Bytecode Obfuscation | OWASP Foundation (2024)

Author: Pierre Parrend
Contributor(s): Stephendv, jmanico, AdamButton, KristenS, Robert Larsen, Shady, Milan Singh Thakur, Imifos, Gtorok, Robk, kingthorin, Matt Coley

Status

Completely Updated: 7 March 2018
Released: 14/1/2008

Principles

Java source code is typically compiled into Java bytecode – the instruction set of the Java virtual machine. The compiled Java bytecode can easily be reverse-engineered back into source code by freely available decompilers. Bytecode Obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder to read and understand for a hacker but remains fully functional. Almost all code can be reverse-engineered with enough skill, time and effort. However, for some platforms such as Java, Android, or .NET, free decompilers can easily reverse-engineer source code from an executable or library with no real time or effort. Automated bytecode obfuscation can make reverse-engineering a program difficult but certainly not impossible. In simpler cases it can be done with enough patience and the correct tools. Other advantages could include helping to protect licensing mechanisms and prevent unauthorized access, hiding vulnerabilities and shrinking the size of the executable.

How to recover Source Code from Bytecode?

There are a number of freely available Java decompilers that can recreate source code from Java bytecode (executables or libraries). Popular decompilers include:

  • Bytecode Viewer - A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
  • Recaf - A modern Java bytecode editor with support for multiple decompiler front-ends
  • CFR - Another Java decompiler
  • JDGui - Yet another fast Java decompiler
  • Fernflower - An analytical decompiler for Java

How to help prevent Java source code from being Reverse-Engineered?

Java bytecode obfuscation consists of multiple complementary techniques that can help create a layered defense against reverse engineering and tampering. Some typical examples of obfuscation techniques include:

  • Renaming alters the names of methods and variables to make the decompiled source much harder for a human to understand.
  • Control Flow Obfuscation creates conditional, branching, and iterative constructs that produce valid executable logic, but yield non-deterministic semantic results when decompiled.
  • String Encryption hides strings in the executable and only restores their original value when needed.
  • Instruction Pattern Transformation converts common instructions to other, less obvious constructs, potentially confusing decompilers.
  • Dummy Code Insertion inserts code that does not affect the program’s logic, but breaks decompilers or makes reverse-engineered code harder to analyze.
  • Unused Code and Metadata Removal prunes out debug information, non-essential metadata and unused code from applications to reduce the information available to an attacker.
  • Class File Encryption requires the JVM to decrypt the Java executable before running it, which confuses decompilers. Unlike some of the other transforms, this one is easy to circumvent by modifying the local JVM to simply write the executable to disk in its unencrypted form. (See: Javaworld article.)
  • Targeting Decompiler Flaws in order to cause reverse engineering tools or analysis of the bytecode to fail. See: Stop Decompiling My Java

How to automatically clean up obfuscated bytecode?

While there are tools that would allow a person with enough patience and skill to manually deobfuscate these techniques themselves, these processes can also be automated with some open source tools.

  • Java-Deobfuscator - A command line tool providing automated reversal of common obfuscation patterns.
  • Threadtear - A UI tool including automated reversal of common obfuscation patterns, plus preview decompilation of the results and more useful tooling.

What obfuscation tools are available?

You can find popular tools for Java bytecode obfuscation below, or simply enter java obfuscator in your favorite search engine.

  • ProGuard Java Optimizer is a very popular open source Java class file shrinker, optimizer, obfuscator, and preverifier.
  • DashO Android & Java Obfuscator is a Java, Kotlin and Android application hardening and obfuscation tool that provides passive and active protection.
  • KlassMaster Heavy Duty Protection, shrinks and obfuscates both code and string constants. It can also translate stack traces back to readable form if you save the obfuscation log.
  • Javaguard, a simple obfuscator without a lot of documentation.
  • JObfuscator, Java source code obfuscator.

Using Proguard

The following section provides a short tutorial for using Proguard. First, download the code under the following URL and unzip it.

For this tutorial, we use the fr.inria.ares.sfelixutils-0.1.jar package.

Go to the main directory of Proguard. To launch it, use the following script and parameters:

    java -jar lib/proguard.jar @config-genericFrame.pro

config-genericFrame.pro is the option file (do not forget to adapt the libraryjars parameter to your own system):

    # Names used for renamed classes and members
    -obfuscationdictionary ./examples/dictionaries/compact.txt
    # Java runtime library; adapt this path to your own system
    -libraryjars /usr/java/j2sdk1.4.2_10/jre/lib/rt.jar
    -injars fr.inria.ares.sfelixutils-0.1.jar
    -outjars fr.inria.ares.sfelixutils-0.1-obs.jar
    # Obfuscate only: no shrinking, no optimization
    -dontshrink
    -dontoptimize
    -keep public class proguard.ProGuard {
        public static void main(java.lang.String[]);
    }

Note that the ‘keep’ option is mandatory; we use this default class so that nothing is kept out of obfuscation.

The example dictionary (here compact.txt) is given with the code.

The output is stored in the package ‘genericFrameOut.jar’.

You can observe the modifications implied by obfuscation with the following commands:

  • jar xvf genericFrameOut.jar
  • cd genericFrame/pub/gui/
  • jad c.class
  • more c.jad
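
The manual inspection above can be automated as a build check. The following Python sketch is an added example, not part of the original article or of ProGuard: it reads the constant pool of every class in an output jar and reports watch-listed names or messages that are still readable (renaming or string encryption not applied) and debug attribute names that remain (metadata removal not applied). The function names, the watch list and the sample jar are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Payload size of each fixed-width constant-pool entry, keyed by tag (JVMS 4.4).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
DEBUG_ATTRS = {"SourceFile", "LineNumberTable", "LocalVariableTable"}  # debug only

def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string in one .class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index, found = 10, 1, set()
    while index < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            found.add(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in CP_SIZES:
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double take two slots
    return found

def audit_jar(jar, watchlist):
    """Report watch-listed names and debug attributes still readable in a jar."""
    constants = set()
    with zipfile.ZipFile(jar) as archive:  # accepts a path or a file object
        for name in archive.namelist():
            if name.endswith(".class"):
                constants |= utf8_constants(archive.read(name))
    leaked = sorted(w for w in watchlist if any(w in c for c in constants))
    return {"leaked": leaked, "debug_attrs": sorted(DEBUG_ATTRS & constants)}

def sample_jar(strings):
    """Constructed input: a jar whose one class is only header + constant pool."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(strings) + 1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("a/b.class", header + pool)
    return buf

if __name__ == "__main__":  # constructed jar: renamed class, debug info left in
    print(audit_jar(sample_jar(["a", "()V", "LineNumberTable"]), ["checkLicense"]))
```

Run it against your own output jar with a watch list of class names, method names and messages taken from your source; matching is by substring, so use identifiers specific enough not to collide with obfuscated names.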
