image provider

Coding Obfuscation


Sedulously eschew obfuscatory hyperverbosity and prolixity.
~ Anonymous
  1. XML (extensible Markup Language)

    The XML fad has created a bonanza of opportunities for obfuscation. The basic technique is to pick a random hunk of code, then invent an obscure way of representing its logic in XML. Then replace the piece of code with an XML properties file and an XML parser. Make sure the XML representation you choose is so limited that almost anything other than the original logic cannot be expressed in it. Of course, you never document the XML language extension or the parser. Nobody questions the simplicity of XML. Using this technique, you should easily be able to balloon 10 lines of simple Java code up to 100 lines of perfectly opaque XML.
  2. Obfuscated C

    Follow the obfuscated C contests on the Internet and sit at the lotus feet of the masters.
  3. Find a Forth or APL (A Programming Language) Guru

    In those worlds, the terser your code and the more bizarre the way it works, the more you are revered.
  4. I’ll Take a Dozen

    Never use one housekeeping variable when you could just as easily use two or three.
  5. Jude the Obscure

    Always look for the most obscure way to do common tasks. For example, instead of using arrays to convert an integer to the corresponding string, use code like this:
    char *p;
    switch (n)
    {
    case 1:
        p = one;
        if (0)
    case 2:
        p = two;
        if (0)
    case 3:
        p = three;
        printf(%s, p);
        break;
    }
  6. Foolish Consistency Is the Hobgoblin of Little Minds

    When you need a character constant, use many different formats: ' ', 32, 0x20, 040. Make liberal use of the fact that 10 and 010 are not the same number in C or Java.
  7. Casting

    Pass all data as a void * and then typecast to the appropriate structure. Using byte offsets into the data instead of structure casting is fun too.
  8. The Nested Switch

    (a switch within a switch) is the most difficult type of nesting for the human mind to unravel.
  9. Exploit Implicit Conversion

    Memorize all of the subtle implicit conversion rules in the programming language. Take full advantage of them. Never use a picture variable (in COBOL or PL/I) or a general conversion routine (such as sprintf in C). Be sure to use floating-point variables as indexes into arrays, characters as loop counters and perform string functions on numbers. After all, all of these operations are well-defined and will only add to the terseness of your source code. Any maintainer who tries to understand them will be very grateful to you because they will have to read and learn the entire chapter on implicit data type conversion; a chapter that they probably had completely overlooked before working on your programs.
  10. int literals

    When using ComboBoxes, use a switch statement with integer cases rather than named constants for the possible values.

    If you have an array with 100 elements in it, hard code the literal 100 in as many places in the program as possible. Never use a static final named constant for the 100, or refer to it as myArray.length. To make changing this constant even more difficult, use the literal 50 instead of 100/2, or 99 instead of 100-1. You can further disguise the 100 by checking for a == 101 instead of a > 100 or a > 99 instead of a >= 100.

    Consider things like page sizes, where the lines consisting of x header, y body, and z footer lines, you can apply the obfuscations independently to each of these and to their partial or total sums.

    These time-honoured techniques are especially effective in a program with two unrelated arrays that just accidentally happen to both have 100 elements. If the maintenance programmer has to change the length of one of them, he will have to decipher every use of the literal 100 in the program to determine which array it applies to. He is almost sure to make at least one error, hopefully one that won’t show up for years later.

    There are even more fiendish variants. To lull the maintenance programmer into a false sense of security, dutifully create the named constant, but very occasionally accidentally use the literal 100 value instead of the named constant. Most fiendish of all, in place of the literal 100 or the correct named constant, sporadically use some other unrelated named constant that just accidentally happens to have the value 100, for now. It almost goes without saying that you should avoid any consistent naming scheme that would associate an array name with its size constant.

  11. Semicolons!

    Always use semicolons whenever they are syntactically allowed. For example:
    if ( a );
    else;
    {
       int d;
       d = c;
    }
  12. Use Octal For Obscurity

    Smuggle octal literals into a list of decimal numbers like this:
    array = new int[]
    {
       111,
       120,
       013,
       121,
    };
  13. Convert Indirectly

    Java offers great opportunity for obfuscation whenever you have to convert. As a simple example, if you have to convert a double to a String, go circuitously, via Double with new Double(d).toString() rather than the more direct Double.toString(d). You can, of course, be far more circuitous than that! Avoid any conversion techniques recommended by the Conversion Amanuensis. You get bonus points for every extra temporary object you leave littering the heap after your conversion.
  14. Nesting

    Nest as deeply as you can. Good coders can get up to 10 levels of ( ) on a single line and 20 { } in a single method. C++ coders have the additional powerful option of preprocessor nesting totally independent of the nest structure of the underlying code. You earn extra Brownie points whenever the beginning and end of a block appear on separate pages in a printed listing. Wherever possible, convert nested ifs into nested [? : ] ternaries. If they span several lines, so much the better.
  15. C’s Eccentric View of Arrays

    C compilers transform myArray[i] into *(myArray + i), which is equivalent to *(i + myArray) which is equivalent to i[myArray]. Experts know to put this to good use. To really disguise things, generate the index with a function:

    int myfunc(int q, int p) { return p%q; }

    myfunc(6291, 8)[Array];

    Unfortunately, these techniques can only be used in native C classes, not Java.

  16. L o n g L i n e s

    Try to pack as much as possible into a single line. This saves the overhead of temporary variables and makes source files shorter by eliminating new line characters and white space. Tip: remove all white space around operators. Good programmers can often hit the 255 character line length limit imposed by some editors. The bonus of long lines is that programmers who cannot read 6 point type must scroll to view them.
  17. Exceptions

    I am going to let you in on a little-known coding secret. Exceptions are a pain in the behind. Properly-written code never fails, so exceptions are actually unnecessary. Don’t waste time on them. Subclassing exceptions is for incompetents who know their code will fail. You can greatly simplify your program by having only a single try/catch in the entire application (in main) that calls System.exit(). Just stick a perfectly standard set of throws on every method header whether they could actually throw any exceptions or not.
  18. When To Use Exceptions

    Use exceptions for non-exceptional conditions. Routinely terminate loops with an ArrayIndexOutOfBoundsException. Pass return standard results from a method in an exception.
  19. Efficient Exceptions

    Throwing an Exception has quite a high overhead. The JVM (Java Virtual Machine) has to scan the stack looking for a ton of information to potentially use in a stack trace. You can avoid this overhead by constructing a Exception object once and throwing it many times. The stack trace will be for the spot in the code where the Exception was constructed, not where it was thrown. This will really keep them guessing where the bugs are.
  20. Use threads With Abandon

    title says it all.
  21. Lawyer Code

    Follow the language lawyer discussions in the newsgroups about what various bits of tricky code should do e.g. a=a++; or f(a++,a++); then sprinkle your code liberally with the examples. In C, the effects of pre/post decrement code such as
    *++b ? (*++b + *(b-1)) : 0
    are not defined by the language spec. Every compiler is free to evaluate in a different order. This makes them doubly deadly. Similarly, take advantage of the complex tokenizing rules of C and Java by removing all spaces.
  22. Early Returns

    Rigidly follow the guidelines about no goto, no early returns and no labeled breaks especially when you can increase the if/else nesting depth by at least 5 levels.
  23. Avoid {}

    Never put in any { } surrounding your if/else blocks unless they are syntactically obligatory. If you have a deeply nested mixture of if/else statements and blocks, especially with misleading indentation, you can trip up even an expert maintenance programmer. For best results with this technique, use Perl. You can pepper the code with additional ifs after the statements, to amazing effect.
  24. Tabs From Hell

    Never underestimate how much havoc you can create by indenting with tabs instead of spaces, especially when there is no corporate standard on how much indenting a tab represents. Embed tabs inside string literals, or use a tool to convert spaces to tabs that will do that for you.
  25. Magic Matrix Locations

    Use special values in certain matrix locations as flags. A good choice is the [3][0] element in a transformation matrix used with a homogeneous coordinate system.
  26. Magic Array Slots revisited

    If you need several variables of a given type, just define an array of them, then access them by number. Pick a numbering convention that only you know and don’t document it. And don’t bother to define #define constants for the indexes. Everybody should just know that the global variable widget[15] is the cancel button. This is just an up-to-date variant on using absolute numerical addresses in assembler code.
  27. Never Beautify

    Never use an automated source code tidier (beautifier) to keep your code aligned. Lobby to have them banned them from your company on the grounds they create false deltas in PVCS/CVS (version control tracking) or that every programmer should have his own indenting style held forever sacrosanct for any module he wrote. Insist that other programmers observe those idiosyncratic conventions in his modules. Banning beautifiers is quite easy, even though they save the millions of keystrokes doing manual alignment and days wasted misinterpreting poorly aligned code. Just insist that everyone use the same tidied format, not just for storing in the common repository, but also while they are editing. This starts an RWAR (Religious War) and the boss, to keep the peace, will ban automated tidying. Without automated tidying, you are now free to accidentally misalign the code to give the optical illusion that bodies of loops and ifs are longer or shorter than they really are, or that else clauses match a different if than they really do, e. g.
  28. The Macro Preprocessor

    It offers great opportunities for obfuscation. The key technique is to nest macro expansions several layers deep so that you have to discover all the various parts in many different *.hpp files. Placing executable code into macros then including those macros in every *.cpp file (even those that never use those macros) will maximize the amount of recompilation necessary if ever that code changes.
  29. Exploit Schizophrenia

    Java is schizophrenic about array declarations. You can do them the old C, way String x[], (which uses mixed pre-postfix notation) or the new way String[] x, which uses pure prefix notation. If you want to really confuse people, mix
    byte[] rowvector, colvector, matrix[];
    which
    byte[] rowvector;
    byte[] colvector;
    byte[][] matrix;
  30. Hide Error Recovery Code

    Use nesting to put the error recovery for a function call as far as possible away from the call. This simple example can be elaborated to 10 or 12 levels of nest:
  31. Pseudo C

    The real reason for #define was to help programmers who are familiar with another programming language to switch to C. Maybe you will find declarations like #define begin { " or " #define end } useful to write more interesting code.
  32. Confounding Imports

    Keep the maintenance programmer guessing about what packages the methods you are using are in. Instead of:
    import com.mindprod.mypackage.Read;
    import com.mindprod.mypackage.Write;
    use:
    import com.mindprod.mypackage.*;
    Never fully qualify any method or class no matter how obscure. Let the maintenance programmer guess which of the packages/classes it belongs to. Of course, inconsistency in when you fully qualify and how you do your imports helps most.
  33. Toilet Tubing

    Never under any circumstances allow the code from more than one function or procedure to appear on the screen at once. To achieve this with short routines, use the following handy tricks: The technique of putting so much redundant information in documentation almost guarantees it will soon go out of date and will help befuddle maintenance programmers foolish enough to trust it.
  34. Encapsulate The Trivial

    Create entire classes or methods to encapsulate trivialities that could never possibly change, but which then require complex invocation and careful unravelling to discover that the code does almost nothing. Here is a classic
  35. Loops

    The humble canonical for loop: for (int i=0; i<n; i++ ) should never be used. Always randomly disguise it, for example by: It goes without saying you should never use the compact for:each loop. There many ways to rearrange the parts of an Iterator loop over a Collection so every time the maintenance programmer looks at on a simple Iterator, it appears to be something novel.

This page is posted
on the web at:

http://mindprod.com/jgloss/unmainobfuscation.html

Optional Replicator mirror
of mindprod.com
on local hard disk J:

J:\mindprod\jgloss\unmainobfuscation.html
Canadian Mind Products
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

IP:[65.110.21.43]
Your face IP:[18.221.221.171]
You are visitor number