscators.html
sir when i tries to install java from package manager it says that…
E: Could not get lock /var/cache/apt/archives/lock – open (11: Resource temporarily unavailable)
E: Unable to lock the download directory
what is this error…and what should i do….
it delete the main method so the application will not run
Hi, Have you tried obfuscating a war file (JSP’s, classes etc.) using proguard?
@Charan
it’s not so special. just do the way you obfuscate ear,jar,class. Every step would be same.
Hi,
I have an issue. Would be of great help if you can show some pointers. My jar has an encrypted zip file, due to which progaurd is not creating the new jar and throwing an error, “encrypted ZIP entry not supported”
I tried to obfuscate a war file in the same way like jar file.
I got Out Of Memory error.my war file is about the size of 54mb.
wat’s the solution for this?
Hi,
This is a very well written article and just what I was looking for.
With respect to protecting your work it’s probably worth remembering the good old copyright notice as well.
Thanks and regards
Melvis
plz tell me this method is secure or not if secure than at which extend
thank you
Excellent stuff!
Thanks for posting
Hi,
When i am executing command for obsfucation it is getting excuted. it is not able to reach the .jar file .
Please reply
thank , I is very good example for beginner .
Dear author,
I have a question.
Obfuscating the code seems to be an extremely ineffective way to guard against reverse-engineering if I were to use Eclipse, NetBeans or a similar IDE to reverse-engineer it. I could rename all these obfuscated classes, variables, and methods names to more appropriate, readable, meaningful names very easily by just pressing Ctrl+Shift+R or Alt+Shift+R.
These shortcut keys for Eclipse and NetBeans automatically rename ALL instances of the name in your project AT ONCE.
So other than obfuscating the code, is there any way to guard against reverse-engineering?
Regards,
Sam
Does proguard support spring mvc application ? if so what will be the options one need to choose.
Can we execute the project in windows environment
Can we use Proguard in Windows environment and with JDK 1.5 version. If so, where should we use .pro file and how to mention options in .pro file