Java code obfuscation

Source: Internet
Author: User

Only for the record.

Java code can be decompiled, so protecting your own intellectual property takes some thought. Generally speaking, there are three approaches:

1. Encrypt the class files. This is the safest, but also the most costly, because you have to rewrite the ClassLoader to decrypt the class files.
2. Use junk instructions so that the class files cannot be decompiled (this exploits flaws in the decompilation tools).
3. Obfuscate the code to raise the cost of reading it. This is simple and easy to do, and is generally used either on its own or in combination with the other methods.

Our project uses the code obfuscation tool ProGuard. Related articles for reference:
http://blog.csdn.net/wltj920/article/details/48970869
http://blog.csdn.net/earbao/article/details/51000108

ProGuard is an obfuscation tool written in pure Java, and it can be used in two ways: as a client or as a jar package. You can package the program as a jar and then obfuscate it with the tool, or you can add the ProGuard plugin to Maven to obfuscate the code. This example obfuscates an ordinary Java web project. The Maven plugin configuration is as follows:

    <!-- ProGuard obfuscation plugin -->
    <plugin>
        <groupId>com.github.wvengen</groupId>
        <artifactId>proguard-maven-plugin</artifactId>
        <version>2.0.11</version>
        <executions>
            <execution>
                <!-- When to obfuscate: here, during packaging -->
                <phase>package</phase>
                <goals>
                    <!-- Which goal to run: obfuscation, of course -->
                    <goal>proguard</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
            <!-- Whether to attach the generated PG artifact -->
            <attach>true</attach>
            <!-- Whether to obfuscate -->
            <obfuscate>true</obfuscate>
            <!-- Classifier of the generated artifact -->
            <attachArtifactClassifier>pg</attachArtifactClassifier>
            <options>
                <!-- JDK target version 1.8 -->
                <option>-target 1.8</option>
                <!-- Do not shrink (delete comments, unreferenced code) -->
                <option>-dontshrink</option>
                <!-- Do not optimize (change the code's implementation logic) -->
                <option>-dontoptimize</option>
                <!-- Do not skip non-public library classes and members -->
                <option>-dontskipnonpubliclibraryclasses</option>
                <option>-dontskipnonpubliclibraryclassmembers</option>
                <!-- Do not use the mixed-case class name mechanism -->
                <option>-dontusemixedcaseclassnames</option>
                <!-- Allow the access modifiers of classes and class members to be changed during optimization -->
                <option>-allowaccessmodification</option>
                <!-- Use unique obfuscated class member names to increase the obfuscation -->
                <option>-useuniqueclassmembernames</option>
                <!-- Do not obfuscate any package names -->
                <!-- <option>-keeppackagenames</option> -->
                <!-- Attributes to keep: exceptions, annotations, etc. -->
                <option>-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LocalVariable*Table,*Annotation*,Synthetic,EnclosingMethod</option>
                <!-- Do not obfuscate any set/get methods -->
                <!-- <option>-keepclassmembers public class * {void set*(***); *** get*();}</option> -->
                <!-- Do not obfuscate the class names under these packages or the methods in those classes.
                     <methods> is written as &lt;methods&gt; so that the POM stays well-formed XML. -->
                <option>-keep class com.xxx.xxx.bboss.SystemConfig {&lt;methods&gt;;}</option>
                <option>-keep class com.xxx.xxx.framework.** {*;}</option>
                <option>-keep class com.xxx.xxx.xxx.controller.** {&lt;methods&gt;;}</option>
                <option>-keep class com.xxx.xxx.xxx.dao.** {&lt;methods&gt;;}</option>
                <option>-keep class com.xxx.xxx.xxx.exception {&lt;methods&gt;;}</option>
                <option>-keep class com.xxx.xxx.xxx.model.** {&lt;methods&gt;;}</option>
            </options>
            <!-- Output jar containing the obfuscated classes -->
            <outjar>classes-autotest.jar</outjar>
            <!-- Library dependencies; adjust as needed. For this test a single JRE runtime jar is enough -->
            <libs>
                <lib>${java.home}/lib/rt.jar</lib>
            </libs>
            <!-- What to load: only classes works here, since configuration files and JSPs cannot be obfuscated -->
            <injar>classes</injar>
            <!-- Output directory -->
            <outputDirectory>${project.build.directory}</outputDirectory>
        </configuration>
    </plugin>

Run mvn clean package -DskipTests

Obfuscation results:

classes-pg.jar: the obfuscated classes file, which contains the complete project structure
proguard_map.txt: the obfuscation mapping
proguard_seed.txt: the classes involved in the obfuscation

Decompiling the obfuscated classes shows that some package names and class names have been changed to simple letters that no longer carry any business meaning, and variable names have also been changed, which makes the code harder to read. The service starts and the project runs correctly.

Notes:

1. Because the configuration sometimes does not keep the package name or the class name, the contents of some related configuration files need to change. Fortunately, ProGuard does not generate class names randomly: it first sorts the classes in the same package by their original names, and the obfuscated class names are a.class, b.class, c.class, and so on. The problem is that when a package contains more than 26 classes, the default names are A.class, B.class, C.class, and on some operating systems class file names are not case-sensitive, which causes errors (my knowledge is limited, and I have not explored the class-loading side in depth). The <option>-dontusemixedcaseclassnames</option> setting (do not use the mixed-case name mechanism) is therefore critical: with it, when there are more than 26 class files they are named aa.class, ab.class, ac.class instead of the uppercase class names, which avoids the errors.

2. Packaging and deployment. The war is packaged together with the configuration files, but the classes inside it are still the normal code, so it has to be unpacked manually and its classes replaced with those from classes-pg.jar. When the build is automated, you can configure a script in Jenkins to replace the classes in the war with the obfuscated ones automatically:

    # Replace the classes in the war with the contents of the obfuscated jar
    cd /root/.jenkins/workspace/mytest_master/target
    jar -xvf classes-pg.jar
    rm -rf mytest
    mkdir mytest
    mv mytest.war mytest
    cd mytest/
    jar -xvf mytest.war
    rm -rf WEB-INF/classes/com/
    cd ../
    cp -rf com mytest/WEB-INF/classes/
    cd mytest
    jar -cvfM0 mytest.war ./
    mv mytest.war ../
    # Delete the original war and project from Tomcat, otherwise the authorization file cannot be replaced
    cd /usr/local/apache-tomcat-8.5.23/webapps
    rm -f mytest.war
    rm -rf mytest

This way, the war that Jenkins produces is an obfuscated package that can be delivered directly to the customer.
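
A post-build check for the two notes above, as an added example that is not part of the original article: it flags class paths in the obfuscated jar that differ only by case, and verifies that WEB-INF/classes in the repacked war matches classes-pg.jar. The function names, the com/ root and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from collections import defaultdict

PREFIX = "WEB-INF/classes/"  # where the war keeps compiled classes

def class_entries(archive, prefix=""):
    """Map each .class path (relative to prefix) to its CRC32."""
    with zipfile.ZipFile(archive) as zf:
        return {i.filename[len(prefix):]: i.CRC for i in zf.infolist()
                if i.filename.startswith(prefix) and i.filename.endswith(".class")}

def case_collisions(names):
    """Groups of paths that differ only by case (clash on case-insensitive file systems)."""
    groups = defaultdict(list)
    for name in names:
        groups[name.lower()].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def check_war(war, pg_jar, root="com/"):
    """Compare the classes under root in the war with those in the obfuscated jar."""
    want = {k: v for k, v in class_entries(pg_jar).items() if k.startswith(root)}
    have = {k: v for k, v in class_entries(war, PREFIX).items() if k.startswith(root)}
    return {
        "missing": sorted(set(want) - set(have)),   # obfuscated class absent from the war
        "leftover": sorted(set(have) - set(want)),  # class in the war that is not in the jar
        "differs": sorted(k for k in want.keys() & have.keys() if want[k] != have[k]),
        "collisions": case_collisions(want),        # mixed-case names were generated
    }

def make_zip(files):
    """Build a constructed in-memory archive (sample data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

# Constructed samples: a jar obfuscated without -dontusemixedcaseclassnames,
# a war that still holds the original classes, and a correctly repacked war.
PG_JAR = {"com/a/a.class": b"obf-1", "com/a/A.class": b"obf-2", "com/a/b.class": b"obf-3"}
STALE_WAR = {PREFIX + "com/xxx/OrderService.class": b"plain", "WEB-INF/web.xml": b"<web-app/>"}
GOOD_WAR = {PREFIX + name: data for name, data in PG_JAR.items()}

if __name__ == "__main__":
    print(check_war(make_zip(STALE_WAR), make_zip(PG_JAR)))
    print(check_war(make_zip(GOOD_WAR), make_zip(PG_JAR)))
```

Run against the real classes-pg.jar and war, any non-empty "missing", "leftover" or "differs" list means the war still ships classes that did not come from the obfuscated jar.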
