obfuscator : Java Glossary

The CurrCon Java Applet displays prices on this web page converted with today’s exchange rates into your local international currency, e.g. Euros, US dollars, Canadian dollars, British Pounds, Indian Rupees… CurrCon requires an up-to-date browser and Java version 1.7 or later, preferably 1.8.0_05. If you can’t see the prices in your local currency, Troubleshoot. Use Chrome for best results.
obfuscator
A tool to mechanically replace all variable and method names with random meaningless names. The process is sometimes called shrouding. This makes it harder to reverse engineer class files. Obfuscators won’t stop an even mildly determined pirate, just the rank amateurs. Before you throw up your hands in despair:
  1. Consider that you might be paranoid and/or suffering from delusions of grandeur. Is your code really so wonderful it would be worth extensive effort decompiling rather than just writing from scratch? Will it actually harm you if someone steals a method of yours rather than writing it from scratch?
  2. Consider legal remedies against those who reuse your code without permission. You might send sniffers (similar to virus scanners) over the net looking for signature DNA (Deoxyribonucleic Acid) in other people’s code that indicates they stole parts of your program.
  3. Do your customers want code or a code/support package? They may have almost no interest in getting it from pirates.
  4. Consider adding tamper proofing to your code so that if anyone changes the program in the tiniest way it will develop hard to discover bugs. Learn the art of psychological warfare with the pirates. Make the pirate think he has won, then hit him with yet another delayed time bomb. He never knows when the job is done. Throw in red herring code that looks like some complicated security system but which is actually gibberish. Let the pirate waste hours discovering that. Riddle your code with a wide variety of anti-tampering devices. Camouflage them in as many ways as you can think of. The simpler the tampering test, the more it looks like ordinary code. Don’t immediately react to a tampering detection. You want the punishment to come considerably later, via a circuitous, hard to trace, route. Camouflage your punishments as ordinary bugs.
  5. You can burn in the CPU (Central Processing Unit) serial number at branding time so the code won’t work on any other Pentium III or IV CPU.
  6. Consider adding snitching code so that if some tampering is detected, you hear about it. You don’t want to flag all your anti-tamper devices so blatantly.
  7. Issue frequent updates, preferably with automatic install. If you are Machiavellian, add an early-death gene that triggers if a new update does not arrive in time. The poor pirate has to start over with each new release. This technique is also useful for encouraging deadbeat customers to pay their bills for custom coding. A variant is to automatically change the password 60 days after the install. If the customer has paid, you tell him the new password.
  8. If a standalone program needs to check in with Mom once a month for any reason, that will tend to scare off pirates.
  9. Use an AOT optimising native code compiler, perhaps in conjunction with an obfuscator. Native code is much harder to decompile than Java bytes codes. If you are serious about obfuscation, this is the only way to fly.
  10. Check out on the hacker sites which obfuscation techniques they most dread.
  11. essay on unmaintainable code. If you make it so hard to maintain that even you can’t do it, what chance to pirates have?
  12. Keep in mind that any off-the-shelf obfuscator is going to be a lot easier to defang than hand-crafted obfuscator strategy.
  13. If a project is big enough to be worth stealing, it is almost impossible to understand it even with commented source, without getting some hints from the author. If it is not that big, what’s the huge secret you are hiding?
  14. Java is very easy to decompile and defang any simple minded authorisation just by removing the call to the authorisation routine. You need to hide this in JNI (Java Native Interface) and also put into that same JNI code that has practical value so that if it is turned off the program stops working, ideally in a very non-obvious and non-immediate way.
  15. I consider it immoral to keep coding tricks secret. Why make others waste time reinventing the wheel? We all benefit if we share source code.
  16. The ultimate obfuscation tool is to never let the hacker see the code — run anything critical on a webserver. The most fool proof way of preventing theft is never to give the customer the critical object code. It runs only on a server. This means your customers need 24/7 Internet access to use your app, but for commercial customers such access is becoming more and more common.
  17. You can digitally sign your code or registration keys with Sun jar signing or with a tool such an the Transporter. This will slow down hackers too lazy to take apart your code, but it will stop those who try to patch the license files with a binary editor or to create counterfeit ones. If you add additional consistency checks to the license file information and check it as indirectly as possible in as many places as possible and delay failure as innocuously as possible, you will drive the hacker mad.
  18. Often all you want is to make it difficult to modify constants burning into the code such as customer registrations, capabilities, customer customisations, customer identification. You are more concerned someone will pirate a copy by burning in now constants without any understanding of the program itself. Obfuscators can hid the information in Strings and make it hard to charge using techniques such as this: XOR (exclusive OR) each char of every string with a 16-bit random number generated from a known seed. To get the strings back at class load time, repeat the process with the same seed.
  19. For low volumes, I hand compile each customer’s individual copy of the application, which hard wires her configuration constants in a thousand places into the byte code. Options she is not currently using are not even present in the code. This is a variant of the DOS (Disk Operating System) technique where I shipped Abundance apps preconfigured with a specific printer driver. If the customer changed printers, she would tell me and I would ship her a new executable.
This list is derived from David Waite’s art of Psychological warfare:
  1. Never break quickly. If someone has to wait a day to find out that their try at hacking didn’t work, they will never figure out what to do.
  2. Require updates. If you require frequent updates, they cannot be running a hacked version of the client. We have people go out, ask how things are going, test out the computer, install and uninstall software, look for odd executables.
  3. Make purchasing valuable. Technical support is a Good Thing™ for this. I swear some programs don’t include documentation just so you will have to call and register.
  4. Make every executable different (in some indistinguishable way, unless you have two side-by-side). If you put a hidden serial number in your code and make people register it, then you know whom to sue when they re-release your code.
  5. Look at Vermilion FTP (File Transfer Protocol). Evil! (that means fiendishly cunning). The serial number contained assembly code, function tables, and xored keys to mask it all. If you got the 100 character serial number wrong, it just crashed when it couldn’t find the 'connect' function (for example). Normally if a program is considered hard to crack people will start attacking it (for glory and ego-fodder, I imagine). Most people gave up on this one.

    One fellow finally did, after a full year of trying. Released a detailed description of what he did, just so people could understand his Hell (which was forwarded to me, which I read in awe). With Java you could do this with bytecode. Since you can write your own class loaders in Java, the opportunities for confounding the pirates abound.

  6. Use an application server. If key parts are on the web, then they would have to hack your server in order to get around your protection. You cannot reverse engineer what you cannot see. Many Internet programs use this.
Some Obfuscators work on the source code, and others on the class files.

Many of these are student projects, not full tools.

Obfuscators
Tool Alive? Notes
2LKit  
Allatori $290.00 USD Last revised/verified: 2009-06-09 Also supports war and ear files.
BLOAT works on class files. Primarily an optimiser.
Chainkey Licencing keys, with configurable copy protection, how accurate, how severe.
Condensity $195.00 USD for pro edition and $795.00 USD for developer edition. They don’t tell you on the website the difference.
CShred defunct.
Creama Unfortunately the young Dutch author Hanpeter van Vliet died of cancer.
DashO $895.00 USD Dash-O obfuscation edition, $1695.00 USD Dash-O Pro, $1995.00 USD Dash-O Embedded, $2995.00 USD Dash-O Power Pack. Companion dotFuscator for .NET.
Elixir  
HashJava  
HoseMocha Uses a simple trick to confuse the Mocha reverse engineering tool by inserting an unreachable bogus opcode. Too unsophisticated for today.
Jarg jar creating tool that compacts and obfuscates.
Java Code Protector Works with Chainkey.
Jobfuscate I suspect it works by renaming standalone class files, rather than entire jars as is traditional. $100.00 USD Last revised/verified: 2007-12-29
JBCO Free. JBCO (Java Byte Code Obfuscator). Built atop Soot. Here are some examples of the advanced scramblings it can do. Here is a technical paper on how it works.
JBuilder JBuilder is an IDE (Integrated Development Environment) with an obfuscate option on the compiler.
JChain free for the first year
JCloak by Force 5
JCMP Free. It allows you to compress public names as well.
Jet This is what you need if you are serious. Generates highly optimised native code that is almost impossible to reconstruct into Java. The catch is it only works for Windows and Linux. It is primarily an optimising native compiler.
Jobe  
Jopt primarily an optimiser
JProof defunct
JPresto $520.00 USD to $1950.00 USD
JODE JODE (Java Optimise and Decompile Environment)
JShrink Eastridge technology’s obfuscator. Jshrink removes unnecessary symbolic information from Java .class files, resulting in files that load faster and yield less information when decompiled
JZipper by Vegatech
KlassMaster by Zelix. It is somewhat cleverer than average. It:
  • Obfuscates class, field and method names.
  • Obfuscates control flow.
  • Encrypts String literals.
It has fewer bugs than the competition.
Marvin Obfuscator aka DrJava free. Obfuscated code usually isn’t recompilable. Processes any application, Applet or servlet. Resulting code is compatible with any Java Virtual Machine. Generates a compact jar file. Removes package information; scrambles class names, method names, field names. Encrypts string constants. Removes unnecessary classes. Removes all debug information. 100% Pure Java. Tested on Java version 1.2, 1.3 and 1.4beta. Last revised: 2002-05-16 Verified: 2005-12-23
Metamata Toolsuite
Obfuscate by Jamm Consulting. née Monmouth Obfuscate. Little brother to ObfuscatePro.
Obfuscate4J $50.00 USD . Comes with Ant task to automate the obfuscation. Free evaluation. Windows and Linux versions. Last revised/verified: 2007-06-05. Still available on many download sites.
ObfuscatePro by Jamm Consulting. Sometimes called Neil’s obfuscator. full featured product. ObfuscatePro is a Java bytecode obfuscator that allows you to customize the obfuscation by specifying classes to exclude from the obfuscation. For the classes that you wish to exclude, you can specify whether to preserve the method and/or the field names in addition to the class name. This is useful for classes that use RMI (Remote Method Invocation) and/or localization since the class names and the method names need to be preserved for these items. Big brother to Obfuscate
Proguard free, GPL (Gnu Public Licence) open Source, shrinker and obfuscator. Grew out of Retroguard. Popular.
Retroguard Open Source
SourceGuard by 4thpass. Commercial product. No longer being supported. Does not work with Java 1.4.
Semantic Designs Java Obfuscator $100.00 USD
ShroudIt $90.00 USD and $180.00 USD licences.
Visiblock by Visionary Solutions. Company still there but no product.
YGuard by Yworks. Free. Integrates with Ant. Allows creating patches to old obfuscated code.

Ofuscating Files

There are a number of techniques for obfuscating data files:

Books

book cover recommend book⇒Decompiling Javato book home
by Godfrey Nolan 978-0-07-913767-8 paperback
publisher Apress 978-1-59059-265-6 hardcover
published 2004-07-23 B001GIPGC2 kindle
Note that this book was published in 2004, before generics and enums. Decompiling and protecting yourself from decompilers using obfuscation.
Australian flag abe books anz abe books.co.uk UK flag
Chinese flag amazon.cn amazon.co.uk UK flag
German flag abe books.de abe books.ca Canadian flag
German flag amazon.de amazon.ca Canadian flag
Spanish flag amazon.es Chapters Indigo Canadian flag
Spanish flag iberlibro.com abe books.com American flag
French flag abe books.fr amazon.com American flag
French flag amazon.fr Barnes & Noble American flag
Italian flag abe books.it Google play American flag
Italian flag amazon.it O’Reilly Safari American flag
India flag junglee.com Powells American flag
UN flag Kobo other stores UN flag
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.
book cover recommend book⇒Covert Java: Techniques for Decompiling, Patching, and Reverse Engineeringto book home
by Alex Kalinovsky 978-0-672-32638-7 paperback
birth 1974 age: 39
publisher Sams
published 2004-05-13
Learn the art of war, both offense and defence to protect your code from pirates. Note that this book was published in 2004, before generics and enums.
Australian flag abe books anz abe books.co.uk UK flag
Chinese flag amazon.cn amazon.co.uk UK flag
German flag abe books.de abe books.ca Canadian flag
German flag amazon.de amazon.ca Canadian flag
Spanish flag amazon.es Chapters Indigo Canadian flag
Spanish flag iberlibro.com abe books.com American flag
French flag abe books.fr amazon.com American flag
French flag amazon.fr Barnes & Noble American flag
Italian flag abe books.it Google play American flag
Italian flag amazon.it O’Reilly Safari American flag
India flag junglee.com Powells American flag
UN flag Kobo other stores UN flag
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.

available on the web at:

http://mindprod.com/jgloss/obfuscator.html
ClustrMaps is down

optional Replicator mirror
of mindprod.com
on local hard disk J:

J:\mindprod\jgloss\obfuscator.html
logo
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy.
Blog
IP:[65.110.21.43]
Your face IP:[54.227.141.230]
You are visitor number 83,829.