Java code obfuscation

Matthew Zimmer - 10 Feb 2004 16:14 GMT
Hey all,
I'm looking at using a tool to obfuscate some java code and have a 3
part question:

1.  If price were not a factor, what obfuscator would you use?
2.  If price were a factor and you wanted a midrange cost product (say
under $500) what obfuscator would you use?
3.  If you wanted a free obfuscator which one would you use?

Something of note about my product is that there is a fair amount of
reflection going on as I do a lot of dynamic class loading.  I've played
around with RetroGuard, and while it's nice, the script creation looks
like it will be quite painful with the amount of reflection I'm going to
have to work with.  Anyway, I'd appreciate any thoughts you might have.

Thanks.
Matthew Zimmer
nos - 10 Feb 2004 16:16 GMT
> Hey all,
> I'm looking at using a tool to obfuscate some java code and have a 3
[quoted text clipped - 13 lines]
> Thanks.
> Matthew Zimmer

why do you think you need to obfuscate?
Matthew Zimmer - 10 Feb 2004 16:26 GMT
>>Hey all,
>>I'm looking at using a tool to obfuscate some java code and have a 3
[quoted text clipped - 15 lines]
>
> why do you think you need to obfuscate?

Well, the product is for my company and a lot of man hours have been
spent on this code.  My company has decided that it would be better to
reduce the ease with which our code can be decompiled and the only way I
know of to do that is obfuscation.  If there is a better way I'd love to
hear it! :)
Andrew Thompson - 10 Feb 2004 16:41 GMT
>>> Hey all,
>>> I'm looking at using a tool to obfuscate some java code and have a 3
>>> part question:

...
>> why do you think you need to obfuscate?
...
> Well, the product is for my company and a lot of man hours have been
> spent on this code.  My company has decided that it would be better to
> reduce the ease with which our code can be decompiled and the only way I
> know of to do that is obfuscation.  If there is a better way I'd love
> to hear it! :)

http://mindprod.com/unmain.html  ?

--
Andrew Thompson
* http://www.PhySci.org/ Open-source software suite
* http://www.PhySci.org/codes/ Web & IT Help
* http://www.1point1C.org/ Science & Technology
Matthew Zimmer - 10 Feb 2004 16:53 GMT
>>>>Hey all,
>>>>I'm looking at using a tool to obfuscate some java code and have a 3
[quoted text clipped - 19 lines]
> * http://www.PhySci.org/codes/ Web & IT Help
> * http://www.1point1C.org/ Science & Technology

LOL...well, while that would help, I don't personally want to go back
and change all of our nicely written and fairly clean code (with the
exception of the reflection which I personally fought against but lost
the battle to somebody who thought it made the code cleaner *sigh*) to
follow those rules.  However, in future projects I'll make sure that I
follow all those rules. :)
Andrew Thompson - 10 Feb 2004 17:55 GMT
>>>> "Matthew Zimmer" ...
...
>>>>> I'm looking at using a tool to obfuscate some java code and have
>>>>> a 3 part question:
...
>>>> why do you think you need to obfuscate?
...
>>> Well, the product is for my company and a lot of man hours have been
>>> spent on this code.
...
>> http://mindprod.com/unmain.html  ?
...
> LOL...

Since you have demonstrated you have
a sense of humour* Matthew, I will point
you to another of Roedy's fine pages,
this one actually more ..on topic.

http://mindprod.com/jgloss/obfuscator.html#OBFUSCATOR
(shrugs) As an open-source freeware coder,
I have never tried any of them, but you may
get some pointers there.

* A quality that is demonstrably absent
from a lot of posters!

HTH

--
Andrew Thompson
* http://www.PhySci.org/ Open-source software suite
* http://www.PhySci.org/codes/ Web & IT Help
* http://www.1point1C.org/ Science & Technology
Matthew Zimmer - 10 Feb 2004 19:13 GMT
>>>>>"Matthew Zimmer" ...
>
[quoted text clipped - 40 lines]
> * http://www.PhySci.org/codes/ Web & IT Help
> * http://www.1point1C.org/ Science & Technology

Thanks Andrew,
there were several obfuscators on that page that my yahoo/google search
didn't turn up on the first several pages.  I think the most interesting
point on it though was that there really is no point to the whole
obfuscating.  Of course, convincing the powers that be about that is
unlikely.

I do, however, have to argue with one particular word that you used in
your post.  You said that humour is "A quality that is demonstrably
absent from a lot of posters!"  I would suggest that in the future you
change the word "posters" to "people" as it's a little more accurate and
I don't view it as fair to shortchange all the humorless people out
there who don't have usenet access. ;)

Anyway, thanks again.
Matthew
Andrew Thompson - 10 Feb 2004 19:25 GMT
(humour)
>> * A quality that is demonstrably absent
>> from a lot of posters!
...
> I do, however, have to argue with one particular word that you used in
> your post.  You said that humour is "A quality that is demonstrably
> absent from a lot of posters!"  I would suggest that in the future you
> change the word "posters" to "people" as it's a little more accurate
> and I don't view it as fair to shortchange all the humorless people
> out there who don't have usenet access. ;)

Oh, p-e-o-p-l-e (wracks memory),
....yeahhhh.  Good point.
Maybe I need to get out more.    ;-)
Tony Morris - 10 Feb 2004 22:38 GMT
> I think the most interesting
> point on it though was that there really is no point to the whole
> obfuscating.

You're spot on there.

<insert-dry-sense-of-humour-here>
jus' kiddin'

Signature

Tony Morris
(BInfTech, Cert 3 I.T., SCJP[1.4], SCJD)
Software Engineer
IBM Australia - Tivoli Security Software
(2003 VTR1000F)

Mickey Segal - 10 Feb 2004 23:11 GMT
> I think the most interesting point on it though was that
> there really is no point to the whole obfuscating.

I thought there were two benefits to obfuscation that were widely accepted:
1.  Obfuscation replaces informative names with uninformative names, making
your code harder to follow than it was previously.
2.  By doing so obfuscation makes your code smaller.

Are these wrong, or just felt to be minor points?
Tim Tyler - 13 Feb 2004 15:00 GMT
Mickey Segal <ignored@example.com> wrote or quoted:

> I thought there were two benefits to obfuscation that were widely accepted:

> 1.  Obfuscation replaces informative names with uninformative names, making
> your code harder to follow than it was previously.
> 2.  By doing so obfuscation makes your code smaller.
>
> Are these wrong, or just felt to be minor points?

If you want point 2, code shrinkers are there to shrink code.

Making code harder to understand is a goal which can conflict with
the aim of maximally shrinking the code - since it can involve things
like inserting code to mangle strings - and adding confusing bits of
pointless dead code that just get in the way.
Signature

__________
|im |yler  http://timtyler.org/  tim@tt1lock.org  Remove lock to reply.

Michael Scovetta - 10 Feb 2004 23:03 GMT
IMHO, Java obfuscation is easily defeated, and is a poor practice to
rely on to protect intellectual property. Even if bytecode-level
obfuscation craps out most decompilers, that only means that we're
waiting for a better decompiler. I would be curious to see an
obfuscator that can create code that the JVM can decode but a
decompiler cannot.

Instead, consider either (a) fully compiling your product to binary
(system-dependent)-- Most apps run on one system, so this isn't a big
problem. Obfuscating binaries is more effective than Java bytecode, or
(b) re-thinking your process-- why are you preventing your clients
from viewing your product source code? Is this security through
obscurity? Are you using patented algorithms and the such that you
don't want getting out? I assume that you only really need to protect
1% or something. Use JNI in that case, and call the DLL/so.

-Mike Scovetta

> Hey all,
> I'm looking at using a tool to obfuscate some java code and have a 3
[quoted text clipped - 13 lines]
> Thanks.
> Matthew Zimmer
NOBODY - 12 Feb 2004 03:46 GMT
1-retroguard
2-retroguard
3-retroguard

And obfuscation can replace class bytecode constant pool identifiers
with any unicode string (including numbers and other normally illegal
chars).

Unless a decompiler can create a legal identifier for those, it still
can't expose the meaning of the code.... People at this level of
expertise would better interpret bytecode directly with javap...

Tell me what this does...

void a(b a1) {
       (new c(a1)).d(this);
}

> IMHO, Java obfuscation is easily defeated, and is a poor practice to
> rely on to protect intellectual property. Even if bytecode-level
[quoted text clipped - 32 lines]
>> Thanks.
>> Matthew Zimmer
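
The gap NOBODY's post describes, between names a class file may carry and names Java source accepts, shown as an added example that is not part of the original thread. The class name IdentifierCheck, its method names, the "renamed_" prefix and the sample names are all assumptions made for illustration; the class-file rule is the unqualified-name rule of the current JVM specification (JVMS 4.2.2).

```java
import javax.lang.model.SourceVersion;
import java.util.*;

public class IdentifierCheck {

    // JVMS 4.2.2: an unqualified name (a field name, or one segment of a
    // class name) must be non-empty and contain none of . ; [ /
    static boolean legalInClassFile(String name) {
        if (name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            if (".;[/".indexOf(name.charAt(i)) >= 0) return false;
        }
        return true;
    }

    // Java source is stricter: identifier syntax, and not a keyword or literal.
    // SourceVersion.isIdentifier() alone also accepts keywords, hence both checks.
    static boolean legalInSource(String name) {
        return SourceVersion.isIdentifier(name) && !SourceVersion.isKeyword(name);
    }

    // Maps each class-file-legal name to a name usable in source text: kept
    // as-is when already legal, otherwise a fresh placeholder that does not
    // collide with any name already present.
    static Map<String, String> sourceNames(String... poolNames) {
        Set<String> taken = new HashSet<>(Arrays.asList(poolNames));
        Map<String, String> out = new LinkedHashMap<>();
        int n = 0;
        for (String name : poolNames) {
            if (!legalInClassFile(name)) continue; // not a valid class-file name at all
            String mapped = name;
            if (!legalInSource(name)) {
                do { mapped = "renamed_" + n++; } while (!taken.add(mapped));
            }
            out.put(name, mapped);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample names; not taken from any real class file.
        String[] pool = {"a", "b", "d", "if", "1", "a b", "renamed_0", "a.b"};
        sourceNames(pool).forEach((k, v) ->
            System.out.printf("%-10s source-legal=%-5b -> %s%n", k, legalInSource(k), v));
    }
}
```

Short names such as a, b and d from the snippet in the post pass both checks, which is why that snippet is still valid source; names such as "if" or "1" are the ones that need a placeholder before they can appear in source text.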
nos - 12 Feb 2004 03:58 GMT
> 1-retroguard
> 2-retroguard
[quoted text clipped - 13 lines]
>     (new c(a1)).d(this);
> }

it prints the message "don't top post"

> > IMHO, Java obfuscation is easily defeated, and is a poor practice to
> > rely on to protect intellectual property. Even if bytecode-level
[quoted text clipped - 32 lines]
> >> Thanks.
> >> Matthew Zimmer
Tony Dahlman - 14 Feb 2004 04:14 GMT
> > [snip]

> it prints the message "don't top post"

Who wrote this?

> > > IMHO, Java obfuscation is easily defeated, and is a poor practice to
> > > rely on to protect intellectual property. Even if bytecode-level
[quoted text clipped - 15 lines]
> > >
> > >  [snip]

> > >> Thanks.
> > >> Matthew Zimmer

All flaming on top-posting aside, I think Michael has this one right on.

Java has this weakness--that people can steal your code.  Not only that
but WORA has not, nor can it be, achieved at present.  Rather Bill Joy's
glib comment applies, "Write once, debug everywhere."  (AFAI can remember)

So Michael has it right.  Still WORA applies because the same code can
run on multiple platforms, but a vendor has the responsibility to lab-test
her/his code on all the platforms he/she may want to sell to.

Still, as pointed out but not as clearly, there will always be someone,
somewhere, who will take the time (if warranted) to steal your code.  And
that, damn-it-all, is the reason we still need lawyers.  

Meanwhile, maybe someday Microsoft will realize that "hide your code from
hackers" is *not* a security measure.  It's just denial.

Regards,  Tony Dahlman
---------------------------------------
a (no spam)d ahlman( a t )att global( d o t )ne t
Can you believe they figured this one out?  Last post with my
real if obfuscated address.  :-)
nos - 14 Feb 2004 08:03 GMT
> > > [snip]
>
[quoted text clipped - 47 lines]
> Can you believe they figured this one out?  Last post with my
> real if obfuscated address.  :-)

last job I had we gave the source code to the customer along
with all the other stuff -->  licensing
beagle@dogs-like-spam.com - 14 Feb 2004 15:10 GMT
> last job I had we gave the source code to the customer along
> with all the other stuff -->  licensing

Which is sometimes reasonable, and sometimes not reasonable.

