Java open-source obfuscators: Proguard details

 

When we develop java, we usually encounter code problems that protect our development. Because java is based on jvm, it is easy to decompile class files. Assume that we have developed a web program and released it to the customer. In fact, the customer can easily decompile our source code, including all src files and jsp files.

In fact, there are several methods to protect our source code: 1. Use the code obfuscator 2. Reload the classloader of the application server.

For the first method, there are a lot of open-source tools available outside, I personally think it is best to use proguard. Proguard is easy to learn. In addition, many functions are provided. The following is my personal experience

(1) download proguard tool from the Internet, proguard tool mainly contains several jar files and some example, http://proguard.sourceforge.net/

(2) add several jar files to the class path. Of course, you can also not add it, but in the following case, you must specify the classpath so that you can access this class during the obfuscation process.

(3) Compile a configuration file, mainly the parameters of the obfuscator. For example, the following is an example.
-Injars platform. jar
-Outjars platform_out.jar
-Libraryjars <java. home>/lib/rt. jar
-Libraryjars ibatis-common-2.jar
-Libraryjars ibatis-dao-2.jar
-Libraryjars ibatis-sqlmap-2.jar
-Libraryjars junit-3.8.1.jar
-Libraryjars d:/j2ee. jar
-Libraryjars struts. jar
-Libraryjars commons-lang.jar
-Libraryjars D:/0 working/coreproject/byislib/jasperreports-0.6.1.jar
-Libraryjars commons-beanutils.jar

-Printmapping proguard. map
-Overloadaggressively
-Defaultpackage''
-Allowaccessmodification
-Dontoptimize
-Keep public class *
{
Public protected *;
}
-Keep public class org .**
-Keep public class it .**

For more information about the parameters, see proguard. This document is very detailed and easy to use.

OK. Now the code obfuscation is complete. Open the generated jar package and you can see that many class files such as a, B, and c are added. The obfuscation result is successful. It is normal to delete and run the mixed jar package!

FAQs
A. memory overflow exception: the main cause is that proguard eats a lot of memory during obfuscation. Therefore, you can increase the memory when running the obfuscators, such as java-mx512m .....
B. Stack Overflow exception: When proguard is obfuscation, it will optimize some code. If it encounters some complicated methods, it may throw this exception. The solution is to add the configuration parameter dontoptimize, as shown in the preceding configuration example.

For the second method, the classloader principle of the heavy load server is as follows. First, we use certain algorithms to encrypt the class file. Then we write our own classloader to replace the classloader of the server. In this way, we can read the class file, use our own algorithm to reverse encrypt it into the correct class, and then load it again. This method has not been applied yet. I have been studying it for the past few days. What new results will be summarized here.

Proguard is an open-source project. Its homepage is http://proguard.sourceforge.net/. currently, the latest architecture is 3.3.2 .. Loading obfuscators is very simple. You only need to decompress proguard3.3.2.zip, and then select the installation directory of proguard in the j2-> packing-> obfuscation tab. As shown in, you can configure the class names to be retained during obfuscation. The MIDlet class names must be retained for the Java Runtime Environment (JRE) of the device) the execution entry point can be found.

Http://images.csdn.net/20050726/image027.jpg%EF%BC%8CIt%E2%80%99s%20about%20the%20above%20pic.

Another document
Proguard is a free Java class file compressors, optimizers, and obfuscators. It can discover and delete useless classes, fields, methods, and attribute values ). It can also optimize bytecode and delete useless commands. Finally, it uses a simple and meaningless name to rename your class name, field name, and method name. After the preceding operations, the JAR file will become smaller and it is difficult to reverse engineer. The main features of proguard are compression, optimization, and obfuscation. I will introduce these concepts first, and then introduce the basic usage of proguard.

L what is compression:

Java source code (. java file) is usually compiled into a bytecode (. class file ). Complete programs or libraries are usually compressed and published into Java documents (. jar files ). Bytecode is more concise than Java source files, but it still contains a lot of useless Code, especially when it is a library. The compression program of ProGuard can analyze bytecode and delete unused classes, fields, and methods. The program only retains functional equivalence, including the information required for the exception stack description.

L what is obfuscation:

In general, the compiled bytecode still contains a lot of debugging information: source file name, row number, field name, method name, parameter name, variable name, and so on. This information makes it easy to decompile and obtain complete programs through reverse engineering. Sometimes, this is annoying. For example, obfuscators like ProGuard can delete the debugging information and replace all names with meaningless character sequences, making it difficult to reverse engineer and further streamline code free of charge. Except for the class name, method name, and row number required for the exception stack information, the program only retains functional equivalence. With the above understanding, you should understand why obfuscation is required.

L ProGuard supports the following types of optimization:

In addition to useless classes, fields, and Methods deleted during compression operations, ProGuard can also provide performance optimization at the bytecode level. The internal methods include:

2. constant expression evaluate

2. Delete unnecessary field access

2. Delete unnecessary method calls

2. Delete unnecessary branches

2. Delete unnecessary comparisons and instanceof Verification

2. delete unused code

2. delete a write-only segment

2. delete unused method parameters

2. Various peephole optimizations like push/pop simplification

2. Add static and final modifiers to the class whenever possible

2. Add private, static, and final modifiers to the method whenever possible

2. Make the get/set Method inline whenever possible

2. replace an interface with only one implementation class.

2. Optional log deletion code

The actual optimization result depends on your code and the virtual machine that executes the code. Simple virtual machines are more effective than advanced virtual machines with complex JIT compilers. In any case, your bytecode will become smaller.

There are still some technologies that need to be optimized obviously not supported:

2. Make non-final constant fields inline

2. Make other methods inline like the get/set Method

2. Move the constant expression out of the loop

2 Optimizations that require escape analysis

ProGuard is a command line tool and provides a graphical user interface. It can also be used in combination with Ant or j2-wireless Toolkit. The more streamlined jar files obtained through ProGuard mean that only a smaller storage space is needed; network transmission is more time-saving; loading speed is faster and memory usage is smaller. In addition, ProGuard is very fast and efficient. It only takes a few seconds and a few megabytes to exist in the processing program. The processing sequence is compressed first, optimized, and then obfuscated. The results section presents actual figures for a number of applications. Compared with other Java obfuscators, ProGuard has The primary advantage of simple configuration based on template files. Some intuitive command line options or a simple
The configuration file is sufficient. For example, the following configuration options protect all applets in the jar file:

-Keep public class * extends java. applet. Applet

All available options are described in the user guide, and a large number of examples are provided to demonstrate these powerful configuration options.

I talked about many advantages of ProGuard. Now let's take a look at how to use ProGuard in the program. We also mentioned that ProGuard can execute and process programs using command lines, graphical interfaces, Ant, etc, the configuration file is also mentioned. Let's take a look at how to use it:

Run the following command to run proguard:

Java-jar proguard. Jar options ......

For specific options, refer to the proguard user guide. You can also write these attributes in the configuration file. during runtime, you only need to specify this configuration file. For example:

Java-jar proguard. Jar @ config. Pro

The configuration file format must also be written in the format provided by proguard. For details, refer to the configuration file in the proguard example to configure the proguard configuration file suitable for your application system. Proguard provides graphical interface configuration and running programs. You can configure the desired parameters on the interface and then run the program. The configuration files to be manually written can also be configured and generated on the GUI.

If you want to run proguard in ant, you only need to add one of the following targets:

<Target name = "proguard" depends = "init">

<Taskdef resource = "proguard/ANT/task. properties" classpath = "$ {Lib. dir}/proguard. Jar"/>

<Proguard configuration = "$ {SRC. dir}/config. Pro"/>

</Target>

You only need to set the Lib. dir and SRC. dir attributes. Similarly, the proguard configuration file is used here, which is the same as above. We recommend that you use proguardgui as a wizard to generate a configuration file. In this way, you only need to modify the configuration file instead of writing a new configuration file.

If you think proguard is good, add it to your project.

Document 3
This is something that should not appear in the open-source community, but it is indeed an open-source project, just like its name, Proguard (Program Guard ), it represents the relative aspect of open source-code protection.

As an advanced language such as JAVA, the product of compilation is only a concept relative to the source code. Although bytecode is not as easy to understand as the source code, it is not impossible to decompile it, there are many anti-compilation products for JAVA, such as CAVAJ and JAD. In the face of the continuous emergence of decompilation products, the developers who regard the code as a fortune should go further.

Obfuscators come into being in this context. Since it is impossible to reject the decompilation, let them decompile the obfuscators. As long as the results of decompilation cannot be directly used by others, isn't it enough? As long as the code is mixed up, the results of decompilation cannot be understood by others, or even cannot be compiled.

There are many obfuscation methods, mainly in the following aspects.
Rename: Change the name of a private class, Private member, and variable in the method body to a, B, c, or even 1, 2, 3 (the Code does not allow non-equivalent deliverables)
Change the logic flow. For example, if conditions are reversed and if/else is reversed.
Equivalent Code, for example, changing a loop to a GOTO
Invalid code, useless code inserted
Proguard is an excellent open-source JAVA obfuscator. It can be downloaded at http://proguard.sourceforge.net/. now let me download Proguard together.

Take version 3.2 as an example. Release the compressed package. As an open-source project, the docs, lib, src, and sample folders are available. We will not describe them here.
Enter the lib directory, which contains proguard. jar. If you want to have a obfuscator shell or use it as an ANT plug-in, you will use it. For details, refer to the Proguard documentation.
We should look at proguardgui. jar, which is the graphical interface of Proguard. We use JDK to open it. Note that JDK is not a JRE.

Click the Input/Output tag, select the JAR package to be confused (note that it is a JAR package), Output the JAR package, and all the class libraries used.
Click the obfuscation label and select classes that do not need to be confused (classes to be reflected cannot be confused)
Click the process tag and the process button. Wait for the result to be viewed.
Proguard also includes code optimization and code sorting functions, which are not the scope of this article. If you are interested, study it yourself)
Obfuscation-only options

In this way, if a-Z has been used, it will switch to AA. class, such as the configuration interface.
1, 4, 6, 9, 10, 11, 12

Source code
Package org. zwm. Pub;

Public class Bru {

/**
* @ Param ARGs
*/

Public static void main (string [] ARGs ){
// Todo auto-generated method stub
System. Out. println (showmsg ());
}
Public static string showmsg (){
Return "You are my sun ";
}
}
Decompiled code
// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.kpdus.com/jad.html
// Decompiler options: packimports (3)

Package org. zwm. pub;

Import java. io. PrintStream;

Public class Bru
{

Public Bru ()
{
}

Public static void main (String args [])
{
System. out. println (PK0304140008000800fZ ());
}

Public static String PK0304140008000800fZ ()
{
Return "You are my sun ";
}
}

The class name remains unchanged and the method name is mixed.